
EC-Council CHFI v9

Course code: CHFI-9
Duration: 40 hours (5 days)
Schedule: January, February, March, April

The course gives students the knowledge and skills to apply key techniques for detecting computer crime, both on the local network and in Internet interactions with mobile clients and cloud services. The course also presents a wide range of software products for collecting and recovering information that indicates an intrusion into a system.

Audience
This course provides extensive knowledge of security analysis of modern computer networks and will be useful to all interested IT professionals, including network and system administrators and IT managers. It will also be of interest to information security officers, law enforcement officers and military personnel involved in investigating computer network intrusions. In addition, the course helps security professionals prepare for international certification.

At the end of the course students will be able to:
– Independently detect intrusions into operating systems, web applications, mobile devices and cloud services;
– Use proven methods of intrusion detection;
– Gather evidence of an intrusion;
– Use specialized tools for intrusion analysis;
– Analyze text, graphic or media traffic flows for hidden payloads and implants;
– Analyze storage systems to detect traces of intrusion;
– Capture and analyze the state of non-volatile storage and volatile (RAM) memory on Windows, Mac and Linux;
– Recover deleted files and partitions on Windows, Mac and Linux;
– Analyze the state of systems for signs of insider attacks;
– Apply reverse engineering techniques to analyze attack code;
– Detect cracking (or attempted cracking) of password files;
– Extract and analyze logs from proxy servers, firewalls, intrusion detection / prevention systems, workstations, servers, switches, routers, domain controllers, DNS and DHCP servers, access control systems and other devices;
– Take the necessary measures to hand evidence over to law enforcement agencies.

Certification exams
The course helps to prepare for the following certification exams:
312-49: Computer Hacking Forensic Investigator

Preparation required
To learn effectively, students must have the following knowledge and skills:
– Experience working with client and server operating systems;
– Understanding the operation of the network and network devices;
– Understanding of basic security concepts;
– CEH and CND courses or equivalent knowledge and skills.

Course materials
Students are provided with a branded textbook and a lab manual (in electronic form), as well as the other materials and software needed to complete the lab work.

Module 1: Investigating information security (IS) incidents around the world
Topics

  • Identification of computer threats
  • Classification of cyber-attacks
  • Challenges for cybercrime researchers
  • Types of cyber-attacks and basic rules of investigation
  • Evidence collection rules and basic types of digital evidence
  • Assessment of incident preparedness and action plan
  • The scope of activities and area of responsibility of computer security incident investigators
  • Review of legal, ethical and confidentiality issues during the investigation of an incident

Module 2: IS Incident Investigation Process
Topics

  • The process of investigating the IS incident
  • Stages of the IS incident investigation process
  • Requirements for the laboratory environment and the team of incident investigators
  • Research software
  • Tasks of the first responders to an IS incident
  • Finding and gathering evidence
  • Placement and storage of evidence
  • Duplicating data, recovering deleted data and verifying evidence
  • Writing a report
  Lab:
  • Data recovery using EaseUS Data Recovery Wizard;
  • Using HashCalc to calculate a hash, checksum or HMAC;
  • Using MD5 Calculator;
  • Viewing files of various formats with File Viewer;
  • Detecting traces of data activity with P2 Commander;
  • Creating a partition image using R-Drive Image.

Module 3: Collecting evidence from disks and file systems
Topics

  • Classification of computer network security tools
  • Methods and means of access control
  • Methods and means of authentication, authorization and audit of access
  • A brief overview of the main methods of cryptographic protection of information
  • Basic classes of hardware and software for computer network protection and principles of their operation
  • Network protocols designed to ensure security and the principles of their operation
  Lab:
  • Detecting deleted files using WinHex;
  • File system analysis using The Sleuth Kit;
  • Raw image analysis using Autopsy.

Module 4: Investigating Operating System Incidents
Topics

  • Methods of data acquisition
  • Acquiring live data
  • Acquiring static data
  • Duplication of data
  • Write blocking (preventing changes to the device)
  • Methods and tools for data acquisition
  • Acquiring data in Windows and Linux
  Lab:
  • Examining an NTFS partition with DiskExplorer for NTFS;
  • Viewing graphic content with FTK Imager.

Module 5: Countering methods of concealing evidence
Topics

  • Countering methods of concealing evidence and the purpose of counteraction
  • Review of techniques for counteracting methods of concealing evidence
  • Extracting evidence from deleted files and partitions, password-protected files and steganography
  • Code obfuscation, artifact wiping, data / metadata overwriting and encryption
  • Methods for detecting encryption protocols, program packers and rootkits
  • Countermeasures against methods of concealing evidence
  Lab:
  • Cracking application passwords;
  • Detecting steganography.

Module 6: Methods of data collection and copying
Topics

  • Examining volatile and non-volatile data in Windows
  • Windows memory and registry analysis
  • Check cache, cookies and browser history
  • Check Windows files and metadata
  • Analyze text logs and Windows event logs
  • Linux log commands and files
  • Check Mac logs
  Lab:
  • Detecting and extracting material hidden on a computer using OSForensics;
  • Obtaining information about loaded processes with Process Explorer;
  • Viewing, monitoring and analyzing events using Event Log Explorer;
  • Examining a compromised computer with Helix;
  • Acquiring volatile (live) data in Linux;
  • Analyzing non-volatile (static) data in Linux.

Module 7: Investigation of network technology incidents
Topics

  • Network intrusions
  • Basic concepts of logging
  • An overview of event correlation approaches
  • Examining router, firewall, IDS, DHCP and ODBC logs
  • Checking network traffic
  • Collecting evidence of network intrusion
  • Reconstruction of the intrusion
  Lab:
  • Capturing and analyzing events using GFI EventsManager;
  • Incident investigation and data collection using XpoLog Center Suite;
  • Investigate network attacks with Kiwi Log Viewer;
  • Track network traffic with Wireshark.

Module 8: Investigating Web Application Attacks
Topics

  • Threats to web applications
  • Web application architecture
  • Web attacks and steps to implement them
  • Web attacks on a Windows server
  • IIS server architecture and working with its logs
  • Apache web server architecture and working with its logs
  • Ways to attack web applications
  Lab:
  • Domain and IP address lookups using SmartWhois.

Module 9: Investigation of DBMS incidents
Topics

  • Database threats
  • MSSQL threats
  • Signs of database intrusion
  • Collect evidence of intrusion using SQL Server Management Studio and Apex SQL DBA
  • MySQL threats
  • MySQL architecture and definition of data directory structure
  • Utilities for analyzing and collecting evidence of intrusion into MySQL
  • MySQL threats to WordPress web application databases
  Lab:
  • Extracting a database from Android devices using Andriller;
  • SQLite database analysis using DB Browser for SQLite;
  • Examining a MySQL database.

Module 10: Investigation of incidents related to cloud services
Topics

  • Description of the principles of cloud computing
  • Cloud attacks
  • Ways to protect cloud environments
  • Cloud protection stakeholders
  • DropBox and Google Drive cloud services
  Lab:
  • Detection of vulnerabilities in DropBox;
  • Examining Google Drive.

Module 11: Investigation of malicious code incidents
Topics

  • How malware enters the OS
  • Basic malware components and distribution
  • Malware protection concept
  • Detection and removal of malware from systems
  • Malware analysis – analysis rules and test environment
  • Static and dynamic analysis of malware
  Lab:
  • Static analysis of suspicious files;
  • Dynamic analysis of malicious code;
  • Analysis of infected PDF files;
  • Scanning PDF files using web resources;
  • Scanning suspicious MS Office files.

Module 12: Investigating Email Incidents
Topics

  • Mail systems, mail clients and mail servers
  • Account management
  • Email attacks
  • Components of e-mail messages
  • Common headers and X-headers
  • Detect mail attacks
  • Tools for analyzing e-mails
  • The US CAN-SPAM Act
  Lab:
  • Recovering deleted emails with Recover My Email;
  • Detecting dangerous messages with Paraben’s Email Examiner;
  • Tracking emails with eMailTrackerPro.

Module 13: Investigating Mobile Incidents
Topics

  • Threats to mobile devices
  • Specifics of hacking mobile devices and mobile operating systems
  • Mobile device architecture
  • Android stack architecture and boot process
  • iOS stack architecture and boot process
  • Mobile data storage
  • Preparation and intrusion into mobile operating systems
  Lab:
  • Analyzing suspicious images and recovering deleted files using Autopsy;
  • Examining an Android device with Andriller.

Module 14: Preparation of Incident Investigation Reports
Topics

  • The structure of the incident investigation report
  • Signs of a good report
  • Incident investigation report template
  • Classification of reports and guidelines for writing them
  • Expert opinions in the report
  • Differences between technical and expert opinions
  • Daubert and Frye standards
  • Ethical standards during the investigation


The course price is $ 1,500


To pre-register for courses or clarify information, please call: +380 44 230 34 74

E-mail: education@erc.ua