
Computer Hacking Forensic Investigator (Exam 312-49)

Version Change Document

                               CHFIv10                                    CHFIv11
Total Number of Modules        16                                         15
Total Number of Slides         1265                                       1210
Total Number of Labs           59                                         68
Total Number of New Labs       32                                         18
Total Volume of Evidence File  52.4 GB                                    74 GB
New Concepts Added             IoT, Dark Web, AWS and Azure (Cloud),      Computer Forensics Standards, eDiscovery,
                               Fileless Malware, SSD                      Wireless Network Forensics, Google Cloud
                                                                          Forensics, Social Media Forensics, Electron
                                                                          Application Analysis, Web Browser Forensics,
                                                                          Complete Mac Forensics, Computer Forensics
                                                                          using Python
OS Used for Labs               Windows 10, Windows Server 2016,           Windows 11, Windows Server 2022,
                               Ubuntu (Linux)                             Ubuntu (Linux)
Course Duration                5 Days (9:00 AM to 5:00 PM)                5 Days (9:00 AM to 5:00 PM)
Exam                           150 Questions (MCQ)                        150 Questions (MCQ)
Exam Duration                  4 Hours                                    4 Hours
Exam Delivery                  EC-Council Exam Portal                     EC-Council Exam Portal
NICE Compliance                Final NICE 2.0 Framework                   Final NICE 2.0 Framework

Page | 1 Computer Hacking Forensic Investigator Copyright © by EC-Council


All Rights Reserved. Reproduction is Strictly Prohibited.

CHFIv11 Change Summary

1. Module 13: Investigating Email Crimes in CHFIv10 is renamed Module 13: Email and Social Media Forensics in CHFIv11.
2. Module 01: Computer Forensics in Today's World now includes cyber attribution techniques, forensic readiness procedures, the role of threat intelligence and artificial intelligence in computer forensics, and computer forensics standards and best practices.
3. Module 03: Understanding Hard Disks and File Systems now includes file system timeline creation and analysis.
4. Module 04: Data Acquisition and Duplication now includes eDiscovery, eDiscovery collection methodologies, identifying RAID drives in Linux and Windows systems, and data acquisition guidelines.
5. Module 05: Defeating Anti-forensics Techniques now includes recycle bin forensics using Python, file carving on macOS, and recovering ReFS volumes.
6. Module 06: Windows Forensics now includes collecting Windows domain information, examining compressed files, advanced memory forensics, Electron application analysis, web browser forensics, and extracting metadata from PDF and Office documents using Python.
7. Module 07: Linux and Mac Forensics now includes collecting volatile and non-volatile information on a Mac, and Mac memory forensics.
8. Module 08: Network Forensics now includes wireless network forensics and the investigation of wireless network attacks.
9. Module 09: Malware Forensics now includes malware forensics using Python scripts.
10. Module 10: Investigating Web Attacks now includes investigating web attacks using Python scripts.
11. Module 12: Cloud Forensics now includes cloud security risks, Google Cloud fundamentals, and Google Cloud forensics.
12. Module 13: Email and Social Media Forensics now includes social media crimes and social media forensics.
13. Module 14: Mobile Forensics now includes the OWASP Top 10 mobile risks, mobile attacks, and Android and iOS forensic analysis.
14. More than 70 GB of crafted evidence files are provided for investigation purposes.
15. Information is updated to reflect the latest developments, with a proper flow.
16. The latest operating systems are covered, in a patched testing environment.
17. All tool screenshots are replaced with those of the latest version.
18. All tool listing slides are updated with the latest tools.

Module Comparison

CHFIv10                                              CHFIv11
Module 01: Computer Forensics in Today's World       Module 01: Computer Forensics in Today's World
Module 02: Computer Forensics Investigation Process  Module 02: Computer Forensics Investigation Process
Module 03: Understanding Hard Disks and File Systems Module 03: Understanding Hard Disks and File Systems
Module 04: Data Acquisition and Duplication          Module 04: Data Acquisition and Duplication
Module 05: Defeating Anti-forensics Techniques       Module 05: Defeating Anti-forensics Techniques
Module 06: Windows Forensics                         Module 06: Windows Forensics
Module 07: Linux and Mac Forensics                   Module 07: Linux and Mac Forensics
Module 08: Network Forensics                         Module 08: Network Forensics
Module 09: Investigating Web Attacks                 Module 09: Malware Forensics
Module 10: Dark Web Forensics                        Module 10: Investigating Web Attacks
Module 11: Database Forensics                        Module 11: Dark Web Forensics
Module 12: Cloud Forensics                           Module 12: Cloud Forensics
Module 13: Investigating Email Crimes                Module 13: Email and Social Media Forensics
Module 14: Malware Forensics                         Module 14: Mobile Forensics
Module 15: Mobile Forensics                          Module 15: IoT Forensics
Module 16: IoT Forensics


Courseware Content Comparison

Notation used:
1. Red points are new slides in CHFIv11
2. Blue points are substantially modified in CHFIv11
3. Struck-through points are removed from CHFIv10

Module 01: Computer Forensics in Today's World

CHFIv10
Understand the Fundamentals of Computer Forensics
▪ Understanding Computer Forensics
▪ Need for Computer Forensics
▪ Why and When Do You Use Computer Forensics?
Understand Cybercrimes and their Investigation Procedures
▪ Types of Cybercrimes
  o Examples of Cybercrimes
▪ Impact of Cybercrimes at the Organizational Level
▪ Cybercrime Investigation
  o Civil vs. Criminal Investigation
  o Administrative Investigation
Understand Digital Evidence
▪ Introduction to Digital Evidence
▪ Types of Digital Evidence
▪ Roles of Digital Evidence
▪ Sources of Potential Evidence
▪ Rules of Evidence
▪ Best Evidence Rule
▪ Federal Rules of Evidence (United States)
▪ Scientific Working Group on Digital Evidence (SWGDE)
▪ The Association of Chief Police Officers (ACPO) Principles of Digital Evidence
Understand Forensic Readiness, Incident Response and the Role of SOC (Security Operations Center) in Computer Forensics
▪ Forensic Readiness
▪ Forensic Readiness and Business Continuity
▪ Forensics Readiness Planning
▪ Incident Response
▪ Computer Forensics as a part of Incident Response Plan
▪ Overview of Incident Response Process Flow
▪ Role of SOC in Computer Forensics
Identify the Roles and Responsibilities of a Forensic Investigator
▪ Need for a Forensic Investigator
▪ Roles and Responsibilities of a Forensics Investigator
▪ What Makes a Good Computer Forensics Investigator?
▪ Code of Ethics
▪ Accessing Computer Forensics Resources
Understand the Challenges Faced in Investigating Cybercrimes
▪ Challenges Cybercrimes Pose to Investigators
▪ Other Factors That Influence Forensic Investigations
▪ Computer Forensics: Legal Issues
▪ Computer Forensics: Privacy Issues
Understand Legal Compliance in Computer Forensics
▪ Computer Forensics and Legal Compliance
▪ Other Laws Relevant to Computer Forensics

CHFIv11
Understand the Fundamentals of Computer Forensics
▪ Understanding Computer Forensics
▪ Why and When Do You Use Computer Forensics?
▪ Scope of Computer Forensics
Understand Cybercrimes and their Investigation Procedures
▪ Types of Cybercrimes
  o Examples of Cybercrimes
▪ Impact of Cybercrimes at the Organizational Level
▪ Cyber Attribution
  o Cyber Attribution Techniques
  o Challenges of Cyber Attribution
▪ Cybercrime Investigation
  o Civil vs. Criminal Investigation
  o Administrative Investigation
Understand Digital Evidence and eDiscovery
▪ Introduction to Digital Evidence
▪ Types of Digital Evidence
▪ Roles of Digital Evidence
▪ Sources of Potential Evidence
▪ Rules of Evidence
▪ Best Evidence Rule
▪ Federal Rules of Evidence (United States)
▪ The Association of Chief Police Officers (ACPO) (inherited into NPCC) Principles of Digital Evidence
▪ Computer Forensics vs. eDiscovery
▪ Legal and IT Team Considerations for eDiscovery
▪ Best Practices for Handling Digital Evidence
Understand Forensic Readiness
▪ Forensic Readiness
▪ Forensic Readiness and Business Continuity
▪ Forensics Readiness Planning
▪ Forensic Readiness Procedures
  o Forensic Policy
  o Forensics in the Information System Life Cycle
  o Creating an Investigation Team
  o Maintaining an Inventory
  o Host Monitoring
  o Network Monitoring
Understand the Role of Various Processes and Technologies in Computer Forensics
▪ Computer Forensics as a part of Incident Response Plan
▪ Overview of Incident Response Process Flow
▪ Role of Computer Forensics in SOC Operations
▪ Role of Threat Intelligence in Computer Forensics
▪ Role of Artificial Intelligence in Computer Forensics
▪ Forensics Automation and Orchestration
Identify the Roles and Responsibilities of a Forensic Investigator
▪ Need for a Forensic Investigator
▪ Roles and Responsibilities of a Forensics Investigator
▪ What Makes a Good Computer Forensics Investigator?
▪ Code of Ethics
▪ Managing Clients or Employers during Investigations
▪ Accessing Computer Forensics Resources
Understand the Challenges Faced in Investigating Cybercrimes
▪ Challenges Cybercrimes Pose to Investigators
▪ Other Factors that Influence Forensic Investigations
▪ Computer Forensics: Legal Issues
▪ Computer Forensics: Privacy Issues
Understand Various Standards and Best Practices Related to Computer Forensics
▪ ISO Standards
  o ISO/IEC 27037
  o ISO/IEC 27041
  o ISO/IEC 27042
  o ISO/IEC 27043
  o ISO/IEC 27050
▪ ENFSI Best Practices for Forensic Examination of Digital Technology
Understand Laws and Legal Compliance in Computer Forensics
▪ Role of Local/International Agencies during Cybercrime Investigation
▪ Computer Forensics and Legal Compliance
▪ Other Laws Relevant to Computer Forensics


Module 02: Computer Forensics Investigation Process

CHFIv10
Understand the Forensic Investigation Process and its Importance
▪ Forensic Investigation Process
▪ Importance of the Forensic Investigation Process
Understand the Pre-investigation Phase
▪ Setting Up a Computer Forensics Lab
▪ Building the Investigation Team
▪ Understanding the Hardware and Software Requirements of a Forensic Lab
▪ Validating Laboratory Software and Hardware
▪ Ensuring Quality Assurance
Understand First Response
▪ First Response Basics
▪ First Response by Non-forensics Staff
▪ First Response by System/Network Administrators
▪ First Response by Laboratory Forensics Staff
Understand the Investigation Phase
▪ Documenting the Electronic Crime Scene
  o Documenting the Electronic Crime Scene
  o Photographing and Sketching the Scene
▪ Search and Seizure
  o Search and Seizure Process Flow
  o Planning the Search and Seizure
  o Seeking Consent
  o Obtaining Witness Signatures
  o Obtaining Warrant for Search and Seizure
  o Example of a Search Warrant
  o Searches Without a Warrant
  o Collecting Incident Information
  o Initial Search of the Scene
  o Securing and Evaluating the Crime Scene: A Checklist
  o Seizing Evidence at the Crime Scene
  o Dealing with Powered-On Computers
  o Dealing with Powered-Off Computers
  o Dealing with Networked Computers
  o Dealing with Open Files and Startup Files
  o Operating System Shutdown Procedure
  o Dealing with Smartphones or Other Handheld Devices
▪ Evidence Preservation
  o Preserving Evidence
  o Chain of Custody
  o Simple Format of the Chain of Custody Document
  o Chain of Custody Form
  o Chain of Custody on Property Evidence Envelope/Bag and Sign-out Sheet
  o Evidence Bag Contents List
  o Packaging Evidence
  o Exhibit Numbering
  o Determining the Location for Evidence Examination
  o Transporting and Storing Evidence
▪ Data Acquisition
  o Acquiring the Data
  o Duplicating the Data (Imaging)
▪ Data Analysis
  o Analyzing the Data
  o Case Analysis
  o Analysis of the Case
  o Evidence Reconstruction
  o Collecting Evidence from Social Networks
Understand the Post-investigation Phase
▪ Reporting
  o Gathering and Organizing Information
  o Writing the Investigation Report
  o Forensic Investigation Report Template
  o Guidelines for Writing a Report
▪ Testify as an Expert Witness
  o Who is an Expert Witness?
  o Roles of an Expert Witness
  o What Makes a Good Expert Witness?
  o Testifying in the Court
  o General Ethics while Testifying

CHFIv11
Understand the Forensic Investigation Process and its Importance
▪ Importance of Computer Forensic Investigation Process
▪ Phases Involved in the Computer Forensics Investigation Process
Understand First Response
▪ First Response
▪ First Responder
▪ Roles of First Responder
▪ First Response Basics
▪ First Response: Different Situations
  o First Response by Non-forensic Staff
  o First Response by System/Network Administrators
  o First Response by Laboratory Forensics Staff
▪ First Responder Common Mistakes
▪ Health and Safety Issues
Understand the Pre-investigation Phase
▪ Setting Up a Computer Forensics Lab
▪ Building the Investigation Team
▪ Understanding Hardware and Software Requirements of a Forensics Lab
▪ Validating Laboratory Software and Hardware
▪ Ensuring Quality Assurance
▪ Building Security Content, Scripts, Tools, or Methods to Enhance Forensic Processes
Understand the Investigation Phase
▪ Documenting the Electronic Crime Scene
  o Photographing and Sketching the Scene
▪ Search and Seizure
  o Search and Seizure Process Flow
  o Planning Search and Seizure
  o Seeking Consent
  o Obtaining Witness Signatures
  o Obtaining Warrant for Search and Seizure
  o Examples of a Search Warrant
  o Search Without Warrant
  o Collecting Incident Information
  o Initial Search of the Scene
  o Securing and Evaluating Crime Scene
  o Seizing Evidence at Crime Scene
  o Collecting Evidence
  o Dealing with Powered-on Computers
  o Dealing with Powered-off Computers
  o Dealing with Networked Computers
  o Dealing with Open Files and Startup Files
  o Operating System Shutdown Procedure
  o Dealing with Smartphones or Other Handheld Devices
  o Collecting Evidence from Social Networks
▪ Evidence Preservation
  o Chain of Custody
  o Simple Format of Chain of Custody Document
  o Chain of Custody Form
  o Chain of Custody on Property Evidence Envelope/Bag and Sign-out Sheet
  o Evidence Bag Contents List
  o Packaging Evidence
  o Exhibit Numbering
  o Determining Location for Evidence Examination
  o Transporting and Storing Evidence
▪ Data Acquisition
  o Duplicating the Data (Imaging)
▪ Data Analysis
▪ Case Analysis
  o Evidence Reconstruction
Understand the Post-investigation Phase
▪ Reporting
  o Audience of the Computer Forensic Report
  o Gathering and Organizing Information
  o Writing the Investigation Report
  o Forensic Investigation Report Template
  o Guidelines for Writing a Report
  o Visual Aids and Presentation Techniques in a Digital Forensic Report
  o Mock Case Presentations and Critiques
  o Data Visualization and Report Generation Tools
▪ Testifying as an Expert Witness
  o Who is an Expert Witness?
  o Roles of an Expert Witness
  o What Makes a Good Expert Witness?
  o Testifying in Court
  o General Ethics while Testifying

Module 03: Understanding Hard Disks and File Systems

CHFIv10
Describe Different Types of Disk Drives and their Characteristics
▪ Understanding Hard Disk Drive
  o Tracks
  o Sector
  o 4K Sectors
  o Data Density on a Hard Disk
  o CHS (Cylinder-Head-Sector) Data Addressing and Disk Capacity Calculation
  o Measuring the Hard Disk Performance
▪ Understanding Solid-State Drive (SSD)
▪ Disk Interfaces
  o ATA/PATA (IDE/EIDE)
  o Serial ATA/SATA (AHCI)
  o Serial Attached SCSI
  o PCIe SSD
  o SCSI
Explain the Logical Structure of a Disk
▪ Logical Structure of Disks
  o Clusters
  o Lost Clusters
  o Slack Space
  o Master Boot Record (MBR)
  o Structure of a Master Boot Record
  o Disk Partitions
  o BIOS Parameter Block (BPB)
  o Globally Unique Identifier (GUID)
    • GUID Partition Table (GPT)
Understand Booting Process of Windows, Linux and Mac Operating Systems
▪ What is the Booting Process?
▪ Essential Windows System Files
▪ Windows Boot Process: BIOS-MBR Method
  o Identifying the MBR Partition
▪ Windows Boot Process: UEFI-GPT
  o Identifying the GUID Partition Table (GPT)
  o Analyzing the GPT Header and Entries
  o GPT Artifacts
▪ Macintosh Boot Process
▪ Linux Boot Process
Understand Various File Systems of Windows, Linux and Mac Operating Systems
▪ Windows File Systems
  o File Allocation Table (FAT)
    • FAT File System Layout
    • FAT Partition Boot Sector
    • FAT Folder Structure
    • Directory Entries and Cluster Chains
    • Filenames on FAT Volumes
    • FAT32
  o New Technology File System (NTFS)
    • NTFS Architecture
    • NTFS System Files
    • NTFS Partition Boot Sector
    • Cluster Sizes of NTFS Volume
    • NTFS Master File Table (MFT)
      ➢ Metadata Files Stored in the MFT
    • NTFS Attributes
    • NTFS Data Stream
    • NTFS Compressed Files
    • Encrypting File Systems (EFS)
      ➢ Components of EFS
      ➢ EFS Attribute
    • Sparse Files
▪ Linux File Systems
  o Linux File System Architecture
  o Filesystem Hierarchy Standard (FHS)
  o Extended File System (ext)
  o Second Extended File System (ext2)
  o Third Extended File System (ext3)
  o Journaling File System
  o Fourth Extended File System (ext4)
  o Understanding Superblocks, Inodes, and Data Blocks
▪ Mac OS X File Systems
  o Hierarchical File System Plus (HFS+)
    • HFS Plus Volumes
    • HFS Plus Journal
  o Apple File System (APFS)
    • Major Components of APFS
    • APFS vs. HFS Plus
▪ CD-ROM/DVD File System
▪ Virtual File System (VFS) and Universal Disk Format (UDF) File System
Examine File System Using Autopsy and The Sleuth Kit Tools
▪ File System Analysis Using Autopsy
▪ File System Analysis Using The Sleuth Kit (TSK)
  o The Sleuth Kit (TSK): fsstat
  o The Sleuth Kit (TSK): istat
  o The Sleuth Kit (TSK): fls and img_stat
Understand Storage Systems
▪ RAID Storage System
  o Levels of RAID Storage System
  o Just a Bunch of Drives/Disks (JBOD)
  o Host Protected Areas (HPA) and Device Configuration Overlays (DCO)
▪ NAS/SAN Storage
  o Network-Attached Storage (NAS)
  o Storage Area Network (SAN)
  o Differences between NAS and SAN
Understand Encoding Standards and Hex Editors
▪ Character Encoding Standard: ASCII
▪ Character Encoding Standard: UNICODE
▪ OFFSET
▪ Understanding Hex Editors
▪ Understanding Hexadecimal Notation
Analyze Popular File Formats Using Hex Editor
▪ Image File Analysis: JPEG
▪ Image File Analysis: BMP
▪ Hex View of Popular Image File Formats
▪ PDF File Analysis
▪ Word File Analysis
▪ PowerPoint File Analysis
▪ Excel File Analysis
▪ Hex View of Other Popular File Formats
▪ Hex View of Popular Video File Formats
▪ Hex View of Popular Audio File Formats

CHFIv11
Describe Different Types of Disk Drives and their Characteristics
▪ Understanding Hard Disk Drive
  o Tracks
  o Sectors
  o 4K Sectors
  o Data Density on a Hard Disk
  o Logical Block Addressing (LBA) and Disk Capacity Calculation
  o Measuring the Hard Disk Performance
▪ Understanding Solid-State Drive (SSD)
▪ Disk Interfaces
  o Serial ATA/SATA (AHCI)
  o mSATA III, SATA III
  o SCSI
  o Serial Attached SCSI
  o PCIe
  o NVMe
Explain the Logical Structure of a Disk
▪ Logical Structure of Disks
  o Clusters
  o Lost Clusters
  o Slack Space
  o Master Boot Record (MBR)
    • Structure of a Master Boot Record
  o Disk Partitions
  o BIOS Parameter Block (BPB)
  o Globally Unique Identifier (GUID)
    • GUID Partition Table (GPT)
Understand the Booting Process of Windows, Linux, and macOS Operating Systems
▪ What is the Booting Process?
▪ Essential Windows System Files and Components
▪ Windows Boot Process: BIOS-MBR Method
  o Identifying the MBR Partition
▪ Windows Boot Process: UEFI-GPT
  o Identifying the GUID Partition Table (GPT)
  o Analyzing the GPT Header and Entries
  o GPT Artifacts
▪ macOS Boot Process
▪ Linux Boot Process
Understand Various File Systems of Windows, Linux and macOS Operating Systems
▪ Windows File Systems
  o File Allocation Table (FAT)
    • FAT File System Layout
    • FAT Partition Boot Sector
    • FAT Folder Structure
    • Directory Entries and Cluster Chains
    • Filenames on FAT Volumes
    • FAT32
  o exFAT
  o New Technology File System (NTFS)
    • NTFS Architecture
    • NTFS System Files
    • NTFS Partition Boot Sector
    • Cluster Sizes of NTFS Volume
    • NTFS Master File Table (MFT)
      ➢ Metadata Files Stored in the MFT
    • NTFS Attributes
    • NTFS Data Stream
    • NTFS Compressed Files
    • NTFS Journals
      ➢ Extracting information from USN Journal
    • Encrypting File Systems (EFS)
      ➢ Components of EFS
      ➢ EFS Attribute
    • Sparse Files
  o Resilient File System (ReFS)
▪ Linux File Systems
  o Linux File System Architecture
  o Filesystem Hierarchy Standard (FHS)
  o Second Extended File System (ext2)
  o Third Extended File System (ext3)
  o Journaling File System
  o Fourth Extended File System (ext4)
  o Understanding Superblocks, Inodes, and Data Blocks
▪ macOS File Systems
  o Hierarchical File System Plus (HFS+)
    • HFS Plus Volumes
    • HFS Plus Journal
  o Apple File System (APFS)
    • Major Components of APFS
    • APFS vs. HFS Plus
Understand File System Analysis
▪ File System Analysis Using Autopsy
▪ File System Analysis Using The Sleuth Kit (TSK)
  o The Sleuth Kit (TSK): fsstat
  o The Sleuth Kit (TSK): istat
  o The Sleuth Kit (TSK): fls
  o The Sleuth Kit (TSK): img_stat
  o The Sleuth Kit (TSK): ffind
  o The Sleuth Kit (TSK): ils
▪ File System Timeline Creation and Analysis Using The Sleuth Kit (TSK)
  o MACB Timestamps
▪ NTFS Timestamp Rules in Windows and Linux
  o Windows NTFS Timestamp Rules
Understand Storage Systems
▪ RAID Storage System
  o Levels of RAID Storage System
  o Just a Bunch of Drives/Disks (JBOD)
  o Host Protected Areas (HPA) and Device Configuration Overlays (DCO)
▪ Network-Attached Storage (NAS)
▪ Storage Area Network (SAN)
▪ Differences between NAS and SAN
Understand Encoding Standards and Hex Editors
▪ Character Encoding Standards
  o ASCII
  o UNICODE
▪ OFFSET
▪ Understanding Hex Editors
▪ Understanding Hexadecimal Notation
Analyze Popular File Formats Using Hex Editor
▪ Image File Analysis: JPEG
▪ Image File Analysis: BMP
▪ Hex View of Popular Image File Formats
▪ PDF File Analysis
▪ Word File Analysis
▪ PowerPoint File Analysis
▪ Excel File Analysis
▪ Hex View of Other Popular File Formats
▪ Hex View of Popular Video File Formats
▪ Hex View of Popular Audio File Formats

Module 04: Data Acquisition and Duplication

CHFIv10
Understand Data Acquisition Fundamentals
▪ Understanding Data Acquisition
▪ Live Acquisition
▪ Order of Volatility
▪ Dead Acquisition
▪ Rules of Thumb for Data Acquisition
▪ Types of Data Acquisition
  o Logical Acquisition
  o Sparse Acquisition
  o Bit-Stream Imaging
    • Bit-stream disk-to-image file
    • Bit-stream disk-to-disk
▪ Determine the Data Acquisition Format
  o Raw Format
  o Proprietary Format
  o Advanced Forensics Format (AFF)
  o Advanced Forensic Framework 4 (AFF4)
Understand Data Acquisition Methodology
▪ Data Acquisition Methodology
▪ Step 1: Determine the Best Data Acquisition Method
▪ Step 2: Select the Data Acquisition Tool
▪ Step 3: Sanitize the Target Media
▪ Step 4: Acquire Volatile Data
  o Acquire Volatile Data from a Windows Machine
  o Acquire Volatile Data from a Linux Machine
    • Acquire Volatile Data from a Linux Machine Using dd (Local Acquisition)
    • Acquire Volatile Data from a Linux Machine Using dd and Netcat (Remote Acquisition)
    • Acquire Volatile Data from a Linux Machine Using LiME (Local Acquisition)
    • Acquire Volatile Data from a Linux Machine Using LiME and Netcat (Remote Acquisition)
  o Acquire Volatile Data from a Mac Machine Using
    • MacQuisition
    • OSXpmem
▪ Step 5: Enable Write Protection on the Evidence Media
▪ Step 6: Acquire Non-volatile Data
  o Using a Windows Forensic Workstation
  o Using a Linux Forensic Workstation
  o Using macOS - Single User Mode
  o Using macOS - Target Disk Mode
  o Using a Linux Bootable CD/USB
  o Using MacQuisition
  o Acquiring RAID Disks
▪ Step 7: Plan for Contingency
▪ Step 8: Validate Data Acquisition Using
  o Windows Validation Methods
  o Linux/Mac Validation Methods
Prepare an Image File for Examination
▪ Preparing an Image for Examination
  o Scenario 1: The Acquired Evidence is in E01 Format and the Forensic Workstation is Linux
  o Scenario 2: The Acquired Evidence Needs to be Converted to a Bootable VM
  o Scenario 3: The Acquired Physical Hard Disk Contains Windows File System and the Forensic Workstation is Linux
  o Scenario 4: The Acquired Evidence Contains APFS File System and the Forensic Workstation is Linux
▪ Viewing an Image on Windows, Linux and Mac Forensic Workstations

CHFIv11
Understand Data Acquisition Fundamentals
▪ Understanding Data Acquisition
▪ Live Acquisition
▪ Order of Volatility
▪ Dead Acquisition
▪ Rules of Thumb for Data Acquisition
▪ Types of Data Acquisition
  o Logical Acquisition
  o Sparse Acquisition
  o Bitstream Image
    • Bitstream Disk-to-Image File
    • Bitstream Disk-to-Disk
▪ Determine Data Acquisition Format
  o Raw Format
  o Proprietary Format
  o Advanced Forensics Format (AFF)
  o Advanced Forensic Framework 4 (AFF4)
Understand eDiscovery
▪ eDiscovery
▪ Electronic Discovery Reference Model (EDRM) Cycle
▪ Monitor and Maintain Accurate Metrics and Detailed Tracking Information Related to eDiscovery
▪ eDiscovery Collection Methodologies
▪ Best Practices for eDiscovery
▪ eDiscovery Tools
  o Intella Pro
  o Logikcull
  o Nuix
  o Nextpoint
  o Relativity One
  o DISCO Ediscovery
Understand Data Acquisition Methodology
▪ Data Acquisition Methodology
▪ Step 1: Determine the Best Data Acquisition Method
▪ Step 2: Select Data Acquisition Tool
▪ Step 3: Sanitize Target Media
▪ Step 4: Acquire Volatile Data
  o Acquire Volatile Data from Windows Machine
  o Acquire Volatile Data from Linux Machine
    • Acquire Volatile Data from Linux Machine Using dd (Local Acquisition)
    • Acquire Volatile Data from Linux Machine Using dd and Netcat (Remote Acquisition)
    • Acquire Volatile Data from Linux Machine Using LiME (Local Acquisition)
    • Acquire Volatile Data from Linux Machine Using LiME and Netcat (Remote Acquisition)
  o Acquire Volatile Data from Mac Machine Using
    • Digital Collector
▪ Step 5: Enable Write Protection on the Evidence Media
▪ Step 6: Acquire Non-volatile Data
  o Using Windows Forensic Workstation
  o Using Linux Forensic Workstation
  o Using macOS - Single User Mode
  o Using macOS - Target Disk Mode
  o Using Linux Bootable USB
  o Using Digital Collector
  o Acquiring RAID Disks
    • Identifying RAID Drives in Linux System
    • Identifying RAID Drives in Windows System
    • Rebuilding RAID
▪ Step 7: Plan for Contingency
▪ Step 8: Validate Data Acquisition Using
  o Windows Validation Methods
  o Linux/Mac Validation Methods
▪ Data Acquisition Guidelines and Best Practices
Prepare an Image File for Examination
▪ Preparing an Image for Examination
  o Scenario 1: Examining Images on Linux Forensic Workstation
    • Scenario 1.1: Converting E01 Image File to dd Image File
    • Scenario 1.2: Converting E01 Image File to Raw Image File
    • Scenario 1.3: Converting dd Image File to VHDX File
    • Scenario 1.4: Examining a dd Image File
    • Scenario 1.5: Examining Physical Hard Disk
    • Scenario 1.6: Examining Mac APFS Image File
    • Scenario 1.7: Examining Disk Image Using PyTSK
  o Scenario 2: Examining Images on Windows Forensic Workstation
    • Examining Mac HFS+ Image File
  o Scenario 3: Examining Images on Mac Forensic Workstation
▪ Digital Forensic Imaging Tools
  o OSFClone

Module 05: Defeating Anti-forensics Techniques

CHFIv10:
Understand Anti-forensics Techniques
▪ What is Anti-forensics?
▪ Anti-forensics Techniques
Discuss Data Deletion and Recycle Bin Forensics
▪ Anti-forensics Technique: Data/File Deletion
▪ What Happens When a File is Deleted in Windows?
▪ Recycle Bin in Windows
o Recycle Bin Forensics
Illustrate File Carving Techniques and Ways to Recover Evidence from Deleted Partitions
▪ File Carving
o File Carving on Windows
• SSD File Carving on Windows File System
• HDD File Carving on Windows File System
• File Recovery Tools: Windows
o File Carving on Linux
• SSD File Carving on Linux File System
• File Recovery Tools: Linux
o File Carving on macOS
• SSD File Carving on Apple File System
• File Recovery Tools: macOS
▪ Recovering Deleted Partitions
o Recovering Deleted Partitions: Using R-Studio
o Recovering Deleted Partitions: Using EaseUS Data Recovery Wizard
o Partition Recovery Tools
Explore Password Cracking/Bypassing Techniques
▪ Anti-forensics Technique: Password Protection
▪ Using Rainbow Tables to Crack Hashed Passwords
o Tool to Create Rainbow Tables: Winrtgen
▪ Password Cracking: Using L0phtCrack and Ophcrack
▪ Password Cracking: Using Cain & Abel and RainbowCrack
▪ Password Cracking: Using PwDump7
▪ Password Cracking Tools
▪ Bypassing Passwords on Powered-off Computer
o Bypassing BIOS Passwords
o Bypassing BIOS Passwords by Resetting CMOS Using Jumpers
o Bypassing BIOS Passwords by Removing CMOS Battery
▪ Tool to Reset Admin Password
o Lazesoft Recover My Password
o Bypassing Windows User Password: Lazesoft Recovery Suite
o Bypassing Windows User Password by Booting Live CD/USB
o Application Password Cracking Tools
Detect Steganography, Hidden Data in File System Structures, Trail Obfuscation, and File Extension Mismatch
▪ Anti-forensics Technique: Steganography
o Defeating Anti-forensics: Steganalysis
o Steganalysis Methods/Attacks on Steganography
o Detecting Steganography (Text, Image, Audio, and Video Files)
o Steganography Detection Tools
▪ Defeating Anti-forensics Technique: Detecting Data Hiding in File System Structures Using OSForensics
▪ Anti-forensics Technique: Alternate Data Streams
o Defeating Anti-forensics Technique: Detecting Alternate Data Streams
o Defeating Anti-forensics Technique: Detecting Alternate Data Streams Using Stream Detector
▪ Anti-forensics Technique: Trail Obfuscation
▪ Defeating Anti-forensics Technique: Detecting File Extension Mismatch Using Autopsy
Understand Techniques of Artifact Wiping, Overwritten Data/Metadata Detection, and Encryption
▪ Anti-forensics Technique: Artifact Wiping
▪ Anti-forensics Technique: Overwriting Data/Metadata
o Defeating Anti-forensics Technique: Detecting Overwritten Data/Metadata
▪ Anti-forensics Technique: Encryption
o Recover Encrypted Files Using Advanced EFS Data Recovery Tool
Detect Program Packers and Footprint Minimizing Techniques
▪ Anti-forensics Technique: Program Packers
o Unpacking Program Packers
▪ Anti-forensics Techniques that Minimize Footprint
o Defeating Anti-forensics Technique: Detecting USB Devices
Understand Anti-forensic Techniques that Exploit CFT Bugs and CFT Activities, and Interpret their Countermeasures
▪ Anti-forensics Technique: Exploiting Forensics Tools Bugs
▪ Anti-forensics Technique: Detecting Forensic Tool Activities
▪ Anti-forensics Countermeasures
▪ Anti-forensics Tools

CHFIv11:
Understand Anti-forensics Techniques
▪ What is Anti-forensics?
o Anti-forensics Techniques
▪ Challenges to Forensics from Anti-forensics
Discuss Data Deletion and Recycle Bin Forensics
▪ Anti-forensics Technique: Data/File Deletion
▪ What Happens When a File is Deleted in Windows?
▪ Recycle Bin in Windows
o Recycle Bin Forensics
o Recycle Bin Forensics Using Python
Illustrate File Carving Techniques and Ways to Recover Evidence from Deleted Partitions
▪ File Carving
o File Carving on Windows
• SSD File Carving on Windows File System
• HDD File Carving on Windows File System
• File Recovery Tools: Windows
o File Carving on Linux
• SSD File Carving on Linux File System
• File Recovery Tools: Linux
o File Carving on macOS
• SSD File Carving on Apple File System
• Recovering Deleted Files on Mac Machine
• Recovering Deleted Files from USB on Mac Machine
• File Recovery Tools: macOS
o Custom File Carving Signatures
▪ Recovering Deleted Partitions
o Recovering Deleted Partitions: Using R-Studio
o Partition Recovery Tools
o Recovering ReFS Volumes Using ReFSUtil
o RAID Recovery Tools
Explore Password Cracking/Bypassing Techniques
▪ Anti-forensics Technique: Password Protection
▪ Tools to Extract the Password Hashes
▪ Password Cracking Tools
▪ Bypassing Passwords on Powered-off Computer
o Bypassing BIOS Passwords
o Bypassing BIOS Passwords by Resetting CMOS Using Jumpers
o Bypassing BIOS Passwords by Removing CMOS Battery
▪ Tool to Reset Admin and Local User Password: PassFab 4WinKey
▪ Bypassing Windows User Password by Booting Live USB
▪ Application Password Cracking Tools
Detect Steganography, Hidden Data in File System Structures, Trail Obfuscation, and File Extension Mismatch
▪ Anti-forensics Technique: Steganography
o Defeating Anti-forensics: Steganalysis
o Steganalysis Methods on Steganography
o Detecting Steganography (Text, Image, Audio, and Video Files)
o Steganography Detection Tools
▪ Defeating Anti-forensics Technique: Detecting Data Hiding in File System Structures Using OSForensics
▪ Anti-forensics Technique: Alternate Data Streams
o Defeating Anti-forensics Technique: Detecting Alternate Data Streams
o Defeating Anti-forensics Technique: Tools for Detecting Alternate Data Streams
▪ Anti-forensics Technique: Trail Obfuscation
▪ Defeating Anti-forensics Technique: Detecting File Extension Mismatch Using Autopsy
Understand Techniques of Artifact Wiping, Overwritten Data/Metadata Detection, and Encryption
▪ Anti-forensics Technique: Artifact Wiping
▪ Anti-forensics Technique: Overwriting Data/Metadata
o Defeating Anti-forensics Technique: Detecting Overwritten Data/Metadata
▪ Anti-forensics Technique: Encryption
o Recover Encrypted Files Using Elcomsoft Forensic Disk Decryptor
Detect Program Packers and Footprint Minimizing Techniques
▪ Anti-forensics Technique: Program Packers
o Detecting and Unpacking Program Packers
• Detecting Program Packers Using Detect it Easy (DiE)
• Detecting Program Packers Using Exeinfo PE
• Unpacking Program Packers Using Exeinfo PE
▪ Anti-forensics Techniques that Minimize Footprint
o Defeating Anti-forensics Technique: Detecting USB Devices
▪ Anti-forensics Countermeasures

Module 06: Windows Forensics

CHFIv10:
Collect Volatile and Non-volatile Information
▪ Collecting Volatile Information
o Collecting System Time
o Collecting Logged-On Users
• PsLoggedOn Tool
• net sessions Command
• LogonSessions Tool
o Collecting Open Files
• net file Command
• Using NetworkOpenedFiles
o Collecting Network Information
o Collecting Information about Network Connections
o Process Information
o Process-to-Port Mapping
o Examining Process Memory
o Collecting Network Status
o Examining Print Spool files
o Collecting Clipboard Contents and Service/Driver Information
o Collecting Command History and Locally Shared Resource Information
▪ Collecting Non-volatile Information
o Examining File Systems
o ESE Database File
• Examining .edb File Using ESEDatabaseView
o Windows Search Index Analysis
o Detecting Externally Connected Devices to the System
o Slack Space
o Collecting Hidden Partition Information
o Other Non-volatile Information
o Analyzing Windows Thumbnail Cache
Perform Windows Memory and Registry Analysis
▪ Windows Crash Dump
▪ Collecting Process Memory
▪ Random Access Memory (RAM) Acquisition
▪ Memory Forensics
o Malware Analysis Using Redline
o Malware Analysis Using Volatility Framework
o Virtual Memory Acquisition Using FTK Imager
o Page File
• Examining Pagefile Using Strings Command
o Hibernate Files
▪ Windows Registry Analysis
o Windows Registry
o Registry Structure within a Hive File
o Windows Registry: Forensic Analysis
o The Registry as a Log File
o Collecting System Information
o Collecting Last Shutdown Time and Time Zone Information
o Shares
o Wireless SSIDs
o Startup Locations
o System Boot
o Importance of Volume Shadow Copy Services
o User Login
o Microsoft Security ID
o User Activity
o Enumerating Autostart Registry Locations
o Registry Settings
o USB Removable Storage Devices
o Mounted Devices
o Tracking User Activity
o The UserAssist Keys
o MRU Lists
o Connecting to Other Systems
o Analyzing Restore Point Registry Settings
o Determining the Startup Locations
Examine the Cache, Cookie and History Recorded in Web Browsers
▪ Cache, Cookie, and History Analysis: Mozilla Firefox
o Analysis Tool: MZCacheView
o Analysis Tool: MZCookiesView
o Analysis Tool: MZHistoryView
▪ Cache, Cookie, and History Analysis: Google Chrome
o Analysis Tool: ChromeCacheView
o Analysis Tool: ChromeCookiesView
o Analysis Tool: ChromeHistoryView
▪ Cache, Cookie, and History Analysis: Microsoft Edge
o Analysis Tool: IECacheView
o Analysis Tool: EdgeCookiesView
o Analysis Tool: BrowsingHistoryView
Examine Windows Files and Metadata
▪ Windows File Analysis
o System Restore Points (Rp.log Files)
o System Restore Points (Change.log.x Files)
o Prefetch Files
• Examining Prefetch Files Using WinPrefetchView
o Image Files
o Understanding EXIF Data
▪ Metadata Investigation
o Understanding Metadata
o Metadata in Different File Systems
o Metadata in PDF Files
o Metadata in Word Documents
o Metadata Analysis Tool: Metashield Analyzer
Understand ShellBags, LNK Files, and Jump Lists
▪ Windows ShellBags
o Windows ShellBags: Forensic Analysis
o Parsing ShellBags: Using ShellBags Explorer Tool
▪ Analyzing LNK Files
o Analyzing LNK files: LECmd Tool
▪ Analyzing Jump Lists
o Analyzing Jump Lists: JumpListExt Tool
Understand Text-based Logs and Windows Event Logs
▪ Understanding Events
▪ Types of Logon Events
▪ Event Log File Format
▪ Organization of Event Records
▪ ELF_LOGFILE_HEADER Structure
▪ EventLogRecord Structure
▪ Windows 10 Event Logs
▪ Evaluating Account Management Events
▪ Event Logs
o Examining System Log Entries
o Examining Application Log Entries
o Searching with Event Viewer
o Using Event Log Explorer to Examine Log Files
o Windows Event Log Files Internals
o Examining Removable Storage Using Event Viewer
▪ Windows Forensics Tools
o OSForensics
o Kroll Artifact Parser and Extractor (KAPE)
▪ Hashing it Out in PowerShell: Using Get-FileHash

CHFIv11:
Understand Windows Forensics
▪ Introduction to Windows Forensics
▪ Windows Forensics Methodology
Collect Volatile Information
▪ Collecting Volatile Information
o Collecting System Time
o Collecting Logged-on Users
• PsLoggedOn Tool
• net sessions Command
• LogonSessions Tool
o Collecting Open Files
• net file Command
o Collecting Network Information
• Collecting Information about Network Connections
• Collecting Network Status
o Process Information
o Process-to-Port Mapping
o Examining Process Memory
o Examining Print Spool files
o Collecting Clipboard Contents and Service/Driver Information
o Collecting Command History and Locally Shared Resource Information
Collect Non-volatile Information
▪ Collecting Non-volatile Information
o Examining File Systems
o ESE Database File
• Examining .edb Files Using ESEDatabaseView
o Windows Search Index Analysis
o Detecting Externally Connected Devices to the System
o Slack Space
o Collecting Hidden Partition Information
o Collecting User Account Information
o Extracting System Resource Usage Monitor (SRUM) Artifacts
o Analyzing Windows Thumbnail Cache
o Auditing Installed Applications
o Identifying System Updates
▪ Collecting Windows Domain Information
o Collecting Information from Domain Controllers
▪ Examining Compressed Files
o Analyzing ZIP Files in a Windows System
▪ Extracting Information from Sticky Notes Using Python
Perform Windows Memory Analysis
▪ Windows Memory Analysis
▪ Windows Crash Dump
▪ Collecting Process Memory
▪ Memory Forensics
o Malware Analysis Using Redline
o Malware Analysis Using Volatility Framework
o Page File
• Examining Pagefile Using Strings Command
o Hibernate Files
o Extracting Data from Hibernation Files Using Hibernation Recon
o Advanced Memory Forensics Using MemProcFS
• Remote Memory Analysis Using MemProcFS
o Memory Analysis Tools
• Velociraptor
Perform Windows Registry Analysis
▪ Windows Registry Analysis
o Windows Registry
o Windows Registry Data Types
o Registry Structure within a Hive Files
o Windows Registry: Forensic Analysis
o The Registry as Log File
o Collecting System Information
o Collecting Last Shutdown Time and Time Zone Information
o Shares
o Wireless SSIDs
o Startup Locations
o Examining System Bootup and Enumerating Autostart Registry Locations
o Importance of Volume Shadow Copy Services
• Accessing Historical Data from Volume Shadow Copies
o User Login
o Microsoft Security ID
o User Activity
o Registry Settings
o Registry Last Write Time
o Recovering Deleted Registry Keys
o USB Removable Storage Devices
• Identifying Malicious HID USB Devices
o Mounted Devices
o Tracking User Activity
o UserAssist Keys
o MRU Lists
o Connecting to Other Systems
o Analyzing Restore Point Registry Settings
o Determining Startup Locations
o Analyzing Amcache and Shimcache
o Identifying Webcam and Microphone Usage by Illicit Applications
▪ Windows Registry Analysis Using Magnet AXIOM
Perform Electron Application Analysis
▪ Electron Application Forensics
o Electron Application Architecture
o Local Data storage for Electron
▪ Extracting Data from Microsoft Teams
▪ Extracting Data from WhatsApp
▪ Extracting Data from Skype
Perform Web Browser Forensics
▪ Web Browser Forensics
▪ Cache, Cookie, and History Analysis: Mozilla Firefox
o SQLite Database Files Created by Mozilla Firefox
o Examining Download History
o Examining Form History
o Examining Session Recovery Files
o Examining Firefox Extensions
o Examining Firefox Cross-device Synchronization Feature
o Mozilla Firefox Analysis Tools
▪ Cache, Cookie, and History Analysis: Google Chrome
o Examining URLs and Visits Tables
o Examining History, Page Transition Types, and Preferences Files
o Examining Web Data
o Examining Shortcuts
o Examining Network Action Predictor Databases
o Examining Chrome Cache Files and Timestamps
o Examining Download History
o Examining Chrome Session Recovery
o Examining Cross-device Chrome Synchronization
o Google Chrome Analysis Tools
▪ Cache, Cookie, and History Analysis: Microsoft Edge
o Examining Download History
o Examining Session Recovery
o Examining Microsoft Edge Collections
o Examining Microsoft Edge Extensions
o Examining Browser Data Synchronization
o Examining Multiple User Profiles
o Microsoft Edge Analysis Tools
▪ Recovering Private Browsing Data and Browser Artifacts
o Recovering InPrivate Browser Data
• Mozilla Firefox Private Browsing
• Google Chrome Private Browsing
• Microsoft Edge Private Browsing
▪ Carving SQLite Database Files Using FTK® Imager
o Extracting and Rebuilding Cached Web Pages Using FTK® Imager
o Extracting and Analyzing Stored Browser Credentials Using FTK® Imager
Examine Windows Files and Metadata
▪ Windows File Analysis
o System Restore Points (Rp.log Files)
o System Restore Points (Change.log.x Files)
o Prefetch Files
• Examining Prefetch Files Using WinPrefetchView
o Image Files
o Understanding EXIF Data
▪ Metadata Investigation
o Understanding Metadata
o Metadata in Different File Systems
o Metadata in PDF Files
o Extracting Metadata from PDF Documents Using Python
o Metadata in Word Documents
o Extracting Metadata from Office Documents Using Python
o Analyzing Zone.Identifier Streams
o Metadata Analysis Tools
Understand ShellBags, LNK Files, and Jump Lists
▪ Windows ShellBags
o Windows ShellBags: Forensic Analysis
o Parsing ShellBags
▪ Analyzing LNK Files
o Analyzing LNK files Using Belkasoft X
▪ Analyzing Jump Lists
o Tools for Analyzing Jump Lists
Understand Text-based Logs and Windows Event Logs
▪ Understanding Events
▪ Types of Logon Events
▪ Event Log File Format
▪ Organization of Event Records
▪ ELF_LOGFILE_HEADER Structure
▪ EventLogRecord Structure
▪ Windows 11 Event Logs
▪ Evaluating Account Management Events
▪ Event Logs
o Examining System Log Entries
o Examining Application Log Entries
o Searching with Event Viewer
o Using Event Log Explorer to Examine Log Files
o Windows Event Log Files Internals
o Examining Removable Storage Using Event Viewer
o Analyzing Microsoft Office Alert Logs
o Examining Last Failed Login Attempts and Login Count
o Auditing Windows Registry Using Security Audit Event
▪ Windows Forensics Tools
o OSForensics
▪ Hashing it Out in PowerShell: Using Get-FileHash

Module 07: Linux and Mac Forensics

CHFIv10:
Understand Volatile and Non-volatile Data in Linux
▪ Introduction to Linux Forensics
▪ Collecting Volatile Data
o Collecting Hostname, Date, and Time
o Collecting Uptime Data
o Collecting Network Information
o Viewing Network Routing Tables
o Collecting Open Port Information
o Finding Programs/Processes Associated with a Port
o Collecting Data on Open Files
o Collecting Mounted File System Information
o Finding Loaded Kernel Modules
o Collecting User Events and Reading ELF Files
o Viewing Running Processes in the System
o Collecting Swap Areas and Disk Partition Information
o Collecting Kernel Messages
▪ Collecting Non-volatile Data
o Collecting System Information
o Collecting Kernel Information
o Collecting User Account Information
o Collecting Currently Logged-in Users and Login History Information
o Collecting System Logs Data
o Linux Log Files
o Collecting User History File Information and Viewing Hidden Files and Directories
o Collecting Suspicious Information
o File Signature Analysis
o Usage of File and Strings Command
o Using find Command to Find Writable Files
Analyze Filesystem Images Using The Sleuth Kit
▪ File System Analysis Using The Sleuth Kit
o fsstat
o fls
o istat
Demonstrate Memory Forensics Using Volatility & PhotoRec
▪ Memory Forensics
o Introduction
o Collecting Network Information
o Listing Open Files
o Collecting Bash Information
o Collecting System Information
o Collecting Kernel Memory Information
o Malware Analysis Using Volatility Framework
o Carving Memory Dumps Using PhotoRec Tool
Understand Mac Forensics
▪ Introduction to Mac Forensics
▪ Mac Forensics Data
▪ Mac Log Files
▪ Mac Directories
▪ APFS Analysis: Biskus APFS Capture
▪ Parsing Metadata on Spotlight
▪ Mac Forensics Tools

CHFIv11:
Collect Volatile Information in Linux
▪ Introduction to Linux Forensics
▪ Collecting Volatile Information
o Collecting Hostname, Date, and Time
o Collecting Uptime Data
o Collecting Network Information
o Viewing Network Routing Tables
o Collecting Open Port Information
o Finding Programs/Processes Associated with a Port
o Collecting Open Files
o Collecting Mounted File System Information
o Finding Loaded Kernel Modules
o Collecting User Events and Reading ELF Files
o Viewing Running Processes in the System
o Viewing Linux Services Using systemctl
o Collecting Swap Areas and Disk Partition Information
o Collecting Kernel Messages
o Collecting Volatile Information Using Freta
o Collecting Volatile Information Using Python
Collect Non-volatile Information in Linux
▪ Collecting Non-volatile Information
o Collecting System Information
o Collecting Kernel Information
o Collecting User Account Information
o Collecting Currently Logged-in Users and Login History Information
o Collecting System Logs Data
o Linux Log Files
o Collecting User History File Information and Viewing Hidden Files and Directories
o Collecting Suspicious Information
o File Signature Analysis
o Usage of File and Strings Command
o Using find Command to Find Writable Files
o Examining Cron Jobs for Linux
o Performing Hash Calculations Using Python
o Collecting System Reboot History Using Python
o Viewing System Log Entries Using Python
Understand Linux Memory Forensics
▪ Linux Memory Forensics
o Listing Open Files
o Collecting Bash Information
o Collecting System Information
o Collecting Kernel Memory Information
o Malware Analysis Using Volatility Framework
Understand Mac Forensics
▪ Introduction to Mac Forensics
▪ Mac Forensics Data
▪ Mac Log Files
▪ Mac Directories
Collect Volatile Information in Mac
▪ Collecting Volatile Information
o Collecting System Date and Time
o Collecting Process Information
o Collecting Network information
o Collecting Open Files
o Collecting Clipboard Content Using Shell Script
o Collecting Locally Shared Resource Information
o Collecting Other Volatile Information
• Collecting Loaded Kernel Modules
• Collecting Logged-On Users
• Collecting Command History
Collect Non-volatile Information in Mac
▪ Collecting Non-volatile Information
o Collecting System Information and Configuration
o Collecting Desktop Artifacts
o Collecting Startup Files
o Analyzing macOS Thumbnail Cache
o Collecting User Home Folder and Activities Information
o Identifying Last Accessed Files and Folders
o Viewing Log Messages
Understand Mac Memory Forensics and Mac Forensics Tools
▪ Mac Memory Forensics
o Collecting Swap Areas and Disk Partition Information
▪ APFS Analysis
▪ Parsing Metadata on Spotlight
▪ Mac Forensics Tools

Module 08: Network Forensics

CHFIv10:
Understand Network Forensics
▪ Introduction to Network Forensics
▪ Postmortem and Real-Time Analysis
▪ Network Attacks
▪ Indicators of Compromise (IOCs)
▪ Where to Look for Evidence
▪ Types of Network-based Evidence
Explain Logging Fundamentals and Network Forensic Readiness
▪ Log Files as Evidence
▪ Legal Criteria for Admissibility of Logs as Evidence
▪ Records of Regularly Conducted Activity as Evidence
▪ Guidelines to Ensure Log File Credibility and Usability
▪ Ensure Log File Authenticity
▪ Maintain Log File Integrity
▪ Implement Centralized Log Management
o Centralized Logging Best Practices
o Centralized Log Management Challenges
o Addressing the Challenges in Centralized Log Management
Summarize Event Correlation Concepts
▪ Event Correlation
▪ Types of Event Correlation
▪ Prerequisites of Event Correlation
▪ Event Correlation Approaches
Identify Indicators of Compromise (IoCs) from Network Logs
▪ Analyzing Firewall Logs
o Analyzing Firewall Logs: Cisco
o Analyzing Firewall Logs: Check Point
▪ Analyzing IDS Logs
o Analyzing IDS Logs: Juniper
o Analyzing IDS Logs: Check Point
▪ Analyzing Honeypot Logs
▪ Analyzing Router Logs
o Analyzing Router Logs: Cisco
o Analyzing Router Logs: Juniper
▪ Analyzing DHCP Logs
Investigate Network Traffic
▪ Why Investigate Network Traffic?
▪ Gathering Evidence via Sniffers
▪ Sniffing Tool: Tcpdump
▪ Sniffing Tool: Wireshark
o Display Filters in Wireshark
▪ Analyze Traffic for TCP SYN Flood DoS Attack
▪ Analyze Traffic for SYN-FIN Flood DoS Attack
▪ Analyze Traffic for FTP Password Cracking Attempts
▪ Analyze Traffic for SMB Password Cracking Attempts
▪ Analyze Traffic for Sniffing Attempts
o Analyze Traffic for MAC Flooding Attempt
o Analyze Traffic for ARP Poisoning Attempt
▪ Analyze Traffic to Detect Malware Activity
Perform Incident Detection and Examination with SIEM Tools
▪ Centralized Logging Using SIEM Solutions
▪ SIEM Solutions: Splunk Enterprise Security (ES)
▪ SIEM Solutions: IBM QRadar
▪ Examine Brute-force Attacks
▪ Examine DoS Attack
▪ Examine Malware Activity
▪ Examine Data Exfiltration Attempts over FTP
▪ Examine Network Scanning Attempts
▪ Examine Ransomware Attack
▪ Detect Rogue DNS Server (DNS Hijacking/DNS Spoofing)
Monitor and Detect Wireless Network Attacks
▪ Wireless Network Security Vulnerabilities
▪ Monitoring for Attacks and Vulnerabilities
▪ Detect Rogue Access Points
▪ Detect Access Point MAC Address Spoofing Attempts
▪ Detect Misconfigured Access Points
▪ Detect Honeypot Access Points
▪ Detect Signal Jamming Attack

CHFIv11:
Understand Network Forensics
▪ Introduction to Network Forensics
▪ Postmortem and Real-Time Analysis
▪ Network Attacks
▪ Indicators of Compromise (IoCs)
▪ Where to Look for Evidence
▪ Types of Network-based Evidence
Summarize Event Correlation Concepts
▪ Event Correlation
▪ Types of Event Correlation
▪ Prerequisites of Event Correlation
▪ Event Correlation Approaches
o Topology-based Event Correlation
o Cross-domain Event Correlation
o Multivariate Correlation
o Contextual Correlation
Identify Indicators of Compromise (IoCs) from Network Logs
▪ Log Files as Evidence
▪ Analyzing Firewall Logs
o Analyzing Firewall Logs: Cisco
o Analyzing Firewall Logs: Check Point
▪ Analyzing IDS Logs
o Analyzing IDS Logs: OSSEC
o Analyzing IDS Logs: Check Point
▪ Analyzing Honeypot Logs
▪ Analyzing Router Logs
o Analyzing Router Logs: Cisco
o Analyzing Router Logs: Juniper
▪ Analyzing DHCP Logs
▪ Analyzing Cisco Switch Logs
▪ Analyzing VPN Logs
o VPN Log Analysis Using Elastic Stack
▪ Analyzing SSH Logs
▪ Analyzing DNS Server Logs
▪ Network Log Analysis Tools
o Security Onion
o Logz.io
Investigate Network Traffic
▪ Why Investigate Network Traffic?
▪ Gathering Evidence via Sniffers
▪ Sniffing Tools
o Tcpdump
o Wireshark
o Display Filters in Wireshark
o Additional Wireshark Filters
▪ Analyze Traffic for TCP SYN Flood DoS Attack
▪ Analyze Traffic for SYN-FIN Flood DoS Attack
▪ Analyze Traffic for ICMP Flood Attack
▪ Analyze Traffic for UDP Flood Attack
▪ Analyze Traffic for HTTP Flood Attack
▪ Analyze Traffic for FTP Password Cracking Attempts
▪ Analyze Traffic for SMB Password Cracking Attempts
▪ Analyze Traffic for Sniffing Attempts
o Analyze Traffic for MAC Flooding Attempt
o Analyze Traffic for ARP Poisoning Attempt
▪ Analyze Traffic for SMTP HELO Flood Attack
▪ Analyze Traffic to Detect Malware Activity
▪ Analyze Network Traffic through NetFlow
▪ Network Forensic Analysis Using Dshell
▪ Tools for Investigating Network Traffic
o NetworkMiner
o Arkime
Incident Detection and Examination with SIEM Tools
▪ Centralized Logging Using SIEM Solutions
▪ SIEM Solutions
o Splunk Enterprise Security (ES)
o IBM Security Qradar SIEM
▪ Examine Brute-force Attack
▪ Examine DoS Attack
▪ Examine Malware Activity
▪ Examine Data Exfiltration Attempts over FTP
▪ Examine Network Scanning Attempts
▪ Examine Ransomware Attack
▪ Detect Rogue DNS Server (DNS Hijacking/DNS Spoofing)
Understand Wireless Network Forensics
▪ Introduction to Wireless Network Forensics
▪ Wireless Network Forensics Challenges and Risks
▪ Types of Wireless Evidence
▪ Wireless Network Forensics Process
o Step 1: Discover Wireless Access Points
o Step 2: Detect Rogue/Malicious Access Points
o Step 3: Identify Active Connections
o Step 4: Measure Signal Strength
o Step 5: Connect to the Suspected Wireless Network
o Step 6: Sniff and Analyze Packets
Detect and Investigating Wireless Network Attacks
▪ Detect Rogue Access Points
o Wi-Fi Discovery Tools
▪ Detect Access Point MAC Address Spoofing Attempts
▪ Detect Misconfigured Access Points
▪ Detect Wi-Fi Jamming Attempts Using Wireshark
▪ Analyze Wireless Packet Captures
o Examine Client Connections
o Examine Deauthentication Attack
o Examine Disassociation Attack
o Decrypt and Analyze Encrypted Wi-Fi Traffic
▪ Analyze Wi-Fi Spectrum
▪ Analyze the Wireless Network Report
▪ Tools for Investigating Wireless Network Traffic

Module 14: Malware Forensics (CHFIv10) / Module 09: Malware Forensics (CHFIv11)

CHFIv10:
Module 14: Malware Forensics
Define Malware and Identify the Common Techniques Attackers Use to Spread Malware
▪ Introduction to Malware
▪ Components of Malware
▪ Common Techniques Attackers Use to Distribute Malware across Web
Understand Malware Forensics Fundamentals and Recognize Types of Malware Analysis
▪ Introduction to Malware Forensics
▪ Why Analyze Malware?
▪ Malware Analysis Challenges
▪ Identifying and Extracting Malware
▪ Prominence of Setting Up a Controlled Malware Analysis Lab
▪ Preparing Testbed for Malware Analysis
▪ Supporting Tools for Malware Analysis
▪ General Rules for Malware Analysis
▪ Documentation Before Analysis
▪ Types of Malware Analysis
Understand and Perform Static Analysis of Malware
▪ Malware Analysis: Static
o Static Malware Analysis: File Fingerprinting
o Static Malware Analysis: Online Malware Scanning
o Online Malware Analysis Services
o Static Malware Analysis: Performing Strings Search
o Static Malware Analysis: Identifying Packing/Obfuscation Methods
o Static Malware Analysis: Finding the Portable Executables (PE) Information
• Analyzing Portable Executable File Using Pestudio
o Static Malware Analysis: Identifying File Dependencies
o Static Malware Analysis: Malware Disassembly
o Malware Analysis Tool: IDA Pro
Analyze Suspicious Word and PDF Documents
▪ Analyzing Suspicious MS Office Document
▪ Analyzing Suspicious PDF Document
Understand Dynamic Malware Analysis Fundamentals and Approaches
▪ Malware Analysis: Dynamic
o Dynamic Malware Analysis: Pre-Execution Preparation
o Monitoring Host Integrity
o Monitoring Host Integrity Using WhatChanged
o Observing Runtime Behavior
Analyze Malware Behavior on System Properties in Real-time
▪ System Behavior Analysis: Monitoring Registry Artifacts
o Windows AutoStart Registry Keys
o Analyzing Windows AutoStart Registry Keys
▪ System Behavior Analysis: Monitoring Processes
▪ System Behavior Analysis: Monitoring Windows Services
▪ System Behavior Analysis: Monitoring Startup Programs
o Startup Programs Monitoring Tool: AutoRuns for Windows
▪ System Behavior Analysis: Monitoring Windows Event Logs
o Key Event IDs to Monitor
o Examining Windows Event logs
▪ System Behavior Analysis: Monitoring API Calls
▪ System Behavior Analysis: Monitoring Device Drivers
o Device Drivers Monitoring Tool: DriverView
▪ System Behavior Analysis: Monitoring Files and Folders

CHFIv11:
Module 09: Malware Forensics
Understand Malware Concepts
▪ Introduction to Malware
▪ Different Ways for Malware to Enter a System
▪ Common Techniques Attackers Use to Distribute Malware across Web
▪ Components of Malware
Understand Malware Forensics
▪ Introduction to Malware Forensics
▪ Why Analyze Malware?
▪ Malware Analysis Challenges
▪ Malware Forensic Artifacts
▪ Indicators of Malware
▪ Prominence of Setting Up a Controlled Malware Analysis Lab
▪ Preparing Testbed for Malware Analysis
▪ Malware Analysis Tools
▪ Documentation Before Analysis
▪ Types of Malware Analysis
▪ Static Malware Analysis
▪ Dynamic Malware Analysis
o System Baselining
o Host Integrity Monitoring
Perform Static Malware Analysis
▪ Static Malware Analysis: File Fingerprinting
o File Fingerprinting Using Python
▪ Static Malware Analysis: Local and Online Malware Scanning
▪ Static Malware Analysis: Performing Strings Search
o Performing Strings Search Using Python
▪ Static Malware Analysis: Identifying Packing/Obfuscation Methods
o Identifying Packing/Obfuscation Method of ELF Malware
• Detect It Easy (DIE)
▪ Static Malware Analysis: Finding the Portable Executables (PE) Information
o Analyzing PE Files Using Python
▪ Static Malware Analysis: Identifying File Dependencies
o Identifying File Dependencies Using Python
▪ Static Malware Analysis: Malware Disassembly
▪ Static Malware Analysis: Analyzing ELF Portable Executable Files
▪ Static Malware Analysis: Analyzing Mach-O Executable Files
Analyzing Suspicious Documents
▪ Analyzing Suspicious MS Office Document
▪ Analyzing Suspicious MS Excel Document
▪ Analyzing Suspicious PDF Document
o Analyzing Suspicious PDF Document Using YARA
Perform System Behavior Analysis
▪ System Behavior Analysis: Monitoring Registry Artifacts
o Windows AutoStart Registry Keys
o Analyzing Windows AutoStart Registry Keys
o Analyzing Windows AutoStart Registry Keys Using Python
▪ System Behavior Analysis: Monitoring Processes
o Analyzing Windows Processes Using Python
▪ System Behavior Analysis: Monitoring Windows Services
o Analyzing Windows Services Using Python
▪ System Behavior Analysis: Monitoring Startup Programs
o File and Folder Monitoring Tool: PA File o Startup Programs Monitoring Tool:
Sight AutoRuns for Windows
o File and Folder Integrity Checkers: FastSum ▪ System Behavior Analysis: Monitoring
and WinMD5 Windows Event Logs
Analyze Malware Behavior on Network in Real-
o Key Event IDs to Monitor
time
▪ Network Behavior Analysis: Monitoring
o Examining Windows Event logs
Network Activities
▪ System Behavior Analysis: Monitoring API
o Monitoring IP Addresses
Calls
▪ System Behavior Analysis: Monitoring Device
▪ Network Behavior Analysis: Monitoring Port
Drivers
o Device Drivers Monitoring Tool:
o Examining Open Ports
DriverView
o Port Monitoring Tools: TCPView and ▪ System Behavior Analysis: Monitoring
CurrPorts Installation
▪ System Behavior Analysis: Monitoring System
▪ Network Behavior Analysis: Monitoring DNS
Calls
▪ System Behavior Analysis: Monitoring
o Examining DNS Entries
Scheduled Tasks
▪ System Behavior Analysis: Monitoring Files
o DNS Monitoring Tool: DNSQuerySniffer
and Folders
Describe Fileless Malware Attacks and How
Perform Network Behavior Analysis
they Happen
▪ Network Behavior Analysis: Monitoring
▪ Introduction to Fileless Malware
Network Activities
▪ Infection Chain of Fileless Malware o Monitoring IP Addresses
▪ How Fileless Attack Works via Memory
▪ Network Behavior Analysis: Monitoring Port
Exploits
▪ How Fileless Attack Happens via Websites o Examining Open Ports

Page | 34 Computer Hacking Forensic Investigator Copyright © by EC-Council


All Rights Reserved. Reproduction is Strictly Prohibited.
Computer Hacking Forensic Investigator Exam 312-49
Version Change Document

▪ How Fileless Attack Happens via Documents o Port Monitoring Tools


Perform Fileless Malware Analysis - Emotet • TCPView
▪ Fileless Malware Analysis: Emotet ▪ Network Behavior Analysis: Monitoring DNS
▪ Emotet Malware Analysis o Examining DNS Entries
▪ Emotet Malware Analysis: Timeline of the
o DNS Monitoring Tools
Infection Chain
• DNSQuerySniffer
▪ Network Behavior Analysis: Monitoring
Browser Activity
Perform Ransomware Analysis
▪ Ransomware Analysis - BlackCat (ALPHV)
o BlackCat (ALPHV) Malware Analysis
• Initial Access
• Discovery, Credential Access, and
Privilege Escalation
• Defense Evasion, Persistence, and
Lateral Movement
• Data Exfiltration and Covering Tracks
• Encrypt and Create Ransom Note
o BlackCat Toolkit Analysis

CHFIv10: Module 09: Investigating Web Attacks
Understand Web Application Forensics
  ▪ Introduction to Web Application Forensics
  ▪ Challenges in Web Application Forensics
  ▪ Indications of a Web Attack
  ▪ Web Application Threats
  ▪ Web Attack Investigation Methodology
Understand Internet Information Services (IIS) Logs
  ▪ IIS Web Server Architecture
  ▪ IIS Logs
  ▪ Analyzing IIS Logs
Understand Apache Web Server Logs
  ▪ Apache Web Server Architecture
  ▪ Apache Web Server Logs
  ▪ Apache Access Logs
    o Analyzing Apache Access Logs
  ▪ Apache Error Logs
    o Analyzing Apache Error Logs
Understand the Functionality of Intrusion Detection System (IDS)
  ▪ Intrusion Detection System (IDS)
  ▪ How IDS Detects an Intrusion
  ▪ Intrusion Detection Tool: Snort
  ▪ Snort Rules
Understand the Functionality of Web Application Firewall (WAF)
  ▪ Web Application Firewall (WAF)
  ▪ Benefits of WAF
  ▪ Limitations of WAF
  ▪ WAF Tool: ModSecurity
  ▪ Types of ModSecurity Data Formats
    o Analyzing ModSecurity Alerts
    o Analyzing ModSecurity Audit Logs
Investigate Web Attacks on Windows-based Servers
  ▪ Investigating Web Attacks on Windows-based Servers
Detect and Investigate Various Attacks on Web Applications
  ▪ Investigating Cross-Site Scripting (XSS) Attack
    o Investigating XSS: Using Regex to Search XSS Strings
    o Examining Apache Logs for XSS Attack
    o Examining IIS Logs for XSS Attack
    o Examining Snort Alert Logs for XSS Attack
    o Examining WAF Logs for XSS Attack
    o Examining SIEM Logs for XSS Attack
  ▪ Investigating SQL Injection Attack
    o Investigating SQL Injection Attack: Using Regex
    o Examining Apache Logs for SQL Injection Attack
    o Examining IIS Logs for SQL Injection Attack
    o Examining Snort Alert Logs for SQL Injection Attack
    o Examining WAF Logs for SQL Injection Attack
    o Examining SIEM Logs for SQL Injection Attack
  ▪ Investigating Path/Directory Traversal Attack
    o Examining Apache Logs for Path/Directory Traversal Attack
  ▪ Investigating Command Injection Attack
    o Examining Apache Logs for Command Injection Attack
  ▪ Investigating XML External Entity (XXE) Attack
    o Examining Apache Log File for XXE Attack
  ▪ Investigating Brute-force Attack
    o Examining Apache Log File for Brute-force Attack

CHFIv11: Module 10: Investigating Web Attacks
Understand Web Application Forensics
  ▪ Introduction to Web Application Forensics
  ▪ Challenges in Web Application Forensics
  ▪ Indicators of a Web Attack
  ▪ OWASP Top 10 Application Security Risks - 2021
  ▪ Web Application Threats
  ▪ Web Attack Investigation Methodology
Understand Internet Information Services (IIS) Logs
  ▪ IIS Web Server Architecture
  ▪ IIS Logs
  ▪ Analyzing IIS Logs
  ▪ Analyzing IIS HTTP Logs Using HttpLogBrowser
  ▪ Analyzing IIS Web Server Logs Using Python
  ▪ IIS Log Analysis Tools
Understand Apache Web Server Logs
  ▪ Apache Web Server Architecture
  ▪ Apache Web Server Logs
  ▪ Apache Access Logs
    o Analyzing Apache Access Logs
  ▪ Apache Error Logs
    o Analyzing Apache Error Logs
  ▪ Analyzing Apache Web Server Logs Using Python
  ▪ Apache Log Analysis Tools
Detect and Investigate Various Attacks on Web Applications
  ▪ Investigating Cross-Site Scripting (XSS) Attack
    o Investigating XSS: Using Regex to Search XSS Strings
    o Examining Apache Logs for XSS Attack
    o Examining IIS Logs for XSS Attack
    o Examining Snort Alert Logs for XSS Attack
    o Examining WAF Logs for XSS Attack
    o Examining SIEM Logs for XSS Attack
    o Examining Web Server Logs for XSS Attack Using Python
  ▪ Investigating SQL Injection Attack
    o Investigating SQL Injection Attack: Using Regex
    o Examining Apache Logs for SQL Injection Attack
    o Examining IIS Logs for SQL Injection Attack
    o Examining Snort Alert Logs for SQL Injection Attack
    o Examining WAF Logs for SQL Injection Attack
    o Examining SIEM Logs for SQL Injection Attack
  ▪ Investigating Path/Directory Traversal Attack
    o Examining Apache Logs for Path/Directory Traversal Attack
    o Examining Web Server Logs for Path/Directory Traversal Attack Using Python
  ▪ Investigating Command Injection Attack
    o Examining Apache Logs for Command Injection Attack
    o Examining Web Server Logs for Command Injection Attack Using Python
  ▪ Investigating XML External Entity (XXE) Attack
    o Examining Apache Log File for XXE Attack
    o Examining Web Server Logs for XXE Attack Using Python
  ▪ Investigating Brute-force Attack
    o Examining Apache Log File for Brute-force Attack
    o Examining Web Server Logs for Brute-force Attack Using Python
  ▪ Scanning Web Application Directories and Files with YARA Using Python

CHFIv10: Module 10: Dark Web Forensics
Understand the Dark Web and Dark Web Forensics
  ▪ Understanding the Dark Web
  ▪ Tor Relays
  ▪ Working of the Tor Browser
  ▪ Tor Bridge Node
Determine How to Identify the Traces of Tor Browser during Investigation
  ▪ Dark Web Forensics
  ▪ Identifying Tor Browser Artifacts: Command Prompt
  ▪ Identifying Tor Browser Artifacts: Windows Registry
  ▪ Identifying Tor Browser Artifacts: Prefetch Files
Perform Tor Browser Forensics
  ▪ Tor Browser Forensics: Memory Acquisition
  ▪ Collecting Memory Dumps
  ▪ Memory Dump Analysis: Bulk Extractor
  ▪ Forensic Analysis of Memory Dumps to Examine Email Artifacts (Tor Browser Open)
  ▪ Forensic Analysis of Storage to Acquire Email Attachments (Tor Browser Open)
  ▪ Forensic Analysis of Memory Dumps to Examine Email Artifacts (Tor Browser Closed)
  ▪ Forensic Analysis of Storage to Acquire Email Attachments (Tor Browser Closed)
  ▪ Forensic Analysis: Tor Browser Uninstalled
  ▪ Dark Web Forensics Challenges

CHFIv11: Module 11: Dark Web Forensics
Understand the Dark Web
  ▪ Understanding the Dark Web
  ▪ Tor Relays
  ▪ Working of the Tor Browser
  ▪ Tor Bridge Node
  ▪ Dark Web Forensics
  ▪ Dark Web Forensics Challenges
Determine How to Identify the Traces of Tor Browser during Investigation
  ▪ Identifying Tor Browser Artifacts: Command Prompt
  ▪ Identifying Tor Browser Artifacts: Windows Registry
  ▪ Identifying Tor Browser Artifacts: Prefetch Files
  ▪ Identifying Tor Browser Artifacts: places.sqlite File
Perform Tor Browser Forensics
  ▪ Tor Browser Forensics: Memory Acquisition
  ▪ Collecting Memory Dumps
  ▪ Memory Dump Analysis: Bulk Extractor
  ▪ Forensic Analysis of Memory Dumps to Examine Email Artifacts (Tor Browser Open)
  ▪ Forensic Analysis of Storage to Acquire Email Attachments (Tor Browser Open)
  ▪ Forensic Analysis of Memory Dumps to Examine Email Artifacts (Tor Browser Closed)
  ▪ Forensic Analysis of Storage to Acquire Email Attachments (Tor Browser Closed)
  ▪ Forensic Analysis: Tor Browser Uninstalled

CHFIv10: Module 11: Database Forensics
Understand Database Forensics and its Importance
  ▪ Database Forensics and its Importance
Determine Data Storage and Database Evidence Repositories in MSSQL Server
  ▪ Data Storage in SQL Server
  ▪ Database Evidence Repositories
Collect Evidence Files on MSSQL Server
  ▪ Collecting Volatile Database Data
  ▪ Collecting Primary Data File and Active Transaction Logs Using SQLCMD
  ▪ Collecting Primary Data File and Transaction Logs
  ▪ Collecting Active Transaction Logs Using SQL Server Management Studio
  ▪ Collecting Database Plan Cache
  ▪ Collecting Windows Logs
  ▪ Collecting SQL Server Trace Files
  ▪ Collecting SQL Server Error Logs
Perform MSSQL Forensics
  ▪ Database Forensics Using SQL Server Management Studio
  ▪ Database Forensics Using ApexSQL DBA
Understand Internal Architecture of MySQL and Structure of Data Directory
  ▪ Internal Architecture of MySQL
  ▪ Structure of Data Directory
Understand Information Schema and List MySQL Utilities for Performing Forensic Analysis
  ▪ MySQL Forensics
  ▪ Viewing the Information Schema
  ▪ MySQL Utility Programs for Forensic Analysis
Perform MySQL Forensics on WordPress Web Application Database
  ▪ Common Scenario for Reference
  ▪ MySQL Forensics for WordPress Website Database: Scenario 1
    o Collect the Evidence
    o Examine the Log Files
    o Analyze the General Log
    o Take Backup of the Database
    o Create Evidence Database
    o Select Database
    o View Tables in the Database
    o View Users in the Database
    o View Columns in the Table
    o Collect Posts Made by the User
    o Examine the Posts Made by the User
  ▪ MySQL Forensics for WordPress Website Database: Scenario 2
    o Collect the Database and All the Logs
    o Examine the Binary Logs
    o wp_users.ibd in WordPress Database
    o wp_posts.ibd in WordPress Database

CHFIv11: (no corresponding module)

CHFIv10: Module 12: Cloud Forensics
Understand the Basic Cloud Computing Concepts
  ▪ Introduction to Cloud Computing
  ▪ Types of Cloud Computing Services
  ▪ Cloud Deployment Models
  ▪ Cloud Computing Threats
  ▪ Cloud Computing Attacks
Understand Cloud Forensics
  ▪ Introduction to Cloud Forensics
  ▪ Usage of Cloud Forensics
  ▪ Cloud Crimes
  ▪ Cloud Forensics: Stakeholders and their Roles
  ▪ Cloud Forensics Challenges
    o Architecture and Identification
    o Data Collection
    o Logs
    o Legal
    o Analysis
Understand the Fundamentals of Amazon Web Services (AWS)
  ▪ Introduction to Amazon Web Services
  ▪ Division of Responsibilities in AWS
    o Shared Responsibility Model for Infrastructure Services
    o Shared Responsibility Model for Container Services
    o Shared Responsibility Model for Abstracted Services
  ▪ Data Storage in AWS
  ▪ Logs in AWS
Determine How to Investigate Security Incidents in AWS
  ▪ Forensic Acquisition of Amazon EC2 Instance: Methodology
    o Step 1: Isolate the Compromised EC2 Instance
    o Step 2: Take a Snapshot of the EC2 Instance
    o Step 3: Provision and Launch a Forensic Workstation
    o Step 4: Create Evidence Volume from the Snapshot
    o Step 5: Attach the Evidence Volume to the Forensic Workstation
    o Step 6: Mount the Evidence Volume on the Forensic Workstation
  ▪ Investigating Log Files: CloudWatch Logs and S3 Server Access Logs
Understand the Fundamentals of Microsoft Azure
  ▪ Introduction to Microsoft Azure
  ▪ Division of Responsibilities in Azure
  ▪ Data Storage in Azure
  ▪ Logs in Azure
Determine How to Investigate Security Incidents in Azure
  ▪ Forensic Acquisition of VMs in Azure: Methodology
    o Forensic Acquisition of VMs in Azure: The Scenario
    o Step 1: Create a Snapshot of the OS Disk of the Affected VM via Azure Portal and Azure CLI
    o Step 2: Copy the Snapshot to a Storage Account under a Different Resource Group
    o Step 3: Delete the Snapshot from the Source Resource Group and Create a Backup Copy
    o Step 4: Mount the Snapshot onto the Forensic Workstation
    o Analyze the Snapshot via Autopsy

CHFIv11: Module 12: Cloud Forensics
Understand Cloud Computing Concepts
  ▪ Introduction to Cloud Computing
  ▪ Types of Cloud Computing Services
  ▪ Separation of Responsibilities in Cloud
  ▪ OWASP Top 10 Cloud Security Risks
  ▪ Cloud Computing Threats
  ▪ Cloud Computing Attacks
Understand Cloud Forensics
  ▪ Introduction to Cloud Forensics
  ▪ Uses of Cloud Forensics
  ▪ Cyber Crime on Cloud Environment
  ▪ Cloud Forensics: Stakeholders and their Roles
  ▪ Cloud Forensics Challenges
    o Architecture and Identification
    o Data Collection
    o Logs
    o Analysis
    o Legal
    o Role Management
    o Standards
    o Training
    o Anti-forensics
    o Incident First Responders
Understand Amazon Web Services (AWS) Fundamentals
  ▪ Introduction to Amazon Web Services
  ▪ Shared Responsibility Model for AWS
  ▪ Data Storage in AWS
    o AWS Cloud Storage Services
  ▪ Logs in AWS
Perform AWS Forensics
  ▪ Forensic Acquisition of Amazon EC2 Instance: Methodology
    o Step 1: Isolate the Compromised EC2 Instance
    o Step 2: Take a Snapshot of the EC2 Instance
    o Step 3: Provision and Launch a Forensic Workstation
    o Step 4: Create Evidence Volume from the Snapshot
    o Step 5: Attach the Evidence Volume to the Forensic Workstation
    o Step 6: Mount the Evidence Volume on the Forensic Workstation
  ▪ Collecting Information Using AWS-CLI
  ▪ Investigating CloudWatch Logs
  ▪ Investigating S3 Server Access Logs
  ▪ Investigating AWS CloudTrail for IAM-based Incidents
  ▪ Investigating Amazon VPC Flow Logs Using AWS Management Console
  ▪ Analyzing AWS Security Incidents Using GuardDuty
Understand Microsoft Azure Fundamentals
  ▪ Introduction to Microsoft Azure
  ▪ Division of Responsibilities in Azure
  ▪ Data Storage in Azure
    o Azure Data Storage Services
    o Data Redundancy in Azure Storage
  ▪ Logs in Azure
    o Azure Provisioning Logs
Perform Microsoft Azure Forensics
  ▪ Forensic Acquisition of VMs in Azure: Methodology
    o Forensic Acquisition of VMs in Azure: The Scenario
    o Step 1: Create a Snapshot of the OS Disk of the Affected VM via Azure Portal and Azure CLI
    o Step 2: Copy the Snapshot to a Storage Account under a Different Resource Group
    o Step 3: Delete the Snapshot from the Source Resource Group and Create a Backup Copy
    o Step 4: Mount the Snapshot onto the Forensic Workstation
    o Analyze the Snapshot via Autopsy
  ▪ Analyzing Azure Monitor Logs
  ▪ Collecting and Analyzing Logs in Azure AD
  ▪ Investigating Security Incidents using Microsoft Azure Sentinel
Understand Google Cloud Fundamentals
  ▪ Introduction to Google Cloud
  ▪ Shared Responsibilities in Google Cloud
    o Google Kubernetes Engine (GKE) Shared Responsibility
  ▪ Data Storage in Google Cloud
    o Google Cloud Storage Classes
    o Google Cloud Data Storage Services
  ▪ Logs in Google Cloud
Perform Google Cloud Forensics
  ▪ Forensic Acquisition of Persistent Disk Volumes in GCP: Methodology
    o Step 1: Create an Instant Snapshot of a Persistent Disk Volume
    o Step 2: View the Instant Snapshots for a Disk
    o Step 3: Copy an Instant Snapshot to a Different Location
    o Step 4: Delete an Instant Snapshot After Creating Long-term Snapshot
  ▪ Analyzing Google Workspace Logs
  ▪ Analyzing Log Data using Google Cloud Log Analytics
  ▪ Analyzing Google Cloud VPC Flow Logs
  ▪ Investigating Google Cloud Security Incidents
    o Analyzing Access Attempts from Anonymous Proxy
    o Analyzing BigQuery Data Exfiltration
    o Analyzing SSH Brute Force Attempts
    o Analyzing Malware Incident
    o Analyzing Persistent Anomalous IAM Grants
  ▪ Investigating Google Cloud Container Security Incidents
    o Analyzing Malicious Script Executed
    o Analyzing Reverse Shell
  ▪ Investigating Google Cloud VM-based Security Incidents
    o Analyzing Cryptocurrency Mining Hash Match
    o Analyzing Cryptocurrency Mining YARA Rule
CHFIv10: Module 13: Investigating Email Crimes
Understand Email Basics
  ▪ Introduction to an Email System
  ▪ Components Involved in Email Communication
  ▪ How Email Communication Works?
  ▪ Understanding the Parts of an Email Message
Understand Email Crime Investigation and its Steps
  ▪ Introduction to Email Crime Investigation
  ▪ Steps to Investigate Email Crimes
    o Step 1: Seizing the Computer and Email Accounts
    o Step 2: Acquiring the Email Data
      • Acquiring Email Data from Desktop-based Email Clients
        ➢ Local Email Files in Microsoft Outlook
        ➢ Local Email Files in Mozilla Thunderbird
        ➢ Acquiring Thunderbird Local Email Files via SysTools MailPro+
        ➢ Acquiring Outlook Email Files: .ost to .pst File Conversion
        ➢ Acquiring Outlook .pst File via SysTools MailPro+
      • Acquiring Email Data from Web-based Email Accounts
    o Step 3: Examining Email Messages
    o Step 4: Retrieving Email Headers
      • Retrieving Email Headers in Microsoft Outlook
      • Retrieving Email Headers in Microsoft Outlook.com
      • Retrieving Email Headers in AOL
      • Retrieving Email Headers in Apple Mail
      • Retrieving Email Headers in Gmail
      • Retrieving Email Headers in Yahoo Mail
    o Step 5: Analyzing Email Headers
      • Analyzing Email Headers: X-Headers
      • Analyzing Email Headers: Checking Email Authenticity
      • Analyzing Email Headers: Examining the Originating IP Address
      • Analyzing Email Headers: Tracing Email Origin
    o Step 6: Recovering Deleted Email Messages
      • Recovering Deleted Email Messages from Outlook .pst Files Using Paraben’s Electronic Evidence Examiner
      • Recovering Deleted Email Data from Thunderbird Using Paraben’s Electronic Evidence Examiner
U.S. Laws Against Email Crime
  ▪ U.S. Laws Against Email Crime: CAN-SPAM Act

CHFIv11: Module 13: Email and Social Media Forensics
Understand Email Basics
  ▪ Introduction to an Email System
  ▪ Components Involved in Email Communication
  ▪ How Email Communication Works?
  ▪ Understanding the Parts of an Email Message
Understand Email Crime Investigation and its Steps
  ▪ Introduction to Email Crime Investigation
  ▪ Steps to Investigate Email Crimes
    o Step 1: Seizing the Computer and Email Accounts
    o Step 2: Acquiring the Email Data
      • Acquiring Email Data from Desktop-based Email Clients
        ➢ Local Email Files in Microsoft Outlook
        ➢ Local Email Files in Mozilla Thunderbird
        ➢ Acquiring Thunderbird Local Email Files via SysTools MailPro+
        ➢ Acquiring Outlook Email Files: .ost to .pst File Conversion
        ➢ Acquiring Outlook .pst File via SysTools MailPro+
      • Acquiring Email Data from Web-based Email Accounts
    o Step 3: Examining Email Messages
    o Step 4: Retrieving Email Headers
      • Retrieving Email Headers in Microsoft Outlook
      • Retrieving Email Headers in Microsoft outlook.live.com
      • Retrieving Email Headers in AOL
      • Retrieving Email Headers in Apple Mail
      • Retrieving Email Headers in Gmail
      • Retrieving Email Headers in Yahoo Mail
    o Step 5: Analyzing Email Headers
      • Analyzing Email Headers: X-Headers
      • Analyzing Email Headers: Checking Email Authenticity
      • Analyzing Email Headers: Examining the Originating IP Address
      • Investigating a Suspicious Email
      • Analyzing Email Headers: Tracing Back Web-based Email
    o Step 6: Recovering Deleted Email Messages
      • Recovering Deleted Email Messages from Outlook .pst Files Using Autopsy
      • Recovering Deleted Email Data from Thunderbird Using Autopsy
      • Recovering Deleted Emails from Gmail and Outlook
      • Email Recovery Tools
    o Extracting Information from EML Files Using Python
    o Parsing PST Mailboxes Using Python
U.S. Laws Against Email Crime
  ▪ U.S. Laws Against Email Crime: CAN-SPAM Act
Understand Social Media Forensics
  ▪ Introduction to Social Media Forensics
  ▪ Social Media Crimes
  ▪ Social Media Forensics Challenges
  ▪ Manually Collecting Data from Social Media Platforms
  ▪ Collecting Evidence from Social Media Platforms Using WebPreserver
  ▪ Extracting Footages from Social Media Platforms
  ▪ Tracking Social Media User Activities Using Social Searcher
  ▪ Constructing and Analyzing Social Network Graphs
  ▪ Social Media Forensics Tools

CHFIv10: Module 15: Mobile Forensics
Understand the Importance of Mobile Device Forensics
  ▪ Mobile Device Forensics
  ▪ Why Mobile Forensics?
  ▪ Top Threats Targeting Mobile Devices
  ▪ Mobile Hardware and Forensics
  ▪ Mobile OS and Forensics
Illustrate Architectural Layers and Boot Processes of Android and iOS Devices
  ▪ Architectural Layers of Mobile Device Environment
  ▪ Android Architecture Stack
  ▪ Android Boot Process
  ▪ iOS Architecture
  ▪ iOS Boot Process
    o Normal and DFU Mode Booting
    o Booting iPhone in DFU Mode
    o Booting iPhone in Recovery Mode
Explain the Steps Involved in Mobile Forensics Process
  ▪ Mobile Forensics Process
    o Collect the Evidence
    o Document the Evidence
    o Preserve the Evidence
    o Mobile Storage and Evidence Locations
    o Data Acquisition Methods
Investigate Cellular Network Data
  ▪ Components of Cellular Network
  ▪ Different Cellular Networks
  ▪ Cell Site Analysis: Analyzing Service Provider Data
  ▪ CDR Contents
Understand SIM File System and its Data Acquisition Method
  ▪ Subscriber Identity Module (SIM)
    o SIM File System
    o Data Stored in a SIM
    o Integrated Circuit Card Identification (ICCID)
    o International Mobile Equipment Identifier (IMEI)
    o SIM Cloning
    o SIM Data Acquisition Using Oxygen Forensic Extractor
    o SIM Data Acquisition Tools
Illustrate Phone Locks and Discuss Rooting of Android and Jailbreaking of iOS Devices
    o Phone Locking on Android
    o Phone Locking on iOS
    o Rooting of Android Devices
    o Jailbreaking of iOS Devices
    o Risks of Jailbreaking
    o Types of Jailbreaks
    o Semi-tethered Jailbreaking Using Checkra1n
Perform Logical Acquisition on Android and iOS Devices
  ▪ Logical Acquisition
    o Android Debug Bridge (ADB)
    o Steps Involved in Android Forensics Process
    o Logical Acquisition of Android Devices: Using “adb pull” Command
    o Logical Acquisition of Android Devices: Using Commercial Tools
    o Logical Acquisition Tools
    o Steps Involved in iOS Forensics Process
    o Logical Acquisition of iOS Devices: Using iTunes Backup
    o Logical Acquisition of iOS Devices: Using Commercial Tools
  ▪ Cloud Data Acquisition on Android and iOS Devices
  ▪ Cloud Data Acquisition: Using Commercial Tools
Perform Physical Acquisition on Android and iOS Devices
  ▪ Physical Acquisition
    o Physical Acquisition of Android Devices: Using DD Command
    o Physical Acquisition of Android Devices: Using ADB, Busybox, Netcat
    o Physical Acquisition of Android Devices: Using Commercial Tools
    o Android Forensic Analysis: Using Commercial Tools
    o Physical Acquisition of iOS Devices: Using SSH, Netcat
    o Physical Acquisition of iOS Devices: Using Commercial Tools
    o iOS Forensic Analysis: Using Commercial Tools
  ▪ SQLite Database Extraction
    o SQLite Database Browsing Tools: Oxygen Forensics SQLite Viewer
    o SQLite Database Browsing Tools
  ▪ JTAG Forensics
  ▪ Chip-off Forensics
    o Chip-off Forensics Process
    o Chip-off Forensic Equipment
  ▪ Flasher Boxes
Discuss Mobile Forensics Challenges and Prepare Investigation Report
  ▪ Challenges in Mobile Forensics
  ▪ Generate Investigation Report
  ▪ Mobile Forensics Report Template
  ▪ Sample Mobile Forensic Analysis Worksheet
  ▪ Cellebrite UFED Touch Sample Mobile Forensics Report Snapshot

CHFIv11: Module 14: Mobile Forensics
Understand Mobile Device Forensics
  ▪ Mobile Device Forensics
  ▪ OWASP Top 10 Mobile Risks - 2016
  ▪ Mobile Attacks
  ▪ Mobile Hardware and Forensics
  ▪ Mobile OS and Forensics
  ▪ Mobile Forensics Challenges
Understand Android and iOS Architecture and Boot Process
  ▪ Mobile Device Architecture
  ▪ Android OS Architecture
  ▪ Android Boot Process
  ▪ iOS Architecture
  ▪ iOS Boot Process
    o DFU Mode Booting
    o Booting iPhone in DFU Mode
    o Booting iPhone in Recovery Mode
  ▪ Android File System
  ▪ iOS File System
Understand Mobile Forensics Process
  ▪ Mobile Forensics Process
    o Collect the Evidence
    o Document the Evidence
    o Preserve the Evidence
    o Mobile Storage and Evidence Locations
    o Data Acquisition Methods
  ▪ Android Forensics Process
  ▪ iOS Forensics Process
Investigate Cellular Network Data
  ▪ Components of Cellular Network
  ▪ Different Cellular Networks
  ▪ Cell Site Analysis: Analyzing Service Provider Data
  ▪ CDR Contents
Perform File System Acquisition
  ▪ Subscriber Identity Module (SIM)
    o SIM File System
    o Data Stored in a SIM
    o Integrated Circuit Card Identification (ICCID)
    o International Mobile Equipment Identifier (IMEI)
    o SIM Cloning
    o SIM Data Acquisition Using Oxygen Forensic Extractor
    o SIM Data Acquisition Tools
Understand Phone Locks, Rooting, and Jailbreaking of Mobile Devices
  ▪ Phone Locking on Android
  ▪ Bypassing Locked Android Devices
  ▪ Phone Locking on iOS
  ▪ Rooting of Android Devices
  ▪ Rooting Android Using KingoRoot
  ▪ Accessing Root Files in Android
  ▪ Jailbreaking of iOS Devices
  ▪ Risks of Jailbreaking
  ▪ Jailbreaking Techniques
  ▪ Jailbreaking iOS Using Hexxa Plus
Perform Logical Acquisition on Mobile Devices
  ▪ Logical Acquisition
    o Android Debug Bridge (ADB)
    o Logical Acquisition of Android Devices: Using “adb pull” Command
    o Logical Acquisition of Android Devices: Using Commercial Tools
    o Logical Acquisition of iOS Devices: Using Finder
    o Logical Acquisition of iOS Devices: Using Commercial Tools
  ▪ Extracting Data from Android Devices Using Magnet ACQUIRE
  ▪ Cloud Data Acquisition on Android and iOS Devices
  ▪ Cloud Data Acquisition: Using Commercial Tools
Perform Physical Acquisition on Mobile Devices
  ▪ Physical Acquisition
    o Physical Acquisition of Android Devices: Using dd Command
    o Physical Acquisition of Android Devices: Using ADB, Busybox, Netcat
    o Physical Acquisition of Android Devices: Using Commercial Tools
    o Physical Acquisition of iOS Devices: Using SSH, Netcat
    o Physical Acquisition of iOS Devices: Using Commercial Tools
  ▪ SQLite Database Extraction
    o SQLite Database Browsing Tools
    o SQLite Forensics Using Belkasoft X
  ▪ JTAG Forensics
  ▪ Chip-off Forensics
    o Chip-off Forensics Process
    o Chip-off Forensic Equipment
  ▪ Flasher Boxes
Perform Android and iOS Forensic Analysis
  ▪ Static Analysis and Dynamic Analysis of Android Package Kit (APK)
  ▪ Android Logs
  ▪ Examining Android Logs Using Logcat
  ▪ Android Log Analysis Tools
  ▪ Collecting WhatsApp Artifacts from Android Devices
  ▪ Analyzing Android Chrome Artifacts
  ▪ Android Forensic Analysis: Using Commercial Tools
  ▪ Extracting iOS Signal Data Using Belkasoft Evidence Center
  ▪ Analyzing iOS Safari Artifacts
  ▪ Decrypting and Analyzing iOS Keychains
  ▪ iOS Forensic Analysis: Using Commercial Tools

CHFIv10 Module 16: IoT Forensics
Understand IoT and IoT Security Problems
▪ What is IoT?
▪ IoT Architecture
▪ IoT Security Problems
▪ OWASP Top 10 IoT Vulnerabilities
▪ IoT Attack Surface Areas
Recognize Different Types of IoT Threats
▪ IoT Threats
  o DDoS Attack
  o Attack on HVAC Systems
  o Rolling Code Attack
  o BlueBorne Attack
  o Jamming Attack
  o Hacking Smart Grid/Industrial Devices: Remote Access Using Backdoor
  o Other IoT Attacks
Understand IoT Forensics
▪ Introduction to IoT Forensics
▪ IoT Forensics Process
▪ Case Study: Default Passwords Aid Satori IoT Botnet Attacks
▪ IoT Forensics Challenges
Perform Forensics on IoT Devices
▪ Wearable IoT Device: Smartwatch
  o Wearable IoT Device Forensics: Smartwatch
  o Steps Involved in Data Acquisition and Analysis of Android Wear
  o Logical Acquisition of Android Wear
  o Physical Acquisition of Android Wear
  o Forensic Examination of Evidence File: Android Wear
  o Recovered Forensic Artifacts: Android Wear
▪ IoT Device Forensics: Smart Speaker—Amazon Echo
  o Amazon Alexa Forensics: Client-based Analysis
  o Amazon Alexa Forensics: Cloud-based Analysis
  o List of Amazon Alexa APIs
▪ Hardware Level Analysis: JTAG and Chip-off Forensics

CHFIv11 Module 15: IoT Forensics
Understand IoT Concepts
▪ What is the IoT?
▪ IoT Architecture
▪ IoT Security Problems
▪ OWASP Top 10 IoT Threats
▪ OWASP IoT Attack Surface Areas
▪ IoT Attacks
Perform Forensics on IoT Devices
▪ Introduction to IoT Forensics
▪ IoT Forensics Process
▪ IoT Forensics Challenges
▪ Wearable IoT Device: Smartwatch
  o Wearable IoT Device Forensics: Smartwatch
  o Steps Involved in Data Acquisition and Analysis of Android Wear
  o Logical Acquisition of Android Wear
  o Physical Acquisition of Android Wear
  o Forensic Examination of Evidence File: Android Wear
  o Recovered Forensic Artifacts: Android Wear
  o Forensic Data Extraction of Apple Watch
▪ IoT Device Forensics: Smart Speaker—Amazon Echo
  o Amazon Alexa Forensics: Client-based Analysis
  o Amazon Alexa Forensics: Cloud-based Analysis
▪ Hardware Level Analysis: JTAG and Chip-off Forensics
▪ Extracting and Analyzing Data from Drone/UAVs
▪ IoT Forensics Tools
Labs Comparison
Notation used:
1. Red points are new labs in CHFIv11
2. Blue points are substantially modified labs in CHFIv11
3. Struck-through labs are removed from CHFIv10

Module 01: Computer Forensics in Today's World
  No labs listed in either version.

Module 02: Computer Forensics Investigation Process
  CHFIv10:
    1. Recovering Data from a Windows Hard Disk
    2. Performing Hash, or HMAC Calculations
    3. Comparing Hash Values of Files for Checking their Integrity
    4. Viewing Files of Various Formats
    5. Handling Evidence Data
    6. Creating a Disk Image File of a Hard Disk Partition
  CHFIv11:
    1. Recover Data from a Windows Hard Disk
    2. Perform Hash or HMAC Calculations
    3. Compare Hash Values of Files for Checking their Integrity
    4. View Files of Various Formats
    5. Handle Evidence Data
    6. Create a Disk Image File of a Hard Disk Partition

Module 03: Understanding Hard Disks and File Systems
  CHFIv10:
    1. Analyzing File System of a Linux Image
    2. Analyzing File System of Windows Images
    3. Recovering Deleted Files from Hard Disks
  CHFIv11:
    1. Analyze File System of a Linux Image
    2. Analyze File System of Windows Images
    3. Recover Deleted Files from Hard Disks
    4. File System Timeline Creation and Analysis Using The Sleuth Kit (TSK)
    5. Analyze Popular File Formats Using Hex Editor

Module 04: Data Acquisition and Duplication
  CHFIv10:
    1. Creating a dd Image of a System Drive
    2. Converting Image File from E01 Format to dd Format
    3. Mounting Images on a Linux Forensic Workstation
    4. Converting Acquired Image File to a Bootable Virtual Machine
    5. Acquiring RAM from Windows and Linux Workstations
    6. Creating Customized Images from an Image Containing NTFS File System
    7. Viewing Contents of Forensic Image File
  CHFIv11:
    1. Create a dd Image of a System Drive
    2. Convert Image File from E01 Format to dd Format
    3. Mount Images on a Linux Forensic Workstation
    4. Acquire RAM from Windows and Linux Workstations
    5. Create Customized Images from an Image Containing NTFS File System
    6. View Contents of Forensic Image File
    7. Access a Disk Image Using PyTSK Tool

Module 05: Defeating Anti-forensics Techniques
  CHFIv10:
    1. SSD File Carving on a Windows File System
    2. SSD File Carving on Linux File System
    3. Recovering Data from Lost / Deleted Disk Partition
    4. Recovering Data from a Partition that is Deleted and Merged into another Partition
    5. Cracking Application Passwords
    6. Detecting Steganography
    7. Detecting Alternate Data Streams
    8. Detecting File Extension Mismatch
    9. Unpacking Program Packers
  CHFIv11:
    1. SSD File Carving on a Windows File System
    2. SSD File Carving on a Linux File System
    3. Recover Data from Lost/Deleted Disk Partition
    4. Recover Data from a Partition that is Deleted and Merged into another Partition
    5. Extract Password Hashes from the Target System using pwdump
    6. Crack Application Passwords
    7. Detect Steganography
    8. Detect Alternate Data Streams
    9. Detect File Extension Mismatch
    10. Unpack Program Packers

Module 06: Windows Forensics
  CHFIv10:
    1. Acquiring Volatile Information from a Live Windows System
    2. Investigating Forensic Image of Windows RAM
    3. Examining Web Browser Artifacts
    4. Discovering and Extracting Forensic Data from Computers
    5. Extracting Information about Loaded Processes on a Computer
    6. Viewing, Monitoring, and Analyzing Events Occurred on a Windows Machine
    7. Performing Digital Forensic Investigation on a Computer
    8. Collecting and Parsing Forensic Artifacts on a Live Windows Machine
  CHFIv11:
    1. Acquire Volatile Information from a Live Windows System
    2. Investigate Forensic Image of Windows RAM
    3. Extract and Analyze Windows RAM Dump Files using MemProcFS
    4. Capture and Examine Windows Registry Files on a Live System
    5. Examine Web Browser Artifacts
    6. Recover InPrivate Browsing Data and Browser Artifacts
    7. Carve and Analyze the Browser SQLite3 Database Files
    8. Extract and Rebuild Cached Web Pages of Google Chrome
    9. Discover and Extract Forensic Data from Computers
    10. Extract Information about Loaded Processes on a Computer
    11. View, Monitor, and Analyze Events Occurred on a Windows Machine

Module 07: Linux and Mac Forensics
  CHFIv10:
    1. Acquiring Volatile Data in Linux System
    2. Investigating Forensic Image of Linux and Mac
    3. Performing Forensic Investigation on a Linux Memory Dump
    4. Recovering Data from a Linux Memory Dump
  CHFIv11:
    1. Acquire Volatile Data in a Linux System
    2. Acquire Non-Volatile Data in Linux System
    3. Investigate Forensic Images of Linux and Mac Systems
    4. Perform Forensic Investigation on a Linux Memory Dump
    5. Recover Data from a Linux Memory Dump

Module 08: Network Forensics
  CHFIv10:
    1. Investigating an FTP Brute Force Attack using SIEM Tool
    2. Investigating Network Attacks using Kiwi Log Viewer
    3. Investigating Various Network Attacks using Wireshark
  CHFIv11:
    1. Identify and Investigate an FTP Brute Force Attack using Splunk
    2. Investigate Network Attacks using Kiwi Log Viewer
    3. Identify and Investigate Various Network Attacks using Wireshark
    4. Analyze SSH Logs
    5. Capture and Analyze Raw Packets Using Python

Malware Forensics (CHFIv10 Module 13 / CHFIv11 Module 09)
  CHFIv10:
    1. Performing Static Analysis on a Suspicious File
    2. Forensic Examination of Suspicious PDF file
    3. Forensic Examination of a Suspicious Microsoft Office document
    4. Examining a Suspicious File using Online Resources
    5. Emotet Malware Analysis
  CHFIv11:
    1. Perform Static Analysis on a Suspicious File
    2. Perform Static Analysis on a Suspicious File using Python Scripts
    3. Forensic Examination of a Suspicious PDF File
    4. Forensic Examination of a Suspicious Microsoft Office Document
    5. Examine a Suspicious File Using Online Resources
    6. Emotet Malware Analysis
    7. Examine Windows Event Logs

Investigating Web Attacks (CHFIv10 Module 09 / CHFIv11 Module 10)
  CHFIv10:
    1. Identifying and Investigating Web Application Attacks Using Splunk
  CHFIv11:
    1. Identify and Investigate Web Application Attacks Using Splunk
    2. Identify and Investigate Web Application Attacks Using Python

Dark Web Forensics (CHFIv10 Module 10 / CHFIv11 Module 11)
  CHFIv10:
    1. Detecting TOR Browser on a Machine
    2. Analyzing RAM dump and Examining TOR Browser Artifacts
  CHFIv11:
    1. Detect Tor Browser Activity on Windows Machine
    2. Analyze RAM Dumps to Retrieve Tor Browser Artifacts

Database Forensics (CHFIv10 Module 11; no corresponding module in CHFIv11)
  CHFIv10:
    1. Analyzing SQLite Databases
    2. Performing Forensic Investigation on a MySQL Database
  CHFIv11:
    No labs listed.

Module 12: Cloud Forensics
  CHFIv10:
    1. Examining Log Data on Amazon CloudWatch Console
    2. Forensically Acquiring and Examining an Amazon EC2 instance
    3. Forensically Acquiring and Examining an Azure VM
  CHFIv11:
    1. Forensically Acquire and Examine Amazon EC2 Instance
    2. Forensically Acquire and Examine an Azure Virtual Machine
    3. Forensically Acquire and Examine a GCP Virtual Machine

Email Forensics (CHFIv10 Module 14: Investigating Email Crimes / CHFIv11 Module 13: Email and Social Media Forensics)
  CHFIv10:
    1. Investigating a Suspicious Email
    2. Recovering Deleted Email Messages using Recover My Email
    3. Recovering Deleted Email Messages Using Paraben’s E3: Universal
  CHFIv11:
    1. Investigate a Suspicious Email
    2. Recover Deleted Email Messages Using Recover My Email
    3. Recover Deleted Email Messages Using Recovery Toolbox for Outlook
    4. Extract Information from EML Files Using Python

Mobile Forensics (CHFIv10 Module 15 / CHFIv11 Module 14)
  CHFIv10:
    1. Performing Data Acquisition on Android Mobile Device
    2. Analyzing Android Forensic Image and Carving Deleted Files
  CHFIv11:
    1. Analyze an Android Forensic Image and Carve Deleted Files

IoT Forensics (CHFIv10 Module 16 / CHFIv11 Module 15)
  CHFIv10:
    1. Performing Data Acquisition on an Android Wear Device
  CHFIv11:
    No labs listed.
