1. Module II: Digital Incident Response
1.1. Digital Incident Assessment
1.1.1. Type of Inicident
1.1.1.1. Upon notification of an incident, you must determine the following on the digital device involved:a) whether it is considered to be "Contraband" or "the fruits of the crime" of the offence. b) does it contain evidence of the incident or the offence. c) was used as a tool of the offence. d) was used as a stotrage device
1.1.2. Parties Involved
1.1.2.1. Complainants
1.1.2.2. Victims
1.1.2.3. Witnesses
1.1.2.4. Informants
1.1.2.5. Suspects
1.1.3. Incident/ Equipements
1.1.4. Available Response Resources
1.2. Securing Digital Evidence
1.3. Chain of Custody
2. Module I: Computer Forensic Incidents
2.1. The Legal System
2.2. Criminal Incidents
2.2.1. Types
2.2.1.1. Identity Theft
2.2.1.2. Telecommunications fraud
2.2.1.3. Online Auction Fraud
2.2.1.4. Trafficking in Contraband
2.2.1.5. Network Intrusions
2.2.1.6. Cyber Threats
2.2.1.7. Pirating Intellectual Property
2.3. Civil Incidents
2.3.1. Types
2.3.1.1. Theft of Proprietory Data
2.3.1.2. Misuse of Corporate IT assets
2.3.1.3. Sexual Harassment Lawsuits
2.3.1.4. Compliance wit SOX
2.3.1.5. Compliance with Gramm-Leach-Biley Act
2.4. Internal Threat
2.4.1. Employee wrongful termination lawsuits
2.5. External Threat
2.6. Investigative Challenges
2.7. Comp Fraud
3. Module IV - Digital Evidence Protocol
3.1. Digital Forensic Science tool, technique, Approach, analysis and Process the digital evidence
3.1.1. These evidence help reconstruct the Incident
3.1.2. Proof in court of Law
3.2. Data File – Active Data, Archival data, Backup Data, Residual Data (Free Space, File Slack, RAM Slack, Swap Files, Temp File, Unallocated Space, E-Mail, Background Data (Audit Trail, Access control, Metadata)
3.2.1. Active Data
3.2.1.1. word, spreadsheet, datbase
3.2.1.2. Photographs, calander
3.2.2. Archival Data
3.2.2.1. Not an active data but is stored in fee Space on HDD, media
3.2.3. Backup data
3.2.3.1. Data copied in safe area/media
3.2.3.2. Win95/98 - c:\windows\sysbackp\rb001-5.cab
3.2.3.3. WinNT/XP/2K - c:\document setting\username\ntuser.dat
3.2.4. Residual Data
3.2.4.1. May be deleted file on file structure
3.2.4.2. RAM, File Slack (unallocated cluster space), swap file (hidden), temp file, unallocated space
3.3. The Court and Rule of Evidence – US Federal Rules of Procedure (Data compaliation, Data Duplication/Authentication by Expert
3.3.1. Data Compilation
3.3.2. Information Discoverable
3.3.3. Verification/validation, Standard followed
4. Module - VII. Digital Evidence Presentation
4.1. Admissible Digital Evidence
4.1.1. Inculpatory Evidence
4.1.2. Exculpatory Evidence
4.1.3. Evidence of Tampering
4.2. The Best Evidence Rule
4.3. Layman's Analogies
4.4. Digital Evidence- Hearsay
4.5. Authenticity & Alteration
5. Module VI
6. Module V: Forensic Examination Protocol
6.1. Forensic Scinence – The Applcation of Science to law
6.2. It utilized for Identifying, recovering, reconstructing or analyzing evidence during a criminal and civil investigation.
6.3. It diverges from traditional area because of rate of advancement of technologies
6.4. Analyze available evidence Create hypothesis,Perform test This process will lead to Strong possibility about what have occurred
6.5. Cardinal Rules of Digital forensic
6.5.1. Never mishandled Evidence
6.5.2. Never work on original evidence
6.5.3. Never trust the system Document
6.5.4. Document all action.
6.6. Alpha 5
6.6.1. Assessment
6.6.2. Acquisition
6.6.3. Authentication - may use MD5, SHA1
6.6.4. Analysis & Reporting
6.6.5. Archives
6.7. Keyword search is the most important aspect of digital forensic
6.8. Examine executable files & run suspicious application in a standalone environment
7. Module III - OS /Disk Storage Concepts
7.1. Disk Based Operating System
7.1.1. DOS
7.1.1.1. DOS 1.x
7.1.1.2. DOS 2.x
7.1.1.3. DOS 3.x
7.1.1.4. DOS 6.x
7.1.1.4.1. DOS 6.22
7.1.1.5. DOS 7.0
7.1.1.6. DOS 7.1
7.1.2. FAT
7.1.2.1. FAT 12
7.1.2.2. FAT 16
7.1.2.3. VFAT
7.1.2.4. FAT32
7.1.3. NTFS