COMPUTER HACKING FORENSIC INVESTIGATOR

  • Computer Forensics in Today's World

    • Forensics Science
    • Computer Forensics
      • Security Incident Report
      • Aspects of Organizational Security
      • Evolution of Computer Forensics
      • Objective of Computer Forensics
      • Need for Computer Forensics
    • Forensics Readiness
      • Benefits of Forensics Readiness
      • Goals of Forensics Readiness
      • Forensics Readiness Planning
    • Cyber Crime
      • Computer Facilitated Crimes
      • Modes of Attacks
      • Examples of Cyber Crime
      • Types of Computer Crimes
      • Cyber Criminals
      • Organized Cyber Crime: Organizational Chart
      • How Serious are Different Types of Incidents?
      • Disruptive Incidents to the Business
      • Cost Expenditure Responding to the Security Incident
    • Cyber Crime Investigation
      • Key Steps in Forensics Investigation
      • Rules of Forensics Investigation
      • Need for Forensics Investigator
      • Role of Forensics Investigator
      • Accessing Computer Forensics Resources
      • Role of Digital Evidence
    • Corporate Investigations
      • Understanding Corporate Investigations
      • Approach to Forensics Investigation: A Case Study
      • Instructions for the Forensic Investigator to Approach the Crime Scene
      • Why and When Do You Use Computer Forensics?
      • Enterprise Theory of Investigation (ETI)
      • Legal Issues
      • Reporting the Results
    • Reporting a Cyber Crime
      • Why You Should Report Cybercrime?
      • Reporting Computer-Related Crimes
      • Person Assigned to Report the Crime
      • When and How to Report an Incident?
      • Who to Contact in Law Enforcement?
      • Federal Local Agents Contact
      • More Contacts
      • CIO Cyberthreat Report Form

  • Computer Forensics Investigation Process

    • Investigating Computer Crime
      • Before the Investigation
      • Build a Forensics Workstation
      • Building the Investigation Team
      • People Involved in Computer Forensics
      • Review Policies and Laws
      • Forensics Laws
      • Notify Decision Makers and Acquire Authorization
      • Risk Assessment
      • Build a Computer Investigation Toolkit
    • Steps to Prepare for a Computer Forensics Investigation
    • Computer Forensics Investigation Methodology
      • Obtain Search Warrant
        • Example of Search Warrant
        • Searches Without a Warrant
      • Evaluate and Secure the Scene
        • Forensics Photography
        • Gather the Preliminary Information at the Scene
        • First Responder
      • Collect the Evidence
        • Collect Physical Evidence
          • Evidence Collection Form
        • Collect Electronic Evidence
        • Guidelines for Acquiring Evidence
      • Secure the Evidence
        • Evidence Management
        • Chain of Custody
          • Chain of Custody Form
      • Acquire the Data
        • Duplicate the Data (Imaging)
        • Verify Image Integrity
          • MD5 Hash Calculators: HashCalc, MD5 Calculator and HashMyFiles
        • Recover Lost or Deleted Data
          • Data Recovery Software
      • Analyze the Data
        • Data Analysis
        • Data Analysis Tools
      • Assess Evidence and Case
        • Evidence Assessment
        • Case Assessment
        • Processing Location Assessment
        • Best Practices to Assess the Evidence
      • Prepare the Final Report
        • Documentation in Each Phase
        • Gather and Organize Information
        • Writing the Investigation Report
        • Sample Report
      • Testifying as an Expert Witness
        • Expert Witness
        • Testifying in the Court Room
        • Closing the Case
        • Maintaining Professional Conduct
        • Investigating a Company Policy Violation
        • Computer Forensics Service Providers

  • Searching and Seizing Computers

    • Searching and Seizing Computers without a Warrant
      • Searching and Seizing Computers without a Warrant
      • § A: Fourth Amendment’s “Reasonable Expectation of Privacy” in Cases Involving Computers: General Principles
      • § A.1: Reasonable Expectation of Privacy in Computers as Storage Devices
      • § A.3: Reasonable Expectation of Privacy and Third-Party Possession
      • § A.4: Private Searches
      • § A.5: Use of Technology to Obtain Information
      • § B: Exceptions to the Warrant Requirement in Cases Involving Computers
      • § B.1: Consent
      • § B.1.a: Scope of Consent
      • § B.1.b: Third-Party Consent
      • § B.1.c: Implied Consent
      • § B.2: Exigent Circumstances
      • § B.3: Plain View
      • § B.4: Search Incident to a Lawful Arrest
      • § B.5: Inventory Searches
      • § B.6: Border Searches
      • § B.7: International Issues
      • § C: Special Case: Workplace Searches
      • § C.1: Private Sector Workplace Searches
      • § C.2: Public-Sector Workplace Searches
    • Searching and Seizing Computers with a Warrant
      • Searching and Seizing Computers with a Warrant
      • A: Successful Search with a Warrant
      • A.1: Basic Strategies for Executing Computer Searches
      • § A.1.a: When Hardware is itself Contraband, Evidence, or an Instrumentality or Fruit of Crime
      • § A.1.b: When Hardware is Merely a Storage Device for Evidence of Crime
      • § A.2: The Privacy Protection Act
      • § A.2.a: The Terms of the Privacy Protection Act
      • § A.2.b: Application of the PPA to Computer Searches and Seizures
      • § A.3: Civil Liability Under the Electronic Communications Privacy Act (ECPA)
      • § A.4: Considering the Need for Multiple Warrants in Network Searches
      • § A.5: No-Knock Warrants
      • § A.6: Sneak-and-Peek Warrants
      • § A.7: Privileged Documents
      • § B: Drafting the Warrant and Affidavit
      • § B.1: Accurately and Particularly Describe the Property to be Seized in the Warrant and/or Attachments to the Warrant
      • § B.1.a: Defending Computer Search Warrants Against Challenges Based on the Description of the “Things to Be Seized”
      • § B.2: Establish Probable Cause in the Affidavit
      • § B.3: In the Affidavit Supporting the Warrant, include an Explanation of the Search Strategy as Well as the Practical & Legal Considerations that Will Govern the Execution of the Search
      • § C: Post-Seizure Issues
      • § C.1: Searching Computers Already in Law Enforcement Custody
      • § C.2: The Permissible Time Period for Examining Seized Computers
      • § C.3: Rule 41(e) Motions for Return of Property
    • The Electronic Communications Privacy Act
      • The Electronic Communications Privacy Act
      • § A. Providers of Electronic Communication Service vs. Remote Computing Service
      • § B. Classifying Types of Information Held by Service Providers
      • § C. Compelled Disclosure Under ECPA
      • § D. Voluntary Disclosure
      • § E. Working with Network Providers
    • Electronic Surveillance in Communications Networks
      • Electronic Surveillance in Communications Networks
      • A. Content vs. Addressing Information
      • B. The Pen/Trap Statute, 18 U.S.C. §§ 3121-3127
      • C. The Wiretap Statute (“Title III”), 18 U.S.C. §§ 2510-2522
      • § C.1: Exceptions to Title III
      • § D. Remedies for Violations of Title III and the Pen/Trap Statute
    • Evidence
      • Evidence
      • § A. Authentication
      • § B. Hearsay
      • § C. Other Issues

  • Digital Evidence

    • Digital Data
      • Definition of Digital Evidence
      • Increasing Awareness of Digital Evidence
      • Challenging Aspects of Digital Evidence
      • The Role of Digital Evidence
      • Characteristics of Digital Evidence
      • Fragility of Digital Evidence
      • Anti-Digital Forensics (ADF)
    • Types of Digital Data
      • Types of Digital Data
    • Rules of Evidence
      • Rules of Evidence
      • Best Evidence Rule
      • Federal Rules of Evidence
      • International Organization on Computer Evidence (IOCE)
      • IOCE International Principles for Digital Evidence
      • Scientific Working Group on Digital Evidence (SWGDE)
      • SWGDE Standards for the Exchange of Digital Evidence
    • Electronic Devices: Types and Collecting Potential Evidence
      • Electronic Devices: Types and Collecting Potential Evidence
    • Digital Evidence Examination Process
      • Evidence Assessment
        • Evidence Assessment
        • Prepare for Evidence Acquisition
      • Evidence Acquisition
        • Preparation for Searches
        • Seizing the Evidence
        • Imaging
        • Bit-Stream Copies
        • Write Protection
        • Evidence Acquisition
        • Evidence Acquisition from Crime Location
        • Acquiring Evidence from Storage Devices
        • Collecting Evidence
        • Collecting Evidence from RAM
        • Collecting Evidence from a Standalone Network Computer
        • Chain of Custody
        • Chain of Evidence Form
      • Evidence Preservation
        • Preserving Digital Evidence: Checklist
        • Preserving Removable Media
        • Handling Digital Evidence
        • Store and Archive
        • Digital Evidence Findings
      • Evidence Examination and Analysis
        • Evidence Examination
        • Physical Extraction
        • Logical Extraction
        • Analyze Host Data
        • Analyze Storage Media
        • Analyze Network Data
        • Analysis of Extracted Data
        • Timeframe Analysis
        • Data Hiding Analysis
        • Application and File Analysis
        • Ownership and Possession
      • Evidence Documentation and Reporting
        • Documenting the Evidence
        • Evidence Examiner Report
        • Final Report of Findings
        • Computer Evidence Worksheet
        • Hard Drive Evidence Worksheet
        • Removable Media Worksheet
    • Electronic Crime and Digital Evidence Consideration by Crime Category
      • Electronic Crime and Digital Evidence Consideration by Crime Category

  • First Responder Procedures

    • Electronic Evidence
    • First Responder
    • Roles of First Responder
    • Electronic Devices: Types and Collecting Potential Evidence
    • First Responder Toolkit
      • First Responder Toolkit
      • Creating a First Responder Toolkit
      • Evidence Collecting Tools and Equipment
    • First Response Basics
      • First Response Rule
      • Incident Response: Different Situations
      • First Response for System Administrators
      • First Response by Non-Laboratory Staff
      • First Response by Laboratory Forensics Staff
    • Securing and Evaluating Electronic Crime Scene
      • Securing and Evaluating Electronic Crime Scene: A Checklist
      • Securing the Crime Scene
      • Warrant for Search and Seizure
      • Planning the Search and Seizure
      • Initial Search of the Scene
      • Health and Safety Issues
    • Conducting Preliminary Interviews
      • Questions to Ask When Client Calls the Forensic Investigator
      • Consent
      • Sample of Consent Search Form
      • Witness Signatures
      • Conducting Preliminary Interviews
      • Conducting Initial Interviews
      • Witness Statement Checklist
    • Documenting Electronic Crime Scene
      • Documenting Electronic Crime Scene
      • Photographing the Scene
      • Sketching the Scene
      • Video Shooting the Crime Scene
    • Collecting and Preserving Electronic Evidence
      • Collecting and Preserving Electronic Evidence
      • Order of Volatility
      • Dealing with Powered On Computers
      • Dealing with Powered Off Computers
      • Dealing with Networked Computer
      • Dealing with Open Files and Startup Files
      • Operating System Shutdown Procedure
      • Computers and Servers
      • Preserving Electronic Evidence
      • Seizing Portable Computers
      • Switched On Portables
      • Collecting and Preserving Electronic Evidence
    • Packaging and Transporting Electronic Evidence
      • Evidence Bag Contents List
      • Packaging Electronic Evidence
      • Exhibit Numbering
      • Transporting Electronic Evidence
      • Handling and Transportation to the Forensics Laboratory
      • Storing Electronic Evidence
      • Chain of Custody
      • Simple Format of the Chain of Custody Document
      • Chain of Custody Forms
      • Chain of Custody on Property Evidence Envelope/Bag and Sign-out Sheet
    • Reporting the Crime Scene
      • Reporting the Crime Scene
    • Note Taking Checklist
    • First Responder Common Mistakes

  • Computer Forensics Lab

    • Setting a Computer Forensics Lab
      • Computer Forensics Lab
      • Planning for a Forensics Lab
      • Budget Allocation for a Forensics Lab
      • Physical Location Needs of a Forensics Lab
      • Structural Design Considerations
      • Environmental Conditions
      • Electrical Needs
      • Communication Needs
      • Work Area of a Computer Forensics Lab
      • Ambience of a Forensics Lab
      • Ambience of a Forensics Lab: Ergonomics
      • Physical Security Recommendations
      • Fire-Suppression Systems
      • Evidence Locker Recommendations
      • Computer Forensic Investigator
      • Law Enforcement Officer
      • Lab Director
      • Forensics Lab Licensing Requisite
      • Features of the Laboratory Imaging System
      • Technical Specification of the Laboratory-Based Imaging System
      • Forensics Lab
      • Auditing a Computer Forensics Lab
      • Recommendations to Avoid Eyestrain
    • Investigative Services in Computer Forensics
      • Computer Forensics Investigative Services
      • Computer Forensic Investigative Service Sample
      • Computer Forensics Services: PenrodEllis Forensic Data Discovery
      • Data Destruction Industry Standards
      • Computer Forensics Services
    • Computer Forensics Hardware
      • Equipment Required in a Forensics Lab
      • Forensic Workstations
      • Basic Workstation Requirements in a Forensics Lab
      • Stocking the Hardware Peripherals
      • Paraben Forensics Hardware
        • Handheld First Responder Kit
        • Wireless StrongHold Bag
        • Wireless StrongHold Box
        • Passport StrongHold Bag
        • Device Seizure Toolbox
        • Project-a-Phone
        • Lockdown
        • iRecovery Stick
        • Data Recovery Stick
        • Chat Stick
        • USB Serial DB9 Adapter
        • Mobile Field Kit
      • Portable Forensic Systems and Towers: Forensic Air-Lite VI MK III laptop
      • Portable Forensic Systems and Towers: Original Forensic Tower II and Forensic Solid Steel Tower
      • Portable Forensic Workhorse V: Tableau 335 Forensic Drive Bay Controller
      • Portable Forensic Systems and Towers: Forensic Air-Lite IV MK II
      • Portable Forensic Systems and Towers: Forensic Air-Lite V MK III
      • Portable Forensic Systems and Towers: Forensic Tower IV Dual Xeon
      • Portable Forensic Systems and Towers: Ultimate Forensic Machine
      • Forensic Write Protection Devices and Kits: Ultimate Forensic Write Protection Kit II-ES
      • Tableau T3u Forensic SATA Bridge Write Protection Kit
      • Tableau T8 Forensic USB Bridge Kit/Addonics Mini DigiDrive READ ONLY 12-in-1 Flash Media Reader
      • Tableau TACC 1441 Hardware Accelerator
        • Multiple TACC1441 Units
      • Tableau TD1 Forensic Duplicator
      • Power Supplies and Switches
      • Digital Intelligence Forensic Hardware
        • FRED SR (Dual Xeon)
        • FRED-L
        • FRED SC
        • Forensic Recovery of Evidence Data Center (FREDC)
        • Rack-A-TACC
        • FREDDIE
        • UltraKit
        • UltraBay II
        • UltraBlock SCSI
        • Micro Forensic Recovery of Evidence Device (µFRED)
        • HardCopy 3P
      • Wiebetech
        • Forensics DriveDock v4
        • Forensics UltraDock v4
        • Drive eRazer
        • v4 Combo Adapters
        • ProSATA SS8
        • HotPlug
      • CelleBrite
        • UFED System
        • UFED Physical Pro
        • UFED Ruggedized
      • DeepSpar
        • Disk Imager Forensic Edition
        • 3D Data Recovery
        • Phase 1 Tool: PC-3000 Drive Restoration System
        • Phase 2 Tool: DeepSpar Disk Imager
        • Phase 3 Tool: PC-3000 Data Extractor
      • InfinaDyne Forensic Products
        • Robotic Loader Extension for CD/DVD Inspector
        • Robotic System Status Light
      • Image MASSter
        • Solo-4 (Super Kit)
        • RoadMASSter-3
        • WipeMASSter
        • WipePRO
        • Rapid Image 7020CS IT
      • Logicube
        • Forensic MD5
        • Forensic Talon®
        • Portable Forensic Lab™
        • CellDEK®
        • Forensic Quest-2®
        • NETConnect™
        • RAID I/O Adapter™
        • GPStamp™
        • OmniPort
        • Desktop WritePROtects
        • USB Adapter
        • CloneCard Pro
        • EchoPlus
        • OmniClone IDE Laptop Adapters
        • Cables
      • VoomTech
        • HardCopy 3P
        • SHADOW 2
    • Computer Forensics Software
      • Basic Software Requirements in a Forensic Lab
      • Maintain Operating System and Application Inventories
      • Imaging Software
        • R-drive Image
        • P2 eXplorer Pro
        • AccuBurn-R for CD/DVD Inspector
        • Flash Retriever Forensic Edition
      • File Conversion Software
        • FileMerlin
        • SnowBatch®
        • Zamzar
      • File Viewer Software
        • File Viewer
        • Quick View Plus 11 Standard Edition
      • Analysis Software
        • P2 Commander
        • DriveSpy
        • SIM Card Seizure
        • CD/DVD Inspector
        • Video Indexer (Vindex™)
      • Monitoring Software
        • Device Seizure
        • Deployable P2 Commander (DP2C)
        • ThumbsDisplay
        • Email Detective
      • Computer Forensics Software
        • DataLifter
        • X-Ways Forensics
        • LiveWire Investigator

  • Understanding Hard Disks and File Systems

    • Hard Disk Drive Overview
      • Disk Drive Overview
      • Hard Disk Drive
      • Solid-State Drive (SSD)
      • Physical Structure of a Hard Disk
      • Logical Structure of Hard Disk
      • Types of Hard Disk Interfaces
      • Hard Disk Interfaces
        • ATA
        • SCSI
        • IDE/EIDE
        • USB
        • Fibre Channel
      • Disk Platter
      • Tracks
        • Track Numbering
      • Sector
        • Advanced Format: Sectors
        • Sector Addressing
      • Cluster
        • Cluster Size
        • Changing the Cluster Size
        • Slack Space
        • Lost Clusters
      • Bad Sector
      • Hard Disk Data Addressing
      • Disk Capacity Calculation
      • Measuring the Performance of the Hard Disk
    • Disk Partitions and Boot Process
      • Disk Partitions
      • Master Boot Record
        • Structure of a Master Boot Record
      • What is the Booting Process?
      • Essential Windows System Files
      • Windows Boot Process
      • Macintosh Boot Process
      • http://www.bootdisk.com
    • Understanding File Systems
      • Understanding File Systems
      • Types of File Systems
      • List of Disk File Systems
      • List of Network File Systems
      • List of Special Purpose File Systems
      • List of Shared Disk File Systems
      • Popular Windows File Systems
        • File Allocation Table (FAT)
          • FAT File System Layout
          • FAT Partition Boot Sector
          • FAT Structure
          • FAT Folder Structure
          • Directory Entries and Cluster Chains
          • Filenames on FAT Volumes
          • Examining FAT
          • FAT32
        • New Technology File System (NTFS)
          • NTFS Architecture
          • NTFS System Files
          • NTFS Partition Boot Sector
          • Cluster Sizes of NTFS Volume
          • NTFS Master File Table (MFT)
            • Metadata Files Stored in the MFT
          • NTFS Files and Data Storage
          • NTFS Attributes
          • NTFS Data Stream
          • NTFS Compressed Files
            • Setting the Compression State of a Volume
          • Encrypting File Systems (EFS)
            • Components of EFS
            • Operation of Encrypting File System
            • EFS Attribute
            • Encrypting a File
            • EFS Recovery Key Agent
            • Tool: Advanced EFS Data Recovery
            • Tool: EFS Key
          • Sparse Files
          • Deleting NTFS Files
        • Registry Data
        • Examining Registry Data
        • FAT vs. NTFS
      • Popular Linux File Systems
        • Linux File System Architecture
        • Ext2
        • Ext3
      • Mac OS X File System
        • HFS vs. HFS Plus
        • HFS
        • HFS Plus
          • HFS Plus Volumes
          • HFS Plus Journal
      • Sun Solaris 10 File System: ZFS
      • CD-ROM / DVD File System
      • CDFS
    • RAID Storage System
      • RAID Levels
      • Different RAID Levels
      • Comparing RAID Levels
      • Recover Data from Unallocated Space Using File Carving Process
    • File System Analysis Using The Sleuth Kit (TSK)
      • The Sleuth Kit (TSK)
        • The Sleuth Kit (TSK): fsstat
        • The Sleuth Kit (TSK): istat
        • The Sleuth Kit (TSK): fls and img_stat

  • Windows Forensics

    • Collecting Volatile Information
      • Volatile Information
        • System Time
          • Logged-on Users
          • Psloggedon
          • Net Sessions Command
          • Logonsessions Tool
        • Open Files
          • Net File Command
          • PsFile Utility
          • OpenFiles Command
        • Network Information
        • Network Connections
        • Process Information
        • Process-to-Port Mapping
        • Process Memory
        • Network Status
        • Other Important Information
    • Collecting Non-volatile Information
      • Non-volatile Information
        • Examine File Systems
        • Registry Settings
        • Microsoft Security ID
        • Event Logs
        • Index.dat File
        • Devices and Other Information
        • Slack Space
        • Virtual Memory
        • Swap File
        • Windows Search Index
        • Collecting Hidden Partition Information
        • Hidden ADS Streams
          • Investigating ADS Streams: StreamArmor
        • Other Non-Volatile Information
    • Windows Memory Analysis
      • Memory Dump
      • EProcess Structure
      • Process Creation Mechanism
      • Parsing Memory Contents
      • Parsing Process Memory
      • Extracting the Process Image
      • Collecting Process Memory
    • Windows Registry Analysis
      • Inside the Registry
      • Registry Structure within a Hive File
      • The Registry as a Log File
      • Registry Analysis
      • System Information
      • TimeZone Information
      • Shares
      • Audit Policy
      • Wireless SSIDs
      • Autostart Locations
      • System Boot
      • User Login
      • User Activity
      • Enumerating Autostart Registry Locations
      • USB Removable Storage Devices
      • Mounted Devices
      • Finding Users
      • Tracking User Activity
      • The UserAssist Keys
      • MRU Lists
      • Search Assistant
      • Connecting to Other Systems
      • Analyzing Restore Point Registry Settings
      • Determining the Startup Locations
    • Cache, Cookie, and History Analysis
      • Cache, Cookie, and History Analysis in IE
      • Cache, Cookie, and History Analysis in Firefox
      • Cache, Cookie, and History Analysis in Chrome
      • Analysis Tools
        • IE Cookies View
        • IE Cache View
        • IE History Viewer
        • MozillaCookiesView
        • MozillaCacheView
        • MozillaHistoryView
        • ChromeCookiesView
        • ChromeCacheView
        • ChromeHistoryView
    • MD5 Calculation
      • Message Digest Function: MD5
      • Why MD5 Calculation?
      • MD5 Hash Calculators: HashCalc, MD5 Calculator and HashMyFiles
      • MD5 Checksum Verifier
      • ChaosMD5
    • Windows File Analysis
      • Recycle Bin
      • System Restore Points (Rp.log Files)
      • System Restore Points (Change.log.x Files)
      • Prefetch Files
      • Shortcut Files
      • Word Documents
      • PDF Documents
      • Image Files
      • File Signature Analysis
      • NTFS Alternate Data Streams
      • Executable File Analysis
      • Documentation Before Analysis
      • Static Analysis Process
      • Search Strings
      • PE Header Analysis
      • Import Table Analysis
      • Export Table Analysis
      • Dynamic Analysis Process
      • Creating Test Environment
      • Collecting Information Using Tools
      • Process of Testing the Malware
    • Metadata Investigation
      • Metadata
      • Types of Metadata
      • Metadata in Different File Systems
      • Metadata in PDF Files
      • Metadata in Word Documents
      • Tool: Metadata Analyzer
    • Text Based Logs
      • Understanding Events
      • Event Logon Types
      • Event Record Structure
      • Vista Event Logs
      • IIS Logs
        • Parsing IIS Logs
      • Parsing FTP Logs
        • FTP sc-status Codes
      • Parsing DHCP Server Logs
      • Parsing Windows Firewall Logs
      • Using the Microsoft Log Parser
    • Other Audit Events
      • Evaluating Account Management Events
      • Examining Audit Policy Change Events
      • Examining System Log Entries
      • Examining Application Log Entries
    • Forensic Analysis of Event Logs
      • Searching with Event Viewer
      • Using EnCase to Examine Windows Event Log Files
      • Windows Event Log Files Internals
    • Windows Password Issues
      • Understanding Windows Password Storage
      • Cracking Windows Passwords Stored on Running Systems
      • Exploring Windows Authentication Mechanisms
        • LanMan Authentication Process
        • NTLM Authentication Process
        • Kerberos Authentication Process
      • Sniffing and Cracking Windows Authentication Exchanges
      • Cracking Offline Passwords
    • Forensic Tools
      • Windows Forensics Tool: OS Forensics
      • Windows Forensics Tool: Helix3 Pro
      • Integrated Windows Forensics Software: X-Ways Forensics
      • X-Ways Trace
      • Windows Forensic Toolchest (WFT)
      • Built-in Tool: Sigverif
      • Computer Online Forensic Evidence Extractor (COFEE)
      • System Explorer
      • Tool: System Scanner
      • Secret Explorer
      • Registry Viewer Tool: Registry Viewer
      • Registry Viewer Tool: Reg Scanner
      • Registry Viewer Tool: Alien Registry Viewer
      • MultiMon
      • CurrProcess
      • Process Explorer
      • Security Task Manager
      • PrcView
      • ProcHeapViewer
      • Memory Viewer
      • Tool: PMDump
      • Word Extractor
      • Belkasoft Evidence Center
      • Belkasoft Browser Analyzer
      • Metadata Assistant
      • HstEx
      • XpoLog Center Suite
      • LogViewer Pro
      • Event Log Explorer
      • LogMeister
      • ProDiscover Forensics
      • PyFlag
      • LiveWire Investigator
      • ThumbsDisplay
      • DriveLook

  • Data Acquisition and Duplication

    • Data Acquisition and Duplication Concepts
      • Data Acquisition
      • Forensic and Procedural Principles
      • Types of Data Acquisition Systems
      • Data Acquisition Formats
      • Bit Stream vs. Backups
      • Why Create a Duplicate Image?
      • Issues with Data Duplication
      • Data Acquisition Methods
      • Determining the Best Acquisition Method
      • Contingency Planning for Image Acquisitions
      • Data Acquisition Mistakes
    • Data Acquisition Types
      • Rules of Thumb
      • Static Data Acquisition
        • Collecting Static Data
        • Static Data Collection Process
      • Live Data Acquisition
        • Why Is Volatile Data Important?
        • Volatile Data
        • Order of Volatility
        • Common Mistakes in Volatile Data Collection
        • Volatile Data Collection Methodology
        • Basic Steps in Collecting Volatile Data
        • Types of Volatile Information
    • Disk Acquisition Tool Requirements
      • Disk Imaging Tool Requirements
      • Disk Imaging Tool Requirements: Mandatory
      • Disk Imaging Tool Requirements: Optional
    • Validation Methods
      • Validating Data Acquisitions
      • Linux Validation Methods
      • Windows Validation Methods
    • RAID Data Acquisition
      • Understanding RAID Disks
      • Acquiring RAID Disks
      • Remote Data Acquisition
    • Acquisition Best Practices
      • Acquisition Best Practices
    • Data Acquisition Software Tools
      • Acquiring Data on Windows
      • Acquiring Data on Linux
      • dd Command
      • dcfldd Command
      • Extracting the MBR
      • Netcat Command
      • EnCase Forensic
      • Analysis Software: DriveSpy
      • ProDiscover Forensics
      • AccessData FTK Imager
      • Mount Image Pro
      • Data Acquisition Toolbox
      • SafeBack
      • ILookPI
      • RAID Recovery for Windows
      • R-Tools R-Studio
      • F-Response
      • PyFlag
      • LiveWire Investigator
      • ThumbsDisplay
      • DataLifter
      • X-Ways Forensics
      • R-drive Image
      • DriveLook
      • DiskExplorer
      • P2 eXplorer Pro
      • Flash Retriever Forensic Edition
    • Data Acquisition Hardware Tools
      • US-LATT
      • Image MASSter: Solo-4 (Super Kit)
      • Image MASSter: RoadMASSter-3
      • Tableau TD1 Forensic Duplicator
      • Logicube: Forensic MD5
      • Logicube: Portable Forensic Lab™
      • Logicube: Forensic Talon®
      • Logicube: RAID I/O Adapter™
      • DeepSpar: Disk Imager Forensic Edition
      • Logicube: USB Adapter
      • Disk Jockey PRO
      • Logicube: Forensic Quest-2®
      • Logicube: CloneCard Pro
      • Logicube: EchoPlus
      • Paraben Forensics Hardware: Chat Stick
      • Image MASSter: Rapid Image 7020CS IT
      • Digital Intelligence Forensic Hardware: UltraKit
      • Digital Intelligence Forensic Hardware: UltraBay II
      • Digital Intelligence Forensic Hardware: UltraBlock SCSI
      • Digital Intelligence Forensic Hardware: HardCopy 3P
      • Wiebetech: Forensics DriveDock v4
      • Wiebetech: Forensics UltraDock v4
      • Image MASSter: WipeMASSter
      • Image MASSter: WipePRO
      • Portable Forensic Systems and Towers: Forensic Air-Lite V MK III
      • Forensic Tower IV Dual Xeon
      • Digital Intelligence Forensic Hardware: FREDDIE
      • DeepSpar: 3D Data Recovery
        • Phase 1 Tool: PC-3000 Drive Restoration System
        • Phase 2 Tool: DeepSpar Disk Imager
        • Phase 3 Tool: PC-3000 Data Extractor
      • Logicube
        • Cables
        • Adapters
        • GPStamp™
        • OmniPort
        • CellDEK®
      • Paraben Forensics Hardware
        • Project-a-Phone
        • Mobile Field Kit
        • iRecovery Stick
      • CelleBrite
        • UFED System
        • UFED Physical Pro

  • Recovering Deleted Files and Deleted Partitions

    • Recovering the Deleted Files
      • Deleting Files
      • What Happens When a File is Deleted in Windows?
      • Recycle Bin in Windows
        • Storage Locations of Recycle Bin in FAT and NTFS System
        • How the Recycle Bin Works
        • Damaged or Deleted INFO File
        • Damaged Files in Recycled Folder
        • Damaged Recycle Folder
      • File Recovery in MAC OS X
      • File Recovery in Linux
    • File Recovery Tools for Windows
      • Recover My Files
      • EASEUS Data Recovery Wizard
      • PC INSPECTOR File Recovery
      • Recuva
      • DiskDigger
      • Handy Recovery
      • Quick Recovery
      • Stellar Phoenix Windows Data Recovery
      • Tools to Recover Deleted Files
        • Total Recall
        • Advanced Disk Recovery
        • Windows Data Recovery Software
        • R-Studio
        • PC Tools File Recover
        • Data Rescue PC
        • Smart Undelete
        • FileRestore Professional
        • Deleted File Recovery Software
        • DDR Professional Recovery Software
        • Data Recovery Pro
        • GetDataBack
        • UndeletePlus
        • Search and Recover
        • File Scavenger
        • Filesaver
        • Virtual Lab
        • Active@ UNDELETE
        • Win Undelete
        • R-Undelete
        • Recover4all Professional
        • eData Unerase
        • Active@ File Recovery
        • FinalRecovery
    • File Recovery Tools for MAC
      • MAC File Recovery
      • MAC Data Recovery
      • Boomerang Data Recovery Software
      • VirtualLab
      • File Recovery Tools for MAC OS X
        • DiskWarrior
        • AppleXsoft File Recovery for MAC
        • Disk Doctors MAC Data Recovery
        • R-Studio for MAC
        • Data Rescue
        • Stellar Phoenix MAC Data Recovery
        • FileSalvage
        • TechTool Pro
    • File Recovery Tools for Linux
      • R-Studio for Linux
      • Quick Recovery for Linux
      • Kernel for Linux Data Recovery
      • TestDisk for Linux
    • Recovering the Deleted Partitions
      • Disk Partition
      • Deletion of Partition
      • Recovery of the Deleted Partition
    • Partition Recovery Tools
      • Active@ Partition Recovery for Windows
      • Acronis Recovery Expert
      • DiskInternals Partition Recovery
      • NTFS Partition Data Recovery
      • GetDataBack
      • EASEUS Partition Recovery
      • Advanced Disk Recovery
      • Power Data Recovery
      • Remo Recover (MAC) - Pro
      • MAC Data Recovery Software
      • Quick Recovery for Linux
      • Stellar Phoenix Linux Data Recovery Software
      • Tools to Recover Deleted Partitions
        • Handy Recovery
        • TestDisk for Windows
        • Stellar Phoenix Windows Data Recovery
        • ARAX Disk Doctor
        • Power Data Recovery
        • Quick Recovery for MAC
        • Partition Find & Mount
        • Advance Data Recovery Software Tools
        • TestDisk for MAC
        • Kernel for FAT and NTFS – Windows Disk Recovery
        • Disk Drill
        • Stellar Phoenix MAC Data Recovery
        • ZAR Windows Data Recovery
        • AppleXsoft File Recovery for MAC
        • Quick Recovery for FAT & NTFS
        • TestDisk for Linux

  • Forensics Investigation using Access Data FTK

    • Overview and Installation of FTK
      • Overview of Forensic Toolkit (FTK)
      • Features of FTK
      • Software Requirement
      • Configuration Option
      • Database Installation
      • FTK Application Installation
    • FTK Case Manager User Interface
      • Case Manager Window
        • Case Manager Database Menu
          • Setting Up Additional Users and Assigning Rules
        • Case Manager Case Menu
          • Assigning Users Shared Label Visibility
        • Case Manager Tools Menu
          • Recovering Processing Jobs
          • Restoring an Image to a Disk
        • Case Manager Manage Menu
          • Managing Carvers
          • Managing Custom Identifiers
    • FTK Examiner User Interface
      • FTK Examiner User Interface
        • Menu Bar: File Menu
          • Exporting Files
          • Exporting Case Data to a Custom Content Image
          • Exporting the Word List
        • Menu Bar: Edit Menu
        • Menu Bar: View Menu
        • Menu Bar: Evidence Menu
        • Menu Bar: Tools Menu
          • Verifying Drive Image Integrity
          • Mounting an Image to a Drive
        • File List View
          • Using Labels
          • Creating and Applying a Label
    • Starting with FTK
      • Creating a case
      • Selecting Detailed Options: Evidence Processing
      • Selecting Detailed Options: Fuzzy Hashing
      • Selecting Detailed Options: Data Carving
      • Selecting Detailed Options: Custom File Identification
      • Selecting Detailed Options: Evidence Refinement (Advanced)
      • Selecting Detailed Options: Index Refinement (Advanced)
    • FTK Interface Tabs
      • FTK Interface Tabs
        • Explore Tab
        • Overview Tab
        • Email Tab
        • Graphics Tab
        • Bookmarks Tab
        • Live Search Tabs
        • Volatile Tab
    • Adding and Processing Static, Live, and Remote Evidence
      • Adding Evidence to a Case
      • Evidence Groups
      • Acquiring Local Live Evidence
      • FTK Rule Requirements For Remote Acquisition
      • Types of Remote Information
      • Acquiring Data Remotely Using Remote Device Management System (RDMS)
      • Imaging Drives
      • Mounting and Unmounting a Device
    • Using and Managing Filters
      • Accessing Filter Tools
      • Using Filters
      • Customizing Filters
      • Using Predefined Filters
    • Using Index Search and Live Search
      • Conducting an Index Search
        • Selecting Index Search Options
        • Viewing Index Search Results
        • Documenting Search Results
      • Conducting a Live Search: Live Text Search
      • Conducting a Live Search: Live Hex Search
      • Conducting a Live Search: Live Pattern Search
    • Decrypting EFS and other Encrypted Files
      • Decrypting EFS Files and Folders
      • Decrypting MS Office Files
      • Viewing Decrypted Files
      • Decrypting Domain Account EFS Files from Live Evidence
      • Decrypting Credant Files
      • Decrypting Safeboot Files
    • Working with Reports
      • Creating a Report
      • Entering Case Information
      • Managing Bookmarks in a Report
      • Managing Graphics in a Report
      • Selecting a File Path List
      • Adding a File Properties List
      • Making Registry Selections
      • Selecting the Report Output Options
      • Customizing the Formatting of Reports
      • Viewing and Distributing a Report

  • Forensics Investigation Using EnCase

    • Overview of EnCase Forensic
      • Overview of EnCase Forensic
      • EnCase Forensic Features
      • EnCase Forensic Platform
      • EnCase Forensic Modules
    • Installing EnCase Forensic
      • Minimum Requirements
      • Installing the Examiner
      • Installed Files
      • Installing the EnCase Modules
      • Configuring EnCase
        • Configuring EnCase: Case Options Tab
        • Configuring EnCase: Global Tab
        • Configuring EnCase: Debug Tab
        • Configuring EnCase: Colors Tab and Fonts Tab
        • Configuring EnCase: EnScript Tab and Storage Paths Tab
      • Sharing Configuration (INI) Files
    • EnCase Interface
      • Main EnCase Window
        • System Menu Bar
        • Toolbar
        • Panes Overview
          • Tree Pane
          • Table Pane
          • Table Pane: Table Tab
          • Table Pane: Report Tab
          • Table Pane: Gallery Tab
          • Table Pane: Timeline Tab
          • Table Pane: Disk Tab and Code Tab
        • View Pane
        • Filter Pane
          • Filter Pane Tabs
          • Creating a Filter
          • Creating Conditions
        • Status Bar
    • Case Management
      • Overview of Case Structure
      • Case Management
      • Indexing a Case
      • Case Backup
      • Options Dialog Box
      • Logon Wizard
      • New Case Wizard
      • Setting Time Zones for Case Files
      • Setting Time Zone Options for Evidence Files
    • Working with Evidence
      • Types of Entries
      • Adding a Device
        • Adding a Device using Tableau Write Blocker
      • Performing a Typical Acquisition
      • Acquiring a Device
      • Canceling an Acquisition
      • Acquiring a Handsprings PDA
      • Delayed Loading of Internet Artifacts
      • Hashing the Subject Drive
      • Logical Evidence File (LEF)
      • Creating a Logical Evidence File
      • Recovering Folders on FAT Volumes
      • Restoring a Physical Drive
    • Source Processor
      • Source Processor
      • Starting to Work with Source Processor
      • Setting Case Options
      • Collection Jobs
        • Creating a Collection Job
        • Copying a Collection Job
        • Running a Collection Job
      • Analysis Jobs
        • Creating an Analysis Job
        • Running an Analysis Job
      • Creating a Report
    • Analyzing and Searching Files
      • Viewing the File Signature Directory
      • Performing a Signature Analysis
      • Hash Analysis
      • Hashing a New Case
      • Creating a Hash Set
      • Keyword Searches
      • Creating Global Keywords
      • Adding Keywords
      • Importing and Exporting Keywords
      • Searching Entries for Email and Internet Artifacts
      • Viewing Search Hits
      • Generating an Index
      • Tag Records
    • Viewing File Content
      • Viewing Files
      • Copying and Unerasing Files
      • Adding a File Viewer
      • Viewing File Content Using View Pane
      • Viewing Compound Files
      • Viewing Base64 and UUE Encoded Files
    • Bookmarking Items
      • Bookmarks Overview
      • Creating a Highlighted Data Bookmark
      • Creating a Note Bookmark
      • Creating a Folder Information/Structure Bookmark
      • Creating a Notable File Bookmark
      • Creating a File Group Bookmark
      • Creating a Log Record Bookmark
      • Creating a Snapshot Bookmark
      • Organizing Bookmarks
      • Copying/Moving a Table Entry into a Folder
      • Viewing a Bookmark on the Table Report Tab
      • Excluding Bookmarks
      • Copying Selected Items from One Folder to Another
    • Reporting
      • Reporting
      • Report User Interface
      • Creating a Report Using the Report Tab
      • Report Single/Multiple Files
      • Viewing a Bookmark Report
      • Viewing an Email Report
      • Viewing a Webmail Report
      • Viewing a Search Hits Report
      • Creating a Quick Entry Report
      • Creating an Additional Fields Report
      • Exporting a Report

  • Steganography and Image File Forensics

    • Steganography
      • What is Steganography?
      • How Steganography Works
      • Legal Use of Steganography
      • Unethical Use of Steganography
    • Steganography Techniques
      • Steganography Techniques
      • Application of Steganography
      • Classification of Steganography
      • Technical Steganography
      • Linguistic Steganography
      • Types of Steganography
        • Image Steganography
          • Least Significant Bit Insertion
          • Masking and Filtering
          • Algorithms and Transformation
          • Image Steganography: Hermetic Stego
          • Steganography Tool: S-Tools
          • Image Steganography Tools
            • ImageHide
            • QuickStego
            • Gifshuffle
            • OutGuess
            • Contraband
            • Camera/Shy
            • JPHIDE and JPSEEK
            • StegaNote
        • Audio Steganography
          • Audio Steganography Methods
          • Audio Steganography: Mp3stegz
          • Audio Steganography Tools
            • MAXA Security Tools
            • Stealth Files
            • Audiostegano
            • BitCrypt
            • MP3Stego
            • Steghide
            • Hide4PGP
            • CHAOS Universal
        • Video Steganography
          • Video Steganography: MSU StegoVideo
          • Video Steganography Tools
            • Masker
            • Max File Encryption
            • Xiao Steganography
            • RT Steganography
            • Our Secret
            • BDV DataHider
            • CHAOS Universal
            • OmniHide PRO
        • Document Steganography: wbStego
          • Byte Shelter I
          • Document Steganography Tools
            • Merge Streams
            • Office XML
            • CryptArkan
            • Data Stash
            • FoxHole
            • Xidie Security Suite
            • StegParty
            • Hydan
        • Whitespace Steganography Tool: SNOW
        • Folder Steganography: Invisible Secrets 4
          • Folder Steganography Tools
            • StegoStick
            • QuickCrypto
            • Max Folder Secure
            • WinMend Folder Hidden
            • PSM Encryptor
            • XPTools
            • Universal Shield
            • Hide My Files
        • Spam/Email Steganography: Spam Mimic
      • Steganographic File System
      • Issues in Information Hiding
    • Steganalysis
      • Steganalysis
      • How to Detect Steganography
      • Detecting Text, Image, Audio, and Video Steganography
      • Steganalysis Methods/Attacks on Steganography
      • Disabling or Active Attacks
      • Steganography Detection Tool: Stegdetect
      • Steganography Detection Tools
        • Xstegsecret
        • Stego Watch
        • StegAlyzerAS
        • StegAlyzerRTS
        • StegSpy
        • Gargoyle Investigator™ Forensic Pro
        • StegAlyzerSS
        • StegMark
    • Image Files
      • Image Files
      • Common Terminologies
      • Understanding Vector Images
      • Understanding Raster Images
      • Metafile Graphics
      • Understanding Image File Formats
      • GIF (Graphics Interchange Format)
      • JPEG (Joint Photographic Experts Group)
        • JPEG File Structure
        • JPEG 2000
      • BMP (Bitmap) File
        • BMP File Structure
      • PNG (Portable Network Graphics)
        • PNG File Structure
      • TIFF (Tagged Image File Format)
        • TIFF File Structure
    • Data Compression
      • Understanding Data Compression
      • How Does File Compression Work?
      • Lossless Compression
      • Huffman Coding Algorithm
      • Lempel-Ziv Coding Algorithm
      • Lossy Compression
      • Vector Quantization
    • Locating and Recovering Image Files
      • Best Practices for Forensic Image Analysis
      • Forensic Image Processing Using MATLAB
      • Locating and Recovering Image Files
      • Analyzing Image File Headers
      • Repairing Damaged Headers
      • Reconstructing File Fragments
      • Identifying Unknown File Formats
      • Identifying Image File Fragments
      • Identifying Copyright Issues on Graphics
      • Picture Viewer: IrfanView
      • Picture Viewer: ACDSee Photo Manager 12
      • Picture Viewer: Thumbsplus
      • Picture Viewer: AD Picture Viewer Lite
      • Picture Viewer Max
      • Picture Viewer: FastStone Image Viewer
      • Picture Viewer: XnView
      • Faces – Sketch Software
      • Digital Camera Data Discovery Software: File Hound
    • Image File Forensics Tools
      • Hex Workshop
      • GFE Stealth™ - Forensics Graphics File Extractor
      • Ilook
      • Adroit Photo Forensics 2011
      • Digital Photo Recovery
      • Stellar Phoenix Photo Recovery Software
      • Zero Assumption Recovery (ZAR)
      • Photo Recovery Software
      • Forensic Image Viewer
      • File Finder
      • DiskGetor Data Recovery
      • DERescue Data Recovery Master
      • Recover My Files
      • Universal Viewer

  • Application Password Crackers

    • Password Cracking Concepts
      • Password - Terminology
      • Password Types
      • Password Cracker
      • How Does a Password Cracker Work?
      • How Hash Passwords are Stored in Windows SAM
    • Types of Password Attacks
      • Password Cracking Techniques
      • Types of Password Attacks
      • Passive Online Attacks: Wire Sniffing
      • Password Sniffing
      • Passive Online Attack: Man-in-the-Middle and Replay Attack
      • Active Online Attack: Password Guessing
      • Active Online Attack: Trojan/Spyware/keylogger
      • Active Online Attack: Hash Injection Attack
      • Rainbow Attacks: Pre-Computed Hash
      • Distributed Network Attack
        • Elcomsoft Distributed Password Recovery
      • Non-Electronic Attacks
      • Manual Password Cracking (Guessing)
      • Automatic Password Cracking Algorithm
      • Time Needed to Crack Passwords
    • Classification of Cracking Software
    • Systems Software vs. Applications Software
    • System Software Password Cracking
      • Bypassing BIOS Passwords
        • Using Manufacturer’s Backdoor Password to Access the BIOS
        • Using Password Cracking Software
          • CmosPwd
        • Resetting the CMOS using the Jumpers or Solder Beads
        • Removing CMOS Battery
        • Overloading the Keyboard Buffer and Using a Professional Service
      • Tool to Reset Admin Password: Active@ Password Changer
      • Tool to Reset Admin Password: Windows Key
    • Application Software Password Cracking
      • Passware Kit Forensic
      • Accent Keyword Extractor
      • Distributed Network Attack
      • Password Recovery Bundle
      • Advanced Office Password Recovery
      • Office Password Recovery
      • Office Password Recovery Toolbox
      • Office Multi-document Password Cracker
      • Word Password Recovery Master
      • Accent WORD Password Recovery
      • Word Password
      • PowerPoint Password Recovery
      • PowerPoint Password
      • Powerpoint Key
      • Stellar Phoenix Powerpoint Password Recovery
      • Excel Password Recovery Master
      • Accent EXCEL Password Recovery
      • Excel Password
      • Advanced PDF Password Recovery
      • PDF Password Cracker
      • PDF Password Cracker Pro
      • Atomic PDF Password Recovery
      • PDF Password
      • Recover PDF Password
      • Appnimi PDF Password Recovery
      • Advanced Archive Password Recovery
      • KRyLack Archive Password Recovery
      • Zip Password
      • Atomic ZIP Password Recovery
      • RAR Password Unlocker
      • Default Passwords
      • http://www.defaultpassword.com
      • http://www.cirt.net/passwords
      • http://default-password.info
      • http://www.defaultpassword.us
      • http://www.passwordsdatabase.com
      • http://www.virus.org
    • Password Cracking Tools
      • L0phtCrack
      • OphCrack
      • Cain & Abel
      • RainbowCrack
      • Windows Password Unlocker
      • Windows Password Breaker
      • SAMInside
      • PWdump7 and Fgdump
      • PCLoginNow
      • KerbCrack
      • Recover Keys
      • Windows Password Cracker
      • Proactive System Password Recovery
      • Password Unlocker Bundle
      • Windows Password Reset Professional
      • Windows Password Reset Standard
      • Krbpwguess
      • Password Kit
      • WinPassword
      • Passware Kit Enterprise
      • Rockxp
      • PasswordsPro
      • LSASecretsView
      • LCP
      • MessenPass
      • Mail PassView
      • Messenger Key
      • Dialupass
      • Protected Storage PassView
      • Network Password Recovery
      • Asterisk Key
      • IE PassView

  • Log Capturing and Event Correlation

    • Computer Security Logs
      • Computer Security Logs
      • Operating System Logs
      • Application Logs
      • Security Software Logs
      • Router Log Files
      • Honeypot Logs
      • Linux Process Accounting
      • Logon Event in Window
      • Windows Log File
        • Configuring Windows Logging
        • Analyzing Windows Logs
        • Windows Log File: System Logs
        • Windows Log File: Application Logs
        • Logon Events that appear in the Security Event Log
      • IIS Logs
        • IIS Log File Format
        • Maintaining Credible IIS Log Files
      • Log File Accuracy
      • Log Everything
      • Keeping Time
      • UTC Time
      • View the DHCP Logs
        • Sample DHCP Audit Log File
      • ODBC Logging
    • Logs and Legal Issues
      • Legality of Using Logs
      • Records of Regularly Conducted Activity as Evidence
      • Laws and Regulations
    • Log Management
      • Log Management
        • Functions of Log Management
        • Challenges in Log Management
        • Meeting the Challenges in Log Management
    • Centralized Logging and Syslogs
      • Centralized Logging
        • Centralized Logging Architecture
        • Steps to Implement Central Logging
      • Syslog
        • Syslog in Unix-Like Systems
        • Steps to Set Up a Syslog Server for Unix Systems
        • Advantages of Centralized Syslog Server
      • IIS Centralized Binary Logging
    • Time Synchronization
      • Why Synchronize Computer Times?
      • What is NTP?
        • NTP Stratum Levels
      • NIST Time Servers
      • Configuring Time Server in Windows Server
    • Event Correlation
      • Event Correlation
        • Types of Event Correlation
        • Prerequisites for Event Correlation
        • Event Correlation Approaches
    • Log Capturing and Analysis Tools
      • GFI EventsManager
      • Activeworx Security Center
      • EventLog Analyzer
      • Syslog-ng OSE
      • Kiwi Syslog Server
      • WinSyslog
      • Firewall Analyzer: Log Analysis Tool
      • Activeworx Log Center
      • EventReporter
      • Kiwi Log Viewer
      • Event Log Explorer
      • WebLog Expert
      • XpoLog Center Suite
      • ELM Event Log Monitor
      • EventSentry
      • LogMeister
      • LogViewer Pro
      • WinAgents EventLog Translation Service
      • EventTracker Enterprise
      • Corner Bowl Log Manager
      • Ascella Log Monitor Plus
      • FLAG - Forensic and Log Analysis GUI
      • Simple Event Correlator (SEC)
      • OSSEC

  • Network Forensics, Investigating Logs and Investigating Network Traffic

    • Network Forensics
      • Network Forensics
      • Network Forensics Analysis Mechanism
      • Network Addressing Schemes
      • Overview of Network Protocols
      • Overview of Physical and Data-Link Layer of the OSI Model
      • Overview of Network and Transport Layer of the OSI Model
      • OSI Reference Model
      • TCP/IP Protocol
      • Intrusion Detection Systems (IDS) and Their Placement
        • How IDS Works
        • Types of Intrusion Detection Systems
        • General Indications of Intrusions
      • Firewall
      • Honeypot
    • Network Attacks
      • Network Vulnerabilities
      • Types of Network Attacks
        • IP Address Spoofing
        • Man-in-the-Middle Attack
        • Packet Sniffing
          • How a Sniffer Works
        • Enumeration
        • Denial of Service Attack
        • Session Sniffing
        • Buffer Overflow
        • Trojan Horse
    • Log Injection Attacks
      • New Line Injection Attack
        • New Line Injection Attack Countermeasure
      • Separator Injection Attack
        • Defending Separator Injection Attacks
      • Timestamp Injection Attack
        • Defending Timestamp Injection Attacks
      • Word Wrap Abuse Attack
        • Defending Word Wrap Abuse Attacks
      • HTML Injection Attack
        • Defending HTML Injection Attacks
      • Terminal Injection Attack
        • Defending Terminal Injection Attacks
    • Investigating and Analyzing Logs
      • Postmortem and Real-Time Analysis
      • Where to Look for Evidence
      • Log Capturing Tool: ManageEngine EventLog Analyzer
      • Log Capturing Tool: ManageEngine Firewall Analyzer
      • Log Capturing Tool: GFI EventsManager
      • Log Capturing Tool: Kiwi Syslog Server
      • Handling Logs as Evidence
      • Log File Authenticity
      • Use Signatures, Encryption, and Checksums
      • Work with Copies
      • Ensure System’s Integrity
      • Access Control
      • Chain of Custody
      • Condensing Log File
    • Investigating Network Traffic
      • Why Investigate Network Traffic?
      • Evidence Gathering via Sniffing
      • Capturing Live Data Packets Using Wireshark
        • Display Filters in Wireshark
        • Additional Wireshark Filters
      • Acquiring Traffic Using DNS Poisoning Techniques
        • Intranet DNS Spoofing (Local Network)
        • Intranet DNS Spoofing (Remote Network)
        • Proxy Server DNS Poisoning
        • DNS Cache Poisoning
      • Evidence Gathering from ARP Table
      • Evidence Gathering at the Data-Link Layer: DHCP Database
      • Gathering Evidence by IDS
    • Traffic Capturing and Analysis Tools
      • NetworkMiner
      • Tcpdump/Windump
      • Intrusion Detection Tool: Snort
        • How Snort Works
      • IDS Policy Manager
      • MaaTec Network Analyzer
      • Iris Network Traffic Analyzer
      • NetWitness Investigator
      • Colasoft Capsa Network Analyzer
      • Sniff - O - Matic
      • NetResident
      • Network Probe
      • NetFlow Analyzer
      • OmniPeek Network Analyzer
      • Firewall Evasion Tool: Traffic IQ Professional
      • NetworkView
      • CommView
      • Observer
      • SoftPerfect Network Protocol Analyzer
      • EffeTech HTTP Sniffer
      • Big-Mother
      • EtherDetect Packet Sniffer
      • Ntop
      • EtherApe
      • AnalogX Packetmon
      • IEInspector HTTP Analyzer
      • SmartSniff
      • Distinct Network Monitor
      • Give Me Too
      • EtherSnoop
      • Show Traffic
      • Argus
    • Documenting the Evidence Gathered on a Network

  • Investigating Wireless Attacks

    • Wireless Technologies
      • Wireless Networks
      • Wireless Terminologies
      • Wireless Components
      • Types of Wireless Networks
      • Wireless Standards
      • MAC Filtering
      • Service Set Identifier (SSID)
      • Types of Wireless Encryption: WEP
      • Types of Wireless Encryption: WPA
      • Types of Wireless Encryption: WPA2
      • WEP vs. WPA vs. WPA2
    • Wireless Attacks
      • Wi-Fi Chalking
        • Wi-Fi Chalking Symbols
      • Access Control Attacks
      • Integrity Attacks
      • Confidentiality Attacks
      • Availability Attacks
      • Authentication Attacks
    • Investigating Wireless Attacks
      • Key Points to Remember
      • Steps for Investigation
        • Obtain a Search Warrant
        • Identify Wireless Devices at Crime Scene
          • Search for Additional Devices
          • Detect Rogue Access Point
        • Document the Scene and Maintain a Chain of Custody
        • Detect the Wireless Connections
          • Methodologies to Detect Wireless Connections
          • Wi-Fi Discovery Tool: inSSIDer
          • GPS Mapping
            • GPS Mapping Tool: WIGLE
            • GPS Mapping Tool: Skyhook
          • How to Discover Wi-Fi Networks Using Wardriving
          • Check for MAC Filtering
          • Changing the MAC Address
          • Detect WAPs using the Nessus Vulnerability Scanner
          • Capturing Wireless Traffic
            • Sniffing Toul: Wireshark
            • Follow TCP Stream in Wireshark
            • Display Filters in Wireshark
            • Additional Wireshark Filters
        • Determine Wireless Field Strength
          • Determine Wireless Field Strength: FSM
          • Determine Wireless Field Strength: ZAP Checker Products
          • What is Spectrum Analysis?
        • Map Wireless Zones & Hotspots
        • Connect to Wireless Network
          • Connect to the Wireless Access Point
          • Access Point Data Acquisition and Analysis: Attached Devices
          • Access Point Data Acquisition and Analysis: LAN TCP/IP Setup
          • Access Point Data Acquisition and Analysis
            • Firewall Analyzer
            • Firewall Log Analyzer
        • Wireless Devices Data Acquisition and Analysis
        • Report Generation
    • Features of a Good Wireless Forensics Tool
    • Wireless Forensics Tools
      • Wi-Fi Discovery Tools
        • NetStumbler
        • NetSurveyor
        • Vistumbler
        • WirelessMon
        • Kismet
        • AirPort Signal
        • WiFi Hopper
        • Wavestumbler
        • iStumbler
        • WiFinder
        • Meraki WiFi Stumbler
        • Wellenreiter
        • AirCheck Wi-Fi Tester
        • AirRadar 2
      • Wi-Fi Packet Sniffers
        • OmniPeek
        • CommView for Wi-Fi
        • Wi-Fi USB Dongle: AirPcap
        • tcpdump
        • KisMAC
        • Aircrack-ng Suite
        • AirMagnet WiFi Analyzer
      • Wardriving Tools
        • MiniStumbler
        • Airbase
        • ApSniff
        • WiFiFoFum
        • StumbVerter
        • ClassicStumbler
        • Driftnet
        • WarLinux
      • RF Monitoring Tools
        • NetworkManager
        • KWiFiManager
        • NetworkControl
        • KOrinoco
        • KWaveControl
        • Aphunter
        • Qwireless
        • SigMon
      • Wi-Fi Connection Manager Tools
        • Aironet Wireless LAN
        • Boingo
        • HandyWi
        • Avanquest Connection Manager
        • Intel PROSet
        • Odyssey Access Client
        • WiFi-Manager
        • QuickLink Mobile
      • Wi-Fi Traffic Analyzer Tools
        • AirMagnet WiFi Analyzer
        • Cascade Pilot Personal Edition
        • OptiView® XG Network Analysis Tablet
        • Network Packet Analyzer
        • Network Observer
        • Ufasoft Snif
        • CommView for WiFi
        • Network Assistant
      • Wi-Fi Raw Packet Capturing Tools
        • WirelessNetView
        • Pirni Sniffer
        • Tcpdump
        • Airview
      • Wi-Fi Spectrum Analyzing Tools
        • Cisco Spectrum Expert
        • AirMedic
        • BumbleBee
        • Wi-Spy

  • Investigating Web Attacks

    • Introduction to Web Applications and Webservers
      • Introduction to Web Applications
      • Web Application Components
      • How Web Applications Work
      • Web Application Architecture
      • Open Source Webserver Architecture
      • Indications of a Web Attack
      • Web Attack Vectors
      • Why Web Servers are Compromised
      • Impact of Webserver Attacks
      • Website Defacement
      • Case Study
    • Web Logs
      • Overview of Web Logs
      • Application Logs
      • Internet Information Services (IIS) Logs
        • IIS Webserver Architecture
        • IIS Log File Format
      • Apache Webserver Logs
      • DHCP Server Logs
    • Web Attacks
      • Web Attacks - 1
      • Web Attacks - 2
        • Unvalidated Input
        • Parameter/Form Tampering
        • Directory Traversal
        • Security Misconfiguration
        • Injection Flaws
        • SQL Injection Attacks
        • Command Injection Attacks
          • Command Injection Example
        • File Injection Attack
        • What is LDAP Injection?
          • How LDAP Injection Works
        • Hidden Field Manipulation Attack
        • Cross-Site Scripting (XSS) Attacks
          • How XSS Attacks Work
        • Cross-Site Request Forgery (CSRF) Attack
          • How CSRF Attacks Work
        • Web Application Denial-of-Service (DoS) Attack
          • Denial of Service (DoS) Examples
        • Buffer Overflow Attacks
        • Cookie/Session Poisoning
          • How Cookie Poisoning Works
        • Session Fixation Attack
        • Insufficient Transport Layer Protection
        • Improper Error Handling
        • Insecure Cryptographic Storage
        • Broken Authentication and Session Management
        • Unvalidated Redirects and Forwards
        • DMZ Protocol Attack/Zero Day Attack
        • Log Tampering
        • URL Interpretation and Impersonation Attack
        • Web Services Attack
        • Web Services Footprinting Attack
        • Web Services XML Poisoning
        • Webserver Misconfiguration
        • HTTP Response Splitting Attack
        • Web Cache Poisoning Attack
        • HTTP Response Hijacking
        • SSH Bruteforce Attack
        • Man-in-the-Middle Attack
        • Defacement Using DNS Compromise
    • Web Attack Investigation
      • Investigating Web Attacks
      • Investigating Web Attacks in Windows-Based Servers
      • Investigating IIS Logs
      • Investigating Apache Logs
      • Example of FTP Compromise
      • Investigating FTP Servers
      • Investigating Static and Dynamic IP Addresses
      • Sample DHCP Audit Log File
      • Investigating Cross-Site Scripting (XSS)
      • Investigating SQL Injection Attacks
      • Pen-Testing CSRF Validation Fields
      • Investigating Code Injection Attack
      • Investigating Cookie Poisoning Attack
      • Detecting Buffer Overflow
      • Investigating Authentication Hijacking
      • Web Page Defacement
      • Investigating DNS Poisoning
      • Intrusion Detection
      • Security Strategies for Web Applications
      • Checklist for Web Security
    • Web Attack Detection Tools
      • Web Application Security Tools
        • Acunetix Web Vulnerability Scanner
        • Falcove Web Vulnerability Scanner
        • Netsparker
        • N-Stalker Web Application Security Scanner
        • Sandcat
        • Wikto
        • WebWatchBot
        • OWASP ZAP
        • SecuBat Vulnerability Scanner
        • Websecurify
        • HackAlert
        • WebCruiser
      • Web Application Firewalls
        • dotDefender
        • IBM AppScan
        • ServerDefender VP
      • Web Log Viewers
        • Deep Log Analyzer
        • WebLog Expert
        • AlterWind Log Analyzer
        • Webalizer
        • eWebLog Analyzer
        • Apache Logs Viewer (ALV)
      • Web Attack Investigation Tools
        • AWStats
        • Paros Proxy
        • Scrawlr
    • Tools for Locating IP Address
      • Whois Lookup
      • SmartWhois
      • ActiveWhois
      • LanWhois
      • CountryWhois
      • CallerIP
      • Hide Real IP
      • IP - Address Manager
      • Pandora FMS

  • Tracking Emails and Investigating Email Crimes

    • Email System Basics
      • Email Terminology
      • Email System
      • Email Clients
      • Email Server
      • SMTP Server
      • POP3 and IMAP Servers
      • Email Message
      • Importance of Electronic Records Management
    • Email Crimes
      • Email Crime
      • Email Spamming
      • Mail Bombing/Mail Storm
      • Phishing
      • Email Spoofing
      • Crime via Chat Room
      • Identity Fraud/Chain Letter
    • Email Headers
      • Examples of Email Headers
      • List of Common Headers
    • Steps to Investigate
      • Why to Investigate Emails
      • Investigating Email Crime and Violation
        • Obtain a Search Warrant and Seize the Computer and Email Account
        • Obtain a Bit-by-Bit Image of Email Information
        • Examine Email Headers
          • Viewing Email Headers in Microsoft Outlook
          • Viewing Email Headers in AOL
          • Viewing Email Headers in Hotmail
          • Viewing Email Headers in Gmail
          • Viewing Headers in Yahoo Mail
          • Forging Headers
        • Analyzing Email Headers
          • Email Header Fields
          • Received: Headers
          • Microsoft Outlook Mail
          • Examining Additional Files (.pst or .ost files)
          • Checking the Email Validity
          • Examine the Originating IP Address
        • Trace Email Origin
          • Tracing Back
          • Tracing Back Web-based Email
        • Acquire Email Archives
          • Email Archives
          • Content of Email Archives
          • Local Archive
          • Server Storage Archive
          • Forensic Acquisition of Email Archive
        • Recover Deleted Emails
          • Deleted Email Recovery
    • Email Forensics Tools
      • Stellar Phoenix Deleted Email Recovery
      • Recover My Email
      • Outlook Express Recovery
      • Zmeil
      • Quick Recovery for MS Outlook
      • Email Detective
      • Email Trace - Email Tracking
      • R-Mail
      • FINALeMAIL
      • eMailTrackerPro
      • Forensic Toolkit (FTK)
      • Paraben's Email Examiner
      • Network Email Examiner by Paraben
      • DiskInternal’s Outlook Express Repair
      • Abuse.Net
      • MailDetective Tool
    • Laws and Acts against Email Crimes
      • U.S. Laws Against Email Crime: CAN-SPAM Act
      • 18 U.S.C. § 2252A
      • 18 U.S.C. § 2252B
      • Email Crime Law in Washington: RCW 19.190.020

  • Mobile Forensics

    • Mobile Phone
      • Mobile Phone
      • Different Mobile Devices
      • Hardware Characteristics of Mobile Devices
      • Software Characteristics of Mobile Devices
      • Components of Cellular Network
      • Cellular Network
      • Different Cellular Networks
    • Mobile Operating Systems
      • Mobile Operating Systems
      • Types of Mobile Operating Systems
      • WebOS
        • WebOS System Architecture
      • Symbian OS
        • Symbian OS Architecture
      • Android OS
        • Android OS Architecture
      • RIM BlackBerry OS
      • Windows Phone 7
        • Windows Phone 7 Architecture
      • Apple iOS
    • Mobile Forensics
      • What a Criminal Can Do with Mobile Phones?
      • Mobile Forensics
      • Mobile Forensics Challenges
      • Forensics Information in Mobile Phones
      • Memory Considerations in Mobiles
      • Subscriber Identity Module (SIM)
      • SIM File System
      • Integrated Circuit Card Identification (ICCID)
      • International Mobile Equipment Identifier (IMEI)
      • Electronic Serial Number (ESN)
      • Precautions to be Taken Before Investigation
    • Mobile Forensic Process
      • Mobile Forensic Process
        • Collect the Evidence
          • Collecting the Evidence
          • Points to Remember while Collecting the Evidence
          • Collecting iPod/iPhone Connected with Computer
        • Document the Scene and Preserve the Evidence
        • Imaging and Profiling
        • Acquire the Information
          • Device Identification
          • Acquire Data from SIM Cards
          • Acquire Data from Unobstructed Mobile Devices
          • Acquire the Data from Obstructed Mobile Devices
          • Acquire Data from Memory Cards
          • Acquire Data from Synched Devices
          • Gather Data from Network Operator
          • Check Call Data Records (CDRs)
          • Gather Data from SQLite Record
        • Analyze the Information
        • Generate Report
    • Mobile Forensics Software Tools
      • Oxygen Forensic Suite 2011
      • MOBILedit! Forensic
      • BitPim
      • SIM Analyzer
      • SIMCon
      • SIM Card Data Recovery
      • Memory Card Data Recovery
      • Device Seizure
      • SIM Card Seizure
      • ART (Automatic Reporting Tool)
      • iPod Data Recovery Software
      • Recover My iPod
      • PhoneView
      • Elcomsoft Blackberry Backup Explorer
      • Oxygen Phone Manager II
      • Sanmaxi SIM Recoverer
      • USIMdetective
      • CardRecovery
      • Stellar Phoenix iPod Recovery Software
      • iCare Data Recovery Software
      • Cell Phone Analyzer
      • iXAM
      • BlackBerry Database Viewer Plus
      • BlackBerry Signing Authority Toul
    • Mobile Forensics Hardware Tools
      • Secure View Kit
      • Deployable Device Seizure (DDS)
      • Paraben's Mobile Field Kit
      • PhoneBase
      • XACT System
      • Logicube CellDEK
      • Logicube CellDEK TEK
      • RadioTactics ACESO
      • UME-36Pro - Universal Memory Exchanger
      • Cellebrite UFED System - Universal Forensic Extraction Device
      • ZRT 2
      • ICD 5200
      • ICD 1300

  • Investigative Reports

    • Computer Forensics Report
      • Computer Forensics Report
      • Salient Features of a Good Report
      • Aspects of a Good Report
    • Computer Forensics Report Template
      • Computer Forensics Report Template
      • Simple Format of the Chain of Custody Document
      • Chain of Custody Forms
      • Evidence Collection Form
      • Computer Evidence Worksheet
      • Hard Drive Evidence Worksheet
      • Removable Media Worksheet
    • Investigative Report Writing
      • Report Classification
      • Layout of an Investigative Report
        • Layout of an Investigative Report: Numbering
      • Report Specifications
      • Guidelines for Writing a Report
      • Use of Supporting Material
      • Importance of Consistency
      • Investigative Report Format
      • Attachments and Appendices
      • Include Metadata
      • Signature Analysis
      • Investigation Procedures
      • Collecting Physical and Demonstrative Evidence
      • Collecting Testimonial Evidence
      • Do's and Don'ts of Forensics Computer Investigations
      • Case Report Writing and Documentation
      • Create a Report to Attach to the Media Analysis Worksheet
      • Best Practices for Investigators
    • Sample Forensics Report
      • Sample Forensics Report
    • Report Writing Using Tools
      • Writing Report Using FTK
      • Writing Report Using ProDiscover

  • Becoming an Expert Witness

    • Expert Witness
      • What is an Expert Witness?
      • Role of an Expert Witness
      • What Makes a Good Expert Witness?
    • Types of Expert Witnesses
      • Types of Expert Witnesses
        • Computer Forensics Experts
          • Role of Computer Forensics Expert
        • Medical & Psychological Experts
        • Civil Litigation Experts
        • Construction & Architecture Experts
        • Criminal Litigation Experts
    • Scope of Expert Witness Testimony
      • Scope of Expert Witness Testimony
      • Technical Witness vs. Expert Witness
      • Preparing for Testimony
    • Evidence Processing
      • Evidence Preparation and Documentation
      • Evidence Processing Steps
      • Checklists for Processing Evidence
      • Examining Computer Evidence
      • Prepare the Report
      • Evidence Presentation
    • Rules for Expert Witness
      • Rules Pertaining to an Expert Witness’s Qualification
      • Daubert Standard
      • Frye Standard
      • Importance of Resume
      • Testifying in the Court
      • The Order of Trial Proceedings
    • General Ethics While Testifying
      • General Ethics While Testifying
      • Importance of Graphics in a Testimony
      • Helping your Attorney
      • Avoiding Testimony Issues
      • Testifying during Direct Examination
      • Testifying during Cross-Examination
      • Deposing
      • Recognizing Deposition Problems
      • Guidelines to Testifying at a Deposition
      • Dealing with Media
      • Finding a Computer Forensics Expert