Course Code: 829

EC-Council Computer Hacking Forensic Investigator v9.0 (CHFI) - Virtual Delivery

Class Dates:
5 Days
Class Time:
Virtual Instructor-Led Training, Instructor-Led Training


  • Course Overview
  • Computer hacking forensic investigation is the process of detecting hacking attacks and properly extracting evidence to report the crime and conduct audits to prevent future attacks. Computer forensics is simply the application of computer investigation and analysis techniques in the interests of determining potential legal evidence. Evidence might be sought in a wide range of computer crime or misuse, including but not limited to theft of trade secrets, theft of or destruction of intellectual property, and fraud. CHFI investigators can draw on an array of methods for discovering data that resides in a computer system, or recovering deleted, encrypted, or damaged file information.

    Students attending this course will take exam ECO-349 to achieve their CHFI certification.
  • Audience
  • The CHFI program is designed for all IT professionals involved with information system security, computer forensics, and incident response.

    Securing and analyzing electronic evidence is a central theme in an ever-increasing number of conflict situations and criminal cases. Electronic evidence is critical in the following situations:

    Disloyal employees
    Computer break-ins
    Possession of pornography
    Breach of contract
    Industrial espionage
    E-mail Fraud
    Disputed dismissals
    Web page defacements
    Theft of company documents


  • It is strongly recommended that you attend the CEH class before enrolling into CHFI program.

    A foundational knowledge of computers Operating Systems and Networking protocols.
  • Recommended Courses:

  • EC-Council Certified Ethical Hacker v9 CEH

Course Details

  • Lesson 1: Computer Forensics in Today’s World
  • Understanding Computer Forensics
  • Why and When Do You Use Computer Forensics?
  • Cyber Crime (Types of Computer Crimes)
  • Case Study
  • Challenges Cyber Crimes Present For Investigators
  • Cyber Crime Investigation-Civil v Ciminal , Case Studies, Admin Investigation
  • Rules of Forensics Investigation - Enterprise Theory of Investigation (ETI)
  • Understanding Digital Evidence
  • Types of Digital Evidence
  • Characteristics of Digital Evidence, Types of Digital Evidence
  • Role of Digital Evidence
  • Rules of Evidence, Forensics Readiness,Incident Response Plan
  • Lesson 2: Computer Forensics Investigation Process
  • Importance of Computer Forensics Process
  • Phases Involved in the Computer Forensics Investigation Process
  • Pre-investigation Phase, Setting Up a Computer Forensics Lab
  • Planning and Budgeting, Physical Location and Structural Design Considerations
  • Work Area Considerations, Physical Security Recommendations, Fire-Suppression Systems
  • Evidence Locker Recommendations, Auditing the Security of a Forensics Lab
  • Human Resource Considerations, Build a Forensics Workstation
  • Basic Workstation Requirements in a Forensics Lab, Build a Computer Forensics Toolkit
  • Forensics Hardware, Forensics Software (Cont’d)
  • Build the Investigation Team, Forensic Practitioner Certification and Licensing
  • Review Policies and Laws, Forensics Laws
  • Establish Quality Assurance Processes, Quality Assurance Practices in Digital Forensics
  • Lesson 3: Understanding Hard Disks and File Systems
  • Hard Disk Drive Overview, Disk, Hard Disk Drive (HDD) Solid State Drive (SSD)
  • Physical Structure of a Hard Disk, Logical Structure of Hard Disk
  • Types of Hard Disk Interfaces, Hard Disk Interfaces, ATA, SCSI, IDE/EIDE, USB, Fibre Channel,
  • Tracks, Track Numbering
  • Sector, Sector Addressing, Advanced Format Sectors
  • Cluster, Cluster Size, Slack Space, Lost Clusters
  • Bad Sectors, Understanding Bit, Byte, and Nibble
  • Hard Disk Data Addressing
  • Data Densities on a Hard Disk
  • Disk Capacity Calculation
  • Measuring the Performance of the Hard Disk
  • Disk Partitions and Boot Process, Disk Partitions
  • Lesson 4: Data Acquisition and Duplication
  • Data Acquisition and Duplication Concepts
  • Static Acquisition
  • Validate Data Acquisitions
  • Acquisition Best Practices
  • Lesson 5: Defeating Anti-forensics Techniques
  • What is Anti-Forensics?
  • Anti-Forensics techniques
  • Recycle Bin in Windows
  • File Recovery in MAC OS X
  • Recovering the Deleted Partitions
  • Password Protection
  • Steganography
  • Data Hiding in File System Structures
  • Trail Obfuscation, Rootkits
  • Artifact Wiping, Minimize Footprint, Tools Bugs, Coutermeasures
  • Overwriting Data/Metadata, Anti-forensics Tools
  • Encryption, Encrypted Network Protocols, Program Packers
  • Lesson 6: Operating System Forensics (Windows, Mac, Linux)
  • Introduction to OS Forensics
  • Windows Forensics, Collecting Volatile Information
  • System Time, Logged-On Users, Open Files, Network Information & Connections
  • Process Information, Process-to-Port Mapping, Process Memory, Network Status, Print spool files,
  • Collecting Non-Volatile Information
  • Analyze the Windows thumbcaches
  • Windows Memory Analysis
  • Windows Registry Analysis
  • Cache, Cookie, and History Analysis
  • Windows File Analysis, Other Audit Events
  • Metadata Investigation, Text Based Logs
  • Forensic Analysis of Event Logs, Linux Forensics, MAC Forensics
  • Lesson 7: Network Forensics
  • Introduction to Network Forensics
  • Fundamental Logging Concepts
  • Event Correlation Concepts
  • Network Forensic Readiness
  • Network Forensics Steps
  • Network Traffic Investigation
  • Why Investigate Network Traffic?
  • Evidence Gathering via Sniffing, Sniffing Tool: Wireshark
  • Packet Sniffing Tool: Capsa Network Analyzer
  • Network Packet Analyzer: OmniPeek Network Analyzer, & Observer
  • Network Packet Analyzer: Capsa Portable Network Analyzer
  • Documenting the Evidence
  • Lesson 8: Investigating Web Attacks
  • Introduction to Web Application Forensics
  • Web Attack Investigation
  • Investigating Web Server Logs, Internet Information Services (IIS) Logs
  • Investigating Apache Logs, Investigating Cross-Site Scripting (XSS)
  • Investigating XSS: Using Regex to Search XSS Strings
  • Pen-Testing CSRF Validation Fields
  • Web Attack Detection Tools
  • Tools for Locating IP Address
  • IP Address Locating Tools
  • WHOIS Lookup Tools
  • Lesson 9: Database Forensics
  • Database Forensics and Its Importance
  • MSSQL Forensics, Structure of the Data Directory
  • MySQL Forensics, Viewing the Information Schema
  • MySQL Utility Programs For Forensic Analysis
  • Common Scenario for Reference
  • MySQL Forensics for WordPress Website Database: Scenario 1
  • Collect the Evidences, Examine the Log Files, Take a Backup of the Database
  • Create an Evidence Database, Select the Database
  • View the Tables & Users in the Database
  • View Columns in the Table, Collect the Posts Made by the User
  • MySQL Forensics for WordPress Website Database: Scenario 2
  • Collect the Database and all the Logs,Examine the .frm Files & Binary Logs
  • Lesson 10: Cloud Forensics
  • Introduction to Cloud Computing
  • Cloud Forensics, Cloud Forensics: Stakeholders and their Roles
  • Cloud Crimes
  • Cloud Forensics Challenges
  • Investigating Cloud Storage Services
  • Investigating Dropbox Cloud Storage Service
  • Investigating Google Drive Cloud Storage Service
  • Lesson 11: Malware Forensics
  • Introduction to Malware
  • Introduction to Malware Forensics
  • Supporting Tools for Malware Analysis
  • General Rules for Malware Analysis
  • Documentation Before Analysis
  • Types of Malware Analysis
  • Malware Analysis: Dynamic
  • Installation & Process Monitor
  • Files and Folder Monitor, Registry Monitor, Network Activity Monitor
  • Port Monitor, DNS Monitoring/Resolution, API Calls Monitor
  • Device Drivers Monitor, Startup Programs Monitor
  • Windows Services Monitor, Analysis of Malicious Documents, Malware Analysis Challenges
  • Lesson 12: Investigating Email Crimes
  • Email System, Clients, Server, SMTP Server, POP3 Server, IMAP Server
  • Importance of Electronic Records Management
  • Email Crimes (Email Spamming, Mail Bombing/Mail Storm, Phishing, Email Spoofing, Crime via Chat Room, Identity Fraud/Chain Letter)
  • Email Message, Steps to Investigate Email Crimes and Violation
  • Examine E-mail Messages, Acquire Email Archives
  • Recover Deleted Emails
  • Examining Email Logs
  • Examining Linux E-mail Server Logs
  • Examining Microsoft Exchange E-mail Server Logs
  • Email Forensics Tools
  • Laws and Acts against Email Crimes
  • U.S. Laws Against Email Crime: CAN-SPAM Act
  • Lesson 13: Mobile Phone Forensics
  • Mobile Device Forensics, Why Mobile Forensics?
  • Top Threats Targeting Mobile Devices, Mobile Hardware and Forensics
  • Mobile OS and Forensics,
  • Page | 28 Computer Hacking Forensic Investigator Copyright c by EC-Council
  • Mobile Forensics Process
  • Packing, Transporting, and Storing the Evidence
  • Forensics Imaging, Phone Locking, Enabling USB Debugging
  • Platform Security Removal Techniques: Jailbreaking/Rooting
  • Mobile Evidence Acquisition, Cellular Network, Subscriber Identity Module (SIM)
  • Logical , Physical & File System Acquisition
  • File Carving, SQLite Database Extraction, Android Forensics Analysis
  • Android Forensics Analysis, iPhone Data Extraction, Examination and Analysis
  • Lesson 14: Forensics Report Writing and Presentation
  • Writing Investigation Reports
  • Expert Witness Testimony
  • Deposition
  • Dealing with Media