
IFCI 500 - Cybercrime Investigators Course - $150 USD

 
 
 

Module 1: Computer Forensics Core Concepts

This module introduces students to the world of computer forensics.  It examines what life is really like for a computer forensic analyst on a daily basis, examining both the fascinating and exciting aspects of the job, along with the challenges and difficulties we face.  The goal is to honestly help students decide whether this is truly a career they wish to pursue.

Module 1 Videos:

Module 1_1 (The World Cybercrime Investigation).mp4   (00:18:12.71)

Module 1_2 (Subfields of Computer Forensics).mp4   (00:13:13.77)

Module 1_3 (Roles and Responsibilities of the Cybercrime Investigator).mp4   (00:13:30.56)

Module 1_4 (Computer Forensic Tools and Testing).mp4   (00:10:00.03)

Module 1_5 (Sources of Digital Evidence).mp4   (00:08:22.67)

Module 2: Forensic Acquisitions; Theory & Practice

Module 2 is an in-depth study of the forensic acquisition stage of the incident response process.  This is often considered the most important aspect of any computer forensic investigation because all future analysis relies on a proper, legal, and complete acquisition of digital evidence.  This module will introduce students to a variety of real-life incident response situations and provide expert strategies to adapt and overcome challenges they may face during on-site acquisitions.  This module teaches volatile memory acquisition, hard disk acquisition, and system monitoring, and also teaches the Order of Volatility as a methodology for response procedure decision making.

In addition, this module introduces key concepts such as:

  • Hash algorithms and how they can be used as digital fingerprints to verify evidence integrity or identify suspect files
  • Modern (live) and traditional (dead) theories of acquisition and when to use both
  • Strategies for acquisition of business critical servers
  • Examination of system footprints left by live acquisition and volatile memory acquisition

Lab #1 - Hashing: Creating, understanding, and using digital fingerprints

Lab #2 - Digital Crime Scene Incident Response: Forensic Acquisition of Volatile Memory and Hard Drives

 

Module 2 Videos

Module 2_1 (Incident Response Triage and Forensic Acquisitons).mp4   (00:15:26.17)

Module 2_2 (Hashes - Digital Fingerprints).mp4   (00:11:53.20)

Module 2_3 (Lab1 - Hashing).mp4   (00:20:21.93)

Module 2_4 (Incident Responder's Forensic Acquisition Process).mp4   (00:16:54.76)

Module 2_5 (Different Approaches to Forensic Acquisition).mp4   (00:09:51.23)

Module 2_6 (Volatile Memory Acquisition).mp4   (00:12:01.54)

Module 2_7 (Lab2 - Forensic Acquisition Lab).mp4   (00:11:24.73)

Module 3 - File Systems, Data Structures & File Deletion Recovery

Description:  Module 3 introduces students to the concept of how data exists, in its many forms, on a computer hard drive.  Students will become intimately familiar with digital data in binary, hex, ASCII, and Unicode formats and they will come to understand that data is inherently the same but just presented in different formats so computers and humans can understand it.  Students will learn about various file systems and their limitations, as well as how the file systems interact with different operating systems.  Finally students will be introduced to the concepts of slack space, unallocated space, file carving, file fragmentation, and the core concept of computer forensics: when a file is deleted, it can still be recovered by forensic analysis.  This will be reinforced by a hands-on lab requiring students to manually recover a deleted file from unallocated space.

In addition, this module introduces key concepts such as:

  • Sectors and clusters and their relationship to a computer's file systems
  • Detailed organizational structure of NTFS and FAT file systems and the forensic evidence that can be drawn from them
  • Resident vs non-resident files

Lab #3 - Manual Recovery of Deleted Files

 

Module 3 Videos

Module 3_1 (Introduction to File Systems and Operating Systems).mp4   (00:07:42.50)

Module 3_2 (Data Structures).mp4   (00:22:37.62)

Module 3_3 (Slack Space and Deleted Files).mp4   (00:10:02.37)

Module 3_4 (File System Limitations).mp4   (00:04:26.33)

Module 3_5 (FAT File Systems).mp4   (00:03:34.92)

Module 3_6 (NTFS File Systems).mp4   (00:04:06.46)

Module 3_7 (File Carving and File Fragmentation).mp4   (00:05:40.96)

Mod 3_8_LAB3(Deleted File Recovery).mp4   (00:14:54.06)

Module 4 - Email & Internet History Analysis

Module 4 is of vital importance to computer forensic investigations because almost every crime involves suspect email or Internet usage.  Both are primary malware attack vectors and can be maliciously used by social engineers.  Email analysis allows forensic analysts to recover all email sent and received (and often deleted) by a suspect, and it enables analysts to identify co-conspirators or criminal rings communicating with the suspect.  Internet activity analysis will show the analyst every website the suspect visited, files downloaded, web searches conducted, maps and directions searched for, chat rooms logged into, and much more.  People use the Internet for nearly every aspect of their lives and the Internet activity forensic analysis taught in Module 4 will allow an investigator to recreate these aspects and gain a deep understanding of their suspect.

In addition, this module introduces key concepts such as:

  • Web email recovery
  • Email header analysis
  • Base64 encoding
  • Chrome & Mozilla SQLite History database parsing
  • Recovery of History, Cache, Cookies, and Favorites/Bookmarks
  • URL obfuscation techniques

Lab #4 - Email Analysis

Lab #5 - Internet Activity Analysis

 

Module 4 Videos

Module 4_1 (Email Analysis).mp4   (00:07:19.51)

Module 4_2 (Host and Web based Email Extraction).mp4   (00:07:09.29)

Module 4_3 (Email Header Analyisis and Base64 Encoding).mp4   (00:07:02.00)

Module 4_4 (LAB 4 - Email Analysis).mp4   (00:20:22.39)

Module 4_5 (Internet Activity Analysis Introduction).mp4   (00:03:19.69)

Module 4_6 (Chrome and Firefox Analysis).mp4   (00:06:00.79)

Module 4_7 (Internet Explorer Analysis).mp4   (00:05:52.04)

Module 4_8 (Cookies, Cache, and IE Artifacts).mp4   (00:06:16.77)

Module 4_9 (URL Obfuscation).mp4   (00:07:09.20)

Module 4_10 (LAB5 - Internet Activity Analysis).mp4   (00:15:01.91)

Module 5 - Windows System Forensic Artifacts 1

Skilled computer forensic analysts do much more than just recover deleted files. They determine what hidden data exists (or previously existed) on a computer; they can determine if the data was accessed, what user accessed it, and at what time.  Forensic analysis will show if the suspect actually had knowledge of sensitive data and if they purposefully used it for their benefit.  IFCI teaches much more than basic data identification; we teach methods to determine how that data got on the computer, who accessed it and what they used it for.  Module 5 introduces the skills and techniques requisite to determine this information and how to interpret it.

In addition, this module introduces key concepts such as:

  • Timeline analysis and reconstruction
  • Recycle Bin reconstitution
  • User profiles and user activity attribution
  • Link file parsing and content interpretation

Lab #6 - Recycle Bin & INFO2 Analysis

Lab #7 - Link File Analysis

 

Module 5 Videos

Module 5_1 (Timeline Analysis).mp4   (00:12:59.70)

Module 5_2 (Time Zone Issues).mp4   (00:05:16.63)

Module 5_3 (Time Stamps).mp4   (00:08:12.87)

Module 5_4 (Nonstandard timestamps and timeline antiforensics).mp4   (00:07:14.14)

Module 5_5 (MAC Time Triangulation).mp4   (00:05:26.40)

Module 5_6 (User Attribution and Analysis).mp4   (00:07:40.10)

Module 5_7 (Recycle Bin Analysis).mp4   (00:08:10.13)

Module 5_8 (Lab6 - Recycle Bin Analysis).mp4   (00:13:44.61)

Module 5_9 (Link File Analysis).mp4   (00:05:51.11)

Module 5_10 (Other Locations of Interest).mp4   (00:02:54.59)

Module 5_11 (Lab 7 - Link File Analysis).mp4   (00:10:51.88)

Module 6 - Windows System Forensic Artifacts 2 & File Signature Analysis

Module 6 continues to teach the skills necessary to fully understand how a Windows system was used and if it contains indications of criminal activity.  Students will learn the skills necessary to create technical profiles of suspects and to report detailed suspect activity on the system.  Module 6 also introduces skills necessary to determine malware activity on victim computers, including methods to identify names, locations, indicators of compromise, and a deep understanding of when the malware was first executed and if it downloaded additional viruses or attempted to steal victim information. 

In addition, this module introduces key concepts such as:

  • Extracting latitude & longitude information from Exif data to determine the exact location where pictures were taken (potentially of key importance in kidnapping or child exploitation cases)
  • Recovering hidden and deleted picture files via Thumbs.db & Thumbcache.db analysis
  • Reconstructing program execution history via prefetch file analysis
  • Hard drive persistent RAM analysis using pagefile.sys and hiberfil.sys
  • Recovering previously deleted / wiped data via System Restore Point and Volume Shadow Copy analysis

Lab #8 - Prefetch File Analysis

Lab #9 - File Signature Analysis

Lab #10 - Exif Data Analysis

 

Module 6 Videos

Module 6_1 (Thumbs.db and Thumbcache Analysis).mp4   (00:05:38.83)

Module 6_2 (Prefetch File Analysis).mp4   (00:07:01.21)

Module 6_3 (Lab 8 - Prefetch File Analysis).mp4   (00:16:07.90)

Module 6_4 (Persistent RAM Files and System Restore Functions).mp4   (00:08:28.54)

Module 6_5 (File Signature Analysis).mp4   (00:07:03.14)

Module 6_6 (Lab 9 - File Signature Analysis).mp4   (00:10:10.80)

Module 6_7 (Metadata Analysis).mp4   (00:08:13.17)

Module 6_8 (Exif Data Analysis).mp4   (00:10:13.31)

Module 6_9 (Lab 10 - Exif Data Analysis).mp4   (00:13:53.06)

Module 7 - Windows System Logs & Registry Analysis

Windows computers automatically maintain internal databases and logs that contain vast and detailed information specific to both individual computer users and general system activity.  These databases, known as the Registry, can show what files specific users opened, what programs they ran, and website URLs that they typed into an Internet browser.  Other areas of the registry show what files existed on external USB devices plugged into the system and can identify every USB device ever used on that particular system.  This type of information can be vital to intellectual property theft and espionage cases where the investigator must know when and how valuable data left a certain organization.  Module 7 dives in-depth into the many forensic artifacts contained in the Registry, as well as the many different types of logs that Windows maintains on the system.

In addition, this module introduces key concepts such as:

  • Identifying attacking IP addresses via RDP logins in the Security Event log
  • Identifying malicious processes via Dr. Watson log analysis
  • Understanding and decoding basic Microsoft Registry encryption mechanisms
  • Autostart locations used by malware to survive system reboots

Lab #11 - Event Log Analysis

Lab #12 - Registry Analysis

 

Module 7 Videos

Module 7_1 (Windows Log Analysis).mp4   (00:04:57.96)

Module 7_2 (System and Application Event Log Analysis).mp4   (00:05:27.24)

Module 7_3 (Security Event Log Analysis).mp4   (00:05:47.53)

Module 7_4 (Dr Watson Logs).mp4   (00:03:19.06)

Module 7_5 (Lab 11 - Event Log Analysis).mp4   (00:10:11.54)

Module 7_6 (Introduction to the Windows Registry).mp4   (00:05:28.96)

Module 7_7 (Registry Analysis -USB Devices).mp4   (00:03:52.83)

Module 7_8 (Registry Analysis - NTUser_dat).mp4   (00:07:58.49)

Module 7_9 (Registry Analysis -NTUser_dat 2).mp4   (00:08:25.03)

Module 7_10 (Registry Analysis - Autostarts).mp4   (00:06:03.39)

Module 7_11 (Lab 12 - Registry Analysis).mp4   (00:12:14.47)

Module 8 - Introduction to Malware and Network Intrusions

Module 8 examines the process that hackers use to break into computer networks and what they do once inside.  This module looks at real-life historical cases to teach hacker motivations and how they use malware to steal, alter, and destroy data on victim computers.  Module 8 also describes various kinds of botnets and demonstrates the power under cybercriminals' control when they utilize a botnet to attack and take major corporations offline. This module describes attack vectors such as social engineering, phishing, rogue antivirus, and drive-by downloads.

In addition, this module introduces key concepts such as:

  • Malware propagation techniques 
  • Packers and Polymorphism 
  • Rootkit types and evolution

 

Module 8 Videos

Module 8_1 (The Hacking Process).mp4   (00:12:12.89)

Module 8_2 (Hacker Motivations).mp4   (00:15:00.19)

Module 8_3 (Hacker Strategies).mp4   (00:11:04.83)

Module 8_4 (Botnet Investigations).mp4   (00:07:01.30)

Module 8_5 (Drive-by Downloads).mp4   (00:05:07.20)

Module 8_6 (Malware Propagation).mp4   (00:06:35.99)

Module 8_7 (Polymorphism and Packers).mp4   (00:08:03.09)

Module 8_8 (Social Engineering).mp4   (00:10:14.86)

Module 8_9 (Rootkits).mp4   (00:06:05.44)

Module 9 - Network Data Analysis

Every communication on the Internet generates network log data, often in multiple locations.  Every time a user checks their email, visits a website, downloads a file, or launches a network attack, their IP address is saved to a log.  That evidence may be key to a cybercrime investigation, enabling an analyst to identify specific attacking individuals.  Module 9 teaches methods to identify and analyze this information and how to determine who is hiding behind suspect IP addresses.

In addition, this module introduces key concepts such as:

  • IPv4 & IPv6 addressing schemes
  • TCP & UDP communication protocols
  • Network ports and how they can be used by an attacker
  • HTTP data transfer and response code analysis
  • DNS usage and DNS poisoning
  • Network sniffers and scanners

Module 9 Videos

Module 9_1 (Network Data Evidence and IP Addressing).mp4   (00:06:50.64)

Module 9_2 (TCP and UDP Communication Protocols).mp4   (00:04:52.20)

Module 9_3 (Network Communication and Ports).mp4   (00:04:58.63)

Module 9_4 (HTTP Analysis and DNS Poisioning).mp4   (00:05:06.06)

Module 9_5 (Network Scanners and Sniffers).mp4   (00:02:55.01)

Module 10 - Cybercrime, Cyber Terror, & Cyber Espionage Investigations

The lines of demarcation between cybercrime, cyber terror and cyber espionage are no longer clear.  Nation states are using massive cyber attacks in conjunction with simultaneous physical attacks to paralyze their opponent’s ability to communicate or even use the Internet when their bombs begin to drop.

Furthermore, in some countries, the most sophisticated cyber-attack capabilities are controlled by the local cyber mafia, resulting in nation states working directly with their own cyber-criminal underground.  How does this affect cybercrime investigators' ability to pursue and prosecute international cybercrime?  Module 10 explores these topics in-depth.

Module 10 also studies how international cybercrime has evolved over the last 2 decades.  It is now a multibillion-dollar business and it is vitally important to understand how these organizations work.  For example, what does Target's loss of 110 million credit cards really mean?  How is this information transformed into real income for cybercriminals?  This process has become very sophisticated and will be taught in detail in Module 10.

In addition, this module introduces key concepts such as:

  • Bullet-proof hosters and how they hinder cybercrime investigations
  • How supply chain interdiction is used to poison hardware and network devices before they are even purchased by end-customers
  • Real-life methodologies for identifying and investigating malicious domains and IP addresses
  • An in-depth discussion of the Stuxnet malware, how it was used to physically attack a Nuclear Power Plant, and the implications this may hold for the future of cyberwar
  • A deep and technical discussion of Point-of-Sale attacks, like Target, and real methodologies to analyze this attack, identify & decode the data exfiltration containers and determine what credit cards were lost, and to identify the actual attackers.

Lab #13 - Online Investigations - Tracking Criminal Malicious Domains

 

Module 10 Videos

Module 10_1 (The Blurred Lines Between Cybercrime, Cyberwar, and Cyberespionage).mp4   (00:08:03.60)

Module 10_2 (The Intersection of Cybercrime and Cyberwar).mp4   (00:08:02.07)

Module 10_3 (Russian Organized Cybercrime).mp4   (00:15:45.56)

Module 10_4 (Supply Chain Interdiction).mp4   (00:04:45.47)

Module 10_5 (Criminal Domain Investigations).mp4   (00:06:54.89)

Module 10_6 (Domain and IP Address Investigation Tools).mp4   (00:08:30.63)

Module 10_7 (Lab 13 - Criminal Domain Investigations).mp4   (00:21:00.03)

Module 10_8 (Stuxnet).mp4   (00:10:14.84)

Module 10_9 (Point of Sale Server Attacks).mp4   (00:10:31.03)

Module 10_10 (Point of Sale Server- Malware).mp4   (00:08:28.17)

Module 10_11 (Point of Sale Server- Exfiltration).mp4   (00:03:46.56)

Module 10_12 (Point of Sale Server- Advanced Investigative Techniques).mp4   (00:07:14.03)

Module 11 - Volatile Memory Analysis

Volatile memory analysis is one of the most exciting and cutting edge developments in modern computer forensic cybercrime investigations.  This type of analysis requires the acquisition of live RAM running on a computer and enables investigators to extract a wide variety of information that can be vital to any investigation.  Module 11 teaches Volatile Memory Analysis using the open source tool, Volatility.  Volatility enables users to extract passwords, web chats, open and previously closed network connections, running processes, and so much more.  Often, skilled memory analysis can reduce the time of an investigation from weeks to minutes because the evidence is clearly and easily preserved in memory, for those who know how to extract it. This module will not only teach students to extract suspect information and user activity from volatile memory but also to identify malware, profile its capabilities, and extract it to the hard drive for additional analysis.

In addition, this module introduces key concepts such as:

  • Some malware is memory resident only and never touches the hard drive – Module 10 will teach how to identify and extract this kind of malware
  • Using ZeuS as an attack template, Module 10 walks students through a full analysis of a malicious attack on a victim computer
  • Using Yara rules to identify malware characteristics and classify them into families

Lab #14 - Using Volatile Memory Analysis to Identify Network Intrusions and Analyze Malware

 

Module 11 Videos

Module 11_1 (Volatile Memory Analysis Introduction).mp4   (00:09:21.27)

Module 11_2 (Volatility Introduction).mp4   (00:15:33.02)

Module 11_3 (Analyzing ZeuS Malware with Volatility).mp4   (00:09:09.24)

Module 11_4 (Malware Analysis Using Volatility).mp4   (00:05:38.06)

Module 11_5 (Malware Analysis Using Volatility 2).mp4   (00:08:06.06)

Module 11_6 (Volatility - Additional Capabilities).mp4   (00:04:43.56)

Module 11_7 (Lab 14_1 Volatile Memory Analysis of IRC Malware and VNC Attack).mp4   (00:16:14.56)

Module 11_8 (Lab 14_2 Volatile Memory Analysis of SilentBanker Malware).mp4   (00:10:53.48)

Module 12 - Dynamic Malware Analysis

Malware was designed to do something evil, but when you find it on your network you may have no idea why it's there, or what data it is trying to steal.  Dynamic malware analysis is simply setting up an environment where the malware can be executed and then watching everything it does to determine its purpose.

Module 12 teaches how to set up a dynamic malware analysis lab and the tools and techniques required to quickly and efficiently analyze malicious code. In addition, this module introduces key concepts such as:

  • The differences between static and dynamic malware analysis
  • Techniques to boot directly into forensic images
  • Full demonstrations of real-life malware analysis

Lab #15 - Basic IRC Trojan Malware Analysis

Lab #16 - Advanced Rootkit Malware Analysis

 

Module 12 Videos

Module 12_1 (Introduction to Dynamic Malware Analysis).mp4   (00:07:34.07)

Module 12_2 (Virtual Malware Analysis Environment Setup).mp4   (00:05:15.03)

Module 12_3 (Virtual Malware Analysis Environment Setup 2).mp4   (00:04:50.53)

Module 12_4 (IRC Malware Analysis).mp4   (00:06:16.02)

Module 12_5 (IRC Malware Analysis 2).mp4   (00:02:26.56)

Module 12_6 (Lab 15 - Basic Malware Analysis - IRC Bot).mp4   (00:15:11.87)

Module 12_7 (Lab 16-1 Advanced Malware Analysis - Rootkits).mp4   (00:08:12.10)

Module 12_8 (Lab 16-2 Advanced Malware Analysis - Rootkits).mp4   (00:18:13.00)

Module 12_9 (Lab 16-3 Advanced Malware Analyis - Rootkits).mp4   (00:08:50.47)

Module 12_10 (Lab 16-4 Advanced Malware Analysis - Rootkits).mp4   (00:06:24.60)

 
You will need WinRAR to unzip the lab files.
Copyright © 2014 cybercrimeinvestigators.com. All rights Reserved