​​​​​​​​​​​​​​​​​​​​​​​C|HFI V11 Course Objectives:

• Perform incident response and forensics.

• Conduct electronic evidence collection.

• Perform digital forensic acquisitions.

• Perform bit-stream imaging/acquisition of digital media seized during an investigation.

• Examine and analyze text, graphics, multimedia, and digital images.

• Conduct examinations of hard drives and other data storage media.

• Recover information and data from hard drives and other storage devices.

• Follow strict data and evidence handling procedures.

• Maintain audit trails and chain-of-custody while ensuring evidence integrity.

• Conduct technical examinations, analysis, and reporting of computer-based evidence.

• Prepare and maintain case files.

• Use forensic tools and investigation methods to find electronic data, including internet usage history, word processing documents, images, and other files.

• Gather volatile and non-volatile information from Windows, MAC, and Linux.

• Recover deleted files and partitions on Windows, Mac OS X, and Linux.

• Perform keyword searches, including the use of targeted words or phrases.

• Investigate events for evidence of threats or attacks.

• Assist in generating incident reports and others.

• Investigate and analyze all cyber incident response-related activities.

• Plan, coordinate, and direct recovery activities and incident analysis tasks.

• Examine available information and supporting evidence or artifacts related to an incident/event.

• Collect data using forensic technology methods following evidence handling procedures, including gathering printed and electronic documents.

• Perform reverse engineering on known and suspected malware files.

• Conduct detailed data analysis and evidence of activity to assess all circumstances and implications of the event.

• Identify data, images, and/or activities that may be the subject of an internal investigation.

• Establish threat intelligence and key learning points to support proactive profiling and scenario modeling.

• Search slack space where PC-type technologies are employed.

• View MAC (Modify, Access, Create) files as evidence of access and event sequences.

• Examine file types and file header information.

• Review email communications, including webmail and instant messaging programs.

• Examine internet browsing history.

• Generate reports that detail the approach and a chain of custody documenting actions taken to support the integrity of the internal investigation process.

• Recover active, system, and hidden files with date/time stamp information.

• Crack (or attempt to crack) password-protected files.

• Perform anti-forensics detection.

• Maintain awareness and follow laboratory evidence handling, examination, and security policies and procedures.

• Act as a first responder, securing and assessing a cybercrime scene, conducting preliminary interviews, documenting the crime scene, collecting and preserving, packaging, and transporting electronic evidence, reporting the crime scene.

• Perform post-intrusion analysis of media, determining who, where, what, when, and how the intrusion occurred.

• Apply advanced forensic tools and attack reconstruction techniques.

• Perform basic forensic activities and establish a foundation for advanced forensics.

• Identify and verify the possible origin/source of an incident.

• Perform event correlation.

• Extract and analyze logs from devices such as proxies, firewalls, IPSes, IDSes, desktops, laptops, servers, SIM tools, routers, switches, AD servers, DHCP servers, Access Control Systems.

• Ensure confidentiality regarding the incident, suspect weaknesses, malfunction, and deviation.

• Assist in preparing search warrants, court orders, and subpoenas.

• Provide expert testimony in support of forensic examinations conducted by the examiner.