Post on 31-Oct-2020

Page 1

CHFI 9.0 Syllabus

Module 01: Computer Forensics in Today's World 2 Hours - 7 Topics

Forensics Science (Day 1)

Computer Forensics (Day 1)

o Security Incident Report

o Aspects of Organizational Security

o Evolution of Computer Forensics

o Objective of Computer Forensics

o Need for Computer Forensics

Forensics Readiness (Day 1)

o Benefits of Forensics Readiness

o Goals of Forensics Readiness

o Forensics Readiness Planning

Cyber Crime (Day 1)

o Computer Facilitated Crimes

o Modes of Attacks

o Examples of Cyber Crime

o Types of Computer Crimes

o Cyber Criminals

o Organized Cyber Crime: Organizational Chart

o How Serious are Different Types of Incidents?

o Disruptive Incidents to the Business

o Cost Expenditure Responding to the Security Incident

Cyber Crime Investigation (Day 1)

o Key Steps in Forensics Investigation

o Rules of Forensics Investigation

o Need for Forensics Investigator

o Role of Forensics Investigator

o Accessing Computer Forensics Resources

o Role of Digital Evidence

Corporate Investigations (Day 1)

o Understanding Corporate Investigations

o Approach to Forensics Investigation: A Case Study

o Instructions for the Forensic Investigator to Approach the Crime Scene

o Why and When Do You Use Computer Forensics?

o Enterprise Theory of Investigation (ETI)

o Legal Issues

o Reporting the Results

Reporting a Cyber Crime (Day 1)

o Why You Should Report Cybercrime

o Reporting Computer-Related Crimes

o Person Assigned to Report the Crime


Page 2

o When and How to Report an Incident?

o Whom to Contact in Law Enforcement

o Federal Local Agents Contact

o More Contacts

o CIO Cyberthreat Report Form

Module 2: Computer Forensic Investigation; Understanding Hard Disks and File Systems 2 Hours - 3 Topics

Investigating Computer Crime (Day 2)

o Before the Investigation

o Build a Forensics Workstation

o Building the Investigation Team

o People Involved in Computer Forensics

o Review Policies and Laws

o Forensics Laws

o Notify Decision Makers and Acquire Authorization

o Risk Assessment

o Build a Computer Investigation Toolkit

Steps to Prepare for a Computer Forensics Investigation (Day 2)

Computer Forensics Investigation Methodology (Day 2)

o Obtain Search Warrant

Example of Search Warrant

Searches Without a Warrant

o Evaluate and Secure the Scene

Forensics Photography

Gather the Preliminary Information at the Scene

First Responder

o Collect the Evidence

Collect Physical Evidence

Evidence Collection Form

Collect Electronic Evidence

Guidelines for Acquiring Evidence

o Secure the Evidence

Evidence Management

Chain of Custody

Chain of Custody Form

o Acquire the Data

Duplicate the Data (Imaging)

Verify Image Integrity

MD5 Hash Calculators: HashCalc, MD5 Calculator and HashMyFiles

Recover Lost or Deleted Data

Data Recovery Software

o Analyze the Data

Data Analysis


Page 3

Data Analysis Tools

o Assess Evidence and Case

Evidence Assessment

Case Assessment

Processing Location Assessment

Best Practices to Assess the Evidence

o Prepare the Final Report

Documentation in Each Phase

Gather and Organize Information

Writing the Investigation Report

Sample Report

o Testifying as an Expert Witness

Expert Witness

Testifying in the Court Room

Closing the Case

Maintaining Professional Conduct

Investigating a Company Policy Violation

Computer Forensics Service Providers

Module 3: Data Acquisition and Duplication 2 Hours - 8 Topics

Data Acquisition and Duplication Concepts (Day 3)

o Data Acquisition

o Forensic and Procedural Principles

o Types of Data Acquisition Systems

o Data Acquisition Formats

o Bit Stream vs. Backups

o Why Create a Duplicate Image?

o Issues with Data Duplication

o Data Acquisition Methods

o Determining the Best Acquisition Method

o Contingency Planning for Image Acquisitions

o Data Acquisition Mistakes

Data Acquisition Types (Day 3)

o Rules of Thumb

o Static Data Acquisition

Collecting Static Data

Static Data Collection Process

o Live Data Acquisition

Why Is Volatile Data Important?

Volatile Data

Order of Volatility

Common Mistakes in Volatile Data Collection

Volatile Data Collection Methodology

Basic Steps in Collecting Volatile Data

Types of Volatile Information


Page 4

Disk Acquisition Tool Requirements (Day 3)

o Disk Imaging Tool Requirements

o Disk Imaging Tool Requirements: Mandatory

o Disk Imaging Tool Requirements: Optional

Validation Methods (Day 3)

o Validating Data Acquisitions

o Linux Validation Methods

o Windows Validation Methods

RAID Data Acquisition (Day 3)

o Understanding RAID Disks

o Acquiring RAID Disks

o Remote Data Acquisition

Acquisition Best Practices (Day 3)

o Acquisition Best Practices

Data Acquisition Software Tools (Day 3)

o Acquiring Data on Windows

o Acquiring Data on Linux

o dd Command

o dcfldd Command

o Extracting the MBR

o Netcat Command

o EnCase Forensic

o Analysis Software: DriveSpy

o ProDiscover Forensics

o AccessData FTK Imager

o Mount Image Pro

o Data Acquisition Toolbox

o SafeBack

o ILookPI

o RAID Recovery for Windows

o R-Tools R-Studio

o F-Response

o PyFlag

o LiveWire Investigator

o ThumbsDisplay

o DataLifter

o X-Ways Forensics

o R-drive Image

o DriveLook

o DiskExplorer

o P2 eXplorer Pro

o Flash Retriever Forensic Edition

Data Acquisition Hardware Tools (Day 3)

o US-LATT

o Image MASSter: Solo-4 (Super Kit)


Page 5

o Image MASSter: RoadMASSter-3

o Tableau TD1 Forensic Duplicator

o Logicube: Forensic MD5

o Logicube: Portable Forensic Lab™

o Logicube: Forensic Talon®

o Logicube: RAID I/O Adapter™

o DeepSpar: Disk Imager Forensic Edition

o Logicube: USB Adapter

o Disk Jockey PRO

o Logicube: Forensic Quest-2®

o Logicube: CloneCard Pro

o Logicube: EchoPlus

o Paraben Forensics Hardware: Chat Stick

o Image MASSter: Rapid Image 7020CS IT

o Digital Intelligence Forensic Hardware: UltraKit

o Digital Intelligence Forensic Hardware: UltraBay II

o Digital Intelligence Forensic Hardware: UltraBlock SCSI

o Digital Intelligence Forensic Hardware: HardCopy 3P

o Wiebetech: Forensics DriveDock v4

o Wiebetech: Forensics UltraDock v4

o Image MASSter: WipeMASSter

o Image MASSter: WipePRO

o Portable Forensic Systems and Towers: Forensic Air-Lite V MK III

o Forensic Tower IV Dual Xeon

o Digital Intelligence Forensic Hardware: FREDDIE

o DeepSpar: 3D Data Recovery

Phase 1 Tool: PC-3000 Drive Restoration System

Phase 2 Tool: DeepSpar Disk Imager

Phase 3 Tool: PC-3000 Data Extractor

o Logicube

Cables

Adapters

GPStamp™

OmniPort

CellDEK®

o Paraben Forensics Hardware

Project-a-Phone

Mobile Field Kit

iRecovery Stick

o CelleBrite

UFED System

UFED Physical Pro

Module 4: Volatile Memory Forensics 2 Hours - Day 4


Page 6

Module 5: Defeating Anti-forensic Techniques 4 Hours - Day 5 & 6

Module 6: Operating System Forensics 2 Hours - Day 7

Module 7: Windows Forensics 3 Hours - 13 Topics

Collecting Volatile Information (Day 8)

o Volatile Information

System Time

Logged-on Users

Psloggedon

Net Sessions Command

Logonsessions Tool

Open Files

Net File Command

PsFile Command

OpenFiles Command

Network Information

Network Connections

Process Information

Process-to-Port Mapping

Process Memory

Network Status

Other Important Information

Collecting Non-volatile Information (Day 8)

o Non-volatile Information

Examine File Systems

Registry Settings

Microsoft Security ID

Event Logs

Index.dat File

Devices and Other Information

Slack Space

Virtual Memory

Swap File

Windows Search Index

Collecting Hidden Partition Information

Hidden ADS Streams

Investigating ADS Streams: StreamArmor

Other Non-Volatile Information

Windows Memory Analysis (Day 8)

o Memory Dump

o EProcess Structure

o Process Creation Mechanism

o Parsing Memory Contents

o Parsing Process Memory


Page 7

o Extracting the Process Image

o Collecting Process Memory

Windows Registry Analysis (Day 8)

o Inside the Registry

o Registry Structure within a Hive File

o The Registry as a Log File

o Registry Analysis

o System Information

o TimeZone Information

o Shares

o Audit Policy

o Wireless SSIDs

o Autostart Locations

o System Boot

o User Login

o User Activity

o Enumerating Autostart Registry Locations

o USB Removable Storage Devices

o Mounted Devices

o Finding Users

o Tracking User Activity

o The UserAssist Keys

o MRU Lists

o Search Assistant

o Connecting to Other Systems

o Analyzing Restore Point Registry Settings

o Determining the Startup Locations

Cache, Cookie, and History Analysis (Day 8)

o Cache, Cookie, and History Analysis in IE

o Cache, Cookie, and History Analysis in Firefox

o Cache, Cookie, and History Analysis in Chrome

o Analysis Tools

IE Cookies View

IE Cache View

IE History Viewer

MozillaCookiesView

MozillaCacheView

MozillaHistoryView

ChromeCookiesView

ChromeCacheView

ChromeHistoryView

MD5 Calculation (Day 8)

o Message Digest Function: MD5

o Why MD5 Calculation?

o MD5 Hash Calculators: HashCalc, MD5 Calculator and HashMyFiles


Page 8

o MD5 Checksum Verifier

o ChaosMD5

Windows File Analysis (Day 8)

o Recycle Bin

o System Restore Points (Rp.log Files)

o System Restore Points (Change.log.x Files)

o Prefetch Files

o Shortcut Files

o Word Documents

o PDF Documents

o Image Files

o File Signature Analysis

o NTFS Alternate Data Streams

o Executable File Analysis

o Documentation Before Analysis

o Static Analysis Process

o Search Strings

o PE Header Analysis

o Import Table Analysis

o Export Table Analysis

o Dynamic Analysis Process

o Creating Test Environment

o Collecting Information Using Tools

o Process of Testing the Malware

Metadata Investigation (Day 8)

o Metadata

o Types of Metadata

o Metadata in Different File Systems

o Metadata in PDF Files

o Metadata in Word Documents

o Tool: Metadata Analyzer

Text Based Logs (Day 8)

o Understanding Events

o Event Logon Types

o Event Record Structure

o Vista Event Logs

o IIS Logs

Parsing IIS Logs

o Parsing FTP Logs

FTP sc-status Codes

o Parsing DHCP Server Logs

o Parsing Windows Firewall Logs

o Using the Microsoft Log Parser

Other Audit Events (Day 8)

o Evaluating Account Management Events


Page 9

o Examining Audit Policy Change Events

o Examining System Log Entries

o Examining Application Log Entries

Forensic Analysis of Event Logs (Day 9)

o Searching with Event Viewer

o Using EnCase to Examine Windows Event Log Files

o Windows Event Log Files Internals

Windows Password Issues (Day 9)

o Understanding Windows Password Storage

o Cracking Windows Passwords Stored on Running Systems

o Exploring Windows Authentication Mechanisms

LanMan Authentication Process

NTLM Authentication Process

Kerberos Authentication Process

o Sniffing and Cracking Windows Authentication Exchanges

o Cracking Offline Passwords

Forensic Tools (Day 9)

o Windows Forensics Tool: OS Forensics

o Windows Forensics Tool: Helix3 Pro

o Integrated Windows Forensics Software: X-Ways Forensics

o X-Ways Trace

o Windows Forensic Toolchest (WFT)

o Built-in Tool: Sigverif

o Computer Online Forensic Evidence Extractor (COFEE)

o System Explorer

o Tool: System Scanner

o SecretExplorer

o Registry Viewer Tool: Registry Viewer

o Registry Viewer Tool: RegScanner

o Registry Viewer Tool: Alien Registry Viewer

o MultiMon

o CurrProcess

o Process Explorer

o Security Task Manager

o PrcView

o ProcHeapViewer

o Memory Viewer

o Tool: PMDump

o Word Extractor

o Belkasoft Evidence Center

o Belkasoft Browser Analyzer

o Metadata Assistant

o HstEx

o XpoLog Center Suite

o LogViewer Pro


Page 10

o Event Log Explorer

o LogMeister

o ProDiscover Forensics

o PyFlag

o LiveWire Investigator

o ThumbsDisplay

o DriveLook

Module 8: Linux Forensics 1 Hour - Day 9

Module 9: Deleted File Recovery 1 Hour - Day 10

Module 10: Metadata Extraction 1 Hour - Day 10

Module 11: Event Log Analysis 1 Hour - Day 11

Module 12: Registry Analysis 1 Hour - Day 12

Module 13: Network Forensics 2 Hours - 7 Topics

Network Forensics (Day 12)

o Network Forensics

o Network Forensics Analysis Mechanism

o Network Addressing Schemes

o Overview of Network Protocols

o Overview of Physical and Data-Link Layer of the OSI Model

o Overview of Network and Transport Layer of the OSI Model

o OSI Reference Model

o TCP/IP Protocol

o Intrusion Detection Systems (IDS) and Their Placement

How IDS Works

Types of Intrusion Detection Systems

General Indications of Intrusions

o Firewall

o Honeypot

Network Attacks (Day 12)

o Network Vulnerabilities

o Types of Network Attacks

IP Address Spoofing

Man-in-the-Middle Attack

Packet Sniffing

How a Sniffer Works

Enumeration

Denial of Service Attack

Session Sniffing

Buffer Overflow


Page 11

Trojan Horse

Log Injection Attacks (Day 12)

o New Line Injection Attack

New Line Injection Attack Countermeasure

o Separator Injection Attack

Defending Separator Injection Attacks

o Timestamp Injection Attack

Defending Timestamp Injection Attacks

o Word Wrap Abuse Attack

Defending Word Wrap Abuse Attacks

o HTML Injection Attack

Defending HTML Injection Attacks

o Terminal Injection Attack

Defending Terminal Injection Attacks

Investigating and Analyzing Logs (Day 12)

o Postmortem and Real-Time Analysis

o Where to Look for Evidence

o Log Capturing Tool: ManageEngine EventLog Analyzer

o Log Capturing Tool: ManageEngine Firewall Analyzer

o Log Capturing Tool: GFI EventsManager

o Log Capturing Tool: Kiwi Syslog Server

o Handling Logs as Evidence

o Log File Authenticity

o Use Signatures, Encryption, and Checksums

o Work with Copies

o Ensure System’s Integrity

o Access Control

o Chain of Custody

o Condensing Log File

Investigating Network Traffic (Day 12)

o Why Investigate Network Traffic?

o Evidence Gathering via Sniffing

o Capturing Live Data Packets Using Wireshark

Display Filters in Wireshark

Additional Wireshark Filters

o Acquiring Traffic Using DNS Poisoning Techniques

Intranet DNS Spoofing (Local Network)

Intranet DNS Spoofing (Remote Network)

Proxy Server DNS Poisoning

DNS Cache Poisoning

o Evidence Gathering from ARP Table

o Evidence Gathering at the Data-Link Layer: DHCP Database

o Gathering Evidence by IDS

Traffic Capturing and Analysis Tools (Day 13)

o NetworkMiner


Page 12

o Tcpdump/Windump

o Intrusion Detection Tool: Snort

How Snort Works

o IDS Policy Manager

o MaaTec Network Analyzer

o Iris Network Traffic Analyzer

o NetWitness Investigator

o Colasoft Capsa Network Analyzer

o Sniff-O-Matic

o NetResident

o Network Probe

o NetFlow Analyzer

o OmniPeek Network Analyzer

o Firewall Evasion Tool: Traffic IQ Professional

o NetworkView

o CommView

o Observer

o SoftPerfect Network Protocol Analyzer

o EffeTech HTTP Sniffer

o Big-Mother

o EtherDetect Packet Sniffer

o Ntop

o EtherApe

o AnalogX Packetmon

o IEInspector HTTP Analyzer

o SmartSniff

o Distinct Network Monitor

o Give Me Too

o EtherSnoop

o Show Traffic

o Argus

Documenting the Evidence Gathered on a Network (Day 13)

Module 14: Investigating Web Attacks 2 Hours - 6 Topics

Introduction to Web Applications and Webservers (Day 13)

o Introduction to Web Applications

o Web Application Components

o How Web Applications Work

o Web Application Architecture

o Open Source Webserver Architecture

o Indications of a Web Attack

o Web Attack Vectors

o Why Web Servers are Compromised

o Impact of Webserver Attacks

o Website Defacement


Page 13

o Case Study

Web Logs (Day 13)

o Overview of Web Logs

o Application Logs

o Internet Information Services (IIS) Logs

IIS Webserver Architecture

IIS Log File Format

o Apache Webserver Logs

o DHCP Server Logs

Web Attacks (Day 13)

o Web Attacks - 1

o Web Attacks - 2

Unvalidated Input

Parameter/Form Tampering

Directory Traversal

Security Misconfiguration

Injection Flaws

SQL Injection Attacks

Command Injection Attacks

Command Injection Example

File Injection Attack

What is LDAP Injection?

How LDAP Injection Works

Hidden Field Manipulation Attack

Cross-Site Scripting (XSS) Attacks

How XSS Attacks Work

Cross-Site Request Forgery (CSRF) Attack

How CSRF Attacks Work

Web Application Denial-of-Service (DoS) Attack

Denial of Service (DoS) Examples

Buffer Overflow Attacks

Cookie/Session Poisoning

How Cookie Poisoning Works

Session Fixation Attack

Insufficient Transport Layer Protection

Improper Error Handling

Insecure Cryptographic Storage

Broken Authentication and Session Management

Unvalidated Redirects and Forwards

DMZ Protocol Attack / Zero-Day Attack

Log Tampering

URL Interpretation and Impersonation Attack

Web Services Attack

Web Services Footprinting Attack

Web Services XML Poisoning


Page 14

Webserver Misconfiguration

HTTP Response Splitting Attack

Web Cache Poisoning Attack

HTTP Response Hijacking

SSH Bruteforce Attack

Man-in-the-Middle Attack

Defacement Using DNS Compromise

Web Attack Investigation (Day 14)

o Investigating Web Attacks

o Investigating Web Attacks in Windows-Based Servers

o Investigating IIS Logs

o Investigating Apache Logs

o Example of FTP Compromise

o Investigating FTP Servers

o Investigating Static and Dynamic IP Addresses

o Sample DHCP Audit Log File

o Investigating Cross-Site Scripting (XSS)

o Investigating SQL Injection Attacks

o Pen-Testing CSRF Validation Fields

o Investigating Code Injection Attack

o Investigating Cookie Poisoning Attack

o Detecting Buffer Overflow

o Investigating Authentication Hijacking

o Web Page Defacement

o Investigating DNS Poisoning

o Intrusion Detection

o Security Strategies to Web Applications

o Checklist for Web Security

Web Attack Detection Tools (Day 14)

o Web Application Security Tools

Acunetix Web Vulnerability Scanner

Falcove Web Vulnerability Scanner

Netsparker

N-Stalker Web Application Security Scanner

Sandcat

Wikto

WebWatchBot

OWASP ZAP

SecuBat Vulnerability Scanner

Websecurify

HackAlert

WebCruiser

o Web Application Firewalls

dotDefender

IBM AppScan


Page 15

ServerDefender VP

o Web Log Viewers

Deep Log Analyzer

WebLog Expert

AlterWind Log Analyzer

Webalizer

eWebLog Analyzer

Apache Logs Viewer (ALV)

o Web Attack Investigation Tools

AWStats

Paros Proxy

Scrawlr

Tools for Locating IP Address (Day 14)

o Whois Lookup

o SmartWhois

o ActiveWhois

o LanWhois

o CountryWhois

o CallerIP

o Hide Real IP

o IP-Address Manager

o Pandora FMS

Module 15: Database Forensics 2 Hours - Day 14 & 15

Module 16: Cloud Forensics 2 Hours - Day 15 & 16

Module 17: Malware Forensics 2 Hours - Day 16 & 17

Module 18: Investigating Email Crimes 2 Hours - 6 Topics

Email System Basics (Day 17)

o Email Terminology

o Email System

o Email Clients

o Email Server

o SMTP Server

o POP3 and IMAP Servers

o Email Message

o Importance of Electronic Records Management

Email Crimes (Day 17)

o Email Crime

o Email Spamming

o Mail Bombing/Mail Storm

o Phishing

o Email Spoofing


Page 16

o Crime via Chat Room

o Identity Fraud/Chain Letter

Email Headers (Day 17)

o Examples of Email Headers

o List of Common Headers

Steps to Investigate (Day 18)

o Why Investigate Emails

o Investigating Email Crime and Violation

Obtain a Search Warrant and Seize the Computer and Email Account

Obtain a Bit-by-Bit Image of Email Information

Examine Email Headers

Viewing Email Headers in Microsoft Outlook

Viewing Email Headers in AOL

Viewing Email Headers in Hotmail

Viewing Email Headers in Gmail

Viewing Headers in Yahoo Mail

Forging Headers

Analyzing Email Headers

Email Header Fields

Received: Headers

Microsoft Outlook Mail

Examining Additional Files (.pst or .ost files)

Checking the Email Validity

Examine the Originating IP Address

Trace Email Origin

Tracing Back

Tracing Back Web-based Email

Acquire Email Archives

Email Archives

Content of Email Archives

Local Archive

Server Storage Archive

Forensic Acquisition of Email Archive

Recover Deleted Emails

Deleted Email Recovery

Email Forensics Tools (Day 18)

o Stellar Phoenix Deleted Email Recovery

o Recover My Email

o Outlook Express Recovery

o Zmeil

o Quick Recovery for MS Outlook

o Email Detective

o Email Trace - Email Tracking

o R-Mail


Page 17

o FINALeMAIL

o eMailTrackerPro

o Forensic Tool Kit (FTK)

o Paraben's Email Examiner

o Network Email Examiner by Paraben

o DiskInternals Outlook Express Repair

o Abuse.Net

o MailDetective Tool

Laws and Acts against Email Crimes (Day 18)

o U.S. Laws Against Email Crime: CAN-SPAM Act

o 18 U.S.C. § 2252A

o 18 U.S.C. § 2252B

o Email Crime Law in Washington: RCW 19.190.020

Module 19: Mobile Forensics 4 Hours - 6 Topics

Mobile Phone (Day 18)

o Mobile Phone

o Different Mobile Devices

o Hardware Characteristics of Mobile Devices

o Software Characteristics of Mobile Devices

o Components of Cellular Network

o Cellular Network

o Different Cellular Networks

Mobile Operating Systems (Day 18)

o Mobile Operating Systems

o Types of Mobile Operating Systems

o WebOS

WebOS System Architecture

o Symbian OS

Symbian OS Architecture

o Android OS

Android OS Architecture

o RIM BlackBerry OS

o Windows Phone 7

Windows Phone 7 Architecture

o Apple iOS

Mobile Forensics (Day 19)

o What Can a Criminal Do with Mobile Phones?

o Mobile Forensics

o Mobile Forensics Challenges

o Forensics Information in Mobile Phones

o Memory Considerations in Mobiles

o Subscriber Identity Module (SIM)

o SIM File System

o Integrated Circuit Card Identification (ICCID)


Page 18

o International Mobile Equipment Identifier (IMEI)

o Electronic Serial Number (ESN)

o Precautions to be Taken Before Investigation

Mobile Forensic Process (Day 19)

o Mobile Forensic Process

Collect the Evidence

Collecting the Evidence

Points to Remember while Collecting the Evidence

Collecting iPod/iPhone Connected with Computer

Document the Scene and Preserve the Evidence

Imaging and Profiling

Acquire the Information

Device Identification

Acquire Data from SIM Cards

Acquire Data from Unobstructed Mobile Devices

Acquire the Data from Obstructed Mobile Devices

Acquire Data from Memory Cards

Acquire Data from Synched Devices

Gather Data from Network Operator

Check Call Data Records (CDRs)

Gather Data from SQLite Record

Analyze the Information

Generate Report

Mobile Forensics Software Tools (Day 19)

o Oxygen Forensic Suite 2011

o MOBILedit! Forensic

o BitPim

o SIM Analyzer

o SIMCon

o SIM Card Data Recovery

o Memory Card Data Recovery

o Device Seizure

o SIM Card Seizure

o ART (Automatic Reporting Tool)

o iPod Data Recovery Software

o Recover My iPod

o PhoneView

o Elcomsoft Blackberry Backup Explorer

o Oxygen Phone Manager II

o Sanmaxi SIM Recoverer

o USIMdetective

o CardRecovery

o Stellar Phoenix iPod Recovery Software

o iCare Data Recovery Software

o Cell Phone Analyzer


Page 19

o iXAM

o BlackBerry Database Viewer Plus

o BlackBerry Signing Authority Tool

Mobile Forensics Hardware Tools (Day 19)

o Secure View Kit

o Deployable Device Seizure (DDS)

o Paraben's Mobile Field Kit

o PhoneBase

o XACT System

o Logicube CellDEK

o Logicube CellDEK TEK

o Radio Tactics ACESO

o UME-36Pro - Universal Memory Exchanger

o Cellebrite UFED System - Universal Forensic Extraction Device

o ZRT 2

o ICD 5200

o ICD 1300

Module 20: Report Writing and Presentation 2 Hours - Day 20