CHFI computer hacking forensic investigator certification all in one exam guide 1st edition


Document information

Copyright © 2015 by McGraw-Hill Education. All rights reserved. Except as permitted under the United States Copyright Act of 1976, no part of this publication may be reproduced or distributed in any form or by any means, or stored in a database or retrieval system, without the prior written permission of the publisher, with the exception that the program listings may be entered, stored, and executed in a computer system, but they may not be reproduced for publication.

ISBN: 978-0-07-183155-0
MHID: 0-07-183155-X

The material in this eBook also appears in the print version of this title: ISBN: 978-0-07-183156-7, MHID: 0-07-183156-8.

eBook conversion by codeMantra. Version 1.0.

All trademarks are trademarks of their respective owners. Rather than put a trademark symbol after every occurrence of a trademarked name, we use names in an editorial fashion only, and to the benefit of the trademark owner, with no intention of infringement of the trademark. Where such designations appear in this book, they have been printed with initial caps.

McGraw-Hill Education eBooks are available at special quantity discounts to use as premiums and sales promotions or for use in corporate training programs. To contact a representative, please visit the Contact Us page at www.mhprofessional.com.

All trademarks or copyrights mentioned herein are the possession of their respective owners and McGraw-Hill Education makes no claim of ownership by the mention of products that contain these marks.

Figure 4-2 courtesy of ErrantX. Figure 6-3 courtesy of Evan-Amos with permission granted under the terms of the Creative Commons Attribution-Share Alike 3.0 Unported license, http://creativecommons.org/licenses/by-sa/3.0/legalcode. Figure 10-6 courtesy of Viljo Viitanen. Figure 11-5 courtesy of Ale2006-from-en with permission granted under the terms of the Creative Commons Attribution-Share Alike 3.0 Unported license, https://creativecommons.org/licenses/by-sa/3.0/legalcode.

Information has been obtained by McGraw-Hill Education from sources believed to be reliable. However, because of the possibility of human or mechanical error by our sources, McGraw-Hill Education, or others, McGraw-Hill Education does not guarantee the accuracy, adequacy, or completeness of any information and is not responsible for any errors or omissions or the results obtained from the use of such information.

TERMS OF USE

This is a copyrighted work and McGraw-Hill Education and its licensors reserve all rights in and to the work. Use of this work is subject to these terms. Except as permitted under the Copyright Act of 1976 and the right to store and retrieve one copy of the work, you may not decompile, disassemble, reverse engineer, reproduce, modify, create derivative works based upon, transmit, distribute, disseminate, sell, publish or sublicense the work or any part of it without McGraw-Hill Education’s prior consent. You may use the work for your own noncommercial and personal use; any other use of the work is strictly prohibited. Your right to use the work may be terminated if you fail to comply with these terms.

THE WORK IS PROVIDED “AS IS.” MCGRAW-HILL EDUCATION AND ITS LICENSORS MAKE NO GUARANTEES OR WARRANTIES AS TO THE ACCURACY, ADEQUACY OR COMPLETENESS OF OR RESULTS TO BE OBTAINED FROM USING THE WORK, INCLUDING ANY INFORMATION THAT CAN BE ACCESSED THROUGH THE WORK VIA HYPERLINK OR OTHERWISE, AND EXPRESSLY DISCLAIM ANY WARRANTY, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO IMPLIED WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.

McGraw-Hill Education and its licensors do not warrant or guarantee that the functions contained in the work will meet your requirements or that its operation will be uninterrupted or error free. Neither McGraw-Hill Education nor its licensors shall be liable to you or anyone else for any inaccuracy, error or omission, regardless of cause, in the work or for any damages resulting therefrom. McGraw-Hill Education has no responsibility for the content of any information accessed through the work. Under no circumstances shall McGraw-Hill Education and/or its licensors be liable for any indirect, incidental, special, punitive, consequential or similar damages that result from the use of or inability to use the work, even if any of them has been advised of the possibility of such damages. This limitation of liability shall apply to any claim or cause whatsoever whether such claim or cause arises in contract, tort or otherwise.

DEDICATION

This book is dedicated to my wife, Helyn Pultz.

ABOUT THE AUTHOR

Charles Brooks, MsCIS, CISSP, CEH, CHFI, CTT+, CCNA, CWNA, CWSP, is a writer and educator with a background in IT that spans 30 years, with the last 15 years in information security and education. Since 1998, he has been involved in information security, first as a technical lead for the VPN Advantage IPsec-managed service at Genuity, Inc., and then as overall software architect for the project. At EMC, Charles developed and delivered computer-based and instructor-based training in general information security and storage security. At RSA, Charles developed courses in cloud security fundamentals, network analysis, and advanced analysis and forensics. He has written and contributed to several technical training books, as well as continued to develop graduate-level courses in network security, secure software development, software security testing, and securing virtualized and cloud infrastructures. Charles has taught at several colleges and technical institutes in the Greater Boston area, and currently teaches at Brandeis University in the Rabb School/GPS MSIS program, as well as facilitating online courses at Boston University. Charles is currently the owner/principal consultant at Security Technical Education.

About the Technical Editor

Bobby E. Rogers is an information security engineer working for a major hospital in the southeastern United States. His previous experience includes working as a contractor for Department of Defense agencies, helping to secure, certify, and accredit their information systems. His duties include information system security engineering, risk management, and certification and accreditation efforts. He retired after 21 years in the United States Air Force, serving as a network security engineer and instructor, and has secured networks all over the world. Bobby has a master’s degree in information assurance (IA), and is pursuing a doctoral degree in IA from Capitol College, Maryland. His many certifications include CompTIA A+, CompTIA Network+, CompTIA Security+, and CompTIA Mobility+ certifications, as well as CISSP-ISSEP, CEH, and MCSE: Security.

CONTENTS AT A GLANCE

• Chapter 1 Computer Forensics Today
• Chapter 2 The Nature of Digital Evidence
• Chapter 3 The Investigation Process
• Chapter 4 Computer Forensics Labs
• Chapter 5 Getting the Goods
• Chapter 6 Spinning Rust
• Chapter 7 Windows Forensics
• Chapter 8 Forensic Investigations
• Chapter 9 Network Forensics
• Chapter 10 Mobile Forensics
• Chapter 11 Attacking Applications
• Chapter 12 The Whole Truth, and Nothing But the Truth
• Appendix A Acronyms
• Appendix B About the Download
• Glossary
• Index

CONTENTS

• Acknowledgments
• Introduction
• Chapter 1 Computer Forensics Today
  • So What Is This Computer Forensics Business Anyway?
    • The History of Computer Forensics
    • Objectives and Benefits
    • Corporate vs. Criminal Investigations
  • The Forensics Investigator
  • Chapter Review
    • Questions
    • Answers
    • References
• Chapter 2 The Nature of Digital Evidence
  • What Is Digital Evidence?
  • Anti-Digital Forensics
  • Locard’s Exchange Principle
  • Federal Rules of Evidence (FRE)
    • Computer-Generated vs. Computer-Stored Records
    • Essential Data
    • Best Evidence
  • International Principles of Computer Evidence
  • International Organization on Computer Evidence
  • Scientific Working Group on Digital Evidence
  • Evidence Collection
  • IOCE Guidelines for Recovering Digital Forensic Evidence
  • The Scientific Method
  • Consider a Scenario
  • Exculpatory Evidence
  • Chapter Review
    • Questions
    • Answers
    • References
• Chapter 3 The Investigation Process
  • The Process Is Key
  • Overview
  • Before the Investigation
  • Preparing the Investigation
  • Seizing the Evidence
  • Analyzing the Evidence
  • Reporting and Testifying
  • Chapter Review
    • Questions
    • Answers
    • References
• Chapter 4 Computer Forensics Labs
  • What Services Are You Offering?
  • Staffing Requirements and Planning
  • Becoming Certified
  • Setting Up Your Lab
  • Physical Location Needs
  • Software Requirements
  • Hardware Requirements
  • Field Tools vs. ...

...

INDEX (excerpt, S through Z)

... feature phones, 232–233; iOS-based, 233–234; remote wipe feature, 38; as wireless access points, 41
SMEs (subject matter experts), 279
SMS (Short Message Service), 72, 230, 317
SMS chat, 317
SMTP (Simple Mail Transfer Protocol), 246, 257, 258
SMTP codes, 263–264
SMTP servers, 260–264
Smurf attacks, 204
sniffing, 204
social engineering, 166–167
sockets, 201
software requirements, 58–59
solid-state drives (SSDs), 3, 86, 96, 103
spam, 258
SPAN (switched port analysis) port, 208
sparse data copy, 81–82
spear phishing, 166, 205
spindle, 97, 98
“spinning rust,” 96
SPL (Search Processing Language), 219
Splunk tool, 219–220
spoliation, 81
spread spectrum techniques, 126
SQL injection, 248
SSDs (solid-state drives), 3, 86, 96, 103
SSIDs (service set identifiers), 211, 212
SSL (Secure Sockets Layer), 203
stalking, 6
static analysis, 137, 138
static data acquisition, 83–84
static discharge, 42
static file analysis, 153–154
statistical analysis, 128
steganalysis, 127
steganography, 124–128, 318. See also encryption
stegdetect tool, 130
stegokey, 127
Stoll, Clifford, 7
S-Tools suite, 130
storage area networks (SANs), 100
storage media. See also devices: archival, 84; Elastic Compute Cloud, 3, 4; forensically clean, 53, 314; Simple Storage Service, 3, 4; storing evidence, 57, 175; wiping, 318; write protection, 318
Stored Communications Act (SCA), 69, 70–71
Stored Wire and Electronic Communications Act, 5
strings command, 123
strings program, 153
striping, 104, 105
subdirectories, 119, 318
subject matter experts (SMEs), 279
subscriber identity module. See SIM
subscriber information, 70
Sun Solaris systems, 109
subpoenas, 71
surveillance, electronic, 70–72
swap space, 84
SWGDE (Scientific Working Group on Digital Evidence), 22–23
switched port analysis (SPAN) port, 208
syllable attacks, 165
SYN floods, 204
synchronization protocols, 318
syntactic steganography, 125
Sysinternals suite, 140–141, 145
system logs, 155, 216–217
system resources, 144

T
tablets, 234
TAC (type allocation code), 227
TAI (International Atomic Time), 218
tasklist command, 139, 145, 146
TCP (Transmission Control Protocol), 200–201
tcpdump tool, 208–209
TCP/IP (Transmission Control Protocol/Internet Protocol), 144
TCP/IP connections, 145
TDMA (Time Division Multiple Access), 226
teardrop attacks, 204
technical witness, 277–279
Technology Pathways, 180
Telnet, 246
temperature, 42
temporary file systems, 78, 84
temporary files, 78
terminology: acronyms, 297–307; glossary, 311–318
testdisk software, 118, 120
testimonial evidence, 288
testimony, 280–284. See also witnesses: best practices, 282–283; considerations, 280; in court, 47; cross-examination, 283; Daubert v. Merrell Dow Pharmaceuticals, Inc., 277–278; demeanor, 283; EC-Council Code of Ethics, 280–281; ethics and, 280–282; examination plan, 280; expert, 52; Frye v. United States, 277, 278; how to testify, 282–284; other proceedings, 283–284; principles, 277–278; prior to trial, 282–283; professionalism, 283; during trial, 283; visual aids, 280
testimony preservation depositions, 284
The Onion Router (Tor), 205
The Sleuth Kit (TSK), 109–111, 173, 219
theft, identity, 4, 6, 198
threads, 144, 318
three-letter acronym (TLA), 285
threshold reports, 46, 276
Tier 1 software, 191
Tier 2 software, 190, 191
Tier 3 software, 191
TIF files, 121
TIF format, 121
Time Division Multiple Access (TDMA), 226
time service, 218
time synchronization, 218
TimeMachine, 118
timestamp injection attacks, 216
Timestomp program, 4
Title III, 72
TLA (three-letter acronym), 285
TLS (Transport Layer Security), 203
TLS/SSL encryption, 211
“Tommy Boy” principle, 3
Tor (The Onion Router), 205
Total Tester, 309–310
trace evidence, 17–18
traceroute program, 252
tracert command, 252
tracks, 97, 98
Transmission Control Protocol (TCP), 200–201
Transmission Control Protocol/Internet Protocol. See TCP/IP
transport layer protocols, 203
Transport Layer Security (TLS), 203
trials. See also court cases: conflicts of interest, 282; phases of, 282–284; testimony, see testimony; witnesses, see witnesses
TRIM command, 103
TrueCrypt files, 16
Tshark tool, 209
TSK (The Sleuth Kit), 109–111, 173, 219
type allocation code (TAC), 227

U
UDP (User Datagram Protocol), 200–201
UEFI (Unified Extensible Firmware Interface), 114
UICC (universal integrated circuit card), 227, 228, 318
UMTS (Universal Mobile Telecommunications System), 318
UMTS Subscriber Identity Module (USIM), 318
unallocated space, 99
unauthorized usage, 281
Undelete software, 120
underground communities, 281
Unified Extensible Firmware Interface (UEFI), 114
Uniform Resource Locators (URLs), 249
uninterruptible power supply (UPS), 58
universal integrated circuit card (UICC), 227, 228, 318
Universal Mobile Telecommunications System (UMTS), 318
Universal Serial Bus. See USB
UNIX systems: BSD UNIX, 115, 216; software requirements, 58; versions, 58
UPS (uninterruptible power supply), 58
URLs (Uniform Resource Locators), 249
U.S. Constitution, 5
U.S. Federal Rules of Evidence, 5
U.S. statutory laws, 5
USB (Universal Serial Bus), 99, 318
USB cables/connectors, 236
USB devices, 99, 102, 112
USB drives, 102, 112
USB hubs, 99
USB stick, 97
User Datagram Protocol (UDP), 200–201
users: changes to, 255; logged-in, 145, 217
USIM (UMTS Subscriber Identity Module), 318
UTC (Coordinated Universal Time), 218

V
validation, 85
vector graphics, 120
vector quantization, 122
VERIS (Vocabulary for Event Recording and Incident Sharing), 5
victimology, 276
victims, 205, 206, 276
video files, 126
virtual machines (VMs), 35, 116, 154
virtualization platforms, 35
virtualization technology, 3
Vistumbler, 213, 214
VMFS for VMware, 3
VMs (virtual machines), 35, 116, 154
VMware, 3
Vocabulary for Event Recording and Incident Sharing (VERIS), 5
volatile data, 78, 84–85, 138, 142–149, 318
volatile memory, 318
Volatility framework, 149
Volume Shadow, 118
volumes, 100–101, 315
vulnerabilities: host systems, 205; N-day, 138; networks, 203; zero-day, 138
vulnerability assessment, 6

W
WAF (web application firewalls), 202, 247, 250, 251
WAP (Wireless Application Protocol), 318
WAPs (wireless access points), 41, 199
warning events, 158
warrants, 38, 52, 66–70, 71
water damage, 56, 57
watering hole attacks, 205
watermarking, 126, 127
web application firewalls (WAF), 202, 247, 250, 251
web applications, 247–256: defined, 247; investigating breaches, 255–256; log files, 253–255; mounting attacks on, 247–249; protecting, 250–253; security, 250; web tools, 250–253
web browsers: browsing history, 69; cache, 154; considerations, 154; cookies, 154, 155; history analysis, 154, 155; passwords, 164
web pages: cached, 154; cookies, 154, 155; defacement, 247; phishing and, 258
web servers: attacks on, 247; considerations, 247; investigating breaches, 255–256; log files, 253–255
web services, 3, 4
web sites: cookies, 154, 155; history list, 155; passwords for, 169; recently visited, 150
web tools, 250–253
web-based attacks, 246–256
WEP keys, 212
WEP (Wired Equivalent Privacy) protocol, 212
whaling, 205
white hats, 179
who, what, when, where, why, and how (5WH), 5, 34, 38
whois lookups, 252, 253
whois software, 252
Wi-Fi (wireless fidelity), 318
window shade case, 124
Windows Boot Manager (bootmgr), 114
Windows CE (Compact Edition) OS, 232
Windows Encrypting File System (EFS), 182
Windows Event Viewer, 160
Windows file analysis, 151–152
Windows Firewall logs, 157–158
Windows LogParser.exe software, 159–160
Windows native commands, 140, 141
Windows Pocket PC, 232
Windows registry. See registry entries
Windows Registry hive, 182
Windows System Control Center (WSCC), 141–142, 143
Windows systems, 137–172: acquiring data on, 87; acquisition validation, 85; boot process, 112–114; command-line programs, 139–140; deleted files and, 118–119; file systems, 106–107, 118–119; forensic investigation of, 150–155; forensics analysis, 139–160; forensics tools, 140–142, 143, 159–160; live investigations, 142–150; log files, 155–159, 214; memory, 148–149; memory dumps, 148–149; nonvolatile data, 138, 149–150; password cracking, 160–168; password guidelines/tips, 162–164; password storage, 159; PowerShell, 139, 140, 143–144; processes, 144; recovery tools, 120; registry, see registry entries; shutdown procedures, 79; software requirements, 58; versions, 58, 112–114, 139; volatile data, 84–85, 138, 142–149
Windows Vista systems, 114
Windows XP boot process, 113, 114
Windows XP Service Pack 3, 113
WinHex editor, 153
WinHex Forensics, 180
WinHex tools, 88
winload.exe, 114
wiping media/devices, 38, 53, 318
Wired Equivalent Privacy (WEP) protocol, 212
wired networks, 198–210
wireless access points (WAPs), 41, 199
Wireless Application Protocol (WAP), 318
wireless encryption, 212
wireless fidelity (Wi-Fi), 318
wireless forensics, 212–214
wireless local area networks (WLANs), 211
wireless networks, 210–214: ad hoc, 211; blocking, 60; considerations, 210–211; encryption, 212; enterprise, 211; mobile devices, 235
Wi-Fi Protected Access. See WPA
Wireshark network protocol analyzer, 154
Wireshark sniffer, 209
Wiretap Act, 5
wiretapping, 5, 72, 236
witnesses, 276–284: conditions, 278–279; considerations, 52, 72, 276–277; preliminary interview, 76; qualifications, 278–279; reports, 279; role of, 276; vs. subject matter experts, 279; technical vs. expert, 277–279; testimony, see testimony
WLANs (wireless local area networks), 211
workplace searches, 68–69
workspaces, 57
workstations. See forensics workstations
World Wide Web (WWW), 246
World Wide Web Consortium (W3C) logfile format, 253–255
WORM (write-once, read-many) devices, 215
WPA (Wi-Fi Protected Access), 212
WPA-2 standard, 211, 212
write protection, 318
write-blockers, 60, 318
write-once, read-many (WORM) devices, 215
WSCC (Windows System Control Center), 141–142, 143
WWW (World Wide Web), 246

X
Xen hypervisor, 3
XML (Extensible Markup Language), 155, 156
xor function, 104
XSS (cross-site scripting) attacks, 248
X-Ways WinHex Forensics, 58–59

Z
zero-day vulnerabilities, 138
Zettabyte File System (ZFS), 109
ZFS (Zettabyte File System), 109

LICENSE AGREEMENT

THIS PRODUCT (THE “PRODUCT”) CONTAINS PROPRIETARY SOFTWARE, DATA AND INFORMATION (INCLUDING DOCUMENTATION) OWNED BY McGRAW-HILL EDUCATION AND ITS LICENSORS. YOUR RIGHT TO USE THE PRODUCT IS GOVERNED BY THE TERMS AND CONDITIONS OF THIS AGREEMENT.

LICENSE: Throughout this License Agreement, “you” shall mean either the individual or the entity whose agent opens this package. You are granted a nonexclusive and non-transferable license to use the Product subject to the following terms:

(i) If you have licensed a single user version of the Product, the Product may only be used on a single computer (i.e., a single CPU). If you licensed and paid the fee applicable to a local area network or wide area network version of the Product, you are subject to the terms of the following subparagraph (ii).

(ii) If you have licensed a local area network version, you may use the Product on unlimited workstations located in one single building selected by you that is served by such local area network. If you have licensed a wide area network version, you may use the Product on unlimited workstations located in multiple buildings on the same site selected by you that is served by such wide area network; provided, however, that any building will not be considered located in the same site if it is more than five (5) miles away from any building included in such site. In addition, you may only use a local area or wide area network version of the Product on one single server. If you wish to use the Product on more than one server, you must obtain written authorization from McGraw-Hill Education and pay additional fees.

(iii) You may make one copy of the Product for back-up purposes only and you must maintain an accurate record as to the location of the back-up at all times.

COPYRIGHT; RESTRICTIONS ON USE AND TRANSFER: All rights (including copyright) in and to the Product are owned by McGraw-Hill Education and its licensors. You are the owner of the enclosed disc on which the Product is recorded. You may not use, copy, decompile, disassemble, reverse engineer, modify, reproduce, create derivative works, transmit, distribute, sublicense, store in a database or retrieval system of any kind, rent or transfer the Product, or any portion thereof, in any form or by any means (including electronically or otherwise) except as expressly provided for in this License Agreement. You must reproduce the copyright notices, trademark notices, legends and logos of McGraw-Hill Education and its licensors that appear on the Product on the back-up copy of the Product which you are permitted to make hereunder. All rights in the Product not expressly granted herein are reserved by McGraw-Hill Education and its licensors.

TERM: This License Agreement is effective until terminated. It will terminate if you fail to comply with any term or condition of this License Agreement. Upon termination, you are obligated to return to McGraw-Hill Education the Product together with all copies thereof and to purge all copies of the Product included in any and all servers and computer facilities.

DISCLAIMER OF WARRANTY: THE PRODUCT AND THE BACK-UP COPY ARE LICENSED “AS IS.” McGRAW-HILL EDUCATION, ITS LICENSORS AND THE AUTHORS MAKE NO WARRANTIES, EXPRESS OR IMPLIED, AS TO THE RESULTS TO BE OBTAINED BY ANY PERSON OR ENTITY FROM USE OF THE PRODUCT, ANY INFORMATION OR DATA INCLUDED THEREIN AND/OR ANY TECHNICAL SUPPORT SERVICES PROVIDED HEREUNDER, IF ANY (“TECHNICAL SUPPORT SERVICES”). McGRAW-HILL EDUCATION, ITS LICENSORS AND THE AUTHORS MAKE NO EXPRESS OR IMPLIED WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE OR USE WITH RESPECT TO THE PRODUCT. McGRAW-HILL EDUCATION, ITS LICENSORS, AND THE AUTHORS MAKE NO GUARANTEE THAT YOU WILL PASS ANY CERTIFICATION EXAM WHATSOEVER BY USING THIS PRODUCT. NEITHER McGRAW-HILL EDUCATION, ANY OF ITS LICENSORS NOR THE AUTHORS WARRANT THAT THE FUNCTIONS CONTAINED IN THE PRODUCT WILL MEET YOUR REQUIREMENTS OR THAT THE OPERATION OF THE PRODUCT WILL BE UNINTERRUPTED OR ERROR FREE. YOU ASSUME THE ENTIRE RISK WITH RESPECT TO THE QUALITY AND PERFORMANCE OF THE PRODUCT.

LIMITED WARRANTY FOR DISC: To the original licensee only, McGraw-Hill Education warrants that the enclosed disc on which the Product is recorded is free from defects in materials and workmanship under normal use and service for a period of ninety (90) days from the date of purchase. In the event of a defect in the disc covered by the foregoing warranty, McGraw-Hill Education will replace the disc.

LIMITATION OF LIABILITY: NEITHER McGRAW-HILL EDUCATION, ITS LICENSORS NOR THE AUTHORS SHALL BE LIABLE FOR ANY INDIRECT, SPECIAL OR CONSEQUENTIAL DAMAGES, SUCH AS BUT NOT LIMITED TO, LOSS OF ANTICIPATED PROFITS OR BENEFITS, RESULTING FROM THE USE OR INABILITY TO USE THE PRODUCT EVEN IF ANY OF THEM HAS BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES. THIS LIMITATION OF LIABILITY SHALL APPLY TO ANY CLAIM OR CAUSE WHATSOEVER WHETHER SUCH CLAIM OR CAUSE ARISES IN CONTRACT, TORT, OR OTHERWISE. Some states do not allow the exclusion or limitation of indirect, special or consequential damages, so the above limitation may not apply to you.

U.S. GOVERNMENT RESTRICTED RIGHTS: Any software included in the Product is provided with restricted rights subject to subparagraphs (c), (1) and (2) of the Commercial Computer Software-Restricted Rights clause at 48 C.F.R. 52.227-19. The terms of this Agreement applicable to the use of the data in the Product are those under which the data are generally made available to the general public by McGraw-Hill Education. Except as provided herein, no reproduction, use, or disclosure rights are granted with respect to the data included in the Product and no right to modify or create derivative works from any such data is hereby granted.

GENERAL: This License Agreement constitutes the entire agreement between the parties relating to the Product. The terms of any Purchase Order shall have no effect on the terms of this License Agreement. Failure of McGraw-Hill Education to insist at any time on strict compliance with this License Agreement shall not constitute a waiver of any rights under this License Agreement. This License Agreement shall be construed and governed in accordance with the laws of the State of New York. If any provision of this License Agreement is held to be contrary to law, that provision will be enforced to the maximum extent permissible and the remaining provisions will remain in full force and effect.

...

• Chapter 7 Windows Forensics
  • Windows Forensics Analysis
  • Live Investigations: Volatile Information
  • Live Investigations: Nonvolatile Information
  • Forensic Investigation of a Windows System
  • Windows Log Analysis
...
  • Generating the Report
  • Choosing the Proper Forensic Software
  • Forensic Investigations Using FTK
    • Installation and Configuration
    • Creating the Case and Adding Data
    • Analyzing the Data
    • Generating the Report
...

This book covers the exam objectives for EC-Council’s Computer Hacking Forensic Investigator (CHFI) v8 certification examination. Each chapter covers specific objectives and details for the exam. EC-Council has defined 22 areas of

Posted: 16/05/2019, 09:39


Table of Contents

  • Title
  • Copyright Page
  • Dedication
  • About the Author
  • Contents at a Glance
  • Contents
  • Acknowledgments
  • Introduction
  • Chapter 1 Computer Forensics Today
    • So What Is This Computer Forensics Business Anyway?
      • The History of Computer Forensics
      • Objectives and Benefits
      • Corporate vs. Criminal Investigations
    • The Forensics Investigator
    • Chapter Review
      • Questions
      • Answers
      • References
  • Chapter 2 The Nature of Digital Evidence
    • What Is Digital Evidence?
    • Anti-Digital Forensics
    • Locard’s Exchange Principle
    • Federal Rules of Evidence (FRE)
      • Computer-Generated vs. Computer-Stored Records
      • Essential Data
      • Best Evidence
