EnCase Computer Forensics II

Inclusive of: Training Materials, Certificate and AM/PM Snack and Lunch) & 32 CPE Credit

Venue: Ground Flr. Unit 107 Beacon Plaza, Shaw Blvd. Cor. Ideal St. Mandaluyong City, Philippines

Level: Introductory  

Prerequisites: EnCase® Computer Forensics I. Advance preparation for this course is not required.

Delivery method: Group-Live & Instructor Led; English Language

Course Description: This hands-on course is designed for investigators with strong computer skills, prior computer forensics training, and experience using the EnCase forensic software. This course builds upon the skills covered in the EnCase Computer Forensics I course and enhances the examiner's ability to work efficiently through the use of the unique features of EnCase.

Students must understand evidence handling; the structure of the evidence file; creating and using case files; data acquisition methods including DOS based, hardware write protected, crossover cable and disk to disk; recovering deleted files and folders in a FAT environment; keyword searches across logical and physical media; creating and using EnCase bookmarks; file signatures and signature analysis; and locating and understanding Windows® artifacts.

Day 1

Day one starts with a brief review of working within the EnCase® Forensic v6 environment. Attendees then move on to study the Master Boot Record partitioning model, partition recovery, FAT folder structure, NTFS and FAT folder recovery. Instruction is then provided on the use of the EnCase® Virtual File System (VFS) Module and the EnCase® Physical Disk Emulator (PDE) Module. The attendees are shown how to use these technologies to accomplish tasks outside of the EnCase Forensic environment such as virus scanning and rebuilding the target operating system within a VMware environment. Day one finishes with intermediate-level instruction concerning NTFS and its most important metafile, the Master File Table (MFT).

Day 2

Day two begins with an examination of compound files. Their structures are explored and issues surrounding their examination are discussed in detail. Students move on to exploring a very important type of compound file structure, the Windows Registry hive file. They explore mounting and examining these files and are given instruction on the relationship of the hive files to the structure of the Registry in its on-line state. They then progress to examining the time zone information contained within the Registry, its importance to their case and how they apply it in EnCase Forensic. They then move on to using GREP and text-indexing functionality of EnCase Forensic in order to perform advanced searches. Day two concludes with instruction on how to use EnCase Forensic conditions and queries to filter in information of interest and filter out common data that is of no relevance to the investigation.

Day 3

Day three focuses upon specific analysis of common artifacts that often provide vital information to investigations. These specific areas reveal data that can provide a clearer indication of user activities. We will examine specific artifacts that the operating system creates through the user’s interaction with the computer. Students willexplore the methods that EnCase Forensic provides to examine common email files, Internet history and cache content, Internet bookmarks, print artifacts, as well as the function and content ofthe Windows Recycle Bin.

Day 4

Day four starts with instruction on the recovery and preservation of data from memory sticks, compact flash, XD cards and similar media. A review of the week’s work will reveal a significant volume of data within the class case folders. Students will explore methods to document, organize and prepare a professional, accurate and articulate final report.