EnCase Computer Forensics -- The Official EnCE: EnCase Certified Examiner Study Guide

About the Book

The official, Guidance Software-approved book on the newest EnCE exam! The EnCE exam tests that computer forensic analysts and examiners have thoroughly mastered computer investigation methodologies, as well as the use of Guidance Software's EnCase Forensic 7. The only official Guidance-endorsed study guide on the topic, this book prepares you for the exam with extensive coverage of all exam topics, real-world scenarios, hands-on exercises, up-to-date legal information, and sample evidence files, flashcards, and more.

  • Guides readers through preparation for the newest EnCase Certified Examiner (EnCE) exam
  • Prepares candidates for both Phase 1 and Phase 2 of the exam, as well as for practical use of the certification
  • Covers identifying and searching hardware and file systems, handling evidence on the scene, and acquiring digital evidence using EnCase Forensic 7
  • Includes hands-on exercises, practice questions, and up-to-date legal information
  • Sample evidence files, Sybex Test Engine, electronic flashcards, and more

If you're preparing for the new EnCE exam, this is the study guide you need.

Table of Contents:
Introduction
Assessment Test

Chapter 1: Computer Hardware
  • Computer Hardware Components
  • The Boot Process
  • Partitions
  • File Systems
  • Summary
  • Exam Essentials
  • Review Questions

Chapter 2: File Systems
  • FAT Basics
  • The Physical Layout of FAT
  • Viewing Directory Entries Using EnCase
  • The Function of FAT
  • NTFS Basics
  • CD File Systems
  • exFAT
  • Summary
  • Exam Essentials
  • Review Questions

Chapter 3: First Response
  • Planning and Preparation
  • The Physical Location
  • Personnel
  • Computer Systems
  • What to Take with You Before You Leave
  • Search Authority
  • Handling Evidence at the Scene
  • Securing the Scene
  • Recording and Photographing the Scene
  • Seizing Computer Evidence
  • Bagging and Tagging
  • Summary
  • Exam Essentials
  • Review Questions

Chapter 4: Acquiring Digital Evidence
  • Creating EnCase Forensic Boot Disks
  • Booting a Computer Using the EnCase Boot Disk
  • Seeing Invisible HPA and DCO Data
  • Other Reasons for Using a DOS Boot
  • Steps for Using a DOS Boot
  • Drive-to-Drive DOS Acquisition
  • Steps for Drive-to-Drive DOS Acquisition
  • Supplemental Information About Drive-to-Drive DOS Acquisition
  • Network Acquisitions
  • Reasons to Use Network Acquisitions
  • Understanding Network Cables
  • Preparing an EnCase Network Boot Disk
  • Preparing an EnCase Network Boot CD
  • Steps for Network Acquisition
  • FastBloc/Tableau Acquisitions
  • Available FastBloc Models
  • FastBloc 2 Features
  • Steps for Tableau (FastBloc) Acquisition
  • FastBloc SE Acquisitions
  • About FastBloc SE
  • Steps for FastBloc SE Acquisitions
  • LinEn Acquisitions
  • Mounting a File System as Read-Only
  • Updating a Linux Boot CD with the Latest Version of LinEn
  • Running LinEn
  • Steps for LinEn Acquisition
  • Enterprise and FIM Acquisitions
  • EnCase Portable
  • Helpful Hints
  • Summary
  • Exam Essentials
  • Review Questions

Chapter 5: EnCase Concepts
  • EnCase Evidence File Format
  • CRC, MD5, and SHA-1
  • Evidence File Components and Function
  • New Evidence File Format
  • Evidence File Verification
  • Hashing Disks and Volumes
  • EnCase Case Files
  • EnCase Backup Utility
  • EnCase Configuration Files
  • Evidence Cache Folder
  • Summary
  • Exam Essentials
  • Review Questions

Chapter 6: EnCase Environment
  • Home Screen
  • EnCase Layout
  • Creating a Case
  • Tree Pane Navigation
  • Table Pane Navigation
  • Table View
  • Gallery View
  • Timeline View
  • Disk View
  • View Pane Navigation
  • Text View
  • Hex View
  • Picture View
  • Report View
  • Doc View
  • Transcript View
  • File Extents View
  • Permissions View
  • Decode View
  • Field View
  • Lock Option
  • Dixon Box
  • Navigation Data (GPS)
  • Find Feature
  • Other Views and Tools
  • Conditions and Filters
  • EnScript
  • Text Styles
  • Adjusting Panes
  • Other Views
  • Global Views and Settings
  • EnCase Options
  • Summary
  • Exam Essentials
  • Review Questions

Chapter 7: Understanding, Searching For, and Bookmarking Data
  • Understanding Data
  • Binary Numbers
  • Hexadecimal
  • Characters
  • ASCII
  • Unicode
  • EnCase Evidence Processor
  • Searching for Data
  • Creating Keywords
  • GREP Keywords
  • Starting a Search
  • Viewing Search Hits and Bookmarking Your Findings
  • Bookmarking
  • Summary
  • Exam Essentials
  • Review Questions

Chapter 8: File Signature Analysis and Hash Analysis
  • File Signature Analysis
  • Understanding Application Binding
  • Creating a New File Signature
  • Conducting a File Signature Analysis
  • Hash Analysis
  • MD5 Hash
  • Hash Sets and Hash Libraries
  • Hash Analysis
  • Summary
  • Exam Essentials
  • Review Questions

Chapter 9: Windows Operating System Artifacts
  • Dates and Times
  • Time Zones
  • Windows 64-Bit Time Stamp
  • Adjusting for Time Zone Offsets
  • Recycle Bin
  • Details of Recycle Bin Operation
  • The INFO2 File
  • Determining the Owner of Files in the Recycle Bin
  • Files Restored or Deleted from the Recycle Bin
  • Using an EnCase Evidence Processor to Determine the Status of Recycle Bin Files
  • Recycle Bin Bypass
  • Windows Vista/Windows 7 Recycle Bin
  • Link Files
  • Changing the Properties of a Shortcut
  • Forensic Importance of Link Files
  • Using the Link File Parser
  • Windows Folders
  • Recent Folder
  • Desktop Folder
  • My Documents/Documents
  • Send To Folder
  • Temp Folder
  • Favorites Folder
  • Windows Vista Low Folders
  • Cookies Folder
  • History Folder
  • Temporary Internet Files
  • Swap File
  • Hibernation File
  • Print Spooling
  • Legacy Operating System Artifacts
  • Windows Volume Shadow Copy
  • Windows Event Logs
  • Kinds of Information Available in Event Logs
  • Determining Levels of Auditing
  • Windows Vista/7 Event Logs
  • Using the Windows Event Log Parser
  • For More Information
  • Summary
  • Exam Essentials
  • Review Questions

Chapter 10: Advanced EnCase
  • Locating and Mounting Partitions
  • Mounting Files
  • Registry
  • Registry History
  • Registry Organization and Terminology
  • Using EnCase to Mount and View the Registry
  • Registry Research Techniques
  • EnScript and Filters
  • Running EnScripts
  • Filters and Conditions
  • Email
  • Base64 Encoding
  • EnCase Decryption Suite
  • Virtual File System (VFS)
  • Restoration
  • Physical Disk Emulator (PDE)
  • Putting It All Together
  • Summary
  • Exam Essentials
  • Review Questions

Appendix A: Answers to Review Questions
  • Chapter 1: Computer Hardware
  • Chapter 2: File Systems
  • Chapter 3: First Response
  • Chapter 4: Acquiring Digital Evidence
  • Chapter 5: EnCase Concepts
  • Chapter 6: EnCase Environment
  • Chapter 7: Understanding, Searching For, and Bookmarking Data
  • Chapter 8: File Signature Analysis and Hash Analysis
  • Chapter 9: Windows Operating System Artifacts
  • Chapter 10: Advanced EnCase

Appendix B: Creating Paperless Reports
  • Exporting the Web Page Report
  • Creating Your Container Report
  • Bookmarks and Hyperlinks
  • Burning the Report to CD or DVD

Appendix C: About the Additional Study Tools
  • Additional Study Tools
  • Sybex Test Engine
  • Electronic Flashcards
  • PDF of Glossary of Terms
  • Adobe Reader
  • Additional Author Files
  • System Requirements
  • Using the Study Tools
  • Troubleshooting
  • Customer Care

Index

About the Author:
Steve Bunting, EnCE, CCFT, has over 30 years of law enforcement and computer forensics experience. He is a Senior Forensic Consultant for Forward Discovery, a global forensics consulting organization. Previously he served as a captain with the University of Delaware Police Department, where he conducted examinations of computer systems for federal, state, and local law enforcement. He is also the coauthor of Mastering Windows Network Forensics and Investigation.




Product Details
  • ISBN-13: 9781118219423
  • Publisher: John Wiley & Sons Inc
  • Publisher Imprint: Sybex Inc.,U.S.
  • Edition: Revised edition
  • No of Pages: 752
  • ISBN-10: 1118219422
  • Publisher Date: 14 Sep 2012
  • Binding: Digital (delivered electronically)
  • Language: English
  • Sub Title: EnCase Certified Examiner Study Guide

