EnCase Computer Forensics: The Official EnCE: EnCase Certified Examiner Study Guide

ISBN: 978-0-7821-4435-2
576 pages
March 2006


  • Guidance Software's EnCase product is the premier computer forensics tool on the market, used in law enforcement labs for digital evidence collection; in commercial settings for incident response and information assurance; and by the FBI and Department of Defense to detect domestic and international threats
  • This guide prepares readers for both the CBT and practical phases of the exam that validates mastery of EnCase
  • Written by two law enforcement professionals who are computer forensics specialists and EnCase trainers
  • Includes the EnCase Legal Journal, essential for forensics investigators who need to be sure they are operating within the law and able to give expert testimony
  • The CD includes tools to help readers prepare for Phase II of the certification, which requires candidates to examine computer evidence, as well as a searchable PDF of the text

Table of Contents


About the Authors.


Assessment Test.

Chapter 1. Computer Hardware.

Chapter 2. File Systems.

Chapter 3. First Response.

Chapter 4. Acquiring Digital Evidence.

Chapter 5. EnCase Concepts.

Chapter 6. EnCase Environment.

Chapter 7. Understanding, Searching for, and Bookmarking Data.

Chapter 8. File Signature Analysis and Hash Analysis.

Chapter 9. Windows Operating System Artifacts.

Chapter 10. Advanced EnCase.

Appendix A. Creating Paperless Reports.




Author Information

Steve Bunting is a Captain with the University of Delaware Police Department, where he is responsible for computer forensics, video forensics, and investigations involving computers. He has over 30 years’ experience in law enforcement, and his background in computer forensics is extensive. He is a Certified Computer Forensics Technician (CCFT) and an EnCase Certified Examiner (EnCE). He was the recipient of the 2002 Guidance Software Certified Examiner Award of Excellence for receiving the highest test score on his certification examination. He holds a BS in Applied Professions/Business Management from Wilmington College and a Computer Applications Certificate in Network Environments from the University of Delaware. He has conducted computer forensic examinations for the University of Delaware and for numerous local, state, and federal agencies on an extreme variety of cases, including extortion, homicide, embezzlement, child exploitation, intellectual property theft, and unlawful intrusions into computer systems. He has testified in court on numerous occasions as a computer forensics expert. He has taught computer forensics for Guidance Software, makers of EnCase, and taught as a Lead Instructor at all course levels, including the Expert Series, with a particular emphasis on the “Internet and E-mail Examinations” course. He has been a presenter at several seminars and workshops, the author of numerous white papers, and maintains a website for cyber-crime and computer forensics issues:

William Wei, a detective in the Monmouth County Prosecutor’s Office, has been a police officer for over 15 years and is currently employed as a detective with the Monmouth County Prosecutor’s Office Computer Crimes Unit. He holds a BA in economics and an EdM in Adult and Continuing Education from Rutgers, The State University of New Jersey. William is certified by Guidance Software as an EnCase Certified Examiner (EnCE) and by the International Association of Computer Investigative Specialists as a Certified Forensic Computer Examiner (CFCE).
William is a member of the International Association of Computer Investigative Specialists (IACIS) and High Tech Crime Investigation Association (HTCIA). William has conducted hundreds of computer-related investigations and has been qualified as an expert witness in computer forensics. He has taught computer forensics at the Computer and Enterprise Investigations Conference (CEIC) and HTCIA conferences and lectured on Internet safety throughout New Jersey.



Downloads

Data Integrity Test updated September 2006 (2.43 MB)
Download an update to the Data Integrity test. The code examples for this title are stored in a ZIP archive. To open it, you will need a computer with software capable of opening ZIP files. If you do not already have this capability, you can download a free trial of WinZip.

EvalVersion505e.zip Updated September 2006 (32.14 MB)
Guidance Software has provided a new evaluation version (Evalversion505e.zip) of EnCase for users of the EnCase Computer Forensics: The Official EnCE: EnCase Certified Examiner Study Guide. We have also updated the book’s exercise files (DataIntegrityTest.zip). You can download both from the download section here.

Data Integrity Test Instructions (816.61 KB)
Download a PDF file containing the Data Integrity Test With New Evidence File and Updated EnCase (5.05E - Demo Version Only)

Chapter 6 missing from book in PDF format on CD: Downloadable Chapter 6 PDF (3.53 MB)


Do you think you've discovered an error in this book? Please check the list of errata below to see if we've already addressed the error. If not, please submit the error via our Errata Form. We will attempt to verify your error; if you're right, we will post a correction below.

Chapter | Page | Details | Date | Print Run

Details: Guidance Software Evaluation and Data Integrity Test Updates
Date: September 2006

Guidance Software has provided a new evaluation version (Evalversion505e.zip) of EnCase for users of the EnCase Computer Forensics: The Official EnCE: EnCase Certified Examiner Study Guide. We have also updated the book’s exercise files (DataIntegrityTest.zip). You can download both from the download section here.

Note from Guidance Software:
Also, please note that EnCase has changed the way it automatically verifies the integrity of a data block each time a data block is accessed. In previous versions of EnCase, a popup box notified the user that something was wrong with a data block when the user caused an action to occur within said data block. The problem was that this pop up window required a mouse click to go away and would come back each time EnCase re-verified the data block. In some cases, this message would continue to notify the user over and over again as the user continued to work their case. This is because several files could be contained within one data block and as an investigator continued to look at different files, parts of several files might have been located within that same data block, thus triggering the pop up box. This pop up window was the topic of many discussions and, after due process, a decision was made to remove it in Version 5.

--Guidance Software

Author’s Note:

The text was written using, at all times, EnCase Version 5.04a, which was the longest available version of Version 5. Version 5.04a did display a pop-up window upon a failed CRC check for a corrupted block of data. This anomaly was discovered when 5.05 was released and testing of the file integrity evidence file was done against the new release. As it turns out, a piece of the old code was introduced into 5.04a that caused the pop-up warning of the past. It was removed when 5.05 was released.

Currently, if a CRC check fails, there is no pop-up warning or entry in any log. This is a known issue and Guidance Software has indicated that Version 6, due out first quarter 2007, will include some feature to better handle this issue. Until then, the only way you’ll know if an evidence file has been corrupted is to run a final file integrity check prior to closing out the case and going to court. While this is always a good practice, the current lack of a warning if a CRC fails almost necessitates this added check.

As a final note, remember that the demonstration software can’t be expected to be a fully functional version of EnCase able to perform every feature referenced in the text. Guidance Software included this demo version as a bonus to assist with the learning process when readers were away from their fully licensed versions of their software.

As a final reminder, when using the demo version, remember that you don’t start a new case in the same manner as with the licensed version. Rather, you drag and drop an evidence file (only those recognized by the demo version) into the left pane of the software at which point a new case is created for you, with some prompts.

Best regards to all,

Steve Bunting