
EnCase Computer Forensics: The Official EnCE: EnCase Certified Examiner Study Guide

Steve Bunting, William Wei

ISBN: 978-0-782-14435-2

Mar 2006

576 pages

Description

  • Guidance Software's EnCase product is the premier computer forensics tool on the market, used in law enforcement labs for digital evidence collection; in commercial settings for incident response and information assurance; and by the FBI and Department of Defense to detect domestic and international threats
  • This guide prepares readers for both the CBT and practical phases of the exam that validates mastery of EnCase
  • Written by two law enforcement professionals who are computer forensics specialists and EnCase trainers
  • Includes the EnCase Legal Journal, essential for forensics investigators who need to be sure they are operating within the law and able to give expert testimony
  • The CD includes tools to help readers prepare for Phase II of the certification, which requires candidates to examine computer evidence, as well as a searchable PDF of the text

Foreword.

About the Authors.

Introduction.

Assessment Test.

Chapter 1. Computer Hardware.

Chapter 2. File Systems.

Chapter 3. First Response.

Chapter 4. Acquiring Digital Evidence.

Chapter 5. EnCase Concepts.

Chapter 6. EnCase Environment.

Chapter 7. Understanding, Searching for, and Bookmarking Data.

Chapter 8. File Signature Analysis and Hash Analysis.

Chapter 9. Windows Operating System Artifacts.

Chapter 10. Advanced EnCase.

Appendix A. Creating Paperless Reports.

Glossary.

Index.

Data Integrity Test updated September 2006
Download an update to the Data Integrity test. The code examples for this title are stored in a ZIP archive. To open it, you will need a computer with software capable of opening ZIP files. If you do not already have this capability, you can download a free trial of WinZip.
EvalVersion505e.zip Updated September 2006
Guidance Software has provided a new evaluation version (Evalversion505e.zip) of EnCase for users of the EnCase Computer Forensics: The Official EnCE: EnCase Certified Examiner Study Guide. We have also updated the book’s exercise files (DataIntegrityTest.zip). You can download both from the download section here.
Data Integrity Test Instructions

Download a PDF file containing the Data Integrity Test With New Evidence File and Updated EnCase (5.05E - Demo Version Only)

Chapter 6 missing from book in PDF format on CD: Downloadable Chapter 6 PDF
Guidance Software Evaluation and Data Integrity Test Updates September 2006

Note from Guidance Software:
Also, please note that EnCase has changed the way it automatically verifies the integrity of a data block each time a data block is accessed. In previous versions of EnCase, a pop-up box notified the user that something was wrong with a data block when the user caused an action to occur within said data block. The problem was that this pop-up window required a mouse click to go away and would come back each time EnCase re-verified the data block. In some cases, this message would continue to notify the user over and over again as the user continued to work their case. This is because several files could be contained within one data block, and as an investigator continued to look at different files, parts of several files might have been located within that same data block, thus triggering the pop-up box. This pop-up window was the topic of many discussions and, after due process, a decision was made to remove it in Version 5.

--Guidance Software

Author’s Note:

The text was written using, at all times, EnCase Version 5.04a, which was the longest available version of Version 5. Version 5.04a did display a pop-up window upon a failed CRC check for a corrupted block of data. This anomaly was discovered when 5.05 was released and testing of the file integrity evidence file was done against the new release. As it turns out, a piece of the old code was introduced into 5.04a that caused the pop-up warning of the past. It was removed when 5.05 was released.

Currently, if a CRC check fails, there is no pop-up warning or entry in any log. This is a known issue and Guidance Software has indicated that Version 6, due out first quarter 2007, will include some feature to better handle this issue. Until then, the only way you’ll know if an evidence file has been corrupted is to run a final file integrity check prior to closing out the case and going to court. While this is always a good practice, the current lack of a warning if a CRC fails almost necessitates this added check.

As a final note, remember that the demonstration software can’t be expected to be a fully functional version of EnCase able to perform every feature referenced in the text. Guidance Software included this demo version as a bonus to assist with the learning process when readers were away from their fully licensed versions of their software.

As a final reminder, when using the demo version, remember that you don’t start a new case in the same manner as with the licensed version. Rather, you drag and drop an evidence file (only those recognized by the demo version) into the left pane of the software, at which point a new case is created for you, with some prompts.

Best regards to all,

Steve Bunting
9/13/06