Software Training

• HOME
• OTHER LINK

Description:

This live, hands-on course is designed for investigators with strong computer skills, prior computer forensics training and experience using the EnCase forensic software. This course builds upon the skills covered in the EnCase Forensics I course and enhances the examiner’s ability to work efficiently through the use of the unique features of EnCase.

Students must understand evidence handling; the structure of the evidence file; creating and using case files; data acquisition methods including DOS based, hardware write protected, crossover cable and disk to disk; recovering deleted files and folders in a FAT environment; keyword searches across logical and physical media; creating and using EnCase bookmarks; file signatures and signature analysis; and locating and understanding Windows® artifacts.


Skills Gained: After attending the EnCase Comptuer Forensics II course, you will have a clear understanding of how to evaluate relevant evidence on a computer system via common types of media, identify and bookmark files and perform export and recovery activities.

You will also have an indepth understanding of the "EnCase Computer Forensic Methodology".


Key Topics: Day one provides an understanding of EnCase concepts. Students will learn how an evidence file is acquired, verified, added to a case, and stored. They will learn how to create and use logical evidence files and single evidence files. Students will receive hands-on imaging training using FastBloc SE.
* How the EnCase Evidence File is Stored and Verified
* Encase Forensic Edition Overview
* Logical Evidence Files
* Single Evidence Files
* Software Write Protection
* Introduction to NTFS
* Handling Formatted or Repartitioned Media
* Partition recovery

Day two introduces the students to the process of analyzing the evidence. The hashing of files both as a means of identification and as a tool to speed up the searching process is covered. Students also take a first look into the Windows Registry and learn how, why and when to use VFS and PDE. We continue to build on the students??skill sets, moving from general keyword searches and file type analysis to advanced keyword searches using GREP.
* Hash Analysis
* Compound files
* Windows Registry
* VFS / PDE
* Using GREP to focus searches. GREP allows the examiner to create concise keywords using control characters, reducing false positives and increasing efficiency.

Day three moves to specific analysis of common artifacts that cannot normally be located through keyword searches. This analysis can often provide vital information to investigations by revealing data that can provide a clear indication of a user’s activities. We look at how EnCase handles common e-mail files and Internet history.
* Quickly locating file system artifacts unique to the NTFS file system
* De-constructing link files to reveal artifacts that indicate the who, what, when and where of file manipulation.