This hands-on EnCase Computer Forensics Training course is designed for examiners with strong computer skills, prior computer forensics training, and experience using the EnCase forensic software. This course builds upon the skills covered in the EnCase Computer Forensics I course and enhances the examiner's ability to work efficiently through the use of the unique features of EnCase.
Students must understand evidence handling; the structure of the evidence file; creating and using case files; data acquisition methods including DOS based, hardware write protected, crossover cable and disk to disk; recovering deleted files and folders in a FAT environment; keyword searches across logical and physical media; creating and using EnCase bookmarks; file signatures and signature analysis; and locating and understanding Windows® artifacts.
Focusing on investigations common to the private sector, students will learn about the following:
- How to create and use of logical evidence files
- How to locate and recover deleted partitions and folders
- How to conduct keyword searches and advanced searches using GREP
- Students will gain an understanding of the EnCase Virtual File System (VFS) and Physical Disk Emulator (PDE)
- Students will learn about the Windows® Registry
- Students will learn how to deal with compound file types
- How to export files, directories and entire volumes
- How to identify files using hash values and building hash libraries
- How to identify Windows XP operating system artifacts such as link files, recycle bin, and user folders
- How to prepare reports and evidence for presentation in court
- How to recover artifacts such as swap files, file slack, and spooler files
- How to recover printed and faxed pages