This hands-on course is designed for investigators with strong computer skills, prior computer forensics training, and experience using the EnCase® Forensic version 7 (EnCase v7). This course builds upon the skills covered in the EnCase® v7 Computer Forensics I course and enhances the examiner’s ability to work efficiently through the use of the unique features of EnCase v7.

Students must understand evidence handling, the structure of the evidence file, creating and using case files, and data acquisition methods, including DOS-based, hardware write protected, crossover cable, and disk-to-disk. It is also important that the students are familiar with the methods for recovering deleted files and folders in a FAT environment, conducting keyword searches across logical and physical media, creating and using EnCase® bookmarks, file signatures and signature analysis, and locating and understanding Windows® artifacts.

Focusing on commonly conducted investigations, students will learn about the following:
  • How to recover encrypted information particularly that which was encrypted using Windows BitLocker™
  • How to locate and recover deleted partitions
  • How to deal with compound file types
  • Students will learn about the Windows® Registry
  • How to determine time zone offsets and properly adjust case settings
  • Students will gain an overview of the NT file system
  • Students will learn how to use the EnCase® Evidence Processor
  • How to recover deleted folders and conduct an index search
  • The differences between single and logical evidence files and how to create and use logical evidence files
  • Students will gain an understanding of the EnCase® Virtual File System (VFS) Module and EnCase® Physical Disk Emulator (PDE) Module
  • How to conduct keyword searches and advanced searches using GREP
  • How to identify Windows 7 operating system artifacts, such as link files, Recycle Bin, and user folders
  • Students will learn how to examine e-mail and Internet artifacts
  • How to create and use conditions for effective searching
  • How to conduct a search for e-mail and e-mail attachments
  • How to recover artifacts, such as swap files, file slack, and spooler files
  • How to recover data from the Recycle Bin
Download Course Syllabus