EnCase Computer Forensics Study Guide 2nd Edition. Sybex

The Official EnCE®: EnCase® Certified Examiner Study Guide, Second Edition

Steve Bunting
Acquisitions Editor: Jeff Kellum
Development Editor: Stef Jones
Technical Editor: Dave Arnett
Production Editor: Angela Smith
Copy Editor: Kim Wimpsett
Production Manager: Tim Tate
Vice President and Executive Group Publisher: Richard Swadley
Vice President and Executive Publisher: Joseph B. Wikert
Vice President and Publisher: Neil Edde
Media Associate Project Manager: Laura Atkinson
Media Assistant Producer: Josh Frank
Media Quality Assurance: Angie Denny
Book Designer: Judy Fung
Compositor: Craig Woods, Happenstance Type-O-Rama
Proofreader: Jennifer Larsen, Word One
Indexer: Jack Lewis
Anniversary Logo Design: Richard Pacifico
Cover Designer: Ryan Sneed
Cover Image: Getty Images


About the Author
Steve Bunting is a captain with the University of Delaware Police Department, where he is
responsible for computer forensics, video forensics, and investigations involving computers.
He has more than 30 years’ experience in law enforcement, and his background in computer
forensics is extensive. He is a Certified Computer Forensics Technician (CCFT) and an EnCase
Certified Examiner (EnCE). He was the recipient of the 2002 Guidance Software Certified
Examiner Award of Excellence for receiving the highest test score on his certification examination.
He holds a bachelor’s degree in Applied Professions/Business Management from
Wilmington College and a computer applications certificate in Network Environments from
the University of Delaware. He has conducted computer forensic examinations for the University
of Delaware and for numerous local, state, and federal agencies on an extreme variety
of cases, including extortion, homicide, embezzlement, child exploitation, intellectual property
theft, and unlawful intrusions into computer systems. He has testified in court on numerous
occasions as a computer forensics expert. He has taught computer forensics for Guidance
Software, makers of EnCase, and taught as a lead instructor at all course levels, including the
Expert Series, with a particular emphasis on the Internet and Email Examinations course. He
has been a presenter at several seminars and workshops, is the author of numerous white papers, and is the coauthor of Mastering Windows Network Forensics and Investigation (Wiley, 2007). 
He also maintains a website for cybercrime and computer forensics issues at http://128.175.24.251/forensics/.

Contents at a Glance
Introduction xxi
Assessment Test xxvii
Chapter 1 Computer Hardware 1
Chapter 2 File Systems 31
Chapter 3 First Response 81
Chapter 4 Acquiring Digital Evidence 109
Chapter 5 EnCase Concepts 177
Chapter 6 EnCase Environment 209
Chapter 7 Understanding, Searching For, and Bookmarking Data 273
Chapter 8 File Signature Analysis and Hash Analysis 349
Chapter 9 Windows Operating System Artifacts 379
Chapter 10 Advanced EnCase 469
Appendix A Creating Paperless Reports 563
Appendix B About the Companion DVD 579
Glossary 583
Index 591

Introduction

This book was designed for several audiences. First and foremost, it was designed for anyone
seeking the EnCase Certified Examiner (EnCE) credential. This certification is rapidly growing
in popularity and demand in all areas of the computer forensics industry. More and more
employers are recognizing the importance of this certification and are seeking this credential
in potential job candidates. Equally important, courts are placing increasing emphasis on certifications
that are specific to computer forensics. The EnCE certification meets or exceeds the
needs of the computer forensics industry.
This book was also designed for computer forensics students working either in a structured
educational setting or in a self-study program. The chapters include exercises and evidence
files that work with the version of EnCase that ships with the DVD, making it an ideal learning
tool for either setting.

The version of EnCase that is provided on the DVD is not a fully functional
version of the software and works only with the evidence files provided on the
DVD. The limited use version of EnCase provided on this DVD functions differently
when acquiring evidence and you will note that the Acquire button on
the toolbar is disabled. To acquire the evidence files on the DVD, drag them
from the DVD and drop them into the open EnCase program and follow the
prompts to create the paths for your case files. Thus in the exercises in this
book, if you are using the limited use version on the DVD, you will be dragging
and dropping DVD evidence files instead of using the Acquire button. In
this manner, the reader is provided with an excellent tool by which to study
for the exam and to learn many of the functions of EnCase.

Finally, this book was written for those with knowledge of EnCase or forensics who simply
want to learn more about either or both. Every topic goes well beyond what’s needed for certification
with the specific intent of overpreparing the certification candidate. In some cases,
the material goes beyond that covered in many of the formal training classes you may have
attended. In either case, that added depth of knowledge provides comprehensive learning
opportunities for the intermediate or advanced user.

The EnCE certification program is geared toward those who have attended the EnCase
Intermediate Computer Forensics training or its equivalent. To that extent, this book assumes
the reader has a general knowledge of computer forensics and some basic knowledge of
EnCase. For those who may need a refresher in either, you’ll find plenty of resources. Many
users may have used earlier versions of EnCase and have not yet transitioned to EnCase 6.
Those users may benefit by starting with Chapter 6, which discusses the EnCase environment.
The chapters are organized into related concepts to facilitate the learning process, with basic
concepts in the beginning and advanced material at the end. At the end of each chapter you will
find the “Summary,” “Exam Essentials,” and “Review Questions” sections. The “Summary” section
is a brief outline of the essential points contained in the chapter; the “Exam Essentials” section
explains the concepts you’ll need to understand for the examination.

I strongly urge you to make full use of the “Review Questions” section. A good way to use
the questions is as a pretest before reading each chapter and then again as a posttest when
you’re done. Although answering correctly is always important, it’s more important to understand
the concepts covered in the question. Make sure you are comfortable with all the material
before moving to the next chapter. Just as knowledge is cumulative, a lack thereof impedes
that accumulation. As you prepare for your certification examinations (written and practical),
take the time to thoroughly understand those items that you may have never understood. The
journey along the road to certification is just as important as the destination.

What Is the EnCE Certification?
Guidance Software, Inc., developed the EnCE in late 2001 to meet the needs of its customer base,
who requested a solid certification program covering both the use of the EnCase software and
computer forensics concepts in general. Since its inception, the EnCE certification has become
one of the most recognized and coveted certifications in the computer forensics industry. You
might ask why, but the answer is simple. The process is demanding and challenging. You must
have certain knowledge, skills, and abilities to be able to pass both a written and a practical
examination. For certain, it is not a “giveaway” program. You will work hard, and you will earn
your certification. When you are certified, you’ll be proud of your accomplishment. What’s
more, you will have joined the ranks of the elite in the industry who have chosen to adhere to
high standards and to excel in their field. Remember, in the field of computer forensics, excellence
is not an option; it is an operational necessity.

Why Become EnCE Certified?
The following benefits are associated with becoming EnCE certified:
EnCE certification demonstrates professional achievement.
EnCE certification increases your marketability and provides opportunity for advancement.
EnCE certification enhances your professional credibility and standing when testifying
before courts, hearing boards, and other fact-finding bodies.
EnCE certification provides peer recognition.

EnCE certification is a rigorous process that documents and demonstrates your achievements
and competency in the field of computer forensics. You must have experience as an
investigator and examiner, and you must have received training at the EnCase Intermediate
Computer Forensics level or other equivalent classroom instruction before you can apply for
the program. Next, you will have to pass both a written and a practical examination before
receiving your certification. EnCE certification assures customers, employers, courts, your
peers, and others that your computer forensics knowledge, skills, and abilities meet the highest
professional standards.

How to Become EnCE Certified
There are two different paths leading to EnCE certification. One path is for those who have
completed Guidance Software’s computer forensic or incident response training at the intermediate
level or above. For those candidates, the following applies:
Possess licensed EnCase software with an order number. The copy may be personally
owned or purchased through a training site or business.
18 months total investigative experience with at least 6 months experience in computer
forensic examinations—experience must be verified via signed application and endorsement
from department head.
All application and supporting documents verified by Guidance Software prior to authorization
for exam.
Complete Phase I and Phase II of the EnCE examination. Phase I is a computer-based test
administered by Prometric (http://www.2test.com). Candidates must obtain a grade of
80 percent or higher to pass. Phase II is a practical test requiring candidates to examine
computer evidence that is sent to them via CD-ROM. Candidates must submit their findings
report to the certification coordinator within 60 days and receive a grade of 85 percent or higher to pass.
The other certification path is for those candidates who have not attended Guidance Software’s
intermediate-level training course but who have other computer forensics training and
experience. For those candidates, the following applies:
Possess licensed EnCase software with an order number. The copy may be personally
owned or purchased through a training site or business.
80 hours of authorized classroom computer forensic training with 18 months total investigative
experience including 6 months experience in computer forensic examinations;
or
32 hours of authorized classroom computer forensic training with 2 years total investigative
experience, including 1-year experience in computer forensic examinations—experience
must be verified via signed application and endorsement from department head.
Training must be verified with copies of training certificates or verification of training
records from the training organization, and the training must have been authorized by the
owner or copyright holder of the training course.
All application and supporting documents will be verified by Guidance Software prior to
authorization for exam.
Complete Phase I and Phase II of the EnCE examination. Phase I is a computer-based test
administered by Prometric (http://www.2test.com). Candidates must obtain a grade of
80 percent or higher to pass. Phase II is a practical test requiring candidates to examine
computer evidence that is sent to them via CD-ROM. Candidates must submit their findings
report to the certification coordinator within 60 days and receive a grade of 85 percent
or higher to pass.
These requirements are quoted directly from Guidance Software’s website and are current
as of the publication date of this book. You should check the website before you apply to make
sure you are complying with the most current requirements. You can find the requirements,
the application form, and other important information relating to the EnCE certification program.

Product details
File Size: 23,445 KB
Pages: 651
File Type: PDF format
ISBN: 978-0-470-18145-4
Copyright: 2008 by Wiley Publishing, Inc.


Contents
Introduction xxi
Assessment Test xxvii
Chapter 1 Computer Hardware
Computer Hardware Components 2
The Boot Process 12
Partitions 18
File Systems 21
Summary 22
Exam Essentials 23
Review Questions 24
Answers to Review Questions 28
Chapter 2 File Systems
FAT Basics 32
The Physical Layout of FAT 33
Viewing FAT Entries Using EnCase 48
The Function of FAT 52
How a File Is Stored 52
The Effects of Deleting and Undeleting Files 59
Slack Space 65
Directory Entry Status Byte 66
NTFS (New Technology File System) 67
CD File Systems 70
Summary 72
Exam Essentials 72
Review Questions 74
Answers to Review Questions 78
Chapter 3 First Response
Planning and Preparation 82
The Physical Location 83
Personnel 83
Computer Systems 84
What to Take with You Before You Leave? 86
Search Authority 88
Handling Evidence at the Scene 89
Securing the Scene 89
Recording and Photographing the Scene 90
Seizing Computer Evidence 90
Bagging and Tagging 98
Summary 101
Exam Essentials 101
Review Questions 103
Answers to Review Questions 107
Chapter 4 Acquiring Digital Evidence
Creating EnCase Forensic Boot Disks 111
Booting a Computer Using the EnCase Boot Disk 113
Seeing Invisible HPA and DCO Data 114
Other Reasons for Using a DOS Boot 115
Steps for Using a DOS Boot 115
Drive-to-Drive DOS Acquisition 116
Steps for Drive-to-Drive DOS Acquisition 117
Supplemental Information About Drive-to-Drive DOS Acquisition 121
Network Acquisitions 123
Reasons to Use Network Acquisitions 123
Understanding Network Cables 124
Preparing an EnCase Network Boot Disk 125
Preparing an EnCase Network Boot CD 126
Steps for Network Acquisition 126
FastBloc Acquisitions 137
Available FastBloc Models 137
FastBloc 2 Features 138
Steps for FastBloc Acquisition 139
FastBloc SE Acquisitions 146
About FastBloc SE 146
Steps for FastBloc SE Acquisitions 148
LinEn Acquisitions 153
Mounting a File System as Read-Only 154
Updating a Linux Boot CD with the Latest Version of LinEn 155
Running LinEn 156
Steps for LinEn Acquisition 158
Enterprise and FIM Acquisitions 161
Helpful Hints 165
Summary 166
Exam Essentials 168
Review Questions 170
Answers to Review Questions 174
Chapter 5 EnCase Concepts
EnCase Evidence File Format 178
CRC and MD5 179
Evidence File Components and Function 180
Evidence File Verification 183
Hashing Disks and Volumes 190
EnCase Case Files 191
EnCase Backup File (.cbak) 193
EnCase Configuration Files 197
EnCase Record Cache Folder 199
Summary 201
Exam Essentials 202
Review Questions 204
Answers to Review Questions 208
Chapter 6 EnCase Environment
EnCase Layout 210
Creating a Case 211
Tree Pane Navigation 216
Table Pane Navigation 222
Table View 222
Report View 231
Gallery View 231
Disk View 234
Timeline View 235
Code View 238
View Pane Navigation 238
Text View 238
Hex View 239
Picture View 239
Report View 240
Console View 240
Doc View 241
Transcript View 242
Details View 242
Output View 242
Lock Option 242
Dixon Box 242
Navigation Data (GPS) 243
Find Feature 245
Other Views 246
Adjusting Panes 248
Other Case-Level Views 253
Global Views 255
EnCase Options 259
Summary 264
Exam Essentials 265
Review Questions 267
Answers to Review Questions 270
Chapter 7 Understanding, Searching For, and Bookmarking Data
Understanding Data 275
Binary Numbers 275
Hexadecimal 281
Characters 284
ASCII 284
Unicode 286
Searching for Data 287
Creating and Managing Keywords 287
GREP Keywords 297
Starting a Search 306
Viewing Search Hits and Bookmarking Your Findings 309
Bookmarking 313
Summary 340
Exam Essentials 341
Review Questions 343
Answers to Review Questions 347
Chapter 8 File Signature Analysis and Hash Analysis
File Signature Analysis 350
Understanding Application Binding 350
Creating a New File Signature 352
Conducting a File Signature Analysis 355
Hash Analysis 360
MD5 Hash 360
Hash Sets and Hash Libraries 361
Hash Analysis 364
Summary 372
Exam Essentials 373
Review Questions 374
Answers to Review Questions 377
Chapter 9 Windows Operating System Artifacts 
Dates and Times 380
Time Zones 381
Windows 64-Bit Time Stamp 382
Adjusting for Time Zone Offsets 386
Recycle Bin 392
Details of Recycle Bin Operation 392
The INFO2 File 393
Determining the Owner of Files in the Recycle Bin 396
Files Restored or Deleted from the Recycle Bin 398
Using an EnScript to Determine the Status of Recycle Bin Files 399
Recycle Bin Bypass 400
Windows Vista Recycle Bin 402
Link Files 405
Changing the Properties of a Shortcut 406
Forensic Importance of Link Files 406
Using the Link File Parser EnScript 410
Windows 2000, XP, and Vista Folders 412
Recent Folder 416
Desktop Folder 418
My Documents/Documents 419
Send To Folder 420
Temp Folder 420
Favorites Folder 421
Windows Vista Low Folders 422
Cookies Folder 425
History Folder 426
Temporary Internet Files 431
Swap File 435
Hibernation File 435
Print Spooling 436
Legacy Operating System Artifacts 441
Windows Vista Volume Shadow Copy 441
Windows Event Logs 445
Kinds of Information Available in Event Logs 445
Determining Levels of Auditing 446
Windows Vista Event Logs 449
Using the Windows Event Log Parser 450
For More Information 452
Summary 457
Exam Essentials 460
Review Questions 463
Answers to Review Questions 467
Chapter 10 Advanced EnCase
Locating and Mounting Partitions 471
Mounting Files 480
Registry 486
Registry History 487
Registry Organization and Terminology 488
Using EnCase to Mount and View the Registry 493
Registry Research Techniques 496
EnScript and Filters 509
EnScript Navigation and Paths 510
Editing, Copying, Moving, and Deleting EnScripts 511
Running EnScripts 512
Filters, Conditions, and Queries 513
Email 514
Base64 Encoding 524
EnCase Decryption Suite (EDS) 531
Virtual File System (VFS) 535
Exporting Applications 539
Restoration 542
Physical Disk Emulator (PDE) 545
Putting It All Together 549
Summary 552
Exam Essentials 555
Review Questions 556
Answers to Review Questions 560
Appendix A Creating Paperless Reports 563
Exporting the Web Page Report 565
Creating Your Container Report 568
Bookmarks and Hyperlinks 572
Burning the Report to CD or DVD 575
Appendix B About the Companion DVD 579
What You’ll Find on the DVD 580
EnCase Forensics Software and Evidence Files 580
EnCase Legal Journal 580
Sybex Test Engine 581
Adobe Reader 581
Practice Files 581
System Requirements 581
Using the DVD 581
Troubleshooting 582
Customer Care 582
Glossary 583
Index 591

Table of Exercises
Exercise 1.1 Examining the Partition Table 20
Exercise 2.1 Viewing FAT Entries 51
Exercise 3.1 First Response to a Computer Incident 100
Exercise 4.1 Previewing Your Own Hard Drive 145
Exercise 5.1 Understanding How EnCase Maintains Data Integrity 188
Exercise 6.1 Navigating EnCase 249
Exercise 7.1 Searching for Data and Bookmarking the Results 330
Exercise 8.1 Performing a File Signature Analysis 359
Exercise 8.2 Hash Analysis 369
Exercise 9.1 Windows Artifacts Recovery 452
Exercise 9.2 Windows Vista Artifact Recovery 455
Exercise 10.1 Partition Recovery 478
Exercise 10.2 Conducting Email and Registry Examinations 521
