DF210 – Building an Investigation with EnCase Forensic Training
**Formerly EnCase v7 Computer Forensics II
This hands-on course is designed for investigators with solid computer skills, prior computer forensics training, and experience using EnCase Forensic (EnCase). This course builds upon the skills covered in the DF120 – Foundations of Digital Forensics course and enhances the examiner’s ability to work efficiently through the use of the unique features of EnCase. This course will build an investigation using analysis techniques, such as recovering volumes, registry analysis, and examining compound files. The course progresses through the analysis of Windows artifacts, shortcut link files, Recycle Bin, stored internet data, and email. This course will assist criminal, corporate, and cybersecurity analysts.
Students must understand EnCase forensic concepts, the structure of the evidence file, creating and using case files, and data acquisition and basic analysis methods. It is also important that the students are familiar with the methods for recovering deleted files and folders in a FAT environment, conducting indexed queries and keyword searches across logical and physical media, creating and using EnCase bookmarks, file signature analysis, and exporting evidence.
Delivery method: Group-Live.
NASBA defined level: Intermediate.
CPE Credits – 32
Focusing on commonly conducted investigations, students will learn about the following:
• How to recover encrypted information particularly that which was encrypted using Windows BitLocker™
• How to locate and recover deleted partitions
• Students will learn how to deal with compound file types
• Students will learn about the Windows® Registry
• How to determine time zone offsets and properly adjust case settings
• How to create and use conditions for effective searching
• Students will learn how to use the EnCase Evidence Processor
• Students will gain an overview of the FAT, ExFAT, and NT file system
• How to conduct keyword searches and advanced searches using GREP
• The differences between single and logical evidence files and how to create and use of logical evidence files
• How to identify Windows operating system artifacts, such as link files, Recycle Bin, and user folders
• How to recover data from the Recycle Bin
• How to recover artifacts, such as swap files, file slack, and spooler files
• How to conduct a search for e-mail and e-mail attachments
• Students will learn how to examine e-mail and Internet artifacts
• How to identify and recover data relating to the use of removable USB devices
This course is intended for cybersecurity professionals, litigation support and forensic investigators.
DF120 – Foundations in Digital Forensics with EnCase
Participants should have attended the EnCase course,
- DF120 – Foundations of Digital Forensics or
- EnCase v7 Computer Forensics I (offered prior to June, 2016).
This training will be delivered by highly qualified instructors in the field of Computer Forensics.