EnCase Computer Forensics - The Official EnCE-EnCase Certified Examiner Study Guide, 2nd ed.

Wiley Publishing, Inc.

EnCase® Computer Forensics

The Official EnCE®: EnCase® Certified Examiner Study Guide

Second Edition

Steve Bunting

81454ffirs.fm Page iii Thursday, October 25, 2007 8:46 AM

Acquisitions Editor: Jeff Kellum
Development Editor: Stef Jones
Technical Editor: Dave Arnett
Production Editor: Angela Smith
Copy Editor: Kim Wimpsett

Production Manager: Tim Tate
Vice President and Executive Group Publisher: Richard Swadley
Vice President and Executive Publisher: Joseph B. Wikert
Vice President and Publisher: Neil Edde
Media Associate Project Manager: Laura Atkinson
Media Assistant Producer: Josh Frank
Media Quality Assurance: Angie Denny
Book Designer: Judy Fung
Compositor: Craig Woods, Happenstance Type-O-Rama
Proofreader: Jennifer Larsen, Word One
Indexer: Jack Lewis
Anniversary Logo Design: Richard Pacifico
Cover Designer: Ryan Sneed
Cover Image: Getty Images
Copyright © 2008 by Wiley Publishing, Inc., Indianapolis, Indiana
Published by Wiley Publishing, Inc., Indianapolis, Indiana
Published simultaneously in Canada
ISBN: 978-0-470-18145-4
No part of this publication may be reproduced, stored in a retrieval system or transmitted in any form or by any means,
electronic, mechanical, photocopying, recording, scanning or otherwise, except as permitted under Sections 107 or 108
of the 1976 United States Copyright Act, without either the prior written permission of the Publisher, or authorization
through payment of the appropriate per-copy fee to the Copyright Clearance Center, 222 Rosewood Drive, Danvers, MA
01923, (978) 750-8400, fax (978) 646-8600. Requests to the Publisher for permission should be addressed to the Legal
Department, Wiley Publishing, Inc., 10475 Crosspoint Blvd., Indianapolis, IN 46256, (317) 572-3447, fax (317) 572-4355,
or online at
Limit of Liability/Disclaimer of Warranty: The publisher and the author make no representations or warranties with respect
to the accuracy or completeness of the contents of this work and specifically disclaim all warranties, including without
limitation warranties of fitness for a particular purpose. No warranty may be created or extended by sales or promotional
materials. The advice and strategies contained herein may not be suitable for every situation. This work is sold with the
understanding that the publisher is not engaged in rendering legal, accounting, or other professional services. If professional
assistance is required, the services of a competent professional person should be sought. Neither the publisher nor the author
shall be liable for damages arising herefrom. The fact that an organization or Website is referred to in this work as a citation
and/or a potential source of further information does not mean that the author or the publisher endorses the information the
organization or Website may provide or recommendations it may make. Further, readers should be aware that Internet Websites
listed in this work may have changed or disappeared between when this work was written and when it is read.

For general information on our other products and services or to obtain technical support, please contact our Customer Care
Department within the U.S. at (800) 762-2974, outside the U.S. at (317) 572-3993 or fax (317) 572-4002.

Wiley also publishes its books in a variety of electronic formats. Some content that appears in print may not be available
in electronic books.
TRADEMARKS: Wiley, the Wiley logo, and the Sybex logo are trademarks or registered trademarks of John Wiley &
Sons, Inc. and/or its affiliates, in the United States and other countries, and may not be used without written permission.
Microsoft and Visual Basic are registered trademarks of Microsoft Corporation in the United States and/or other countries.
All other trademarks are the property of their respective owners. EnCase® is a registered trademark of Guidance
Software, Inc. in the United States and other jurisdictions. Copyright ©1998-2006 Guidance Software, Inc. All Rights
Reserved. Wiley Publishing, Inc., is not associated with any product or vendor mentioned in this book.
Manufactured in the United States of America
10 9 8 7 6 5 4 3 2 1

Dear Reader

Thank you for choosing EnCase Computer Forensics—The Official EnCE: EnCase
Certified Examiner Study Guide, Second Edition. This book is part of a family of
premium quality Sybex books, all written by outstanding authors who combine practical
experience with a gift for teaching.

Sybex was founded in 1976. More than thirty years later, we’re still committed to producing
consistently exceptional books. With each of our titles we’re working hard to set a new
standard for the industry. From the paper we print on, to the authors we work with, our goal
is to bring you the best books available.

I hope you see all that reflected in these pages. I’d be very interested to hear your comments
and get your feedback on how we’re doing. Feel free to let me know what you think about
this or any other Sybex book by sending me an email at , or if you think
you’ve found a technical error in this book, please visit .
Customer feedback is critical to our efforts at Sybex.

Best regards,
Neil Edde
Vice President and Publisher
Sybex, an Imprint of Wiley

To Donna, my loving wife and partner for life, for your unwavering love,
encouragement, and support.
—Steve

Acknowledgments

Any work of this magnitude requires the hard work of many dedicated people, all doing what
they enjoy and what they do best. In addition, many others have contributed indirectly, and
without their efforts and support, this book would not have come to fruition. That said, many
are people deserving of my gratitude, and my intent here is to acknowledge them all.
I would like to first thank Maureen Adams, former Wiley Acquisitions Editor, who brought
me on board with this project with the first edition and tutored me on the fine nuances of the
publishing process. I would also like to thank Jeff Kellum, another Wiley Acquisitions Editor,
for his work on the second edition. Jeff guided me through the second edition, keeping me
on schedule and helping in many ways. I would also like to thank Stef Jones, Developmental
Editor. Stef allowed me to concentrate on content while she handled the rest. In addition to
many varied skills that you’d normally find with an editor, Stef has a strong understanding of
topic material, which helped in so many ways. In addition, with several hundred screen shots
in this book to mold and shape, I know there is a graphics department at Wiley deserving of
my thanks. To those folks, I say thank you.
A special thanks goes to Jon Bair of Guidance Software, Inc. In addition to being a friend
and mentor of many years, Jon was the technical editor for the first edition. An equally special
thanks goes to Dave Arnett, also of Guidance Software. Dave is a master instructor for Guidance
Software and was the technical editor for the second edition of this book. They both
worked diligently, making sure the technical aspects of both editions are as accurate and as
complete as possible.
Sitting behind the scenes on this project at Guidance Software was Bill Siebert. In addition
to being a friend and colleague, Bill is the director of customer relations for Guidance Software.
Bill was, with both editions, the facilitator, fixer, go-between, and, at all times, a guiding
hand. Thanks, Bill!
Many thanks go to William Wei, who made many contributions to the first edition end of
chapter tests, as well as some of the Real World Scenarios. Some of those contributions have
been carried forth into this edition. Thank you, Will!
The study of computer forensics can’t exist within a vacuum. To that extent, any individual
examiner is a reflection and product of their instructors, mentors, and colleagues. Through
them you learn, share ideas, troubleshoot, conduct research, grow, and develop. Over my
career, I’ve had the fortune of interacting with many computer forensics professionals and
have learned much through those relationships. In no particular order, I would like to thank
the following people for sharing their knowledge over the years: Keith Lockhart, Ben Lewis,
Chris Stippich, Grant Wade, Ed Van Every, Raemarie Schmidt, Mark Johnson, Bob Weitershausen,
John Colbert, Bruce Pixley, Lance Mueller, Howie Williamson, Lisa Highsmith,
Dan Purcell, Ben Cotton, Patrick Paige, John D’Andrea, Mike Feldman, Mike Nelson, Steve
Mahoney, Joel Horne, Mark Stringer, Dustin Hurlbut, Fred Cotton, Ross Mayfield, Bill Spernow,
Arnie “A. J.” Jackson, Ed Novreske, Steve Anson, Warren Kruse, Bob Moses, Kevin Perna,
Dan Willey, Scott Garland, and Steve Whalen.
Every effort has been made to present all material accurately and completely. To achieve this
I verified as much information as possible with multiple sources. In a few instances, published
or generally accepted information was in conflict or error. When this occurred, the information
was researched and tested, and the most accurate information available was published in this
book. I would like to thank the authors of the following publications because I relied on their
vast wealth of knowledge and expertise for research and information verification:
Carrier, Brian, File System Forensic Analysis, Boston, Addison-Wesley, 2005.
Carvey, Harlan, Windows Forensics and Incident Recovery, Boston, Addison-Wesley, 2005.
Carvey, Harlan, Windows Forensic Analysis Including DVD Toolkit, Syngress Publishing, 2007.
Hipson, Peter, Mastering Windows XP Registry, San Francisco, SYBEX, 2002.
Honeycutt, Jerry, Microsoft Windows XP Registry Guide, Redmond, WA, Microsoft Press, 2003.
Kruse, Warren G. II, and Jay G. Heiser, Computer Forensics: Incident Response Essentials, Boston, Addison-Wesley, 2002.
Mueller, Scott, Upgrading and Repairing PCs, 17th Edition, Indianapolis, IN, Que Publications, 2006.
These books are valuable resources and should be in every examiner’s library. In addition
to these publications, I relied heavily on the wealth of information contained in the many
training, product, and lab manuals produced by Guidance Software. To the many staff
members of Guidance Software who have contributed over the years to these publications,
I extend my most grateful appreciation.
Last, but by no means least, I would like to acknowledge the contributions by my parents
and my loving wife. My parents instilled in me, at a very young age, an insatiable quest for
knowledge that has persisted throughout my life, and I thank them for it along with a lifetime
of love and support. My best friend and loving wife, Donna, encouraged and motivated me
long ago to pursue computer forensics. Although the pursuit of computer forensics never ends,
without her support, sacrifices, motivation, sense of humor, and love, this book would never
have been completed.
Thank you, everyone.
—Steve

About the Author

Steve Bunting is a captain with the University of Delaware Police Department, where he is
responsible for computer forensics, video forensics, and investigations involving computers.
He has more than 30 years’ experience in law enforcement, and his background in computer
forensics is extensive. He is a Certified Computer Forensics Technician (CCFT) and an EnCase
Certified Examiner (EnCE). He was the recipient of the 2002 Guidance Software Certified
Examiner Award of Excellence for receiving the highest test score on his certification
examination. He holds a bachelor’s degree in Applied Professions/Business Management from
Wilmington College and a computer applications certificate in Network Environments from
the University of Delaware. He has conducted computer forensic examinations for the
University of Delaware and for numerous local, state, and federal agencies on an extreme variety
of cases, including extortion, homicide, embezzlement, child exploitation, intellectual
property theft, and unlawful intrusions into computer systems. He has testified in court on
numerous occasions as a computer forensics expert. He has taught computer forensics for Guidance
Software, makers of EnCase, and taught as a lead instructor at all course levels, including the
Expert Series, with a particular emphasis on the Internet and Email Examinations course. He
has been a presenter at several seminars and workshops, is the author of numerous white
papers, and is the coauthor of Mastering Windows Network Forensics and Investigation
(Wiley, 2007). He also maintains a website for cybercrime and computer forensics issues at
http://128.175.24.251/forensics/.

Contents at a Glance

Introduction
Assessment Test
Chapter 1 Computer Hardware
Chapter 2 File Systems
Chapter 3 First Response
Chapter 4 Acquiring Digital Evidence
Chapter 5 EnCase Concepts
Chapter 6 EnCase Environment
Chapter 7 Understanding, Searching For, and Bookmarking Data
Chapter 8 File Signature Analysis and Hash Analysis
Chapter 9 Windows Operating System Artifacts
Chapter 10 Advanced EnCase
Appendix A Creating Paperless Reports
Appendix B About the Companion DVD
Glossary
Index

Contents

Introduction
Assessment Test

Chapter 1 Computer Hardware

Computer Hardware Components
The Boot Process
Partitions
File Systems
Summary
Exam Essentials
Review Questions
Answers to Review Questions

Chapter 2 File Systems

FAT Basics
The Physical Layout of FAT
Viewing FAT Entries Using EnCase
The Function of FAT
How a File Is Stored
The Effects of Deleting and Undeleting Files
Slack Space
Directory Entry Status Byte
NTFS (New Technology File System)
CD File Systems
Summary
Exam Essentials
Review Questions
Answers to Review Questions

Chapter 3 First Response

Planning and Preparation
The Physical Location
Personnel
Computer Systems
What to Take with You Before You Leave?
Search Authority
Handling Evidence at the Scene
Securing the Scene
Recording and Photographing the Scene
Seizing Computer Evidence
Bagging and Tagging
Summary
Exam Essentials
Review Questions
Answers to Review Questions

Chapter 4 Acquiring Digital Evidence

Creating EnCase Forensic Boot Disks
Booting a Computer Using the EnCase Boot Disk
Seeing Invisible HPA and DCO Data
Other Reasons for Using a DOS Boot
Steps for Using a DOS Boot
Drive-to-Drive DOS Acquisition
Steps for Drive-to-Drive DOS Acquisition
Supplemental Information About Drive-to-Drive DOS Acquisition
Network Acquisitions
Reasons to Use Network Acquisitions
Understanding Network Cables
Preparing an EnCase Network Boot Disk
Preparing an EnCase Network Boot CD
Steps for Network Acquisition
FastBloc Acquisitions
Available FastBloc Models
FastBloc 2 Features
Steps for FastBloc Acquisition
FastBloc SE Acquisitions
About FastBloc SE
Steps for FastBloc SE Acquisitions
LinEn Acquisitions
Mounting a File System as Read-Only
Updating a Linux Boot CD with the Latest Version of LinEn
Running LinEn
Steps for LinEn Acquisition
Enterprise and FIM Acquisitions
Helpful Hints
Summary
Exam Essentials
Review Questions
Answers to Review Questions

Chapter 5 EnCase Concepts

EnCase Evidence File Format
CRC and MD5
Evidence File Components and Function
Evidence File Verification
Hashing Disks and Volumes
EnCase Case Files
EnCase Backup File (.cbak)
EnCase Configuration Files
EnCase Record Cache Folder
Summary
Exam Essentials
Review Questions
Answers to Review Questions

Chapter 6 EnCase Environment

EnCase Layout
Creating a Case
Tree Pane Navigation
Table Pane Navigation
Table View
Report View
Gallery View
Disk View
Timeline View
Code View
View Pane Navigation
Text View
Hex View
Picture View
Report View
Console View
Doc View
Transcript View
Details View
Output View
Lock Option
Dixon Box
Navigation Data (GPS)
Find Feature
Other Views
Adjusting Panes
Other Case-Level Views
Global Views
EnCase Options
Summary
Exam Essentials
Review Questions
Answers to Review Questions

Chapter 7 Understanding, Searching For, and Bookmarking Data

Understanding Data
Binary Numbers
Hexadecimal
Characters
ASCII
Unicode
Searching for Data
Creating and Managing Keywords
GREP Keywords
Starting a Search
Viewing Search Hits and Bookmarking Your Findings
Bookmarking
Summary
Exam Essentials
Review Questions
Answers to Review Questions

Chapter 8 File Signature Analysis and Hash Analysis

File Signature Analysis
Understanding Application Binding
Creating a New File Signature
Conducting a File Signature Analysis
Hash Analysis
MD5 Hash
Hash Sets and Hash Libraries
Hash Analysis
Summary
Exam Essentials
Review Questions
Answers to Review Questions

Chapter 9 Windows Operating System Artifacts

Dates and Times
Time Zones
Windows 64-Bit Time Stamp
Adjusting for Time Zone Offsets
Recycle Bin
Details of Recycle Bin Operation
The INFO2 File
Determining the Owner of Files in the Recycle Bin
Files Restored or Deleted from the Recycle Bin
Using an EnScript to Determine the Status of Recycle Bin Files
Recycle Bin Bypass
Windows Vista Recycle Bin
Link Files
Changing the Properties of a Shortcut
Forensic Importance of Link Files
Using the Link File Parser EnScript
Windows 2000, XP, and Vista Folders
Recent Folder
Desktop Folder
My Documents/Documents
Send To Folder
Temp Folder
Favorites Folder
Windows Vista Low Folders
Cookies Folder
History Folder
Temporary Internet Files
Swap File
Hibernation File
Print Spooling
Legacy Operating System Artifacts
Windows Vista Volume Shadow Copy
Windows Event Logs
Kinds of Information Available in Event Logs
Determining Levels of Auditing
Windows Vista Event Logs
Using the Windows Event Log Parser
For More Information
Summary
Exam Essentials
Review Questions
Answers to Review Questions

Chapter 10 Advanced EnCase

Locating and Mounting Partitions
Mounting Files
Registry
Registry History
Registry Organization and Terminology
Using EnCase to Mount and View the Registry
Registry Research Techniques
EnScript and Filters
EnScript Navigation and Paths
Editing, Copying, Moving, and Deleting EnScripts
Running EnScripts
Filters, Conditions, and Queries
Email
Base64 Encoding
EnCase Decryption Suite (EDS)
Virtual File System (VFS)
Exporting Applications
Restoration
Physical Disk Emulator (PDE)
Putting It All Together
Summary
Exam Essentials
Review Questions
Answers to Review Questions

Appendix A Creating Paperless Reports

Exporting the Web Page Report
Creating Your Container Report
Bookmarks and Hyperlinks
Burning the Report to CD or DVD

Appendix B About the Companion DVD

What You’ll Find on the DVD
EnCase Forensics Software and Evidence Files
EnCase Legal Journal
Sybex Test Engine
Adobe Reader
Practice Files
System Requirements
Using the DVD
Troubleshooting
Customer Care

Glossary

Index

Table of Exercises

Exercise 1.1 Examining the Partition Table
Exercise 2.1 Viewing FAT Entries
Exercise 3.1 First Response to a Computer Incident
Exercise 4.1 Previewing Your Own Hard Drive
Exercise 5.1 Understanding How EnCase Maintains Data Integrity
Exercise 6.1 Navigating EnCase
Exercise 7.1 Searching for Data and Bookmarking the Results
Exercise 8.1 Performing a File Signature Analysis
Exercise 8.2 Hash Analysis
Exercise 9.1 Windows Artifacts Recovery
Exercise 9.2 Windows Vista Artifact Recovery
Exercise 10.1 Partition Recovery
Exercise 10.2 Conducting Email and Registry Examinations

Introduction

This book was designed for several audiences. First and foremost, it was designed for anyone
seeking the EnCase Certified Examiner (EnCE) credential. This certification is rapidly growing
in popularity and demand in all areas of the computer forensics industry. More and more
employers are recognizing the importance of this certification and are seeking this credential
in potential job candidates. Equally important, courts are placing increasing emphasis on certifications
that are specific to computer forensics. The EnCE certification meets or exceeds the
needs of the computer forensics industry.
This book was also designed for computer forensics students working either in a structured
educational setting or in a self-study program. The chapters include exercises and evidence
files that work with the version of EnCase that ships with the DVD, making it an ideal learning
tool for either setting.

The version of EnCase that is provided on the DVD is not a fully functional
version of the software and works only with the evidence files provided on the
DVD. The limited use version of EnCase provided on this DVD functions differently
when acquiring evidence and you will note that the Acquire button on
the toolbar is disabled. To acquire the evidence files on the DVD, drag them
from the DVD and drop them into the open EnCase program and follow the
prompts to create the paths for your case files. Thus in the exercises in this
book, if you are using the limited use version on the DVD, you will be dragging
and dropping DVD evidence files instead of using the Acquire button. In
this manner, the reader is provided with an excellent tool by which to study
for the exam and to learn many of the functions of EnCase.

Finally, this book was written for those with knowledge of EnCase or forensics who simply
want to learn more about either or both. Every topic goes well beyond what’s needed for certification
with the specific intent of overpreparing the certification candidate. In some cases,
the material goes beyond that covered in many of the formal training classes you may have
attended. In either case, that added depth of knowledge provides comprehensive learning
opportunities for the intermediate or advanced user.
The EnCE certification program is geared toward those who have attended the EnCase
Intermediate Computer Forensics training or its equivalent. To that extent, this book assumes
the reader has a general knowledge of computer forensics and some basic knowledge of
EnCase. For those who may need a refresher in either, you’ll find plenty of resources. Many
users may have used earlier versions of EnCase and have not yet transitioned to EnCase 6.
Those users may benefit by starting with Chapter 6, which discusses the EnCase environment.
The chapters are organized into related concepts to facilitate the learning process, with basic
concepts in the beginning and advanced material at the end. At the end of each chapter you will
find the “Summary,” “Exam Essentials,” and “Review Questions” sections. The “Summary” section
is a brief outline of the essential points contained in the chapter; the “Exam Essentials” section
explains the concepts you’ll need to understand for the examination.
I strongly urge you to make full use of the “Review Questions” section. A good way to use
the questions is as a pretest before reading each chapter and then again as a posttest when
you’re done. Although answering correctly is always important, it’s more important to understand
the concepts covered in the question. Make sure you are comfortable with all the material
before moving to the next chapter. Just as knowledge is cumulative, a lack thereof impedes
that accumulation. As you prepare for your certification examinations (written and practical),
take the time to thoroughly understand those items that you may have never understood. The
journey along the road to certification is just as important as the destination.

What Is the EnCE Certification?

Guidance Software, Inc., developed the EnCE in late 2001 to meet the needs of its customer base,
who requested a solid certification program covering both the use of the EnCase software and
computer forensics concepts in general. Since its inception, the EnCE certification has become
one of the most recognized and coveted certifications in the computer forensics industry. You
might ask why, but the answer is simple. The process is demanding and challenging. You must
have certain knowledge, skills, and abilities to be able to pass both a written and a practical
examination. For certain, it is not a “giveaway” program. You will work hard, and you will earn
your certification. When you are certified, you’ll be proud of your accomplishment. What’s
more, you will have joined the ranks of the elite in the industry who have chosen to adhere to
high standards and to excel in their field. Remember, in the field of computer forensics, excellence
is not an option; it is an operational necessity.

Why Become EnCE Certified?

The following benefits are associated with becoming EnCE certified:



EnCE certification demonstrates professional achievement.
EnCE certification increases your marketability and provides opportunity for advancement.
EnCE certification enhances your professional credibility and standing when testifying before courts, hearing boards, and other fact-finding bodies.
EnCE certification provides peer recognition.

EnCE certification is a rigorous process that documents and demonstrates your achievements
and competency in the field of computer forensics. You must have experience as an
investigator and examiner, and you must have received training at the EnCase Intermediate
Computer Forensics level or other equivalent classroom instruction before you can apply for
the program. Next, you will have to pass both a written and a practical examination before
receiving your certification. EnCE certification assures customers, employers, courts, your
peers, and others that your computer forensics knowledge, skills, and abilities meet the highest
professional standards.
