DF120 – Foundations in Digital Forensics with EnCase® Forensic
This hands-on course involves practical exercises and real-life simulations in the use of EnCase® Forensic (EnCase) Version 8. The class gives participants an understanding of the proper handling of digital evidence, from the initial seizure of the computer/media through acquisition concepts, including live evidence acquisition. Instruction then progresses to the analysis of the data. It concludes with basic report creation and archiving, validating the data, and restoring evidence.
Delivery method: Group-Live
NASBA defined level: Basic
Students attending this course will learn the following:
• The EnCase digital forensic methodology
• How to navigate the EnCase interface
• How to create a case and how to preview and acquire media
• How to extract data and files from your evidence
• How to bookmark evidence files, file sets, and data structures
• How to conduct raw and index searches
• How to analyze file signatures and view files
• How to conduct hash and entropy analyses and import hash sets
• How to import and export data to and from Project Vic
• How to install external file viewers to EnCase
• How to locate data in unallocated space
• How to prepare reports, using templates provided with EnCase
• How to create a report template
• How to restore evidence
• How to archive files and data created through the analysis process
• The proper techniques for handling and preserving evidence
Prerequisites: Basic computer skills. Advance preparation for this course is not required.
About the Course:
- CPE Credits: 32**
- Course Level: Introductory
- Course Type: Core
- Delivery Method: Group-Live, Classroom
Who Should Attend?
This course is intended for IT security professionals, litigation support staff, and forensic investigators. Participants may have minimal computer skills and may be new to the field of computer forensics.
DF120 - Foundations in Digital Forensics Syllabus
Day one starts with instruction on using EnCase® Forensic Version 8 (EnCase) to create a new case and navigate within the EnCase interface. The students participate in a practical exercise, which allows them to test their newly acquired navigation skills and provides an understanding of how to search for files based on metadata. Attendees use EnCase to acquire a forensic copy of media while protecting the original media from change. Methodologies used within a computer system for the allocation of storage areas are discussed. The concepts of digital evidence, and how evidence verification confirms that an acquired image still matches the hash values recorded at acquisition, are also discussed.
The main areas covered on day one include:
• Creating a case file in EnCase
• Navigating within the EnCase environment
• Understanding concepts of digital evidence and disk/volume allocation:
  • Types of evidence
  • Terminology describing data storage, including but not limited to unallocated space, unused disk area, volume slack, file slack, RAM slack, and disk slack
• Documenting EnCase concepts:
  • Evidence files
  • Case files and backups
  • Configuration files
  • Object icons within EnCase
• Acquiring media in a forensically sound manner
Day two begins with a continuation of the lesson on acquisition concepts, followed by a quiz that reviews the presented concepts. The students learn how to properly preview a live computer system prior to acquisition using the Direct Network Preview function. The attendees use the EnCase® Evidence Processor to run modules on evidence files and obtain results that are reviewed during subsequent lessons. Attendees bookmark and tag data to be incorporated into an examination report during the Report Creation lesson. Students perform a practical exercise during which they back up the case with customized settings and bookmark items for reporting purposes. Participants then run two different searching processes: raw searching (on raw data, whether indexed or not) and index searching (on interpreted, indexed data).
The main areas covered on day two include:
• Previewing a running computer (even one using full disk encryption) using multiple techniques, including the Direct Network Preview function
• Running EnCase utilities to capture RAM
• Processing evidence:
  • Running processes, including but not limited to file signature analysis, protected file analysis, hash and entropy analysis, email and internet artifact analysis, and word/phrase indexing
  • Executing modules, including but not limited to file carver, Windows artifacts parser, and system info parser
• Bookmarking and tagging data for inclusion in the final report
• Creating and conducting raw keyword searches and index search queries to locate search expressions of interest
Day three begins with the completion of the index-searching lesson. The participants perform a practical exercise, allowing them to practice the discussed searching and bookmarking techniques. Attendees define and install external viewers within EnCase and copy data from within an evidence file to the file system for use with other computer programs. Participants employ file signature analysis to properly identify file types and to locate renamed files. Students are then given instruction on the principles and practical usage of hash analysis. Students create a hash library containing hash sets: hash values of notable files to identify, and of known files to exclude from an evidence file. Hash analysis tools, such as EnScript® programs and other utilities, are then employed to analyze hash libraries and to incorporate commonly available hash libraries/sets into the examination environment. Entropy analysis techniques are demonstrated to students to assist in the identification of files that nearly match notable files.
The main areas covered on day three include:
• Creating and conducting index search queries and raw keyword searches
• Incorporating the use of installed external viewers used by examiners into EnCase
• Copying files, folders, and data from EnCase to the local file system for analysis by other tools
• Performing signature analysis to determine the true identities of file objects and to ascertain if files were renamed to hide their true identities
• Conducting hash analysis using unique values calculated based on file logical content to identify and/or exclude files
• Importing and exporting data to/from Project Vic
• Running entropy analysis to locate files that may be near matches to other files or that may be password protected, obfuscated, or encrypted
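The three file-level checks listed above (signature analysis, hash-set matching, and entropy analysis) are combined below in a small Python triage routine. This is an added illustration written for this page, not EnCase code or course material: the magic-number table, the threshold, the hash sets, and the sample "files" are all constructed for the example, and the known/notable sets are stand-ins for what an examiner would import from a real hash library such as NSRL or Project Vic.

```python
"""Added example: signature, hash-set and entropy triage over constructed samples.

Not EnCase code. Everything below (signature table, samples, hash sets,
threshold) is invented for illustration.
"""
import hashlib
import math
from collections import Counter

# Constructed magic-number table: extension -> acceptable file headers.
# A real signature database (EnCase ships one) is far larger than this.
SIGNATURES = {
    "jpg": (b"\xff\xd8\xff",),
    "jpeg": (b"\xff\xd8\xff",),
    "png": (b"\x89PNG\r\n\x1a\n",),
    "gif": (b"GIF87a", b"GIF89a"),
    "pdf": (b"%PDF-",),
    "zip": (b"PK\x03\x04",),
    "docx": (b"PK\x03\x04",),   # OOXML is a ZIP container
    "exe": (b"MZ",),
}

HIGH_ENTROPY = 7.5  # assumed threshold (bits/byte) for "looks encrypted/compressed"


def identify_by_signature(data):
    """Every extension whose magic bytes match the start of the data."""
    return {ext for ext, magics in SIGNATURES.items()
            if any(data.startswith(m) for m in magics)}


def signature_status(name, data):
    """'match', 'mismatch' (header disagrees with extension: a renamed file),
    'unknown' (header not in the table) or 'no-extension'."""
    ext = name.rsplit(".", 1)[1].lower() if "." in name else ""
    matched = identify_by_signature(data)
    if not ext:
        return "no-extension"
    if ext in matched:
        return "match"
    return "mismatch" if matched else "unknown"


def shannon_entropy(data):
    """Shannon entropy in bits per byte, 0.0..8.0. Ciphertext and compressed
    data sit near 8; plain text sits far lower."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def sha1_hex(data):
    """Hash of the logical file content, the value hash sets are keyed on."""
    return hashlib.sha1(data).hexdigest()


def hash_status(data, known, notable):
    """'notable' (flag for review), 'known' (safe to exclude) or 'unknown'."""
    h = sha1_hex(data)
    if h in notable:
        return "notable"
    if h in known:
        return "known"
    return "unknown"


def triage(name, data, known, notable):
    """One finding per file combining the three analyses."""
    sig = signature_status(name, data)
    hs = hash_status(data, known, notable)
    ent = shannon_entropy(data)
    flags = []
    if hs == "notable":
        flags.append("notable-hash")
    if sig == "mismatch":
        flags.append("renamed-file")
    # High entropy only matters when no signature explains it: a JPEG or
    # ZIP is expected to look random, an unidentified blob is not.
    if ent >= HIGH_ENTROPY and sig in ("unknown", "no-extension"):
        flags.append("possibly-encrypted")
    return {"name": name, "signature": sig, "hash": hs,
            "entropy": round(ent, 2), "flags": flags}


# Constructed sample "files" (contents invented for this example).
SAMPLES = {
    "report.pdf": b"%PDF-1.4\n1 0 obj << /Type /Catalog >> endobj\n" * 4,
    # JPEG header hidden behind a .doc extension, body is a uniform byte spread
    "holiday.doc": b"\xff\xd8\xff\xe0\x00\x10JFIF\x00" + bytes(range(256)) * 8,
    # stand-in for ciphertext: every byte value equally often, no known header
    "notes.txt": bytes(range(256)) * 16,
    "setup.exe": b"MZ\x90\x00" + b"\x00" * 512,
    "clean.txt": b"nothing to see here\n" * 10,
}
KNOWN_HASHES = {sha1_hex(SAMPLES["setup.exe"])}       # e.g. from an OS install set
NOTABLE_HASHES = {sha1_hex(SAMPLES["holiday.doc"])}   # e.g. from a Project Vic set


def run(samples=SAMPLES, known=KNOWN_HASHES, notable=NOTABLE_HASHES):
    """Triage every sample; returns {name: finding}."""
    return {n: triage(n, d, known, notable) for n, d in samples.items()}


if __name__ == "__main__":
    for finding in run().values():
        print(finding)
```

The ordering of the flags is deliberate: a notable-hash hit is conclusive on its own, a signature mismatch is strong, and high entropy is only a lead, which is why it is suppressed whenever a recognised header already accounts for the randomness.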
Day four begins with a practical exercise on conducting signature, entropy, and hash analyses. Instruction then proceeds to a lesson on searching and recovering data from unallocated space. The students then learn how to customize and organize a report using bookmarked data and how to include pertinent file metadata in the report. The students are given advice and guidance on properly archiving and later reopening a case. As part of the archiving process, attendees reacquire an evidence file to change evidence file parameters, such as compression, evidence file format, or segment size, to facilitate effective archiving. The course concludes with a final practical exercise covering the week's instruction.
The main areas covered on day four include:
• Locating and recovering evidence, including images, documents, and videos in unallocated space manually and by using EnScript programs
• Creating a report of files and data bookmarked during the examination:
  • Exporting reports
  • Modifying basic reporting formats
  • Creating templates for future case utilization
• Reacquiring evidence to change evidence file settings
• Restoring evidence to run proprietary software or as required by a court order
• Archiving and reopening an archived case
• Completing a comprehensive final practical exercise
- Sunday - Wednesday
- Course Time: 8am - 4pm
- Coffee, Tea & Refreshments will be available daily
- Lunch on-site is included
- Free on-site parking
- Full payment required prior to course start date to reserve seat(s)
- Payment forms accepted - Visa, Mastercard, Amex, Discover cards
Training Brought To You By:
One To One Hotel
Al Salam St
United Arab Emirates
Elias Technologies - UAE
Elias Technologies, UAE is a provider of digital forensics investigations, network intrusion response, penetration testing, vulnerability assessments, mobile device forensics, cellular triangulation and cyber security training.
Our experts deliver a training methodology built on more than twenty years of knowledge, experience, and passion for our industry, gained through proven industry track records and a dedication to providing factual and measurable results to our clients.
Elias Technologies, UAE is globally recognized as an international developer, implementer, and manager of Cyber Crimes Laboratories, from being the first privately held company to establish and manage a Cyber Crimes lab in the U.S. for a US State Attorney's office, to the full development, implementation, and daily management of a full-service Cyber Crimes Center for the Abu Dhabi Judicial Department in the U.A.E.
Elias Technologies, UAE | Cyber Forensics 360, is an authorized provider and reseller of Guidance Software, Inc. EnCase Forensic, Endpoint Security, and Endpoint Investigator. We provide direct vendor implementation of GSI's cyber security product line, currently supporting the U.A.E., Africa, Europe, and the Philippines.
Elias Technologies, UAE | Cyber Forensics 360, is an authorized global reseller and training partner for Oxygen Forensics®. Oxygen Forensic® Detective is forensic software for the extraction and analysis of data from cell phones, smartphones, and tablets. According to the vendor, its proprietary protocols allow Oxygen Forensic® Detective to extract more data than is usually extracted while operating with zero footprint, leaving no traces and making no modifications to the device content. The software is distributed to law enforcement and government agencies, the military, private investigators, and other forensic specialists.