DF210 - Building an Investigation with EnCase Forensic

This hands-on course is designed for investigators with strong computer skills, prior computer forensics training, and experience using the EnCase® Forensic (EnCase). This course builds upon the skills covered in the DF120 – Foundations of Digital Forensics course and enhances the examiner's ability to work efficiently through the use of the unique features of EnCase. Students must understand evidence handling, the structure of the evidence file, creating and using case files, and data acquisition methods, including DOS-based, hardware write protected, crossover cable, and disk-to-disk. It is also important that the students are familiar with the methods for recovering deleted files and folders in a FAT environment, conducting keyword searches across logical and physical media, creating and using EnCase® bookmarks, file signatures and signature analysis, and locating and understanding Windows® artifacts. 

Delivery method: Group-Live

NASBA defined level: Intermediate

Focusing on commonly conducted investigations, students will learn about the following: 

•    How to recover encrypted information particularly that which was encrypted using Windows BitLocker™
•    How to locate and recover deleted partitions 
•    Students will learn how to deal with compound file types 
•    Students will learn about the Windows® Registry 
•    How to determine time zone offsets and properly adjust case settings
•    How to create and use conditions for effective searching
•    Students will learn how to use the EnCase® Evidence Processor
•    Students will gain an overview of the FAT, ExFAT, and NT file system
•    How to conduct keyword searches and advanced searches using GREP 
•    The differences between single and logical evidence files and how to create and use of logical evidence files 
•    How to identify Windows operating system artifacts, such as link files, Recycle Bin, and user folders 
•    How to recover data from the Recycle Bin
•    How to recover artifacts, such as swap files, file slack, and spooler files 
•    How to conduct a search for e-mail and e-mail attachments
•    Students will learn how to examine e-mail and Internet artifacts
•    How to identify and recover data relating to the use of removable USB devices

Prerequisite:

DF120 – Foundations in Digital Forensics with EnCase® Forensic

About the Test:

• CPE Credits: 32**
• Course Level: Intermediate
• Course Type: Core
• Delivery Method: Group-Live, Classroom

Who Should Attend?

This course is intended for IT security professionals, litigation support and forensic investigators Participants may have minimal computer skills and may be new to the field of computer forensics.

DF210 - Building an Investigation Syllabus

Day 1

Day one starts with an overview of the EnCase Forensic version 8 environment. The students then learn how to collect encrypted information by examining files encrypted with Windows® BitLockerTM. Attendees go on to study the Master Boot Record partitioning model and deleted partition recovery. Instruction continues with an examination of compound files. Their structures are explored and issues surrounding their examination are discussed. Students move on to explore a very important type of compound file structure, the Windows® Registry hive file. They explore mounting and examining these files and learn the relationship of the hive files to the structure of the Registry in its online state. Students then progress to examining the time zone information contained within the Registry, its importance to their case, and how they apply it in EnCase Forensic. The students are provided intermediate-level instruction concerning instruction regarding the methods for creating conditions to filter data. Next the students are provided with an overview of the Evidence Processor and the processing of the Malone case, which will be used throughout the rest of the course.

The main areas covered on day one include:

• Review of EnCase Forensic case creation and adding evidence

• Examining data encrypted with BitLocker

• Understanding the Master Boot Record partitioning scheme

• Principles of attempting to recover data lost through the partitioning process

• Partition recovery

• Compound files

• Mounting and searching compound files

• Documenting data contained within these compound files

• Pitfalls of not examining compound files properly

• Windows Registry

• Elements of the Registry

• Registry keys (folders) and values

• Registry value types

• Locating and mounting the Registry hive files

• Examination of time zone settings with the Registry

• Applying time zones within EnCase Forensic

• Using conditions to filter data

• Evidence Processor overview

Day 2

Day two begins with instructions about the FAT, ExFat, and NT file systems and then the students will participate in a practical exercise, examining all three files systems and their differences. The course continues with the use of the GREP operator functionality of EnCase Forensic to perform advanced searches. Single- le functionality as well as the value of logical evidence files are explored. A practical exercise and review follows with the processing of our second case, which concludes the instruction for the day.

The main areas covered on day two include:

• FAT, ExFAT, and NT Files Systems

• Using the GREP operators within EnCase Forensic to construct advanced search terms

• Suitability of GREP, proper syntax, and potential results • Single files and logical evidence files

Day 3

Day three focuses upon specific analysis of common artifacts that often provide vital information to investigations. These specific areas reveal data that can provide a clearer indication of user activities. Students will explore the methods that EnCase Forensic offers to provide detailed information to the examiner. The final lesson for day three is focused on identifying, locating, and recovering email message and attachments.

The main areas covered on day three include:

• Advanced search techniques

• Windows artifacts

• User account information and associated data

• System folders and files of interest

• Thumbnail cache files

• Windows 7 specific artifacts

• Folder structure and the effects of junctions (folder mount points)

• User/administrator privileges and impact on storage of data

• Links and Library folder content

• System files

• Shortcut or link files

• Deconstructing link files to reveal internal structures related to their target files

• Using link files to help determine drive letter assignment

• The Windows Recycle Bin

• Linking Recycle Bin data to the associated user

• Registry entries controlling operation of the Recycle Bin

• Examination of the Recycle Bin, its properties, and function

• Exploring the way the Recycle Bin is implemented under

• Print spooler recovery

• Understanding the printing process and associated files

• Recovery of SPL and SHD files as well as understanding and extracting the graphical and metadata they contain

• Email and Internet history

• Examining both client-based and web-based email and methods available within EnCase Forensic to locate and parse email data stores

• Recovering and analyzing email attachments

Day 4

Day four begins with instruction on examining various Internet artifact and moves on to how the data located on removable USB devices can be examined and recovered. The students will then participate in a practical exercise focusing on these skills. The week of instructions concludes with a final practical exercise that provides the student with a hands-on review of all the tuition dispensed during the course.

The main areas covered on day four include:

• Internet artifacts

• Removable USB device identification

Course Information:

• Sunday - Wednesday
• Course Time; 8am - 4pm
• Coffee, Tea & Refreshments will be available daily
• Lunch on-site is included
• Free on-site parking
• Full payment required prior to course start date to reserve seat(s)
• Payment forms accepted - Visa, Mastercard, Amex, Discover cards

Training Brought To You By: