Skip Main Navigation
Page Content

Save This Event

Event Saved

DF210 - Building an Investigation with EnCase Forensic

Elias Technologies - UAE

DF210 - Building an Investigation with EnCase Forensic

Ticket Information

Ticket Type Price Fee Quantity
DF210 - Building an Investigation
1 Participant, February 19-23, 2017
$2,875.00 $0.00

Who's Going

Loading your connections...

Share DF210 - Building an Investigation with EnCase Forensic

Event Details

DF210 - Building an Investigation with EnCase Forensic

This hands-on course is designed for investigators with strong computer skills, prior computer forensics training, and experience using the EnCase® Forensic (EnCase). This course builds upon the skills covered in the DF120 – Foundations of Digital Forensics course and enhances the examiner's ability to work efficiently through the use of the unique features of EnCase. Students must understand evidence handling, the structure of the evidence file, creating and using case files, and data acquisition methods, including DOS-based, hardware write protected, crossover cable, and disk-to-disk. It is also important that the students are familiar with the methods for recovering deleted files and folders in a FAT environment, conducting keyword searches across logical and physical media, creating and using EnCase® bookmarks, file signatures and signature analysis, and locating and understanding Windows® artifacts. 

Delivery method: Group-Live

NASBA defined level: Intermediate


Focusing on commonly conducted investigations, students will learn about the following: 

•    How to recover encrypted information particularly that which was encrypted using Windows BitLocker™
•    How to locate and recover deleted partitions 
•    Students will learn how to deal with compound file types 
•    Students will learn about the Windows® Registry 
•    How to determine time zone offsets and properly adjust case settings
•    How to create and use conditions for effective searching
•    Students will learn how to use the EnCase® Evidence Processor
•    Students will gain an overview of the FAT, ExFAT, and NT file system
•    How to conduct keyword searches and advanced searches using GREP 
•    The differences between single and logical evidence files and how to create and use of logical evidence files 
•    How to identify Windows operating system artifacts, such as link files, Recycle Bin, and user folders 
•    How to recover data from the Recycle Bin
•    How to recover artifacts, such as swap files, file slack, and spooler files 
•    How to conduct a search for e-mail and e-mail attachments
•    Students will learn how to examine e-mail and Internet artifacts
•    How to identify and recover data relating to the use of removable USB devices


DF120 – Foundations in Digital Forensics with EnCase® Forensic

About the Test:

  • CPE Credits: 32**
  • Course Level: Intermediate
  • Course Type: Core
  • Delivery Method: Group-Live, Classroom

Who Should Attend?

This course is intended for IT security professionals, litigation support and forensic investigators Participants may have minimal computer skills and may be new to the field of computer forensics.



DF210 - Building an Investigation Syllabus

Day 1

Day one starts with an overview of the EnCase Forensic version 8 environment. The students then learn how to collect encrypted information by examining files encrypted with Windows® BitLockerTM. Attendees go on to study the Master Boot Record partitioning model and deleted partition recovery. Instruction continues with an examination of compound files. Their structures are explored and issues surrounding their examination are discussed. Students move on to explore a very important type of compound file structure, the Windows® Registry hive file. They explore mounting and examining these files and learn the relationship of the hive files to the structure of the Registry in its online state. Students then progress to examining the time zone information contained within the Registry, its importance to their case, and how they apply it in EnCase Forensic. The students are provided intermediate-level instruction concerning instruction regarding the methods for creating conditions to filter data. Next the students are provided with an overview of the Evidence Processor and the processing of the Malone case, which will be used throughout the rest of the course.

The main areas covered on day one include:

• Review of EnCase Forensic case creation and adding evidence

• Examining data encrypted with BitLocker

• Understanding the Master Boot Record partitioning scheme

• Principles of attempting to recover data lost through the partitioning process

• Partition recovery

• Compound files

• Mounting and searching compound files

• Documenting data contained within these compound files

• Pitfalls of not examining compound files properly

• Windows Registry

• Elements of the Registry

• Registry keys (folders) and values

• Registry value types

• Locating and mounting the Registry hive files

• Examination of time zone settings with the Registry

• Applying time zones within EnCase Forensic

• Using conditions to filter data

• Evidence Processor overview


Day 2

Day two begins with instructions about the FAT, ExFat, and NT file systems and then the students will participate in a practical exercise, examining all three files systems and their differences. The course continues with the use of the GREP operator functionality of EnCase Forensic to perform advanced searches. Single- le functionality as well as the value of logical evidence files are explored. A practical exercise and review follows with the processing of our second case, which concludes the instruction for the day.

The main areas covered on day two include:

• FAT, ExFAT, and NT Files Systems

• Using the GREP operators within EnCase Forensic to construct advanced search terms

• Suitability of GREP, proper syntax, and potential results • Single files and logical evidence files


Day 3

Day three focuses upon specific analysis of common artifacts that often provide vital information to investigations. These specific areas reveal data that can provide a clearer indication of user activities. Students will explore the methods that EnCase Forensic offers to provide detailed information to the examiner. The final lesson for day three is focused on identifying, locating, and recovering email message and attachments.

The main areas covered on day three include:

• Advanced search techniques

• Windows artifacts

• User account information and associated data

• System folders and files of interest

• Thumbnail cache files

• Windows 7 specific artifacts

• Folder structure and the effects of junctions (folder mount points)

• User/administrator privileges and impact on storage of data

• Links and Library folder content

• System files

• Shortcut or link files

• Deconstructing link files to reveal internal structures related to their target files

• Using link files to help determine drive letter assignment

• The Windows Recycle Bin

• Linking Recycle Bin data to the associated user

• Registry entries controlling operation of the Recycle Bin

• Examination of the Recycle Bin, its properties, and function

• Exploring the way the Recycle Bin is implemented under

• Print spooler recovery

• Understanding the printing process and associated files

• Recovery of SPL and SHD files as well as understanding and extracting the graphical and metadata they contain

• Email and Internet history

• Examining both client-based and web-based email and methods available within EnCase Forensic to locate and parse email data stores

• Recovering and analyzing email attachments


Day 4

Day four begins with instruction on examining various Internet artifact and moves on to how the data located on removable USB devices can be examined and recovered. The students will then participate in a practical exercise focusing on these skills. The week of instructions concludes with a final practical exercise that provides the student with a hands-on review of all the tuition dispensed during the course.

The main areas covered on day four include:

• Internet artifacts

• Removable USB device identification



Course Information:

  • Sunday - Wednesday
  • Course Time; 8am - 4pm
  • Coffee, Tea & Refreshments will be available daily
  • Lunch on-site is included
  • Free on-site parking
  • Full payment required prior to course start date to reserve seat(s)
  • Payment forms accepted - Visa, Mastercard, Amex, Discover cards



Training Brought To You By: 


Have questions about DF210 - Building an Investigation with EnCase Forensic? Contact Elias Technologies - UAE

Save This Event

Event Saved


One To One Hotel
Al Salam Street
Abu Dhabi, Abu Dhabi
United Arab Emirates


Elias Technologies - UAE

Elias Technologies - Guidance Software

Elias Technologies, UAE is a provider of digital forensics investigations, network intrusion response, penetration testing, vulnerability assessments, mobile device forensics, cellular triangulation and cyber security training.

Our experts deliver training methodology from over twenty years worth of knowledge, experiences and passion for our industry. Experience only gained through industry proven track records and dedication to providing factual and measurable results to our clients.

Elias Technologies, UAE is globally recognized as an international developer, implementer and manager of Cyber Crimes Laboratories. From being the first privately held company to establish and manage a Cyber Crimes lab in the U.S. for the US State Attorneys’ office to the full development, implementation and daily management of a full service Cyber Crimes Center for the Abu Dhabi Judicial Department in the U.A.E.





Elias Technologies, UAE | Cyber Forensics 360, is an authorized provider and reseller of Guidance Software, Inc. EnCase Forensics, Endpoint Security and Endpoint Investigator. We provide direct vendor implementation of GSI’s cyber security product line. Currently supporting U.A.E. Africa, Europe and the Philippines.


 GUID Endpoint Security




Elias Technologies, UAE | Cyber Forensics 360, is an authorized global reseller and training partner for Oxygen Forensics®. Oxygen Forensic® Detective is a forensic software for extraction and analysis of data from cell phones, smartphones and tablets. Using advanced proprietary protocols permits Oxygen Forensic® Detective to extract much more data than usually extracted and guarantees zero-footprint operation, leaving no traces and making no modifications to the device content. The software is distributed to law enforcement and government agencies, military, private investigators and other forensic specialists.



  Contact the Organizer
DF210 - Building an Investigation with EnCase Forensic
Things to do in Abu Dhabi Class Business

Please log in or sign up

In order to purchase these tickets in installments, you'll need an Eventbrite account. Log in or sign up for a free account to continue.