GUIDANCE SOFTWARE EnCase Forensic v7 · forensicsguru.com/pdf/EnCase_CF1_v7_Syllabus.pdf · GUIDANCE...
GUIDANCE SOFTWARE | EnCase Forensic v7
EnCase® Computer Forensics I Syllabus
www.guidancesoftware.com
Day 1
Day one starts with instruction on using EnCase® Forensic version 7
(EnCase v7) to create a new case and navigate the EnCase v7
interface. Attendees are shown how to use EnCase v7 to acquire a
complete copy of the data from removable media in a forensically
sound manner. The concept of digital evidence and how computers
work (paying particular regard to the associated impact on forensic
examination) are also included.
The main areas covered on day one include:
• Creating a case file in EnCase v7
• Navigating within the EnCase v7 environment
• Understanding the use of the timeline viewing function with EnCase v7
• Understanding the concept of digital evidence and its impact on an investigation
• EnCase v7 concepts
  – Safeguarding and preserving evidential data
• The basics of acquiring a forensically sound copy of data from removable media, including the use of Guidance Software’s write-blocking software, FastBloc® SE
• Understanding how computers work
  – Hardware and associated terminology
  – The CMOS, BIOS, and boot sequence
  – Interpreting binary and hexadecimal data
  – The basics of text encoding
Day 2
Day two begins with a practical exercise on the techniques learned on the
previous day for creating an evidence file and then continues with a detailed
discussion of the FAT file systems as well as an overview of the NT file
system. The students will learn how to properly preview a computer system
prior to acquisition. Hard disk acquisition is covered, using both a forensically
sound Linux CD, LinEn, and drive-to-drive connection methods. Attendees
will learn how to properly process evidence files and will be introduced to
basic search techniques.
The main areas covered on day two include:
• NT/FAT File Systems
  – How these file systems track data on their respective volumes as well as what occurs when a file is created or deleted
• Acquisition of a hard disk
  – Acquisition using a forensically sound Linux operating system
    » Drive-to-drive acquisition
    » Network crossover-cable acquisition
• Processing evidence
  – Using the EnCase® Evidence Processor
  – Preparing evidence for processing
  – Managing and using the various Evidence Processor settings and toolbars
• Creating and conducting raw and index searches