Course Description
Duration: 4 Days
This hands-on course involves practical exercises and real-life simulations in the use of EnCase™ software (EnCase). The class provides participants with an understanding of how EnCase may be used to examine data related to an incident response, an employee misconduct investigation, and/or a law enforcement criminal and/or civil investigation. Participants create cases using EnCase, configure the application to maximize its utilization, and learn evidence acquisition concepts and how to validate the data collected. Instruction progresses to the analysis of the data whether related to criminal investigations, cybersecurity incidents, or other matters. The course will cover techniques, such as keyword or indexed searching along with hash analysis. Participants will learn how to bookmark, export, and create reports relating to examination findings. The course concludes with instruction on archiving, validating the data, and restoring the case.
Delivery method: Group-Live.
What Will You Learn?
Students attending this course will learn the following:
- The EnCase digital forensic methodology and how to create a case
- How to configure and navigate the EnCase interface
- How to use case templates included with EnCase
- How to create an evidence file
- How to install external file viewers to EnCase
- How to create conditions within EnCase
- How to analyze file signatures and view files
- How to conduct hash and entropy analyses and import hash sets
- How to adjust time zones within EnCase
- How to extract data and files from your evidence
- How to decipher data allocation and file descriptions
- How to tag and bookmark evidence files, file sets, and data structures
- How to conduct raw and index searches
- How to create and use GREP operators
- How to import and export data
- How to prepare reports using templates provided with EnCase
- How to create reports
- How to restore evidence
- How to archive files and data created through the analysis process
- The proper techniques for handling and preserving evidence