FT210, Windows Forensic Examinations - EnCase (WFE-E)
Who Should Attend:
DoD and federal law enforcement agents and prospective intrusion analysts.
Prerequisites:
TT110 (INCH) and RT120 (CIRC) or Test Outs
Duration:
10 Days
Course Description:
Introduces the basic concepts and practices of processing digital evidence using the EnCase 6 tool.
A Case Jacket is reviewed for legal and investigative points. Students use EnCase and other
forensic tools to analyze, recover, and report digital evidence. Students set up a forensic
workstation, conduct and document an examination, and testify in a moot court setting.
Objectives:
- Demonstrate a basic knowledge of Windows operating systems and respective file systems
- Formulate and execute a methodology for a forensic examination based upon case type
- Import digital evidence into EnCase 6 and conduct various investigative tasks
- Document in a report how the evidence supports the investigation
- Identify key legal concepts for a forensic examination
- Conduct a variety of standard forensic tasks for cases
Topics Covered:
Technical Background
- Discuss the Windows file systems and how they relate to an investigation
- Basics of the NT and FAT file systems and how data is stored in each
- Structure of partition tables
Case Setup and Management
- Focus on the procedures to start and manage a case
- New case setup and management
- Open a new case, perform analysis, and record findings in the forensic report
- Set up your forensic workstation
- Install and configure EnCase 6
- Understand the Case Jacket
- Perform a hash analysis
- Use the Windows registry to identify case data
Automated Tools
- Conduct analysis with automated tools
- Perform text searches, signature searches, and data carving
- Conduct a positive hash analysis
File Level Analysis
- Analyze evidence found on the Web, e-mail, and system files
- Recover and review e-mail, Web cache, and newsgroup mailboxes
- Recover passwords