EnCase Computer Forensics -- The Official EnCE: EnCase Certified Examiner Study Guide / Edition 3

Paperback (Print)
Rent from BN.com
(Save 83%)
Est. Return Date: 05/04/2015
Buy Used
Buy Used from BN.com
(Save 41%)
Item is in good condition but packaging may have signs of shelf wear/aging or torn packaging.
Condition: Used – Good details
Used and New from Other Sellers
Used and New from Other Sellers
from $29.98
Usually ships in 1-2 business days
(Save 57%)
Other sellers (Paperback)
  • All (21) from $29.98   
  • New (12) from $38.18   
  • Used (9) from $29.98   


The official, Guidance Software-approved book on the newest EnCE exam!

The EnCE exam tests that computer forensic analysts and examiners have thoroughly mastered computer investigation methodologies, as well as the use of Guidance Software's EnCase Forensic 7. The only official Guidance-endorsed study guide on the topic, this book prepares you for the exam with extensive coverage of all exam topics, real-world scenarios, hands-on exercises, up-to-date legal information, and sample evidence files, flashcards, and more.

  • Guides readers through preparation for the newest EnCase Certified Examiner (EnCE) exam
  • Prepares candidates for both Phase 1 and Phase 2 of the exam, as well as for practical use of the certification
  • Covers identifying and searching hardware and files systems, handling evidence on the scene, and acquiring digital evidence using EnCase Forensic 7
  • Includes hands-on exercises, practice questions, and up-to-date legal information
  • Sample evidence files, Sybex Test Engine, electronic flashcards, and more

If you're preparing for the new EnCE exam, this is the study guide you need.

Read More Show Less

Product Details

  • ISBN-13: 9780470901069
  • Publisher: Wiley
  • Publication date: 9/11/2012
  • Edition description: Study Guid
  • Edition number: 3
  • Pages: 744
  • Sales rank: 228,062
  • Product dimensions: 9.00 (w) x 7.40 (h) x 1.20 (d)

Meet the Author

Steve Bunting, EnCE, CCFT, has over 30 years of law enforcementand computer forensics experience. He is a Senior ForensicConsultant for Forward Discovery, a global forensics consultingorganization. Previously he served as a captain with the Universityof Delaware Police Department, where he conducted examinations ofcomputer systems for federal, state, and local law enforcement. Heis also the coauthor of Mastering Windows Network Forensics andInvestigation.

Read More Show Less

Table of Contents

Introduction xxi

Assessment Test xxvii

Chapter 1 Computer Hardware 1

Computer Hardware Components 2

The Boot Process 14

Partitions 20

File Systems 25

Summary 27

Exam Essentials 27

Review Questions 28

Chapter 2 File Systems 33

FAT Basics 34

The Physical Layout of FAT 36

Viewing Directory Entries Using EnCase 52

The Function of FAT 58

NTFS Basics 73

CD File Systems 77

exFAT 79

Summary 83

Exam Essentials 84

Review Questions 85

Chapter 3 First Response 89

Planning and Preparation 90

The Physical Location 91

Personnel 91

Computer Systems 92

What to Take with You Before You Leave 94

Search Authority 97

Handling Evidence at the Scene 98

Securing the Scene 98

Recording and Photographing the Scene 99

Seizing Computer Evidence 99

Bagging and Tagging 110

Summary 113

Exam Essentials 113

Review Questions 115

Chapter 4 Acquiring Digital Evidence 119

Creating EnCase Forensic Boot Disks 121

Booting a Computer Using the EnCase Boot Disk 124

Seeing Invisible HPA and DCO Data 125

Other Reasons for Using a DOS Boot 126

Steps for Using a DOS Boot 126

Drive-to-Drive DOS Acquisition 128

Steps for Drive-to-Drive DOS Acquisition 128

Supplemental Information About Drive-to-Drive DOS Acquisition 132

Network Acquisitions 135

Reasons to Use Network Acquisitions 135

Understanding Network Cables 136

Preparing an EnCase Network Boot Disk 137

Preparing an EnCase Network Boot CD 138

Steps for Network Acquisition 138

FastBloc/Tableau Acquisitions 151

Available FastBloc Models 151

FastBloc 2 Features 152

Steps for Tableau (FastBloc) Acquisition 154

FastBloc SE Acquisitions 163

About FastBloc SE 163

Steps for FastBloc SE Acquisitions 164

LinEn Acquisitions 168

Mounting a File System as Read-Only 168

Updating a Linux Boot CD with the Latest Version of LinEn 169

Running LinEn 171

Steps for LinEn Acquisition 173

Enterprise and FIM Acquisitions 176

EnCase Portable 180

Helpful Hints 188

Summary 189

Exam Essentials 192

Review Questions 194

Chapter 5 EnCase Concepts 199

EnCase Evidence File Format 200

CRC, MD5, and SHA-1 201

Evidence File Components and Function 202

New Evidence File Format 206

Evidence File Verification 207

Hashing Disks and Volumes 215

EnCase Case Files 217

EnCase Backup Utility 220

EnCase Configuration Files 227

Evidence Cache Folder 231

Summary 233

Exam Essentials 235

Review Questions 236

Chapter 6 EnCase Environment 241

Home Screen 242

EnCase Layout 246

Creating a Case 249

Tree Pane Navigation 255

Table Pane Navigation 266

Table View 266

Gallery View 275

Timeline View 277

Disk View 280

View Pane Navigation 284

Text View 284

Hex View 287

Picture View 288

Report View 289

Doc View 289

Transcript View 290

File Extents View 291

Permissions View 291

Decode View 292

Field View 294

Lock Option 294

Dixon Box 294

Navigation Data (GPS) 295

Find Feature 297

Other Views and Tools 298

Conditions and Filters 298

EnScript 299

Text Styles 299

Adjusting Panes 300

Other Views 306

Global Views and Settings 306

EnCase Options 310

Summary 318

Exam Essentials 320

Review Questions 321

Chapter 7 Understanding, Searching For, and Bookmarking Data 325

Understanding Data 327

Binary Numbers 327

Hexadecimal 333

Characters 336


Unicode 338

EnCase Evidence Processor 340

Searching for Data 352

Creating Keywords 353

GREP Keywords 364

Starting a Search 373

Viewing Search Hits and Bookmarking Your Findings 376

Bookmarking 377

Summary 426

Exam Essentials 428

Review Questions 430

Chapter 8 File Signature Analysis and Hash Analysis 435

File Signature Analysis 436

Understanding Application Binding 437

Creating a New File Signature 438

Conducting a File Signature Analysis 442

Hash Analysis 449

MD5 Hash 449

Hash Sets and Hash Libraries 449

Hash Analysis 462

Summary 466

Exam Essentials 468

Review Questions 469

Chapter 9 Windows Operating System Artifacts 473

Dates and Times 475

Time Zones 475

Windows 64-Bit Time Stamp 476

Adjusting for Time Zone Offsets 481

Recycle Bin 487

Details of Recycle Bin Operation 488

The INFO2 File 488

Determining the Owner of Files in the Recycle Bin 493

Files Restored or Deleted from the Recycle Bin 494

Using an EnCase Evidence Processor to Determine

the Status of Recycle Bin Files 496

Recycle Bin Bypass 498

Windows Vista/Windows 7 Recycle Bin 500

Link Files 504

Changing the Properties of a Shortcut 504

Forensic Importance of Link Files 505

Using the Link File Parser 509

Windows Folders 511

Recent Folder 515

Desktop Folder 516

My Documents/Documents 518

Send To Folder 518

Temp Folder 519

Favorites Folder 520

Windows Vista Low Folders 521

Cookies Folder 523

History Folder 526

Temporary Internet Files 532

Swap File 535

Hibernation File 536

Print Spooling 537

Legacy Operating System Artifacts 543

Windows Volume Shadow Copy 544

Windows Event Logs 549

Kinds of Information Available in Event Logs 549

Determining Levels of Auditing 552

Windows Vista/7 Event Logs 554

Using the Windows Event Log Parser 555

For More Information 558

Summary 559

Exam Essentials 564

Review Questions 566

Chapter 10 Advanced EnCase 571

Locating and Mounting Partitions 573

Mounting Files 588

Registry 595

Registry History 595

Registry Organization and Terminology 596

Using EnCase to Mount and View the Registry 601

Registry Research Techniques 605

EnScript and Filters 608

Running EnScripts 609

Filters and Conditions 611

Email 614

Base64 Encoding 619

EnCase Decryption Suite 622

Virtual File System (VFS) 629

Restoration 633

Physical Disk Emulator (PDE) 636

Putting It All Together 641

Summary 645

Exam Essentials 648

Review Questions 649

Appendix A Answers to Review Questions 653

Chapter 1: Computer Hardware 654

Chapter 2: File Systems 655

Chapter 3: First Response 657

Chapter 4: Acquiring Digital Evidence 658

Chapter 5: EnCase Concepts 659

Chapter 6: EnCase Environment 661

Chapter 7: Understanding, Searching For, and Bookmarking Data 662

Chapter 8: File Signature Analysis and Hash Analysis 663

Chapter 9: Windows Operating System Artifacts 664

Chapter 10: Advanced EnCase 665

Appendix B Creating Paperless Reports 667

Exporting the Web Page Report 669

Creating Your Container Report 671

Bookmarks and Hyperlinks 675

Burning the Report to CD or DVD 678

Appendix C About the Additional Study Tools 681

Additional Study Tools 682

Sybex Test Engine 682

Electronic Flashcards 682

PDF of Glossary of Terms 682

Adobe Reader 682

Additional Author Files 683

System Requirements 683

Using the Study Tools 683

Troubleshooting 683

Customer Care 684

Index 685

Read More Show Less

Customer Reviews

Be the first to write a review
( 0 )
Rating Distribution

5 Star


4 Star


3 Star


2 Star


1 Star


Your Rating:

Your Name: Create a Pen Name or

Barnes & Noble.com Review Rules

Our reader reviews allow you to share your comments on titles you liked, or didn't, with others. By submitting an online review, you are representing to Barnes & Noble.com that all information contained in your review is original and accurate in all respects, and that the submission of such content by you and the posting of such content by Barnes & Noble.com does not and will not violate the rights of any third party. Please follow the rules below to help ensure that your review can be posted.

Reviews by Our Customers Under the Age of 13

We highly value and respect everyone's opinion concerning the titles we offer. However, we cannot allow persons under the age of 13 to have accounts at BN.com or to post customer reviews. Please see our Terms of Use for more details.

What to exclude from your review:

Please do not write about reviews, commentary, or information posted on the product page. If you see any errors in the information on the product page, please send us an email.

Reviews should not contain any of the following:

  • - HTML tags, profanity, obscenities, vulgarities, or comments that defame anyone
  • - Time-sensitive information such as tour dates, signings, lectures, etc.
  • - Single-word reviews. Other people will read your review to discover why you liked or didn't like the title. Be descriptive.
  • - Comments focusing on the author or that may ruin the ending for others
  • - Phone numbers, addresses, URLs
  • - Pricing and availability information or alternative ordering information
  • - Advertisements or commercial solicitation


  • - By submitting a review, you grant to Barnes & Noble.com and its sublicensees the royalty-free, perpetual, irrevocable right and license to use the review in accordance with the Barnes & Noble.com Terms of Use.
  • - Barnes & Noble.com reserves the right not to post any review -- particularly those that do not follow the terms and conditions of these Rules. Barnes & Noble.com also reserves the right to remove any review at any time without notice.
  • - See Terms of Use for other conditions and disclaimers.
Search for Products You'd Like to Recommend

Recommend other products that relate to your review. Just search for them below and share!

Create a Pen Name

Your Pen Name is your unique identity on BN.com. It will appear on the reviews you write and other website activities. Your Pen Name cannot be edited, changed or deleted once submitted.

Your Pen Name can be any combination of alphanumeric characters (plus - and _), and must be at least two characters long.

Continue Anonymously

    If you find inappropriate content, please report it to Barnes & Noble
    Why is this product inappropriate?
    Comments (optional)