DAY 1

Day one provides an in-depth understanding of the NTFS data structures. The day begins with a review and update of the most current version of EnCase. Students are introduced to the methods used to store binary data on a computer system. They will use this information to interpret multi-byte values throughout the week. Students learn details of the NTFS file system, its internal files, and the methods used to administratively document files and folders on the volume. A practical exercise will demonstrate how knowledge of the NTFS file system can be used for advanced data recovery purposes.
The main areas covered on Day 1 include:

- EnCase Software Review and Updates
  - What has changed?
  - Research Techniques
- Interpreting multi-byte values
  - Big Endian
  - Little Endian
- NTFS
  - Internal files
  - Master File Table (MFT)
  - MFT attributes
  - Resident/non-resident data
  - Fragmented file documentation
  - Deleted files on NTFS
  - Using EnScripts® to decode the MFT
  - Data recovery when the MFT is inaccessible through normal means
DAY 2

Day two concentrates on the practical operation of the Windows NT operating system, beginning with RAIDs and moving into multi-user environments or networks. Students are shown how to link data with NT domain accounts and obtain valuable information from Windows event logs and the Windows Registry. Students are introduced to $LOGFILE, the file used for NTFS transaction logging and recoverability. Attendees learn about the history and terminology of encryption. They will also learn how to locate encryption software and encrypted data, and how to decrypt the data.
The main areas covered on Day 2 include:

- RAID
  - Hardware and software RAIDs
  - RAID levels
  - Forensic approaches
  - Using EnCase to decode hardware and software RAIDs
- Windows® Event Logs
  - Event log format
  - Decoding event logs
    - Within EnCase
    - Within Windows
- NTFS $LOGFILE
  - Purpose and operation
  - Potential artifacts
  - Extracting $LOGFILE data using EnScript™ programs
- Encryption
  - History/terminology
  - Locating encrypted data
  - Practical approaches to decryption
  - EnCase EDS module
  - NT/2K/XP/2K3 password recovery
  - NTFS encrypted data
DAY 3

On day three students learn about the Unix/Linux file system (including Linux partition recovery) and receive detailed information on Unix/Linux artifacts, including system log files and how to decode them. Participants are also shown how to use the Linux implementation of EnCase software, Linen, to acquire target media in a forensically sound manner.
The main areas covered on Day 3 include:

- Linux/Unix History
- Linux/Unix Disk Layout and File System
  - Partitions/Superblock
  - Inode table
  - Mounted volume
  - Directory structure
  - Documentation of data location (blocks) for files
  - Symbolic / Hard links
- Linux/Unix User Accounts and Permissions
- Linux/Unix Password Cracking
  - Passwd/Shadow files
- Linux/Unix Logging
  - Shell history
  - System logging
  - User authentication – UTMP/WTMP files
- Linux Partition Recovery
  - Use fields documented in the superblock sector
  - Provide information to the EnCase process
- Forensic Acquisitions Using the Linux Version of EnCase (Linen)
DAY 4

Day four exposes students to Macintosh disk structure and partitions before giving them more practical training on the forensic acquisition of Macintosh data and Macintosh system artifacts. The final lesson offers an introduction to the language governing EnScript®. Students interpret and compose basic filters and queries, and then write the same filters and queries using the composition wizard feature of the newest EnCase version, Conditions.
The main areas covered on Day 4 include:

- Macintosh® File Systems
  - HFS/HFS+
  - Disk and volume organization
    - Partition maps
  - File system components and organization
    - Catalog file
    - Extents overflow file
    - Directory structure
    - Deleted files
    - File structure
- Macintosh Forensic Examinations
  - Imaging Mac OS 8, 9, and 10
  - Artifacts
    - System folders
    - Recently accessed files and programs
    - Internet downloads history
    - User data
    - System configuration information
- Filters/Queries/Conditions
  - Background/definition
  - Introduction to objects, classes, properties and methods
  - Resources
  - Building basic filters within the “Entries/Home” view
  - Building a compound filter
  - Combining filters to form queries
  - Using the Conditions “wizard” to build conditions