
EnCase training


unsupported

Sr. Member

Posts: 318

Joined: Sun Feb 08, 2009 3:38 pm

Location: 407

Post Wed Apr 28, 2010 11:41 am

EnCase training

I am finally getting to play with more tools at work.  One of the most exciting ones is EnCase.  Apparently, licensing is expensive, and training is even more so.  I want to show that I am deserving of training, by being the self-starter I am.  Are there any good books out there for EnCase?

I have Books24x7 through work with access to "EnCase Computer Forensics: The Official EnCE: EnCase Certified Examiner Study Guide, Second Edition".  This pretty much seems to be the only book out there which deals with EnCase specifically.

Are there any other good books that deal specifically with EnCase, or even a forensics book which deals with EnCase specifically?

Also, anyone have experience with EnCase training?  I think our department may opt for the OnDemand training due to budgeting issues.
-Un
CISSP, GCIH, GCIA, C|EH, Sec+, Net+, MCP

Ketchup

Hero Member

Posts: 1021

Joined: Fri Jul 04, 2008 7:44 pm

Location: Philadelphia, PA

Post Wed Apr 28, 2010 1:01 pm

Re: EnCase training

I haven't done EnCase training myself, but a bunch of people I work with have.  It's great training.  They have three levels, and specialized courses depending on what your experience level is. 

This is the book that everyone recommends:

http://www.amazon.com/EnCase-Computer-F ... =8-1-spell
~~~~~~~~~~~~~~
Ketchup

sil

Hero Member

Posts: 551

Joined: Thu Mar 20, 2008 8:01 am

Location: ::1

Post Wed Apr 28, 2010 1:23 pm

Re: EnCase training

Ketchup wrote: This is the book that everyone recommends:

http://www.amazon.com/EnCase-Computer-F ... =8-1-spell


The EnCE book linked is obviously the route to go; however, I will add a few books that will teach you a lot more about the field as opposed to the reliance on one tool (EnCase). I use Access Data more than EnCase when it comes to all-inclusive tools, but it's not always about the tools. It boils down to understanding a system, data, metadata, etc.

I recommend:

Windows Forensic Analysis Toolkit from Harlan Carvey - worth its weight in gold
http://www.amazon.com/Windows-Forensic- ... rhf_shvl_1

Cyber Forensics: A Field Manual for Collecting, Examining, and Preserving Evidence of Computer Crimes
http://www.amazon.com/Cyber-Forensics-C ... 831&sr=1-1

This book has a lot more informative content you will need to know and understand in the long run: e.g.: Digital Forensic Laboratory Accreditation Standards,  Forensic Black Bag (what should be in your case), Cyber Forensics and the Law: Legal Considerations, Concealment Techniques

And finally...

Computer Forensics: Computer Crime Scene Investigation
http://www.amazon.com/Computer-Forensic ... pd_sim_b_2

There is more to forensics than simply starting EnCase on a captured image.

unsupported

Sr. Member

Posts: 318

Joined: Sun Feb 08, 2009 3:38 pm

Location: 407

Post Wed Apr 28, 2010 1:46 pm

Re: EnCase training

Thank you for the good recommendations!  Initially, my use for EnCase will be to look for the existence of specific files, programs in memory, and may expand from there.
-Un
CISSP, GCIH, GCIA, C|EH, Sec+, Net+, MCP

sil

Hero Member

Posts: 551

Joined: Thu Mar 20, 2008 8:01 am

Location: ::1

Post Wed Apr 28, 2010 2:10 pm

Re: EnCase training

unsupported wrote: Thank you for the good recommendations!  Initially, my use for EnCase will be to look for the existence of specific files, programs in memory, and may expand from there.


I would give Access Data a whirl if you can get it. EnCase is what it is and does its job, and a plus is you could create your own EnScripts to assist you when you're truly comfortable with specifics. My big problem with programs like EnCase, Access' FTK, etc., is the reliance on automation. I feel a lot of examiners rely too much on a program being able to "find the smoking gun", often leaving an investigator with nothing to do but point and click... At that instance, what is there really to know at the end of the day?

I know a former professor who taught forensics at John Jay College of Criminal Justice and now works for EnCase... If you need a blog on EnCase, shoot me a private message, as I don't want to throw her name out there like that. Anyhow, I'd get the EnCase book since, after all, you won't find anything SPECIFIC about EnCase in any other book; however, I would definitely pick up the other books too. Also, depending on your title/role, see about subscribing to Forensic Magazine (http://www.forensicmag.com/). I get my copies every month and ALWAYS learn something new. Not completely specific to IT Forensic, but they post articles on the subject matter. On other matters of forensics (DNA, labs, laws), there is almost always some cross-talk and you begin to notice similar patterns in, say, DNA forensics that give you an "aha!!!" on IT forensics.

snortymcsnort

Newbie

Posts: 17

Joined: Fri May 30, 2008 12:00 pm

Post Wed Apr 28, 2010 2:31 pm

Re: EnCase training

I was unable to get work to pay for training, but I did take and pass the EnCE.  The practical gives you a great opportunity to try out all the tools available in EnCase.  Congrats on winning the Offensive Security training!

Ketchup

Hero Member

Posts: 1021

Joined: Fri Jul 04, 2008 7:44 pm

Location: Philadelphia, PA

Post Wed Apr 28, 2010 3:57 pm

Re: EnCase training

The trouble with FTK is that the new versions are complete garbage.  We are still using version 1.x because 2.0 was completely unusable, and 3.0 is too new and cumbersome.  The newer versions come with an Oracle engine for index storage and are a complete dog when it comes to performance.  FTK also sucks at handling email because it has a horribly configured DtSearch engine.  Yet, FTK is great at some other things, like examining link files.  It's also much better at registry analysis.  You really need to have working knowledge of both products, but it's complicated by the inadequacies of the new version of FTK. 

I do believe that Access Data still allows you to download a trial version of FTK that is limited to 5000 files.    That's enough to get a feel for the software.

There is definitely a reliance on tools in the forensics world.  Some of it has to do with the fact that these tools are well established and have been proven to use repeatable methods.    Some of it is due to lack of knowledge. 
~~~~~~~~~~~~~~
Ketchup

dalepearson

Sr. Member

Posts: 357

Joined: Thu Nov 09, 2006 10:03 am

Post Fri Apr 30, 2010 1:27 am

Re: EnCase training

Late to the party but I will still put my 2p in.

The EnCE book is the only official EnCase book on the market. I did all my study with Guidance Software and the courses were very good, and the training material and handout was excellent. I think EnCase is a good product, and it's a lot cheaper than FTK.

You can contact Guidance and they will send you a demo copy, then you can play at home and increase your knowledge.
When I spoke to Access Data, you had to pay £50 for a limited demo copy, no thanks.
