26 Reviews
41 of 43 people found the following review helpful:
3.0 out of 5 stars
For help with EnCase in book form, start here
This review is from: EnCase Computer Forensics: The Official EnCE: EnCase Certified Examiner Study Guide (Paperback)

I decided to read and review three digital forensics books in order to gauge their strengths and weaknesses: "File System Forensic Analysis" (FSFA) by Brian Carrier, "Windows Forensics" (WF) by Chad Steel, and "EnCase Computer Forensics" (ECF) by Steve Bunting and William Wei. All three books contain the word "forensics" in the title, but they are very different. If you want authoritative and deeply technical guidance on understanding file systems, read FSFA. If you want to focus on understanding Windows from an investigator's standpoint, read WF. If you want to know more about EnCase (and are willing to tolerate or ignore information about forensics itself), read ECF.

In the spirit of full disclosure I should mention I am co-author of a forensics book ("Real Digital Forensics") and Brian Carrier cites my book "The Tao of Network Security Monitoring" on p 10. I tried to not let those facts sway my reviews. In terms of overall book value, ECF is the weakest of the three previously mentioned -- but it is the only book on EnCase. As such it is the one independent book which will help you understand the king of the commercial forensics world.

I was particularly interested in using the accompanying DVD, which offered a demo version of EnCase. I did encounter the same limitations as mentioned in previous reviews, but I was able to at least perform most of the numbered exercises in the text. I thought the fairly crippled version of EnCase packaged with the book was a drawback, but I know Guidance Software is paranoid about even discussing their product outside of their training environment.

As far as covering EnCase goes, ECF is a pretty good book. I am an EnCase newbie, but I was able to follow most of the book's discussion of the product's interface. Since the lead author is a police officer, I also thought that perspective was valuable. His mindset appeared in the chapter where securing the crime scene was discussed. The inclusion of short case studies also kept the tone lively and relevant.

I had two major problems with ECF, hence the three star review. First, a book that includes a demo copy of EnCase and sample evidence files should use them throughout the text. When introducing EnCase's interface, use a sample evidence file from the DVD so the reader can follow along. While the book's exercises use the DVD evidence files, the textual explanation of the interface seldom does. That was frustrating. The authors should have either said "You need a fully licensed copy of EnCase to follow along" or they should have run all their examples as if they were a reader using the sample DVD. They would have learned you can't "Add Devices" using the DVD version and you can't save bookmarks -- argh.

The second major problem I found with ECF involved indications of technical misunderstandings and questionable vernacular. Examples follow. "BSD" is not "a Linux variant" (p 91). There is no such thing as "BSD Linux" (p 231). The authors' faith in MD5 should be positioned against research from the last few years. The "approved solution" for shutting down a Unix server ("synch; synch; halt") plus lack of non-Windows material made me question the relevance of the book to non-Windows platforms. On the language side, I didn't like reading about "NIC cards" (p 381) and "RAM memory" (p 381). These are the sorts of issues that make me wonder if I'm reading another book about "the Windows," thereby undermining my faith in ECF's recommendations.

On the operational forensics side, the book is strongly in the traditional "pull the plug, image the hard drive, grep for strings" camp. This model dominated host-centric forensics for decades, but it has been largely inadequate for the past 10 years. For example, there's nothing really useful on live analysis or memory forensics. NTFS is barely addressed, unlike FAT -- another sign of being somewhat backward.

I think a second edition of this book would be a lot stronger -- and it would catch the error of using the word "Sudy" on the cover in place of "Study". Still, because this is the only book on EnCase, it does share plenty of helpful suggestions on using that software. One possible use case for the book would be using it to apply EnCase to data provided on the DVD we ship with "Real Digital Forensics," looking for Windows artifacts described in WF, based on your understanding of hard drives from Brian Carrier's FSFA.
9 of 9 people found the following review helpful:
5.0 out of 5 stars
Highly recommended
This review is from: EnCase Computer Forensics: The Official EnCE: EnCase Certified Examiner Study Guide (Paperback)

Steve Bunting is the head of the police computer forensics unit in Delaware and, together with co-author William Wei, a computer crime detective in New Jersey, has written an outstanding book which should find a place on every computer forensic examiner's bookshelf - even the bookshelves of those who rarely, if ever, use EnCase as a forensic tool.

This is a fairly thick book at 500 plus pages and a quick flick through reveals that the text is satisfyingly dense and interspersed with a generous number of screenshots. This is certainly not one of those technology books which tries to impress by its sheer physical size but disappoints once opened to reveal a large font and too much white space! Although the title bills this book as "The Official EnCE EnCase Certified Examiner Study Guide" there is a huge amount of information contained within which will be of use to both the experienced investigator and keen student regardless of their forensic tool of choice.

Bunting starts with a concise yet remarkably clear and in-depth discussion of computer hardware in chapter 1. After covering a wide range of components he moves on to the boot process, then partitions and filesystems (in general). Even at this early stage it is clear that Bunting can write, and write well. In addition to the depth of knowledge he displays, his tone is engaging and he possesses a remarkable ability to describe somewhat complicated technical subject matter with great clarity. Each chapter ends with a summary and an overview of those aspects of the EnCE exam covered, together with a set of review questions (provided, along with many of the "real world scenario" sections, by co-author William Wei). The suggested answers for these questions are included directly afterwards - much better than having to find them at the back of the book!

A more in-depth discussion of filesystems takes up chapter 2 with the first real discussion of forensic procedures coming in the third chapter, "First Response". This reviewer was pleased to see "planning and preparation" given first priority in this section, an area sometimes overlooked by authors too keen to start with evidence handling procedures.

In-depth coverage of EnCase proper begins in the fourth chapter with coverage of the different acquisition tools and methods (boot disks, DOS acquisitions, network acquisitions, FastBloc etc.). Bunting's real-world experience shows, as it does throughout the book, and the coverage is comprehensive with discussion of the pros and cons of each method being given. The next chapter looks closely at the EnCase evidence file format and covers essential concepts such as verification and hashing.

Chapter 6 marks the start of the section of the book which will be of most use not only to those looking to pass the EnCE exam but to anyone using EnCase in a real world setting. This chapter looks at the EnCase environment and explains the form and function of the various EnCase window panes. Those coming to EnCase for the first time, or indeed those upgrading from an earlier version, will find this essential reading. Chapter 7 concentrates on understanding and searching for data, namely binary, hex, ASCII and Unicode. The next chapter covers file signature and hash analysis with a discussion of how EnCase utilises hash sets and hash libraries.

Chapter 9, "Windows Operating System Artifacts", covers a lot of ground and is one of the best explorations of Windows artifacts I have read. Starting with dates and times (and the need to adjust for time zone differences during an investigation) it goes on to cover the Recycle Bin, link files, cookies, temporary and history folders, the swap file, print spooling and more. Common ground for experienced investigators to be sure but covered in sufficient detail to warrant a read through for those practical tips which Bunting supplies in abundance. Those new to computer forensics will find a huge amount of very useful information here.

The final chapter - although not the last useful section of the book, see below for details of the appendix - covers "Advanced EnCase". Here we find information on locating and mounting partitions, registry analysis, use of EnScripts, email, the EnCase Decryption Suite and more. The appendix which follows this chapter contains details of a template created by Bunting - based on an earlier template from Roy Rector - which aims to help with the creation of presentation-quality web page reports. The methodology looks sound but as of the date of writing I have not followed the procedure in practice.

Does the book have any areas which could be improved upon? Overall the book achieves exactly what it sets out to do but if I have one criticism it would be the number of examples included on the companion DVD. The DVD includes an EnCase demo with a number of evidence files which can be used when reading later chapters to give some practical hands-on experience, but further examples to accompany earlier chapters would be welcome. There are instances in those early chapters where practical exercises require use of EnCase but a fully working version with accompanying dongle is required. No doubt the majority of readers will have access to licensed versions of EnCase in the workplace but it is not always possible to maintain that access at home or while travelling, where I suspect many will use the book. Beyond that there are a very small number of typos but they are far fewer than those often encountered in similar works. No doubt these will be picked up in future editions and they certainly do not detract from the book as a whole (in fact even mentioning them feels like nitpicking).

Overall, this is a book with a great deal of practical information which is also a genuine pleasure to read. Highly recommended.
www.forensicfocus.com
11 of 12 people found the following review helpful:
2.0 out of 5 stars
The DVD software is full of errors...
This review is from: EnCase Computer Forensics: The Official EnCE: EnCase Certified Examiner Study Guide (Paperback)
Bought the book some 3 weeks ago and have gone through the entire book. The contents are good and beneficial, but the provided evaluation EnCase version 5 is not working properly. Many of the exercises stated in the book cannot be carried out because the necessary features are not activated in the provided software. But the book said the provided software was constructed for us to go through all the exercises in preparation for the Phase II practical test. I wrote a complaint to the publisher and they acknowledged the errors in the software, but then they did nothing to resolve it... I sort of feel cheated, and it seems like a strategy they are using to force us to spend the huge sum of money to buy the commercial EnCase software.
4 of 4 people found the following review helpful:
5.0 out of 5 stars
Great book for anyone interested in Computer Forensics
This review is from: EnCase Computer Forensics: The Official EnCE: EnCase Certified Examiner Study Guide (Paperback)
Great book! Whether you are going for your EnCE certification or just getting started in the hot field of computer forensics, this is a great place to start. This book takes you from the basic computer components (however - if you don't know what a CPU is at this point you had better do a lot more reading and get out of your house every once in a while) through the depths of capturing and reporting data. The authors of this book sprinkle in real life law enforcement experience, which makes this book much more than just a "tech manual".
EnCase is a very powerful piece of software used by most large law enforcement agencies and corporations that perform computer forensics. This book will show you how to collect data (evidence), understand the data EnCase presents and report on it. I would recommend it for anyone interested in computer forensics and in how computers really work and store data.
6 of 7 people found the following review helpful:
5.0 out of 5 stars
Worth the money even if you don't use EnCase
This review is from: EnCase Computer Forensics: The Official EnCE: EnCase Certified Examiner Study Guide (Paperback)
Problems with the DVD aside, in my opinion, this book is still worth the money. If you aren't ready for the EnCE exam yet, but are planning on taking a non-vendor-specific certification exam, such as the CCE exam, you can make good use of this book.
The explanations of how to understand data (bytes, bits, nibbles, etc.) are exactly the kind of background information you need to know in the world of computer forensics if you ever have to testify in court. You need to know more than what button to push within EnCase or another forensic software program. If you read this book, then read (and try hard to understand, 'cause it won't be easy) Brian Carrier's File System Forensic Analysis book, and you gain some hands-on experience, you will run circles around most of the "experts" out there. This book contains great explanations of time/date stamps and how to interpret them, time zone offsets, where to look for artifacts, locating partitions and recovering them, a little bit on the registry (but still more than you find in most books on forensics), samples of the all-important forensic report (which is the most important part of the practical section of the CCE exam), and lots of other good information. If you are interested in computer forensics and are not already at the intermediate/expert level, read this book.
T. V. Davis, Black Mountain Forensics LLC, www.bmforensics.com
2 of 2 people found the following review helpful:
3.0 out of 5 stars
For EnCE Certification
This review is from: EnCase Computer Forensics, includes DVD: The Official EnCE: EnCase Certified Examiner Study Guide (Paperback)
This book was written to help forensics technicians achieve Guidance Software's EnCE Certification. Since EnCase software comes with a user's guide which is basically printouts of the help from within the program, and it is as useless as a priest after a wedding, this "guide" can also be used as documentation on how to use the EnCase forensics software.
If used for the above purposes, you will get your money's worth; however, if you think you will learn investigative techniques and the best way to forensically archive a digital device, this is not the book for you. It is very single-minded; for example, it does not count on criminals using Grub instead of MBR. I gave it 3 stars since it did help me pass both phase one and two of EnCase certification and awarded me with an official-looking certificate which is now hanging in my office. Best fishes, and thank you for reading.
2 of 2 people found the following review helpful:
3.0 out of 5 stars
A good primer, but short on exam information
Amazon Verified Purchase
This review is from: EnCase Computer Forensics, includes DVD: The Official EnCE: EnCase Certified Examiner Study Guide (Paperback)
I recently took and passed the written portion of the EnCE exam and I am waiting on the grade for the practical portion of the exam. I used this book, in conjunction with the Guidance Software EnCE-specific training class, and I have to say that the difference between what was presented in the Guidance Software class and this book is significant. While I cannot and will not go into testing details, I can say that there are several areas on the test/practical that are NOT covered in any detail in the book even though they are listed as key concepts to understand at the end of the chapters, while other areas receive undue attention. Also, the index at the back of the book is lacking. There are several keywords I would expect to exist in the index that do not, but can be found in the e-book version included on the CD if you do a find. This is especially tedious when you're trying to find a piece of information quickly and have to load the e-book to find it. It makes the physical book much less useful.
4 of 5 people found the following review helpful:
1.0 out of 5 stars
Don't buy until the demo software is fixed
This review is from: EnCase Computer Forensics, includes DVD: The Official EnCE: EnCase Certified Examiner Study Guide (Paperback)
The author was not able to preview any of his exercises on the demo version of the software prior to publication. Most exercises simply don't work with the enclosed software. He wrote all of the exercises on licensed versions of EnCase. If you have a licensed version of EnCase, this book is great.
If you are dependent on the demo software, do not buy this book until the publisher comes out with a fixed version of the demo software. Be careful on the Wiley web site, as there is a fixed version 5 already there for Edition 1 of the book. Make sure that it is version 6, to reflect edition 2. Other than the demo software, it's a good book. Some of my students complain about the labs being a little hard to follow.
4 of 5 people found the following review helpful:
3.0 out of 5 stars
Software and evidence files are not working
By Tibbs (Illinois)
This review is from: EnCase Computer Forensics: The Official EnCE: EnCase Certified Examiner Study Guide (Paperback)
I love reading this book, but the software doesn't work. I have read the "ReadMe" note that says to drag and drop the files directly into the cases pane. I do that and always come back with a message saying "Drag and Drop is Not Available in this Version". Also, my "Add Device" and "Add Raw Image" are both dimmed and unusable, so I cannot get the evidence files into EnCase that way. And the entire Edit menu at the top is unavailable. I understand this is an evaluation copy, so I'm not supposed to be able to use it all, but if you cannot even get the included evidence files into the included software, that renders the software useless.
1 of 1 people found the following review helpful:
3.0 out of 5 stars
Good resource, but DON'T DEPEND ON THE DVD SOFTWARE
By IT Snoop (Inside Your Computer)
Amazon Verified Purchase
This review is from: EnCase Computer Forensics, includes DVD: The Official EnCE: EnCase Certified Examiner Study Guide (Paperback)
**For investing only $3000+ more, you, too, can actually practice using EnCase with the case files found on the accompanying DVD.

With that said, Steve Bunting provides a well-written, easy-to-understand, thorough tour of EnCase. Chapter review questions help gauge your learning curve as you progress through the book. Step-by-step exercises familiarize you with the basics and many facets of EnCase--unfortunately, you can't actually perform the tasks, unless you fork over the aforementioned fortune to Guidance Software. Additionally, Steve covers globally applicable basic and advanced digital forensic skills. I would give the book five (*****) stars and the included software one (*) star.

If you have trouble with the book or DVD, feel free to contact Wiley Publishing by visiting their website. Don't try to call the phone numbers listed in the product; they are defunct. You can chat live with a Wiley representative after 4 p.m. (when the pseudo-tech finishes his day job and slips into his favorite grey sweatpants and Linux-logo t-shirt, fires up his Xbox, and starts chugging cases of Mountain Dew). Or, if you actually need to contact them during normal business hours, you can leave a question for them via their web interface. They are quick to respond and comfort you with a compassionate pat on the shoulder and a "There. There." and send you on your way.

I have provided my exchange with their tech support, below. (Note the "...unusable with some of the exercises in the book..." comment. I found it unusable with MOST of the exercises.)

==========================================
MY PROBLEM SUBMISSION TO WILEY PUBLISHING:

I have purchased a brand new copy of Steve Bunting's EnCE: The Official EnCase Certified Examiner STUDY GUIDE, Second Edition. I am able to access the eBook on the accompanying disc. Using the provided EnCase software, I cannot perform several of the steps outlined in the book's exercises. The EnCase version is: 6.7.2.1. Examples of limitations follow: (See attached screenshot)
1) I cannot create a new case as specified in Exercise 6.1, Step 3. I use a workaround by directly opening the Navigation.E01 file on the CD via Explorer. I am, then, prompted for new case info.
2) I cannot Add Evidence.
3) I cannot view items in the Viewing Pane in Text view, per the exercises.
I am stunned that this extremely watered-down, unusable version of EnCase was included with this book. I cannot practice the material and become proficient as is the author's intent. Please, be so kind as to provide a solution to this. I spent good money on this product and would like to use it.

==========================
WILEY PUBLISHING RESPONSE:

Thank you for contacting Wiley Technical Support. I apologize for your frustration with the bonus software. The version of EnCase provided with the book is a demonstration version provided to us by Guidance Software. We understand that some of the features in the software are disabled, rendering it unusable with some of the exercises in the book. Please see the description of the EnCase Forensics Software and Evidence Files on page 580, which outlines some of the limitations between the demonstration version and the fully licensed product.
Tim S.
Wiley Technical Support

==========================
Thanks, Wiley, for your stellar marketing and failing support.
EnCase Computer Forensics, includes DVD: The Official EnCE: EnCase Certified Examiner Study Guide by Steve Bunting (Paperback - December 5, 2007)