Amazon.com: EnCase Computer Forensics: The Official EnCE: EnCase Certified Examiner Study Guide (9780782144352): Steve Bunting, William Wei: Books
EnCase Computer Forensics: The Official EnCE: EnCase Certified Examiner Study Guide [Paperback]

Steve Bunting (Author), William Wei (Author)
There is a newer edition of this item:
EnCase Computer Forensics -- The Official EnCE: EnCase Certified Examiner Study Guide

Book Description

Publication date: February 20, 2006 | ISBN-10: 0782144357 | ISBN-13: 978-0782144352
  • Guidance Software's EnCase product is the premier computer forensics tool on the market, used in law enforcement labs for digital evidence collection; in commercial settings for incident response and information assurance; and by the FBI and Department of Defense to detect domestic and international threats
  • This guide prepares readers for both the CBT and practical phases of the exam that validates mastery of EnCase
  • Written by two law enforcement professionals who are computer forensics specialists and EnCase trainers
  • Includes the EnCase Legal Journal, essential for forensics investigators who need to be sure they are operating within the law and able to give expert testimony
  • The CD includes tools to help readers prepare for Phase II of the certification, which requires candidates to examine computer evidence, as well as a searchable PDF of the text


Editorial Reviews

From the Back Cover

Whether monitoring the Internet for threats and chatter, capturing computer evidence, or crunching forensic data, Guidance Software's EnCase computer forensics software is recognized as the premier computer forensics tool on the market. For investigation professionals, EnCE certification tells the world that you've not only mastered the use of EnCase software, but also that you've acquired in-depth forensics knowledge and proper techniques for conducting complex computer examinations.

Written by two law enforcement professionals who are EnCE and computer forensics experts, this official guide prepares you for both phases of the EnCE exam: a computer-based test and a hands-on test that requires you to examine computer evidence.

Key topics include:

  • Understanding Computer Hardware. Understanding computers is crucial for computer forensics experts who are frequently asked to describe systems to juries. The book explains a computer's components, boot process, partitions, and file systems.

  • First Response. What to do and how to follow procedures when first entering a scene.

  • Acquisition of Digital Evidence. Creating EnCase boot disks; booting with EnCase boot disks; and drive-to-drive, network cable, FastBloc, Linen and Enterprise acquisitions.

  • EnCase Forensic Software Overview. Tour of EnCase environment including software, menus, and capabilities.

  • Report Writing. Sample reports from real-life cases (names changed).

  • EnCase Legal Journal. Essential information on operating within the law and giving expert testimony.

Visit www.sybex.com for all of your professional certification needs.

Featured on the DVD

SYBEX TEST ENGINE
Test your knowledge with advanced testing software, bonus exams, and challenging exam practice questions.

ELECTRONIC FLASHCARDS
Reinforce what you've learned with flashcards that can run on PC, Pocket PC, or Palm handheld.

Also on the DVD, the entire book in searchable and printable PDF

About the Author

Steve Bunting is a Captain with the University of Delaware Police Department, where he is responsible for computer forensics, video forensics, and investigations involving computers. He has over 30 years’ experience in law enforcement, and his background in computer forensics is extensive. He is a Certified Computer Forensics Technician (CCFT) and an EnCase Certified Examiner (EnCE). He was the recipient of the 2002 Guidance Software Certified Examiner Award of Excellence for receiving the highest test score on his certification examination. He holds a BS in Applied Professions/Business Management from Wilmington College and a Computer Applications Certificate in Network Environments from the University of Delaware. He has conducted computer forensic examinations for the University of Delaware and for numerous local, state, and federal agencies on an extreme variety of cases, including extortion, homicide, embezzlement, child exploitation, intellectual property theft, and unlawful intrusions into computer systems. He has testified in court on numerous occasions as a computer forensics expert. He has taught computer forensics for Guidance Software, makers of EnCase, and taught as a Lead Instructor at all course levels, including the Expert Series, with a particular emphasis on the “Internet and E-mail Examinations” course. He has been a presenter at several seminars and workshops, the author of numerous white papers, and maintains a website for cyber-crime and computer forensics issues: http://128.175.24.251/forensics/.

William Wei, a detective in the Monmouth County Prosecutor’s Office, has been a police officer for over 15 years and is currently employed as a detective with the Monmouth County Prosecutor’s Office Computer Crimes Unit. He holds a BA in economics and an EdM in Adult and Continuing Education from Rutgers, The State University of New Jersey. William is certified by Guidance Software as an EnCase Certified Examiner (EnCE) and by the International Association of Computer Investigative Specialists as a Certified Forensic Computer Examiner (CFCE).
William is a member of the International Association of Computer Investigative Specialists (IACIS) and High Tech Crime Investigation Association (HTCIA). William has conducted hundreds of computer-related investigations and has been qualified as an expert witness in computer forensics. He has taught computer forensics at the Computer and Enterprise Investigations Conference (CEIC) and HTCIA conferences and lectured on Internet safety throughout New Jersey.


Product Details

  • Paperback: 576 pages
  • Publisher: Sybex (February 20, 2006)
  • Language: English
  • ISBN-10: 0782144357
  • ISBN-13: 978-0782144352
  • Product Dimensions: 8.9 x 7.5 x 1.3 inches
  • Shipping Weight: 1.9 pounds
  • Average Customer Review: 4.1 out of 5 stars (27 customer reviews)
  • Amazon Best Sellers Rank: #580,050 in Books


Customer Reviews

27 Reviews
  • 5 star: 16
  • 4 star: 2
  • 3 star: 7
  • 2 star: 1
  • 1 star: 1

Most Helpful Customer Reviews

41 of 43 people found the following review helpful:
3.0 out of 5 stars For help with EnCase in book form, start here, October 9, 2006
This review is from: EnCase Computer Forensics: The Official EnCE: EnCase Certified Examiner Study Guide (Paperback)
I decided to read and review three digital forensics books in order to gauge their strengths and weaknesses: "File System Forensic Analysis" (FSFA) by Brian Carrier, "Windows Forensics" (WF) by Chad Steel, and "EnCase Computer Forensics" (ECF) by Steve Bunting and William Wei. All three books contain the word "forensics" in the title, but they are very different. If you want authoritative and deeply technical guidance on understanding file systems, read FSFA. If you want to focus on understanding Windows from an investigator's standpoint, read WF. If you want to know more about EnCase (and are willing to tolerate or ignore information about forensics itself), read ECF.

In the spirit of full disclosure I should mention I am co-author of a forensics book ("Real Digital Forensics") and Brian Carrier cites my book "The Tao of Network Security Monitoring" on p 10. I tried to not let those facts sway my reviews.

In terms of overall book value, ECF is the weakest of the three previously mentioned -- but it is the only book on EnCase. As such it is the one independent book which will help you understand the king of the commercial forensics world. I was particularly interested in using the accompanying DVD, which offered a demo version of EnCase. I did encounter the same limitations as mentioned in previous reviews, but I was able to at least perform most of the numbered exercises in the text. I thought the fairly crippled version of EnCase packaged with the book was a drawback, but I know Guidance Software is paranoid about even discussing their product outside of their training environment.

As far as covering EnCase goes, ECF is a pretty good book. I am an EnCase newbie, but I was able to follow most of the book's discussion of the product's interface. Since the lead author is a police officer, I also thought that perspective was valuable. His mindset appeared in the chapter where securing the crime scene was discussed. The inclusion of short case studies also kept the tone lively and relevant.

I had two major problems with ECF, hence the three star review. First, a book that includes a demo copy of EnCase and sample evidence files should use them throughout the text. When introducing EnCase's interface, use a sample evidence file from the DVD so the reader can follow along. While the book's exercises use the DVD evidence files, the textual explanations of the interface seldom do. That was frustrating. The authors should have either said "You need a fully licensed copy of EnCase to follow along" or they should have run all their examples as if they were a reader using the sample DVD. They would have learned you can't "Add Devices" using the DVD version and you can't save bookmarks -- argh.

The second major problem I found with ECF involved indications of technical misunderstandings and questionable vernacular. Examples follow. "BSD" is not "a Linux variant" (p 91). There is no such thing as "BSD Linux" (p 231). The authors' faith in MD5 should be positioned against research from the last few years. The "approved solution" for shutting down a Unix server ("synch; synch; halt") plus lack of non-Windows material made me question the relevance of the book to non-Windows platforms. On the language side, I didn't like reading about "NIC cards" (p 381) and "RAM memory" (p 381). These are the sorts of issues that make me wonder if I'm reading another book about "the Windows," thereby undermining my faith in ECF's recommendations.

On the operational forensics side, the book is strongly in the traditional "pull the plug, image the hard drive, grep for strings" camp. This model dominated host-centric forensics for decades, but it has been largely inadequate for the past 10 years. For example, there's nothing really useful on live analysis or memory forensics. NTFS is barely addressed, unlike FAT -- another sign of being somewhat backward. I think a second edition of this book would be a lot stronger -- and it would catch the error of using the word "Sudy" on the cover in place of "Study".

Still, because this is the only book on EnCase, it does share plenty of helpful suggestions on using that software. One possible use case for the book would be using it to apply EnCase to data provided on the DVD we ship with "Real Digital Forensics," looking for Windows artifacts described in WF, based on your understanding of hard drives from Brian Carrier's FSFA.


9 of 9 people found the following review helpful:
5.0 out of 5 stars Highly recommended, June 29, 2006
Steve Bunting is the head of the police computer forensics unit in Delaware and, together with co-author William Wei, a computer crime detective in New Jersey, has written an outstanding book which should find a place on every computer forensic examiner's bookshelf - even the bookshelves of those who rarely, if ever, use EnCase as a forensic tool.

This is a fairly thick book at 500 plus pages and a quick flick through reveals that the text is satisfyingly dense and interspersed with a generous number of screenshots. This is certainly not one of those technology books which tries to impress by its sheer physical size but disappoints once opened to reveal a large font and too much white space!

Although the title bills this book as "The Official EnCE EnCase Certified Examiner Study Guide" there is a huge amount of information contained within which will be of use to both the experienced investigator and keen student regardless of their forensic tool of choice. Bunting starts with a concise yet remarkably clear and in depth discussion of computer hardware in chapter 1. After covering a wide range of components he moves on to the boot process, then partitions and filesystems (in general). Even at this early stage it is clear that Bunting can write, and write well. In addition to the depth of knowledge he displays his tone is engaging and he possesses a remarkable ability to describe somewhat complicated technical subject matter with great clarity. Each chapter ends with a summary and an overview of those aspects of the EnCE exam covered, together with a set of review questions (provided, along with many of the "real world scenario" sections, by co-author William Wei). The suggested answers for these questions are included directly afterwards - much better than having to find them at the back of the book!

A more in depth discussion of filesystems takes up chapter 2 with the first real discussion of forensic procedures coming in the third chapter, "First Response". This reviewer was pleased to see "planning and preparation" given first priority in this section, an area sometimes overlooked by authors too keen to start with evidence handling procedures. In depth coverage of EnCase proper begins in the fourth chapter with coverage of the different acquisition tools and methods (boot disks, DOS acquisitions, network acquisitions, FastBloc etc.). Bunting's real-world experience shows, as it does throughout the book, and the coverage is comprehensive with discussion of the pros and cons of each method being given. The next chapter looks closely at the EnCase evidence file format and covers essential concepts such as verification and hashing.

Chapter 6 marks the start of the section of the book which will be of most use not only to those looking to pass the EnCE exam but to anyone using EnCase in a real world setting. This chapter looks at the EnCase environment and explains the form and function of the various EnCase window panes. Those coming to EnCase for the first time, or indeed those upgrading from an earlier version, will find this essential reading. Chapter 7 concentrates on understanding and searching for data, namely binary, hex, ASCII and Unicode. The next chapter covers file signature and hash analysis with a discussion of how EnCase utilises hash sets and hash libraries.

Chapter 9, "Windows Operating System Artifacts", covers a lot of ground and is one of the best explorations of Windows artifacts I have read. Starting with dates and times (and the need to adjust for time zone differences during an investigation) it goes on to cover the Recycle Bin, link files, cookies, temporary and history folders, the swap file, print spooling and more. Common ground for experienced investigators to be sure but covered in sufficient detail to warrant a read through for those practical tips which Bunting supplies in abundance. Those new to computer forensics will find a huge amount of very useful information here.

The final chapter - although not the last useful section of the book, see below for details of the appendix - covers "Advanced EnCase". Here we find information on locating and mounting partitions, registry analysis, use of EnScripts, email, the EnCase Decryption Suite and more. The appendix which follows this chapter contains details of a template created by Bunting - based on an earlier template from Roy Rector - which aims to help with the creation of presentation-quality web page reports. The methodology looks sound but as of the date of writing I have not followed the procedure in practice.

Does the book have any areas which could be improved upon? Overall the book achieves exactly what it sets out to do but if I have one criticism it would be the number of examples included on the companion DVD. The DVD includes an EnCase demo with a number of evidence files which can be used when reading later chapters to give some practical hands on experience but further examples to accompany earlier chapters would be welcome. There are instances in those early chapters where practical exercises require use of EnCase but a fully working version with accompanying dongle is required. No doubt the majority of readers will have access to licensed versions of EnCase in the workplace but it is not always possible to maintain that access at home or while travelling where I suspect many will use the book. Beyond that there are a very small number of typos but they are far fewer than those often encountered in similar works. No doubt these will be picked up in future editions and they certainly do not detract from the book as a whole (in fact even mentioning them feels like nitpicking).

Overall, this is a book with a great deal of practical information which is also a genuine pleasure to read. Highly recommended.

www.forensicfocus.com


11 of 12 people found the following review helpful:
2.0 out of 5 stars The DVD software is full of errors..., June 20, 2006


Bought the book some 3 weeks ago and had gone through the entire book.

The contents are good and beneficial, but the provided evaluation EnCase version 5 is not working properly.

Many of the exercises stated in the book cannot be carried out because those necessary features needed are not activated in the provided software. But the book said the provided software is constructed for us to go through all the exercises in preparation for the Phase II practical test.

Wrote a complaint to the publisher and they acknowledged the errors in the software but then they do nothing to resolve it... I sort of feel cheated, and it seems like it is a strategy they are using to force us to spend the huge sum of money to buy the commercial EnCase software.



Inside This Book
First Sentence:
Computer forensics examiners deal most often with the media on which data is stored.
Key Phrases - Statistically Improbable Phrases (SIPs):
file signature analysis, acquisition hash, paperless report, volume boot record, hash library, hash analysis, operating system artifacts, servlet node, backup case file, unallocated clusters, bookmark folder structure, granularity setting, save your case, bookmark data, hibernation file, backup boot sector, very first sector, computer forensic examiner, filter pane, addressable cluster, data bookmark, hive files, hex view, yourfile txt, hash sets
Key Phrases - Capitalized Phrases (CAPs):
Recycle Bin, Review Questions, Internet Search, Case Entries, File Edit View Tools Help, Sweep Case, Guidance Software, Internet Explorer, Control Panel, Exam Essentials, Lotus Notes, Outlook Express, Case Options, File Folder, View File Structure, Windows Explorer, Initialize Case, Partition Finder, Windows Registry, Add Partition, Virtual File System, Local Settings, Copy Folders, Email Orders, Invalid Cluster