- Paperback
The official, Guidance Software-approved book on the newest EnCE exam!
The EnCE exam tests that computer forensic analysts and examiners have thoroughly mastered computer investigation methodologies, as well as the use of Guidance Software's EnCase Forensic 7. The only official Guidance-endorsed study guide on the topic, this book prepares you for the exam with extensive coverage of all exam topics, real-world scenarios, hands-on exercises, up-to-date legal information, and sample evidence files, flashcards, and more.
- Guides readers through preparation for the newest EnCase Certified Examiner (EnCE) exam
- Prepares candidates for both Phase 1 and Phase 2 of the exam, as well as for practical use of the certification
- Covers identifying and searching hardware and file systems, handling evidence on the scene, and acquiring digital evidence using EnCase Forensic 7
- Includes hands-on exercises, practice questions, and up-to-date legal information
- Sample evidence files, Sybex Test Engine, electronic flashcards, and more
If you're preparing for the new EnCE exam, this is the study guide you need.
Note: This item can only be delivered to a German delivery address.
Product details
- Publisher: Wiley & Sons
- 3rd edition
- Number of pages: 752
- Publication date: 11 September 2012
- English
- Dimensions: 244mm x 192mm x 43mm
- Weight: 1106g
- ISBN-13: 9780470901069
- ISBN-10: 0470901063
- Item no.: 31303303
- Manufacturer identification: The manufacturer information is currently not available.
Steve Bunting, EnCE, CCFT, has over 30 years of law enforcement and computer forensics experience. He is a Senior Forensic Consultant for Forward Discovery, a global forensics consulting organization. Previously he served as a captain with the University of Delaware Police Department, where he conducted examinations of computer systems for federal, state, and local law enforcement. He is also the coauthor of Mastering Windows Network Forensics and Investigation.
Introduction xxi
Assessment Test xxvii
Chapter 1 Computer Hardware 1
Computer Hardware Components 2
The Boot Process 14
Partitions 20
File Systems 25
Summary 27
Exam Essentials 27
Review Questions 28
Chapter 2 File Systems 33
FAT Basics 34
The Physical Layout of FAT 36
Viewing Directory Entries Using EnCase 52
The Function of FAT 58
NTFS Basics 73
CD File Systems 77
exFAT 79
Summary 83
Exam Essentials 84
Review Questions 85
Chapter 3 First Response 89
Planning and Preparation 90
The Physical Location 91
Personnel 91
Computer Systems 92
What to Take with You Before You Leave 94
Search Authority 97
Handling Evidence at the Scene 98
Securing the Scene 98
Recording and Photographing the Scene 99
Seizing Computer Evidence 99
Bagging and Tagging 110
Summary 113
Exam Essentials 113
Review Questions 115
Chapter 4 Acquiring Digital Evidence 119
Creating EnCase Forensic Boot Disks 121
Booting a Computer Using the EnCase Boot Disk 124
Seeing Invisible HPA and DCO Data 125
Other Reasons for Using a DOS Boot 126
Steps for Using a DOS Boot 126
Drive-to-Drive DOS Acquisition 128
Steps for Drive-to-Drive DOS Acquisition 128
Supplemental Information About Drive-to-Drive DOS Acquisition 132
Network Acquisitions 135
Reasons to Use Network Acquisitions 135
Understanding Network Cables 136
Preparing an EnCase Network Boot Disk 137
Preparing an EnCase Network Boot CD 138
Steps for Network Acquisition 138
FastBloc/Tableau Acquisitions 151
Available FastBloc Models 151
FastBloc 2 Features 152
Steps for Tableau (FastBloc) Acquisition 154
FastBloc SE Acquisitions 163
About FastBloc SE 163
Steps for FastBloc SE Acquisitions 164
LinEn Acquisitions 168
Mounting a File System as Read-Only 168
Updating a Linux Boot CD with the Latest Version of LinEn 169
Running LinEn 171
Steps for LinEn Acquisition 173
Enterprise and FIM Acquisitions 176
EnCase Portable 180
Helpful Hints 188
Summary 189
Exam Essentials 192
Review Questions 194
Chapter 5 EnCase Concepts 199
EnCase Evidence File Format 200
CRC, MD5, and SHA-1 201
Evidence File Components and Function 202
New Evidence File Format 206
Evidence File Verification 207
Hashing Disks and Volumes 215
EnCase Case Files 217
EnCase Backup Utility 220
EnCase Configuration Files 227
Evidence Cache Folder 231
Summary 233
Exam Essentials 235
Review Questions 236
Chapter 6 EnCase Environment 241
Home Screen 242
EnCase Layout 246
Creating a Case 249
Tree Pane Navigation 255
Table Pane Navigation 266
Table View 266
Gallery View 275
Timeline View 277
Disk View 280
View Pane Navigation 284
Text View 284
Hex View 287
Picture View 288
Report View 289
Doc View 289
Transcript View 290
File Extents View 291
Permissions View 291
Decode View 292
Field View 294
Lock Option 294
Dixon Box 294
Navigation Data (GPS) 295
Find Feature 297
Other Views and Tools 298
Conditions and Filters 298
EnScript 299
Text Styles 299
Adjusting Panes 300
Other Views 306
Global Views and Settings 306
EnCase Options 310
Summary 318
Exam Essentials 320
Review Questions 321
Chapter 7 Understanding, Searching For, and Bookmarking Data 325
Understanding Data 327
Binary Numbers 327
Hexadecimal 333
Characters 336
ASCII 337
Unicode 338
EnCase Evidence Processor 340
Searching for Data 352
Creating Keywords 353
GREP Keywords 364
Starting a Search 373
Viewing Search Hits and Bookmarking Your Findings 376
Bookmarking 377
Summary 426
Exam Essentials 428
Review Questions 430
Chapter 8 File Signature Analysis and Hash Analysis 435
File Signature Analysis 436
Understanding Application Binding 437
Creating a New File Signature 438
Conducting a File Signature Analysis 442
Hash Analysis 449
MD5 Hash 449
Hash Sets and Hash Libraries 449
Hash Analysis 462
Summary 466
Exam Essentials 468
Review Questions 469
Chapter 9 Windows Operating System Artifacts 473
Dates and Times 475
Time Zones 475
Windows 64-Bit Time Stamp 476
Adjusting for Time Zone Offsets 481
Recycle Bin 487
Details of Recycle Bin Operation 488
The INFO2 File 488
Determining the Owner of Files in the Recycle Bin 493
Files Restored or Deleted from the Recycle Bin 494
Using an EnCase Evidence Processor to Determine the Status of Recycle Bin Files 496
Recycle Bin Bypass 498
Windows Vista/Windows 7 Recycle Bin 500
Link Files 504
Changing the Properties of a Shortcut 504
Forensic Importance of Link Files 505
Using the Link File Parser 509
Windows Folders 511
Recent Folder 515
Desktop Folder 516
My Documents/Documents 518
Send To Folder 518
Temp Folder 519
Favorites Folder 520
Windows Vista Low Folders 521
Cookies Folder 523
History Folder 526
Temporary Internet Files 532
Swap File 535
Hibernation File 536
Print Spooling 537
Legacy Operating System Artifacts 543
Windows Volume Shadow Copy 544
Windows Event Logs 549
Kinds of Information Available in Event Logs 549
Determining Levels of Auditing 552
Windows Vista/7 Event Logs 554
Using the Windows Event Log Parser 555
For More Information 558
Summary 559
Exam Essentials 564
Review Questions 566
Chapter 10 Advanced EnCase 571
Locating and Mounting Partitions 573
Mounting Files 588
Registry 595
Registry History 595
Registry Organization and Terminology 596
Using EnCase to Mount and View the Registry 601
Registry Research Techniques 605
EnScript and Filters 608
Running EnScripts 609
Filters and Conditions 611
Email 614
Base64 Encoding 619
EnCase Decryption Suite 622
Virtual File System (VFS) 629
Restoration 633
Physical Disk Emulator (PDE) 636
Putting It All Together 641
Summary 645
Exam Essentials 648
Review Questions 649
Appendix A Answers to Review Questions 653
Chapter 1: Computer Hardware 654
Chapter 2: File Systems 655
Chapter 3: First Response 657
Chapter 4: Acquiring Digital Evidence 658
Chapter 5: EnCase Concepts 659
Chapter 6: EnCase Environment 661
Chapter 7: Understanding, Searching For, and Bookmarking Data 662
Chapter 8: File Signature Analysis and Hash Analysis 663
Chapter 9: Windows Operating System Artifacts 664
Chapter 10: Advanced EnCase 665
Appendix B Creating Paperless Reports 667
Exporting the Web Page Report 669
Creating Your Container Report 671
Bookmarks and Hyperlinks 675
Burning the Report to CD or DVD 678
Appendix C About the Additional Study Tools 681
Additional Study Tools 682
Sybex Test Engine 682
Electronic Flashcards 682
PDF of Glossary of Terms 682
Adobe Reader 682
Additional Author Files 683
System Requirements 683
Using the Study Tools 683
Troubleshooting 683
Customer Care 684
Index 685