- Paperback
The official, Guidance Software-approved book on the newest EnCE exam!
The EnCE exam tests that computer forensic analysts and examiners have thoroughly mastered computer investigation methodologies, as well as the use of Guidance Software's EnCase Forensic 7. The only official Guidance-endorsed study guide on the topic, this book prepares you for the exam with extensive coverage of all exam topics, real-world scenarios, hands-on exercises, up-to-date legal information, and sample evidence files, flashcards, and more.
- Guides readers through preparation for the newest EnCase Certified Examiner (EnCE) exam
- Prepares candidates for both Phase 1 and Phase 2 of the exam, as well as for practical use of the certification
- Covers identifying and searching hardware and file systems, handling evidence on the scene, and acquiring digital evidence using EnCase Forensic 7
- Includes hands-on exercises, practice questions, and up-to-date legal information
- Sample evidence files, Sybex Test Engine, electronic flashcards, and more
If you're preparing for the new EnCE exam, this is the study guide you need.
Product details
- Publisher: Wiley & Sons
- 3rd edition
- Number of pages: 752
- Publication date: 11 September 2012
- Language: English
- Dimensions: 244mm x 192mm x 43mm
- Weight: 1106g
- ISBN-13: 9780470901069
- ISBN-10: 0470901063
- Item no.: 31303303
Steve Bunting, EnCE, CCFT, has over 30 years of law enforcement and computer forensics experience. He is a Senior Forensic Consultant for Forward Discovery, a global forensics consulting organization. Previously he served as a captain with the University of Delaware Police Department, where he conducted examinations of computer systems for federal, state, and local law enforcement. He is also the coauthor of Mastering Windows Network Forensics and Investigation.
Introduction
Assessment Test
Chapter 1: Computer Hardware
- Computer Hardware Components
- The Boot Process
- Partitions
- File Systems
- Summary
- Exam Essentials
- Review Questions
Chapter 2: File Systems
- FAT Basics
- The Physical Layout of FAT
- Viewing Directory Entries Using EnCase
- The Function of FAT
- NTFS Basics
- CD File Systems
- exFAT
- Summary
- Exam Essentials
- Review Questions
Chapter 3: First Response
- Planning and Preparation
- The Physical Location
- Personnel
- Computer Systems
- What to Take with You Before You Leave
- Search Authority
- Handling Evidence at the Scene
- Securing the Scene
- Recording and Photographing the Scene
- Seizing Computer Evidence
- Bagging and Tagging
- Summary
- Exam Essentials
- Review Questions
Chapter 4: Acquiring Digital Evidence
- Creating EnCase Forensic Boot Disks
- Booting a Computer Using the EnCase Boot Disk
- Seeing Invisible HPA and DCO Data
- Other Reasons for Using a DOS Boot
- Steps for Using a DOS Boot
- Drive-to-Drive DOS Acquisition
- Steps for Drive-to-Drive DOS Acquisition
- Supplemental Information About Drive-to-Drive DOS Acquisition
- Network Acquisitions
- Reasons to Use Network Acquisitions
- Understanding Network Cables
- Preparing an EnCase Network Boot Disk
- Preparing an EnCase Network Boot CD
- Steps for Network Acquisition
- FastBloc/Tableau Acquisitions
- Available FastBloc Models
- FastBloc 2 Features
- Steps for Tableau (FastBloc) Acquisition
- FastBloc SE Acquisitions
- About FastBloc SE
- Steps for FastBloc SE Acquisitions
- LinEn Acquisitions
- Mounting a File System as Read-Only
- Updating a Linux Boot CD with the Latest Version of LinEn
- Running LinEn
- Steps for LinEn Acquisition
- Enterprise and FIM Acquisitions
- EnCase Portable
- Helpful Hints
- Summary
- Exam Essentials
- Review Questions
Chapter 5: EnCase Concepts
- EnCase Evidence File Format
- CRC, MD5, and SHA-1
- Evidence File Components and Function
- New Evidence File Format
- Evidence File Verification
- Hashing Disks and Volumes
- EnCase Case Files
- EnCase Backup Utility
- EnCase Configuration Files
- Evidence Cache Folder
- Summary
- Exam Essentials
- Review Questions
Chapter 6: EnCase Environment
- Home Screen
- EnCase Layout
- Creating a Case
- Tree Pane Navigation
- Table Pane Navigation
- Table View
- Gallery View
- Timeline View
- Disk View
- View Pane Navigation
- Text View
- Hex View
- Picture View
- Report View
- Doc View
- Transcript View
- File Extents View
- Permissions View
- Decode View
- Field View
- Lock Option
- Dixon Box
- Navigation Data (GPS)
- Find Feature
- Other Views and Tools
- Conditions and Filters
- EnScript
- Text Styles
- Adjusting Panes
- Other Views
- Global Views and Settings
- EnCase Options
- Summary
- Exam Essentials
- Review Questions
Chapter 7: Understanding, Searching For, and Bookmarking Data
- Understanding Data
- Binary Numbers
- Hexadecimal
- Characters
- ASCII
- Unicode
- EnCase Evidence Processor
- Searching for Data
- Creating Keywords
- GREP Keywords
- Starting a Search
- Viewing Search Hits and Bookmarking Your Findings
- Bookmarking
- Summary
- Exam Essentials
- Review Questions
Chapter 8: File Signature Analysis and Hash Analysis
- File Signature Analysis
- Understanding Application Binding
- Creating a New File Signature
- Conducting a File Signature Analysis
- Hash Analysis
- MD5 Hash
- Hash Sets and Hash Libraries
- Hash Analysis
- Summary
- Exam Essentials
- Review Questions
Chapter 9: Windows Operating System Artifacts
- Dates and Times
- Time Zones
- Windows 64-Bit Time Stamp
- Adjusting for Time Zone Offsets
- Recycle Bin
- Details of Recycle Bin Operation
- The INFO2 File
- Determining the Owner of Files in the Recycle Bin
- Files Restored or Deleted from the Recycle Bin
- Using an EnCase Evidence Processor to Determine the Status of Recycle Bin Files
- Recycle Bin Bypass
- Windows Vista/Windows 7 Recycle Bin
- Link Files
- Changing the Properties of a Shortcut
- Forensic Importance of Link Files
- Using the Link File Parser
- Windows Folders
- Recent Folder
- Desktop Folder
- My Documents/Documents
- Send To Folder
- Temp Folder
- Favorites Folder
- Windows Vista Low Folders
- Cookies Folder
- History Folder
- Temporary Internet Files
- Swap File
- Hibernation File
- Print Spooling
- Legacy Operating System Artifacts
- Windows Volume Shadow Copy
- Windows Event Logs
- Kinds of Information Available in Event Logs
- Determining Levels of Auditing
- Windows Vista/7 Event Logs
- Using the Windows Event Log Parser
- For More Information
- Summary
- Exam Essentials
- Review Questions
Chapter 10: Advanced EnCase
- Locating and Mounting Partitions
- Mounting Files
- Registry
- Registry History
- Registry Organization and Terminology
- Using EnCase to Mount and View the Registry
- Registry Research Techniques
- EnScript and Filters
- Running EnScripts
- Filters and Conditions
- Email
- Base64 Encoding
- EnCase Decryption Suite
- Virtual File System (VFS)
- Restoration
- Physical Disk Emulator (PDE)
- Putting It All Together
- Summary
- Exam Essentials
- Review Questions
Appendix A: Answers to Review Questions
- Chapter 1: Computer Hardware
- Chapter 2: File Systems
- Chapter 3: First Response
- Chapter 4: Acquiring Digital Evidence
- Chapter 5: EnCase Concepts
- Chapter 6: EnCase Environment
- Chapter 7: Understanding, Searching For, and Bookmarking Data
- Chapter 8: File Signature Analysis and Hash Analysis
- Chapter 9: Windows Operating System Artifacts
- Chapter 10: Advanced EnCase
Appendix B: Creating Paperless Reports
- Exporting the Web Page Report
- Creating Your Container Report
- Bookmarks and Hyperlinks
- Burning the Report to CD or DVD
Appendix C: About the Additional Study Tools
- Additional Study Tools
- Sybex Test Engine
- Electronic Flashcards
- PDF of Glossary of Terms
- Adobe Reader
- Additional Author Files
- System Requirements
- Using the Study Tools
- Troubleshooting
- Customer Care
Index