Sep 29, 2023  
2019-2020 Course Catalog [ARCHIVED CATALOG]

CVF 2082 - EnCase Forensics

Credits: 3
Hours/Week: Lecture 2 Lab 2
Course Description: This course provides an in-depth study of EnCase Forensic, a commonly used tool in both corporate and law enforcement environments. Additionally, this course reviews and solidifies important concepts in forensic methodology and forensic artifacts. This course aligns with the objectives of the EnCase Certified Examiner (EnCE) certification. Successful completion of the course requires passing the EnCE written certification exam.
MnTC Goals

Prerequisite(s): CVF 1081 with a grade of C or higher OR instructor consent
Corequisite(s): None
Recommendation: None

Major Content
  1. Acquisition of a hard disk
     - Write-blocking technologies
     - The basics of acquiring a forensically sound copy of data from a removable disk
     - Acquisition using a forensically sound Linux operating system
     - Drive-to-drive acquisition
     - Network crossover-cable acquisition
     - Previewing computer systems
     - Verification of an evidence file
  2. Analysis Techniques
     - File types
     - Creation of keywords and searching
     - Basic bookmarking
     - Signature analysis
     - Hash analysis
     - Installing external viewers
     - Detailed copy/UnErase options
     - Restoring evidence
     - Timeline view
     - Single files
     - Logical evidence files
     - Examination methods concerning flash cards & similar devices
  3. Compound files
     - Mounting and searching of compound files
     - Documenting data contained within these compound files
     - Pitfalls of not examining compound files properly
  4. Conditions and queries
     - Uses
     - Creating an index
     - Querying an index
  5. EnCase Forensic Concepts and Methodology
     - Creating an EnCase Forensic case file
     - Safeguarding and preserving evidential data
     - Archiving and reopening an archived case
  6. External processing
     - Using the EnCase Virtual File System (VFS) Module
     - Using the EnCase Physical Disk Emulator (PDE) Module
     - Virus scanning
     - Dynamic mounting of compound files
     - Running a target system within a virtual environment
  7. Principles of attempting to recover data lost through the partitioning or formatting process
     - Partition recovery
     - Folder recovery
     - Data carving (manually vs. EnScript)
  8. Reporting
     - Organizing data and creating reports
     - Report formats
     - Exporting metadata
  9. Review of Windows artifacts
  10. Review of file systems and disk partitioning
  11. Search techniques
     - Reviewing search hits and bookmarking
     - GREP searching
  12. Windows Registry
     - Elements of the Registry
     - Registry keys and values
     - Registry value types
     - Locating and mounting the Registry hive files
     - Examination of time zone settings with the Registry
     - Applying time zones within EnCase Forensic

Learning Outcomes
At the end of this course students will be able to:

  1. demonstrate EnCase forensic methodology
  2. perform imaging and analysis of Windows-based systems
  3. perform advanced searching and filtering techniques with EnCase
  4. perform external analysis in conjunction with EnCase

Competency 1 (1-6)
Competency 2 (7-10)
