EnCE Study Guide V7

所需积分/C币:10 2018-05-30 15:15:32 1.11MB PDF
收藏 收藏

官方EnCE Study Guide v7 - Content 4-2016 梳理考点十分有用
Ence@ Study Guide EnCE Prep Course o This course is designed for en case users preparing for certification he certification is based upon the skills and knowledge presented in the Guidance enCase Computer Forensics i and En Case Computer Forensics II courses. The EnCe Prep course is not intended to be a replacement for these two classes; instead it is a thorough but accelerated review of the covered subjects. Students cannot waive or substitute the prerequisite attendance of the guidance en case Computer forensics ii course when applying to attend the ence Preparation course o The Phase I written examination will not be given during class. Once you complete the class you will be given login instructions. You will have ten(10) business days from the last day of class to take Phase I After the 10 days, access to the exam will be terminated o Complete details for this course can be found at https://www2.guidancesoftware.com/training/pages/courses/classroom/ENcase@. v7-EnCE-Prep-Course. aspx?fromDate=1%2f1%2f0001&todate=1%2f1%2f0001 Infuse o Registered attendees at our annual Enfuse conference may elect to take the Phase i test during the conference at no additional charge o All requirements must be met prior to attending Enfuse. Anyone interested in taking the Phase I test at Enfuse must fill out an application and return it to the certification coordinator one(1)month prior to the conference via fax, email, or mail. Only those who have preregistered and been approved will be admitted to take the Phase I test at enfuse oPleasevisitwww.guidancesoftware.com/enfuseformoreinformation Copyright@ 2016 Guidance Software, Inc May not be copied or reproduced without the written permission of Guidance Software, Inc. Ence@ Study Guide Maintaining Your Certification Payment of 75 USd via credit card, check, or purchase order is required for renewal completion. The payment must accompany a completed renewal form and the supporting documentation detailed as follows EnCase Certified Examiners are required to achieve one of the following items prior to their expiration date in order to renew Attend a minimum of thirty-two (32)credit hours of documented, continuing education in computer forensics or incident response to maintain the certification The training should either be from Guidance, your agency,or an accredited source. Training should be either in a classroom lab setting or online. Proof of attendance should be provided via a certificate transcript, or official letter o Earn one(1) credit hour for each classroom hour of training and v2 credit hour for each one hour of instruction as a computer forensics or incident response curriculum instructor Achieve a computer forensics or incident response related certification within the renewal period. A certificate of completion must be submitted as documentation Attend one enfuse conference within the renewal period Your certification must be current at the time of the conference and you must attend at least 10 sessions to fulfill the requirement to renew your EnCE Register online at www.guidancesoftware.com/enfuse.Renewalformswillbeavailablefor download from printing stations during the conference please check the box on the renewal form, and registration will be on file with guidance Training and teaching hours may be combined to reach the total 32 hours required Documentation may be a certificate of completion, official letter from the provider, or transcript Copyright@ 2016 Guidance Software, Inc May not be copied or reproduced without the written permission of Guidance Software, Inc. Ence@ Study Guide The following guidelines for submitting renewal credit for attendance at any other computer forensic conference other than enfuse are o Only labs count(seminars or product demos are not considered) o Calculate one(1) CPe for every hour in a lab o Send a copy of the conference agenda and indicate the labs attended and how many Cpe each one is worth Please do not submit your renewal documents separately Keep all certificates together and only send them when you have the requirement fulfilled. When you are ready send the renewal form and any certificates/letters/documents via fax, email, or regular mail The requirements must be met within the renewal period.(i.e,if the renewal date is June 1, 2012, the requirements must have been achieved between June 1, 2009 and June 1, 2012) Should your certification expire, you will be required to restart the ence process from Phase I. Extensions will not be granted. If you are unsure of your expiration datepleaseemailcertification@guid.com Complete renewal details are available at https://www2.quidancesoftware.com/training/pages/ence-certification-pRogram.aspx other Study material This study guide highlights the topics contained in the EnCE test, including good forensic practices, legal issues, computer knowledge, knowledge of EnCase evidence discovery techniques, and understanding file system artifacts. If yo oU need reference materials to prepare for a specific topic or portion of the exam, some recommended study materials are listed below: EnCasee computer forensics i manual by guidance software En Case@ Computer Forensics ll manual by Guidance Software En Case@ legal journal by guidance software EnCase users manual by guidance software Handbook of computer Crime by Eoghan Casey How Computers work by ron white Copyright@ 2016 Guidance Software, Inc May not be copied or reproduced without the written permission of Guidance Software, Inc. Ence@ Study Guide EnCE. Preparation Training Examining computer-based evidence with Encase software(En Case) Computer knowledge Good forensic practices Examining Computer-based Evidence The En casee evidence file En Case concepts The en case environment En Case Evidence processor Index queries and raw key word searching File signature and hash analysis The en Case Evidence file Bit stream image of evidence written to a file The En case Evidence file Contains Case data Cannot be changed after evidence file is created Contains o Case number o Examiner name o Evidence number Unique description o Date /time of computer system clock o Acquisition notes o Serial number of physical hard drive Copyright@ 2016 Guidance Software, Inc May not be copied or reproduced without the written permission of Guidance Software, Inc. Ence@ Study Guide The En Case Evidence Fille Verification Cyclical redundancy check 32-bit CRC for(by default)64 sectors(32 KB)of data If no compression is used o Calculated when evidence file is added to a case and rechecked every time the data block is accessed Verification hash -"digital signature"of all data in evidence file MD5-128-bit/32 characters SHA1-160 bit Can choose either, one, or neither The En Case Evidence file characteristics Logical file that can be renamed and moved Can be broken into multiple segments, with a maximum segment size dependent on the file system to which the evidence file is written Can be compressed during acquisition and or reacquired with compression for archival without changing the hash value Can be password protected or encrypted and can be reacquired to remove or change password/encryption Individual segments can be verified by the crcs when compression is not used If compression is used, the decompression algorithm is used Error granularity is often used to adjust the writing of data to an evidence file, when a read error of the subject media occurs o Standard-Size of the data blocks o Exhaustive- Sector-by-sector Evidence file verification Data in the entire evidence file is verified by verification hash compared to the acquisition hash value of the original evidence Data in each data block is verified by a CrC when no compression is used Both the MD5 and or SHA-1 hash and crcs must match for the evidence file to be verified o If any compression is used the compression algorithm is used to verify data blocks Copyright@ 2016 Guidance Software, Inc May not be copied or reproduced without the written permission of Guidance Software, Inc. Ence@ Study Guide En Case Concepts The case file -, case o Compound file containing Pointers to the locations of evidence files on forensic workstation Results of file signature and hash analysis Bookmarks nvestigator's notes a case file can contain any number of hard drives or removable media The case file should be archived with the evidence cache and evidence files as it contains all of the investigators notes o Use the" Create Packagefeature The Configuration ini Files Contain"global options"used for all cases Some configuration ini files FileTypes.ini Organizes files into groups by extension; determines which viewer to use File signature table o Localini Global configuration settings Viewers. ini Installed viewers associated to En Case The EnCase@ Methodology ● Case management o Use large-capacity, high-RPM(revolutions per minute) hard drives with single partition for evidence files o Wipe the drive to eliminate any claims or arguments of cross contamination o Give the hard drive a unique label prior to acquisitions to differentiate your drives from that of the suspect Copyright@ 2016 Guidance Software, Inc May not be copied or reproduced without the written permission of Guidance Software, Inc. Ence@ Study Guide o Separate folders for each case are recommended Use unique directory names Each case requires an Export, Temp, and Evidence cache folder Evidence Cache- Storing cache files and containers for processed evidence Export-Default folder for exporting evidence Temp-Default temporary folder for file viewing Evidence processor After adding evidence to a case and confirming that the data is valid and browsable the first task you undertake is to run the en Case evidence Processor The evidence Processor lets you run, in a single automated session, a collection of powerful analytic tools against your case data Since you can run the Evidence Processor unattended, you can work on other aspects of the case while this tool is processing data After completion, the case data will be processed and ready for you to begin the important analytic and reporting phases of your investigation ● The followi g evidence processing functions are available o Recover folders-Recover files that have been deleted or corrupted on Fat and ntfsⅴ olumes o Hash analysis-Generate MD5 and/or SHA-1 hash values for files and compare against your case Hash Library o Expand compound files -Expand compound and compressed files, such as ZIP rar, and gz o Find email- Extract individual messages from email archive files, such as PST(Microsoft Outlook), NSF (Lotus@ Notes), DBX (Microsoft Outlook Express), EDB(Microsoft Exchange), AOL, and MBOX o find internet artifacts- Collect internet-related artifacts, such as browser histories and cached web pages You also have the option to search unallocated space for the Internet artifacts o Search for keywords- Search raw(not transcript) text for specific keywords Copyright@ 2016 Guidance Software, Inc May not be copied or reproduced without the written permission of Guidance Software, Inc. Ence@ Study Guide o Index text - Create an index for when you need to search for keywords in compound files( microsoft Office 2007 and 2010)and across large amounts of data You can adjust the parameters for index creation such as the minimum word length to index and whether to use a noise file o File signature analysis- Determine if the extension of a file has been altered and whether or not the extension matches the file type as specified by the file's header o Protected file analysis-Identify encrypted and password-protected files o Creating thumbnails from images-Creates image thumbnails for faster display in the enCase gui Search Queries- Index The case index is created with the en Case evidence processor Creating an index will allow you to instantly search for terms in a variety of ways You can adjust parameters for index creation, such as the minimum word length to index or whether to use a noise file(a file containing specific words to ignore Compared to keyword searches that search on the raw text, index searches will search on the transcript output of the file, which is critical for Microsoft Office 2007 and 2010 files generating an index can take time however the trade-off in time spent creating the index yields a greater payoff with near instantaneous search times Guidance software recommends always indexing your case data Search Queries-Index Once your case has been indexed keyword searched, tagged, or any combination of the three, you can then search for desired information To create a unified search do the following o Go to the home screen and click the search button In the Index window, enter the key word(s)to query the index a dynamic list is displayed on the right side of the window, showing the terms in the index and the number of occurrence of a term This is extremely helpful when crafting a query so that you can immediately see if the term exists in the index Copyright@ 2016 Guidance Software, Inc May not be copied or reproduced without the written permission of Guidance Software, Inc. 10

试读 42P EnCE Study Guide V7
立即下载 低至0.43元/次 身份认证VIP会员低至7折
EnCE Study Guide V7 10积分/C币 立即下载
EnCE Study Guide V7第1页
EnCE Study Guide V7第2页
EnCE Study Guide V7第3页
EnCE Study Guide V7第4页
EnCE Study Guide V7第5页
EnCE Study Guide V7第6页
EnCE Study Guide V7第7页
EnCE Study Guide V7第8页
EnCE Study Guide V7第9页

试读结束, 可继续读4页

10积分/C币 立即下载