Description

Book Synopsis
The official, Guidance Software-approved book on the newest EnCE exam!

The EnCE exam tests that computer forensic analysts and examiners have thoroughly mastered computer investigation methodologies, as well as the use of Guidance Software's EnCase Forensic 7. The only official Guidance-endorsed study guide on the topic, this book prepares you for the exam with extensive coverage of all exam topics, real-world scenarios, hands-on exercises, up-to-date legal information, and sample evidence files, flashcards, and more.

  • Guides readers through preparation for the newest EnCase Certified Examiner (EnCE) exam
  • Prepares candidates for both Phase 1 and Phase 2 of the exam, as well as for practical use of the certification
  • Covers identifying and searching hardware and file systems, handling evidence on the scene, and acquiring digital evidence using EnCase Forensic 7
  • Includes hands-on exercises, practice questions, and up-to-date legal inform

    Table of Contents

    Introduction xxi

    Assessment Test xxvii

    Chapter 1 Computer Hardware 1

    Computer Hardware Components 2

    The Boot Process 14

    Partitions 20

    File Systems 25

    Summary 27

    Exam Essentials 27

    Review Questions 28

    Chapter 2 File Systems 33

    FAT Basics 34

    The Physical Layout of FAT 36

    Viewing Directory Entries Using EnCase 52

    The Function of FAT 58

    NTFS Basics 73

    CD File Systems 77

    exFAT 79

    Summary 83

    Exam Essentials 84

    Review Questions 85

    Chapter 3 First Response 89

    Planning and Preparation 90

    The Physical Location 91

    Personnel 91

    Computer Systems 92

    What to Take with You Before You Leave 94

    Search Authority 97

    Handling Evidence at the Scene 98

    Securing the Scene 98

    Recording and Photographing the Scene 99

    Seizing Computer Evidence 99

    Bagging and Tagging 110

    Summary 113

    Exam Essentials 113

    Review Questions 115

    Chapter 4 Acquiring Digital Evidence 119

    Creating EnCase Forensic Boot Disks 121

    Booting a Computer Using the EnCase Boot Disk 124

    Seeing Invisible HPA and DCO Data 125

    Other Reasons for Using a DOS Boot 126

    Steps for Using a DOS Boot 126

    Drive-to-Drive DOS Acquisition 128

    Steps for Drive-to-Drive DOS Acquisition 128

    Supplemental Information About Drive-to-Drive DOS Acquisition 132

    Network Acquisitions 135

    Reasons to Use Network Acquisitions 135

    Understanding Network Cables 136

    Preparing an EnCase Network Boot Disk 137

    Preparing an EnCase Network Boot CD 138

    Steps for Network Acquisition 138

    FastBloc/Tableau Acquisitions 151

    Available FastBloc Models 151

    FastBloc 2 Features 152

    Steps for Tableau (FastBloc) Acquisition 154

    FastBloc SE Acquisitions 163

    About FastBloc SE 163

    Steps for FastBloc SE Acquisitions 164

    LinEn Acquisitions 168

    Mounting a File System as Read-Only 168

    Updating a Linux Boot CD with the Latest Version of LinEn 169

    Running LinEn 171

    Steps for LinEn Acquisition 173

    Enterprise and FIM Acquisitions 176

    EnCase Portable 180

    Helpful Hints 188

    Summary 189

    Exam Essentials 192

    Review Questions 194

    Chapter 5 EnCase Concepts 199

    EnCase Evidence File Format 200

    CRC, MD5, and SHA-1 201

    Evidence File Components and Function 202

    New Evidence File Format 206

    Evidence File Verification 207

    Hashing Disks and Volumes 215

    EnCase Case Files 217

    EnCase Backup Utility 220

    EnCase Configuration Files 227

    Evidence Cache Folder 231

    Summary 233

    Exam Essentials 235

    Review Questions 236

    Chapter 6 EnCase Environment 241

    Home Screen 242

    EnCase Layout 246

    Creating a Case 249

    Tree Pane Navigation 255

    Table Pane Navigation 266

    Table View 266

    Gallery View 275

    Timeline View 277

    Disk View 280

    View Pane Navigation 284

    Text View 284

    Hex View 287

    Picture View 288

    Report View 289

    Doc View 289

    Transcript View 290

    File Extents View 291

    Permissions View 291

    Decode View 292

    Field View 294

    Lock Option 294

    Dixon Box 294

    Navigation Data (GPS) 295

    Find Feature 297

    Other Views and Tools 298

    Conditions and Filters 298

    EnScript 299

    Text Styles 299

    Adjusting Panes 300

    Other Views 306

    Global Views and Settings 306

    EnCase Options 310

    Summary 318

    Exam Essentials 320

    Review Questions 321

    Chapter 7 Understanding, Searching For, and Bookmarking Data 325

    Understanding Data 327

    Binary Numbers 327

    Hexadecimal 333

    Characters 336

    ASCII 337

    Unicode 338

    EnCase Evidence Processor 340

    Searching for Data 352

    Creating Keywords 353

    GREP Keywords 364

    Starting a Search 373

    Viewing Search Hits and Bookmarking Your Findings 376

    Bookmarking 377

    Summary 426

    Exam Essentials 428

    Review Questions 430

    Chapter 8 File Signature Analysis and Hash Analysis 435

    File Signature Analysis 436

    Understanding Application Binding 437

    Creating a New File Signature 438

    Conducting a File Signature Analysis 442

    Hash Analysis 449

    MD5 Hash 449

    Hash Sets and Hash Libraries 449

    Hash Analysis 462

    Summary 466

    Exam Essentials 468

    Review Questions 469

    Chapter 9 Windows Operating System Artifacts 473

    Dates and Times 475

    Time Zones 475

    Windows 64-Bit Time Stamp 476

    Adjusting for Time Zone Offsets 481

    Recycle Bin 487

    Details of Recycle Bin Operation 488

    The INFO2 File 488

    Determining the Owner of Files in the Recycle Bin 493

    Files Restored or Deleted from the Recycle Bin 494

    Using an EnCase Evidence Processor to Determine the Status of Recycle Bin Files 496

    Recycle Bin Bypass 498

    Windows Vista/Windows 7 Recycle Bin 500

    Link Files 504

    Changing the Properties of a Shortcut 504

    Forensic Importance of Link Files 505

    Using the Link File Parser 509

    Windows Folders 511

    Recent Folder 515

    Desktop Folder 516

    My Documents/Documents 518

    Send To Folder 518

    Temp Folder 519

    Favorites Folder 520

    Windows Vista Low Folders 521

    Cookies Folder 523

    History Folder 526

    Temporary Internet Files 532

    Swap File 535

    Hibernation File 536

    Print Spooling 537

    Legacy Operating System Artifacts 543

    Windows Volume Shadow Copy 544

    Windows Event Logs 549

    Kinds of Information Available in Event Logs 549

    Determining Levels of Auditing 552

    Windows Vista/7 Event Logs 554

    Using the Windows Event Log Parser 555

    For More Information 558

    Summary 559

    Exam Essentials 564

    Review Questions 566

    Chapter 10 Advanced EnCase 571

    Locating and Mounting Partitions 573

    Mounting Files 588

    Registry 595

    Registry History 595

    Registry Organization and Terminology 596

    Using EnCase to Mount and View the Registry 601

    Registry Research Techniques 605

    EnScript and Filters 608

    Running EnScripts 609

    Filters and Conditions 611

    Email 614

    Base64 Encoding 619

    EnCase Decryption Suite 622

    Virtual File System (VFS) 629

    Restoration 633

    Physical Disk Emulator (PDE) 636

    Putting It All Together 641

    Summary 645

    Exam Essentials 648

    Review Questions 649

    Appendix A Answers to Review Questions 653

    Chapter 1: Computer Hardware 654

    Chapter 2: File Systems 655

    Chapter 3: First Response 657

    Chapter 4: Acquiring Digital Evidence 658

    Chapter 5: EnCase Concepts 659

    Chapter 6: EnCase Environment 661

    Chapter 7: Understanding, Searching For, and Bookmarking Data 662

    Chapter 8: File Signature Analysis and Hash Analysis 663

    Chapter 9: Windows Operating System Artifacts 664

    Chapter 10: Advanced EnCase 665

    Appendix B Creating Paperless Reports 667

    Exporting the Web Page Report 669

    Creating Your Container Report 671

    Bookmarks and Hyperlinks 675

    Burning the Report to CD or DVD 678

    Appendix C About the Additional Study Tools 681

    Additional Study Tools 682

    Sybex Test Engine 682

    Electronic Flashcards 682

    PDF of Glossary of Terms 682

    Adobe Reader 682

    Additional Author Files 683

    System Requirements 683

    Using the Study Tools 683

    Troubleshooting 683

    Customer Care 684

    Index 685

EnCase Computer Forensics The Official EnCE


    A Paperback / softback by Steve Bunting


      Publisher: John Wiley & Sons Inc
      Publication Date: 07/09/2012
      ISBN13: 9780470901069, 978-0470901069
      ISBN10: 0470901063
