Sep 16

I thought I should mention that we at EnCEsecrets.com are so certain that our EnCE Study Guide, the Forensic Secrets eBook, will help you pass the EnCE exam that we offer a money-back guarantee.  The terms of the money-back guarantee are listed on our FAQ page, but basically the deal is that if you pass the written portion of the EnCE and then buy the Forensic Secrets eBook and don’t feel that the eBook helped you pass the practical we will refund the full purchase price of the eBook to you. 

That is it.  We want our customers to be happy and if you can honestly say that the eBook did not help you pass the EnCE exam, we will refund your money.

Sep 15

The best advice that I can give to those who are about to begin the EnCase Certified Examiner Practical exam is to develop a test-taking strategy and to not procrastinate.  When you receive the practical exam and evidence files, read all of the questions first and develop a strategy for your analysis so that it flows logically.  If, for example, when reading the test questions you notice that the second-to-last question is going to require a hash analysis, part of your strategy might be to hash all of the files as soon as you have added the evidence to your case.  While you are at it, run a file signature analysis as well and, where the questions call for it, search for internet history and email.  

By doing these steps up front (i.e. before you reach the second-to-last question) and together, you may uncover evidence that leads you to the answers of other questions on the exam.  Because EnCase allows you to run these steps simultaneously, you also make your analysis more efficient.  These steps should be obvious to experienced examiners, but some people have a tendency to “hunt” for the answer to each individual question in a test-taking scenario. 
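The "hash everything and run a signature analysis up front" pass described above, as an added example that is not part of the original post and does not use EnCase: the script hashes every file in an evidence tree once, checks each hash against a hash set, and compares each file's header (magic bytes) to its extension so that a renamed file (say, a JPEG stored as `budget.doc`) is flagged without anyone having to hunt for it. The evidence tree, the file contents and the hash set are constructed inside the script for demonstration; the function and file names are the example's own.

```python
"""Triage pass over an evidence tree: hash every file, match hashes against a
hash set, and compare each file's signature (header bytes) to its extension.
Added example: the sample files and the 'notable' hash set are constructed here."""
import hashlib
import tempfile
from pathlib import Path

# File signatures (magic bytes) and the extensions that legitimately carry them.
SIGNATURES = [
    (b"\xff\xd8\xff", {"jpg", "jpeg"}),
    (b"\x89PNG\r\n\x1a\n", {"png"}),
    (b"GIF87a", {"gif"}),
    (b"GIF89a", {"gif"}),
    (b"%PDF-", {"pdf"}),
    (b"MZ", {"exe", "dll", "sys", "scr"}),
    (b"PK\x03\x04", {"zip", "docx", "xlsx", "pptx", "jar"}),
]


def sha256_file(path, chunk=1 << 16):
    """Hash a file in chunks so large evidence files do not have to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def signature_of(header):
    """Return the set of extensions that match the header, or None if the header is unknown."""
    for magic, exts in SIGNATURES:
        if header.startswith(magic):
            return exts
    return None


def analyze_case(root, notable_hashes):
    """Walk the tree once and record hash, extension, signature and flags per file.
    notable_hashes is a set of SHA-256 hex digests (the 'hash set') to match against."""
    results = []
    for path in sorted(Path(root).rglob("*")):
        if not path.is_file():
            continue
        with open(path, "rb") as f:
            header = f.read(16)
        ext = path.suffix.lower().lstrip(".")
        exts = signature_of(header)
        digest = sha256_file(path)
        results.append({
            "path": path.relative_to(root).as_posix(),
            "sha256": digest,
            "ext": ext,
            "signature": "/".join(sorted(exts)) if exts else "unknown",
            # Mismatch only when the header is recognised and the extension is not one it belongs to;
            # an unknown header (plain text, say) is not evidence of anything by itself.
            "mismatch": exts is not None and ext not in exts,
            "notable": digest in notable_hashes,
        })
    return results


def triage(root, notable_hashes):
    """Return (paths with a signature/extension mismatch, paths whose hash is in the hash set)."""
    rows = analyze_case(root, notable_hashes)
    mismatched = [r["path"] for r in rows if r["mismatch"]]
    notable = [r["path"] for r in rows if r["notable"]]
    return mismatched, notable


def build_sample_case():
    """Construct a throwaway evidence tree (not real evidence) for the demonstration."""
    root = Path(tempfile.mkdtemp(prefix="ence_sample_"))
    jpeg = b"\xff\xd8\xff\xe0" + b"\x00" * 64          # minimal JPEG header
    (root / "pictures").mkdir()
    (root / "pictures" / "holiday.jpg").write_bytes(jpeg)
    (root / "pictures" / "readme.txt").write_bytes(b"nothing to see here\n")
    (root / "work").mkdir()
    # A JPEG renamed to hide among documents: the extension says .doc, the header says JPEG.
    (root / "work" / "budget.doc").write_bytes(jpeg)
    (root / "work" / "tool.exe").write_bytes(b"MZ" + b"\x90" * 32)
    return root


if __name__ == "__main__":
    case = build_sample_case()
    # Constructed hash set: pretend tool.exe is a known file of interest.
    hash_set = {sha256_file(case / "work" / "tool.exe")}
    for row in analyze_case(case, hash_set):
        flags = ",".join(k for k in ("mismatch", "notable") if row[k])
        print(f"{row['path']:<22} ext={row['ext']:<4} sig={row['signature']:<10} {flags}")
```

Running it prints one line per file; `work/budget.doc` is reported as a signature mismatch and `work/tool.exe` as a hash-set hit. In a real case the hash set would come from a known-file library and the signature table would be far longer, but the shape of the pass, one walk that produces both results, is the point.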

Back to the point about procrastination: by starting your analysis as soon as you receive the EnCE Practical you allow yourself time to complete the required analysis and to develop a thorough report.  Obviously, I don’t grade the EnCE Practical but my guess is the report that you submit is weighted very heavily in terms of whether you pass or fail the exam.  The report should clearly state your findings and be free from spelling and grammatical errors.  

In addition to being free from spelling and grammatical errors, the report should not be so technical that you have to be an expert in computer forensics to understand it.  Think of the audience for your reports (law enforcement, juries, management) and write the report so that they can understand it without you there to explain it. 

This and other strategies and techniques are fully discussed in the EnCE Study Guide available at EnCEsecrets.com.

Good luck with your EnCase Certification!

Sep 11

As I mentioned elsewhere on my site, I had the luxury of attending the EnCE Prep Class offered by Guidance Software.  In the class we reviewed various techniques and we received an EnCE study guide that was essentially a compilation of the manuals for the Guidance Software Computer Forensics 1 and Computer Forensics 2 courses.  I had also purchased The Official EnCE Study Guide by Steve Bunting and William Wei to augment my studies.  

After passing the written portion of the exam, I felt as though studying the questions at the end of the chapters in The Official EnCE Study Guide would have been sufficient to pass the written exam.  I thoroughly enjoyed the class and if you have the means I’d suggest taking it.  If you are unable to take it, just be sure that you are very comfortable answering the questions at the end of each chapter of The Official EnCE Study Guide.   

The EnCE practical exam, however, was a different beast.  While the Bunting and Wei book helped me out with much of the exam, I also had to do a good deal of digging on the internet in order to find the information that I needed to complete the practical. As I’ve also previously mentioned, I believe the EnCase certification process has helped me become a better examiner. I routinely use the skills I used and learned while completing the EnCE practical, and it was for these two reasons that I documented my notes and developed the Forensic Secrets eBook.

The Forensic Secrets eBook contains in-depth coverage of:

  • First response techniques
  • Recovering deleted partitions and files
  • Registry analysis techniques
  • Resident vs. Non-resident files
  • Internet cookie analysis
  • Concise definitions for unused disk area, unallocated clusters, pagefile.sys, hiberfil.sys, volume slack, file slack and RAM slack.
  • Tips for EnCase reporting
  • Link file analysis
  • Removable media (USB) analysis
  • SID analysis
  • $MFT analysis
  • Internet history analysis
  • Recycle bin analysis
  • Microsoft Office file analysis
  • Data hiding techniques
  • Password guessing techniques
  • and much more 

To be clear, the Forensic Secrets eBook is not a braindump of the EnCE practical exam.  If that is what you are looking for, please look elsewhere.  If you are looking for a concise guide to the principles and techniques that are tested on the EnCE practical, the Forensic Secrets eBook is for you. 

In conclusion, if you are looking to obtain EnCase Certification my first recommendation would be to take the EnCE Prep class offered by Guidance Software to refresh your skills and prepare you for the written portion of the exam.  If you are unable to attend the EnCE Prep class, I would highly recommend purchasing The Official EnCE Study Guide and the Forensic Secrets eBook.  The official study guide will help you prepare for the written exam and the Forensic Secrets eBook will help you ace the EnCE practical.

Sep 8

The value of certification is debatable.  For many certifications it is possible to simply study a book, maybe purchase some Transcenders, take the exam and call yourself “certified.”  I know several people who have brought “certified” individuals in for interviews and sat them down in front of the relevant operating system or piece of equipment, only to find that the person had no idea how to log on or even how to power on the equipment. 

Guidance Software has addressed this concern with the EnCase Certified Examiner (EnCE) certification.  While you could theoretically pass the written portion of the exam by studying a book such as The Official EnCase Certified Examiner Study Guide by Steve Bunting and William Wei, the practical portion of the exam requires at least a moderate amount of experience with computer forensic analysis. 

Even for the experienced examiner there are portions of the exam that can prove challenging.  In some cases the challenge is derived from the fact that the certification candidate has not performed a particular analysis technique before.  In other instances the challenge is in bringing seldom used analysis techniques to the forefront of one’s mind. Regardless of how the certification candidate is challenged, one thing holds true: Guidance Software has built the EnCE exam to test and reinforce the tenets of computer forensic analysis.  

I read a post in a computer forensics forum recently in which the poster was asking about computer forensics certifications.  The post is several years old but still relevant and somewhat humorous.  The individual was looking for information about the EnCE certification. He claimed to be looking for a certification that would help him increase his salary and enhance his ability “to get girls” and wondered whether the EnCE was his ticket.

In terms of the EnCE’s ability to help him increase his salary, I’d say it depends on the employer.  Some employers value the commitment that it takes to obtain a certification and will reward the individual appropriately, whether by salary increase or perhaps a bonus.  Other employers will view a certification as something that is just “nice to have” and let you go on your merry way.  In my opinion, certification (and the EnCE in particular) is a way to validate your skills. 

Computer forensics is a niche skill, and while there may be a number of people out there who say they have used EnCase or “done forensics” before, there are not a tremendous number of people who have validated their skills by becoming certified. My advice to the previously mentioned prospective certification candidate is that the EnCE certification will make you stand out from the rest of the application pool being received by potential employers. Sure, there is always that guy who has no education beyond high school and no technical certifications but is an absolute genius when it comes to all things IT. 

Unless you know this guy, have worked with him and can vouch for his skills, he’s just a guy who has some computer experience when it comes to the interview.  If you go into the same interview with some experience and the EnCE, you win (in my opinion) because you have the experience and the certification to validate that experience.

I was married prior to obtaining the EnCE, so I can’t really opine on whether or not said certification enhances one’s ability “to get girls.”  If I were a betting man, which I am, I’d say no.  A technical certification may have worked to his advantage in the mid-Nineties, but these days most certifications are so dime-a-dozen that girls just aren’t impressed anymore.

Sep 6

I’ve decided to offer a free sample of the Forensic Secrets eBook.  The sample includes 27 pages of the eBook itself and will give you the opportunity to review the table of contents and quality of the book.  Click the following link and get ready to pass the EnCE exam:  Forensic Secrets eBook sample.

Sep 5

Anti-forensics

While it may seem contradictory for me to mention the value of anti-forensics on a site dedicated to providing EnCE practical help, I cannot overstate the value of such information to EnCE candidates and computer forensic examiners in general.

When I think “anti-forensics,” the first thing that comes to mind is someone trying to hide his tracks.  As a computer forensic examiner, I am interested in the exact opposite.  But wait, isn’t the exact opposite of “hiding his tracks” finding those tracks? 

On some cop shows such as Law & Order you periodically hear an investigator or someone mentioning the value of being able to “think like a criminal.”  If we can do the same as computer forensic examiners, we can conduct better forensic examinations which, in turn, lead to better results (whether that result is the EnCE practical exam or an actual criminal investigation).

I have recently had the opportunity to speak with the site owner of www.anti-forensics.com.  I was previously unaware of this site and I really wish I had found it earlier.  The site has excellent coverage of forensic\anti-forensic topics, ranging from secure disk wiping to deleting USB device history to disabling thumbnail caching.

To provide a brief example, suppose that you are conducting a forensic examination of a user’s home computer.  On a typical system you would expect to find some photographs and, by extension, Thumbs.db files.  A Thumbs.db file is the thumbnail cache that Windows Explorer (on Windows XP and earlier) writes into a folder when that folder is viewed in thumbnail view; it holds small copies of the images in that folder.  The Thumbs.db file lives in the same directory as the photographs and keeps its thumbnails whether or not the photos themselves have since been deleted (pay attention EnCE students).  Later versions of Windows keep a central thumbnail cache in the user’s profile instead, so check which version you are examining before drawing conclusions from the absence of Thumbs.db.

Suppose the system that you are investigating does not have any Thumbs.db files on it. Personally, I would find that odd.  So you can either conclude that Thumbs.db files are not resident on the system and end your analysis there, or you can head over to www.anti-forensics.com and find out why the Thumbs.db files may not have been on the system (thumbnail caching can be disabled, and the files can be deliberately deleted).

Sep 5

As I mentioned in another post, www.anti-forensics.com is an excellent resource for learning how “the bad guys” may be trying to hide their tracks.  I was over at the site this morning and I have to say again that there is some really excellent content there for EnCE candidates and computer forensics examiners alike.  If you are interested in learning to think like the bad guy, I highly recommend that you head over to the site. 

Please don’t take that last statement to mean that I think the anti-forensics site is for “bad guys.”  The information there could just as easily be used by privacy advocates or people who are just genuinely interested in the topic.  When I put on my computer forensics hat, though, I start thinking about catching the bad guy and that may slightly bias my writing…

Sep 5

I’ve read a number of posts in computer forensics forums that have to do with education.  Generally, the questions have to do with either how to get started in computer forensics or what type of degree (AA, BS, MS, PhD) one should pursue.

In my opinion, and this applies to any field, the amount of education necessary is a function of how far “up the ladder” you want to go.  In terms of the computer forensics field, if you want to be a technician you could get an Associate’s degree or go the certification route.  With no further education, though, you may spend your career imaging hard drives or building forensic workstations.

With a Bachelor’s degree, some experience and perhaps a certification such as the EnCE you could land a solid role as a forensic investigator or forensic analyst.  If you put in some time in this role and continue to pursue certifications and training, you could work your way into a team lead\department manager role and honestly probably go about as high up the corporate ladder as anyone.

A Master’s degree is a good way to get into a computer forensic analyst role if you already have a Bachelor’s degree in another field.  If you couple the MS with a certification such as the EnCE you can probably expect the same career path as described above for the Bachelor’s degree.  Depending on the company though, you may have an advantage over the individual with the Bachelor’s degree and your path to the top may be a bit more expedient.

I’m not aware of a PhD program in Computer Forensics but if one exists, I would think it would be appropriate for someone who either wants to instruct at the university level or wants to start his\her own company.

If you have some IT experience already and you are trying to determine which route to go in terms of a degree, I’d recommend taking some of the training courses from Guidance Software. Perhaps obtain the EnCase Certified Examiner certification as your entry point to the computer forensics field. 

Once you are actually working in the field, you can make a better assessment of the route you’d like your career to follow and then you can make your decision regarding the correct degree program.

Sep 5

There are a number of computer forensics certifications that one could choose to challenge, including the EnCase Certified Examiner (EnCE), AccessData Certified Examiner (ACE), Certified Computer Examiner (CCE), GIAC Certified Forensic Analyst (GCFA) and Certified Forensic Computer Examiner (CFCE), to name a few.

How then, does one choose the appropriate certification to pursue?  While all of the certifications listed above are valuable, I would recommend pursuing one that includes a practical examination and one in which you can use the tools with which you are most familiar.  As an example, it is going to be difficult for you to pass the ACE if the only forensic utility that you’ve used is EnCase Enterprise.

If you are trying to obtain a certification in order to break into the computer forensics field, I’d recommend searching the job boards for computer forensics positions to see which utilities are most often listed as required skills. About.com provides a good overview of most of the computer forensics certifications, so I’m not going to go into the nitty gritty of each certification.  Instead, here is a link to the appropriate About.com page:

http://certification.about.com/cs/securitycerts/a/compforensics.htm. 

Call me biased, but I am personally a fan of the EnCE certification.  EnCase is an industry standard and is found in most, if not all, computer forensics shops, so having the EnCE certification demonstrates to employers that you have mastered a tool that they use in their forensic labs. 

In addition, passing the EnCE practical was a major confidence booster for me and I have used many of the techniques that I learned as a result of the EnCE practical during my “real” analyses.

In summary, in order to determine the proper computer forensics certification I would look at the following:

1. certifications that require a practical.

2. certifications that demonstrate mastery of an industry-standard tool\utility.

3. certifications that you see in job listings.

4. certifications that allow\require you to use a forensics utility with which you already have experience.
