The best advice that I can give to those who are about to begin the EnCase Certified Examiner Practical exam is to develop a test taking strategy and to not procrastinate. When you receive the practical exam and evidence files, read all of the questions and develop a strategy for your analysis so that it flows logically. If, for example, when reading the test questions you notice that the second to last question is going to require a hash analysis, part of your strategy might be to hash all of the files as soon as you get the evidence added to your case. While you are at it, run a file signature analysis as well and potentially search for internet history and email.
By doing these steps up front (i.e. prior to the second to last question) and together, you may uncover evidence that will lead you to the answer of other questions on the exam. Because EnCase allows you to complete these steps simultaneously, you are also enhancing the efficiency of your analysis. These steps should be obvious to experienced examiners but some people have a tendency to “hunt” for answers to individual questions in a test taking scenario.
Back to the point regarding procrastination, by starting your analysis as soon as you receive the EnCE Practical you will allow yourself time to complete the required analysis and develop a thorough report. Obviously, I don’t grade the EnCE Practical but my guess is the report that you submit is weighted very heavily in terms of whether you pass or fail the exam. The report should clearly state your findings and be free from spelling and grammatical errors.
In addition to being free from spelling and grammatical errors, the report should not be so technical that you have to be an expert in computer forensics to understand it. Think of the audience for your reports (law enforcement, juries, management) and write your report so that they can understand it without you there to explain it.
This and other strategies and techniques are fully discussed in the EnCE Study Guide available at EnCEsecrets.com.
Good luck with your EnCase Certification!
