Call : (+91) 968636 4243
Mail : info@EncartaLabs.com
EncartaLabs

OpenText EnCase - Incident Investigation

(Duration: 4 Days)

The OpenText EnCase - Incident Investigation training course focuses on the use of EnCase Endpoint Investigator (EnCase) and other tools to acquire and analyze data in a manner that demonstrates the relevance of various file system, network, and memory-based artifacts in the context of an investigative scenario. You will examine the different factors that affect incident investigations, including planning, basic forensic principles, and examination and response options. You will observe how failing to take note of important issues and implement suitable policies can lead to weaknesses in IT infrastructure and the loss of evidential data. Conversely, you will learn to appreciate the benefits of forward planning, employee education, audit and event logging, and suitable access-control policies. This course is very much focused on the recovery of data for the purposes of an investigation and the context in which said data may prove valuable.

By attending OpenText EnCase - Incident Investigation workshop, delegates will learn:

  • Incident investigation/response considerations
  • How to capture disk and memory data using EnCase Endpoint Investigator and other tools
  • The significance of Windows Registry and file-system metadata, paying particular attention to the NT file system (NTFS) and timestamp analysis
  • How to identify and recover data encrypted using the Microsoft Encrypting File System (EFS) and BitLocker; also how properly applied group policies can help to recover said data and the potential significance of NTFS alternate data streams
  • The benefits of USN change log and ShellBag analysis and how they may complement one another
  • The significance and analysis of shortcut link files and jumplists
  • Windows event log and $LogFile analysis
  • Microsoft Windows Recycle Bin mechanics and analysis
  • Examination of volume shadow copies
  • Memory analysis using Volatility; also the recovery of passwords, encryption keys, and other data from memory dumps
  • Determining the nature, identity, and provenance of files and folders using hash, signature, and USN change log analysis
  • Identification and recovery of artifacts from Internet Explorer, Edge, Firefox, and Chrome

Prerequisites:

  • Attend a training on OpenText EnCase Digital Forensics - Essentials or equivalent practical experience

The OpenText EnCase - Incident Investigation class is ideal for:
  • Digital Forensic Investigators, including IT Specialists, Security Analysts, DFIR Practitioners & Traditional Digital Investigators.

COURSE AGENDA

Day 1

  • Understanding incident response considerations, including education, planning, policy implementation, training and equipment.
  • Learning the benefits of capturing disk, network and RAM data.
  • Learning the importance of capturing non-digital evidence.
  • Understanding the consequences of pursuing different examination methodologies when weighed against the need to acquire evidential data.
  • Learning how to use EnCase to preview and acquire data pertinent to your investigation and take a snapshot of volatile data.
  • Learning how to acquire an image from RAM.
  • Examining the concept of network sniffing, capturing network packet data and factors that can affect the process.
  • Understanding the Microsoft Windows operating system registry.
  • Learning to locate and decode registry data manually, using native EnCase functionality or programs written in the EnScript programming language.

Day 2

  • Understanding the nature of NTFS metadata and how it is stored, as well as the basic layout of a $MFT record.
  • Examining the contents of the $STANDARD_INFORMATION attribute ($SIA) and the $FILE_NAME attribute ($FNA), paying particular regard to the time stamps they contain.
  • Examining how the NTFS $MFT $DATA attribute is used to either store or reference a file's data on an NTFS volume, along with the nature and potential importance of alternate data streams.
  • Tackling data encrypted using the Microsoft Windows Encrypting File System (EFS) and BitLocker.
  • Extracting NTFS USN change-log journal records and subsequent analysis.
  • Examining the NTFS $LogFile and its significance.

Day 3

  • Learning how event-log data can be processed, searched and bookmarked using EnCase.
  • Understanding how to examine event-log data using Windows, as well as the importance of prefetch file analysis.
  • Understanding shortcut link files and jump lists, their significance and how to examine them.
  • Analyzing the Windows Recycle Bin folder and its contents.
  • Studying the significance of Windows ShellBag data and its importance when determining the provenance of folders accessed by the user.
  • Understanding the Volume Shadow Service (VSS) and learning the importance and analysis of volume shadow copies.

Day 4

  • Understanding the operation of RAM, its analysis using the Volatility memory framework and the importance of timely analysis of volatile data, particularly where encryption and cloud-based file storage is concerned.
  • Overview of Internet Explorer, Microsoft Edge, Firefox and Chrome artifacts.

Encarta Labs Advantage

  • One Stop Corporate Training Solution Providers for over 6,000 various courses on a variety of subjects
  • All courses are delivered by Industry Veterans
  • Get jumpstarted from newbie to production ready in a matter of a few days
  • Trained more than 50,000 Corporate executives across the Globe
  • All our trainings are conducted in workshop mode with more focus on hands-on sessions

View our other course offerings by visiting https://www.encartalabs.com/course-catalogue-all.php

Contact us for delivering this course as a public/open-house workshop/online training for a group of 10+ candidates.