Encase Computer Forensics: The Official EnCE - Computer Forensics Certified Examiner Paperback – 7 March 2006
- ASIN : 0782144357
- Language: : English
- Paperback : 576 pages
- ISBN-10 : 0764595814
- ISBN-13 : 978-0764595813
From the Back Cover
Written by two law enforcement professionals who are EnCE and computer forensics experts, this official guide prepares you for both phases of the EnCE exam: a computer-based test and a hands-on test that requires you to examine computer evidence.
Key topics include:
- Understanding Computer Hardware. Understanding computers is crucial for computer forensics experts who are frequently asked to describe systems to juries. The book explains a computer's components, boot process, partitions, and file systems.
- First Response. What to do and how to follow procedures when first entering a scene.
- Acquisition of Digital Evidence. Creating EnCase boot disks; booting with EnCase boot disks; and drive-to-drive, network cable, FastBloc, LinEn and Enterprise acquisitions.
- EnCase Forensic Software Overview. Tour of EnCase environment including software, menus, and capabilities.
- Report Writing. Sample reports from real-life cases (names changed).
- EnCase Legal Journal. Essential information on operating within the law and giving expert testimony.
Visit www.sybex.com for all of your professional certification needs.
Featured on the DVD
SYBEX TEST ENGINE
Test your knowledge with advanced testing software, bonus exams, and challenging exam practice questions.
Reinforce what you've learned with flashcards that can run on PC, Pocket PC, or Palm handheld.
Also on the DVD: the entire book in searchable and printable PDF.
Most helpful customer reviews on Amazon.com
Now for the book:
It does exactly as advertised. I scored a 95% on the written. This book does NOT fall short of expectation. The book is organized not assuming any technical areas of expertise, but does assume some familiarity with computers overall. The basics are reviewed and are not intended to bore more savvy readers, but to re-familiarize us with some of the lost or forgotten knowledge required for this exam. It's arranged in an order that maximizes information intake, and once you've completed chapter 10, you'll understand the overall objective of the arranged order. Nitpicking typos is just ridiculous if the subject matter is mastered.
The book is geared around FAT. This is done, in my opinion, because FAT is more useable as a training subject. The differences between the two (NTFS) are major, but from an EnCase standpoint regarding testing it's trivial. The book was never intended to train someone on FAT or NTFS. Why confuse someone with the intricacies of NTFS if it's not relevant to the software itself? It's a manual on EnCase software. Any attempts to train operating system specifics not directly related to the forensic software would be beyond the scope of this book. They could have used Linux, Windows, or Mac. The mounting, searches, and use of EnCase tools would have been nearly the same. Note: the majority of home users and corporate desktops are in fact using Windows! Many USB-supported devices now prevalent are using FAT. In my office, I am one of two persons out of 60 that have Linux loaded. Most of your exposure will be with Windows-formatted devices. To learn about OS file systems, there are books that will teach this as their specialty.
My personal review of this book is not influenced by being a co-author of another book. Authors should work cooperatively even if competitive. Believe me, when a book is sub-par or blatantly wrong I will be on Amazon trashing it (look at prior reviews). The included CD has been trashed on past reviews. I cannot really get into why I am saying this, but those people trashing the flip cards and practice tests have in fact NOT sat down for the exam. If you are planning to sit for the exam and don't use the included study materials on this CD you are 100% missing the ball. EnCase 5 loads and works for the included materials and was never attached to the book with the intent of imaging your own hard drive and playing with the software. Again, the Q&A and materials included are specific to "Study Guide" for the EnCE exam.
EnCase is the court recognized software used for forensic analysis. Regardless of opinion, this is a fact. If you're going to expose yourself to any forensic software, you should learn this one. If you're curious and not preparing for an exam, this book is more than suitable for your needs for learning the process in concept. When you're finished reading you will understand it.
I'll update this review when I hear back from the publisher.
In the spirit of full disclosure I should mention I am co-author of a forensics book ("Real Digital Forensics") and Brian Carrier cites my book "The Tao of Network Security Monitoring" on p 10. I tried to not let those facts sway my reviews.
In terms of overall book value, ECF is the weakest of the three previously mentioned -- but it is the only book on EnCase. As such it is the one independent book which will help you understand the king of the commercial forensics world. I was particularly interested in using the accompanying DVD, which offered a demo version of EnCase. I did encounter the same limitations as mentioned in previous reviews, but I was able to at least perform most of the numbered exercises in the text. I thought the fairly crippled version of EnCase packaged with the book was a drawback, but I know Guidance Software is paranoid about even discussing their product outside of their training environment.
As far as covering EnCase goes, ECF is a pretty good book. I am an EnCase newbie, but I was able to follow most of the book's discussion of the product's interface. Since the lead author is a police officer, I also thought that perspective was valuable. His mindset appeared in the chapter where securing the crime scene was discussed. The inclusion of short case studies also kept the tone lively and relevant.
I had two major problems with ECF, hence the three star review. First, a book that includes a demo copy of EnCase and sample evidence files should use them throughout the text. When introducing EnCase's interface, use a sample evidence file from the DVD so the reader can follow along. While the book's exercises use the DVD evidence files, the textual explanations of the interface seldom do. That was frustrating. The authors should have either said "You need a fully licensed copy of EnCase to follow along" or they should have run all their examples as if they were a reader using the sample DVD. They would have learned you can't "Add Devices" using the DVD version and you can't save bookmarks -- argh.
The second major problem I found with ECF involved indications of technical misunderstandings and questionable vernacular. Examples follow. "BSD" is not "a Linux variant" (p 91). There is no such thing as "BSD Linux" (p 231). The authors' faith in MD5 should be positioned against research from the last few years. The "approved solution" for shutting down a Unix server ("synch; synch; halt") plus lack of non-Windows material made me question the relevance of the book to non-Windows platforms. On the language side, I didn't like reading about "NIC cards" (p 381) and "RAM memory" (p 381). These are the sorts of issues that make me wonder if I'm reading another book about "the Windows," thereby undermining my faith in ECF's recommendations.
On the operational forensics side, the book is strongly in the traditional "pull the plug, image the hard drive, grep for strings" camp. This model dominated host-centric forensics for decades, but it has been largely inadequate for the past 10 years. For example, there's nothing really useful on live analysis or memory forensics. NTFS is barely addressed, unlike FAT -- another sign of being somewhat backward. I think a second edition of this book would be a lot stronger -- and it would catch the error of using the word "Sudy" on the cover in place of "Study".
Still, because this is the only book on EnCase, it does share plenty of helpful suggestions on using that software. One possible use case for the book would be using it to apply EnCase to data provided on the DVD we ship with "Real Digital Forensics," looking for Windows artifacts described in WF, based on your understanding of hard drives from Brian Carrier's FSFA.