IR250 - Incident Investigation - On Demand


Format: Self-paced

Duration: 32 Hours

Role(s): Analyst




This course is also available in instructor-led format.





Course Description


This EnCase Training OnDemand course focuses on the use of OpenText™ Endpoint Investigator and other tools to acquire and analyze data in a manner that demonstrates the relevance of various file system, network, and memory-based artifacts in the context of an investigative scenario. Students will examine the different factors that affect incident investigations, including planning, basic forensic principles, and examination and response options. They will observe how failing to take note of important issues and implement suitable policies can lead to weaknesses in IT infrastructure and the loss of evidential data. Conversely, students will learn to appreciate the benefits of forward planning, employee education, audit and event logging, and suitable access-control policies. This course is very much focused on the recovery of data for the purposes of an investigation and the context in which said data may prove valuable. Students will participate in practical exercises throughout the course to underscore and drive home the skills taught.

CPE Credits - 0

Students attending this course will learn the following:

  • Incident investigation/response considerations
  • How to capture disk and memory data using OpenText Endpoint Investigator and other tools
  • The significance of Windows Registry and file-system metadata, paying particular attention to the NT file system (NTFS) and timestamp analysis
  • How to identify and recover data encrypted using the Microsoft® Encrypting File System (EFS) and BitLocker®; also how properly applied group policies can help to recover said data and the potential significance of NTFS alternate data streams
  • The benefits of USN change log and ShellBag analysis and how they may complement one another
  • The significance and analysis of shortcut link files and jumplists
  • Windows event log and $LogFile analysis
  • Microsoft Windows® Recycle Bin mechanics and analysis
  • Examination of volume shadow copies
  • Memory analysis using Volatility; also the recovery of passwords, encryption keys, and other data from memory dumps
  • Determining the nature, identity, and provenance of files and folders using hash, signature, and USN change log analysis
  • Identification and recovery of artifacts from Internet Explorer, Edge, Firefox, and Chrome

Please note that this course touches on subjects covered by other EnCase Training courses, so attendees of those courses may experience a small overlap.

SYSTEM REQUIREMENTS

  • A desktop/laptop computer.
    • Microsoft® Windows operating system is recommended.
  • Internet access
  • Latest Adobe® Reader software http://www.adobe.com
  • Some courses offer the ability to conduct optional practical exercises on a remote workstation. Chrome and Firefox are recommended.

***OpenText Learning Subscription, Security Edition holders may only be registered in two (2) Training OnDemand courses concurrently

You are registering for an online class. EnCase Training OnDemand courses can be accessed online 24/7.

Contact: encasetraining@opentext.com

1-626-463-7966

TERMS & CONDITIONS

  • Access to the course materials for our EnCase Training OnDemand classes will be granted once payment is received.
  • The Training OnDemand courses are valid one year from the date of purchase.
  • Once a course is accessed, the student will have 60 days to complete the course.
  • Each Training OnDemand course can only be taken once.
  • Students can only be enrolled in two Training OnDemand classes concurrently.
  • PHYSICAL MANUALS ARE NOT AVAILABLE FOR TRAINING ONDEMAND COURSES.
  • A timed eBook will be assigned for each course and can be viewed for one year. Printing and copying of eBooks are prohibited by the DMR application.

The professional services and/or learning services (if applicable) set out in this quotation will be provided pursuant to the OpenText Professional Services Program Handbook applicable to the services being purchased (available at www.opentext.com/agreements). For your reference, the direct link to the Handbook is here: https://www.opentext.com/file_source/OpenText/en_US/PDF/opentext-encase-program-handbook-en.pdf

Prerequisites


Participants should have attended the OpenText™ course, DF120–Foundations in Digital Forensics.

Pricing


Format Currency Price
Per Student 3,200.00
Per Student GBP 2,600.00
Per Student USD 3,600.00

Taxes: All prices exclude VAT or other taxes where applicable (all currencies).

Extra expenses: Customer site course prices do not include instructor travel expenses, which are billed separately.

Reservations: Please provide a minimum of 3 weeks' advance notice when arranging courses at customer sites.