View RSS Feed

JDMurray's Blog at www.TechExams.Net

The EnCase Certified Examiner (EnCE) Certification Experience

Rate this Entry
by , 08-19-2011 at 11:21 PM (81783 Views)
The EnCase Certified Examiner certification, or EnCE®, attempts to measure and verify a person’s knowledge and skill in the use of computer hardware, operating systems, file systems, forensic investigation methodology, and the EnCase digital forensics software.

The EnCE certification was introduced in November 2001 by Guidance Software Incorporated GSI) of Pasadena, California USA. GSI produces hardware and software that is widely used in computer forensics, and offers digital forensics and eDiscovery services. GSI is also the creator and owner of EnCase, the forensics software product for which the EnCE certification was
created.

Both EnCase and the EnCE certification are well-known and well respected within the computer forensics community. EnCase has been proven multiple times in state and federal courts to be forensically sound by withstanding challenges using the Daubert Standard and the Frye Standard. With currently over 3000 EnCE-certified individuals worldwide, EnCE is possibly the most-widely held certification in the field of computer forensics.

Note: This article describes my certification experience with the EnCE for EnCase version 6. The EnCE v6 exam will only be available until the end of 2011, after which it will be replaced by the new EnCE certification for EnCase version 7. People interested only in the EnCE v7 certification should still find most of the information in this article relevant and useful.


What’s in the EnCE Certification?

The EnCE certification is achieved by completing the necessary EnCasetraining, or obtaining a minimum two years of professional computer forensics experience, paying an exam fee, and achieving a passing score on two exams. There is no exception for waiving any of these requirements.

The first EnCE exam, referred to as EnCE v6 Phase I, istaken online and gives the exam candidate an opportunity to demonstrate his or her understanding of the following areas of knowledge:
  • Understanding and use of the EnCase program
  • Features and functional concepts of the EnCase program
  • PC hardware components and operational concepts
  • The Windows operating system and how it stores and tracks information
  • Information storage file systems and the life cycle of file information
  • Information storage devices components, mechanics, and operation
  • Binary, decimal, and hexadecimal numbering systems and conversions
  • Proper evidence handling procedures for computer forensics investigators
  • United States Federal laws and regulations regarding computer forensics
The second EnCE exam, referred to as EnCE v6 Phase II, is a practical exam which tests the candidate’s ability to use the EnCase program to examine information on a Windows computer, perform and analysis for the presence of inculpatory or exculpatory evidence, and document the findings. I will cover the EnCE Phase II exam in a future blog article.


Signing Up for the EnCE Exam

Signing up to take the EnCE exam is a multi-part process. First, you are required to submit an Application For EnCase® Certified Examiner to the EnCase Certification Coordinator at GSI. In this application youwill declare your intention to acquire the EnCE certification and state how you have met the requirements.

For EnCE v6, the requirements are that the candidate have at least 24 months of professional computer forensics experience, or have completed at least 64 hours of computer forensics training. You will need to include details of where you received your work experience and training. There is no application processing fee.

In my case, I have no practical lab or field computer forensics experience. Instead, I completed a series of courses from a Southern California university given by the Director of Risk Management at GSI, Andy Spruill, and the Director of the Orange County FBI Regional Computer Forensics Lab (OCRCFL), Jason G. Weiss. The courses totaled 92 hours of classroom and hands-on instruction in the forensic examination of computers and electronic storage systems using EnCase. This satisfied the training requirements for the EnCE certification.

Once you have submitted your application (by mail or email), you will be notified via email of your approval status. If you are approved to take the EnCE exam, the email will include information on how the exam is administered and the cost. Payment options for the EnCE include credit card, bank check, money order, wire transfer, purchase order, prepaid testing vouchers, or as part of the fee for an EnCE Prep Course. When I signed up for the EnCE exam in August 2011, the cost was $200USD, and I paid by credit card over the phone.

After payment for the exam has been approved, you will receive an email containing your online exam login information and the link to start your EnCE Phase I exam. You have 30 days to start the Phase I exam once you have received this email.


The EnCE Phase I Exam

The EnCE Phase I exam contains 180 multiple choice and true/false questions, each with only a single correct answer selection. For international candidates, there are only 174 question, as the exam questions referring to US laws have been removed. The candidate is given 120 minutes to complete the exam and the passing score is 80%. Candidates failing to pass the Phase I exam will be required to wait 60 days and pay the exam fee again before retaking it.


Taking the EnCE Phase I Exam

The EnCE Phase I exam is provided online through ***********.com. It can be taken either as part of an EnCase preparation course at a training facility (or at a conference, like CEIC), or it can be taken online anywhere you have access to an Internet connection. Once you start the exam, you must complete it. You are allowed to flag and skip questions, and to review and change your answers before either submitting the exam or time runs out. Your score is shown immediately upon completion.

Once you pay your exam fee you will have only 30 days to complete the EnCE Phase I exam. When you pass Phase I, you will be sent the Phase II exam materials promptly. I was able to start my Phase I exam the same day I submitted my exam fee, and I receive my Phase II exam materials (via United Parcel Service) about 36 hours after I passed Phase I. Don’t start the EnCE exam process unless you are willing to devote plenty of time to the practical assignments in Phase II.


So the EnCE v6 Phase I is an “Open Book” Exam?

Taking an online exam in the comfort of your own home would tend to suggest that the EnCE Phase I exam is open book, open note, open Internet, and even open EnCase. There is no indication in the emailed EnCE exam instructions that books, notes, the Internet, and even EnCase itself cannot be used to complete the exam. There is only explicit instructions that, while taking either the Phase I or II exam, the EnCE candidate may not contact any EnCE-certified individuals for assistance.

Once you start the Phase I exam, the exam instructions presented specify that the exam candidate may not have any assistance in taking the exam other than using his or her own personal knowledge, skills, and experience. Although not explicitly stated, this does rule out the EnCE being an “open book” exam, and the honor system is used to ensure that the EnCE candidate will not treat it as such. Unlike some other IT certification exams, there is no explicit Code of Ethics that the candidate must sign to this effect.

In my experience, online exams are designed so that the candidate has very little time to spend on each question. Spending time thumbing through books, searching online notes or Web sites, or even poking around in EnCase, are therefore not time-wise things to do.

The exam questions that are easy to look up you should already be able to answer quickly. Many questions will also not be answerable from your study notes, such as the meaning of complex grep expressions, search terms, and binary-to-hexadecimal conversions. With books, notes, and the Internet available, you may tend to search for most answers rather than trust your own knowledge and experience; doing so will only slow you down.

The bottom line is you should be taking the EnCE exam because you know the EnCE material code and not because you think that you can quickly look up the answers.


Studying for the EnCE Exam

The EnCE Study Guide, 2nd edition by Steve Bunting is literally the only book you will need to pass the EnCE Phase I exam. Of course, you also need to know how to use EnCase v6 itself, and unless you have access to EnCase Forensic in a classroom or at your place of work, you will be spending quite a bit of money to buy EnCase Forensic for yourself. There is a demonstration version of EnCase on the study guide’s DVD, but it does not support all of the features that you will need to know for the exam.

So the EnCE is easy to study for. All you need is the EnCase Study Guide, a working installation of the EnCase program, and experience using EnCase, which will come in either the classroom, on the job, or both. You therefore don’t need to collect a desk full of books, a computer full of PDFs, instructional videos, and practice exams, and begpeople on TechExams for their EnCE study tips–but I will give you mine anyway.


Tips for the Exam

Before reading each chapter in the EnCE study guide, read the Summary section at the end of the chapter. The Summary contains a boiled-down view of the information presented in the chapter. This will give you an idea of what you are trying to learn from the chapter’s material. Also read the Exam Essentials section following the Summary section. This section explains what you will specifically need to know from the chapter for the exam. In fact, the information in the Exam Essentials sections makes a great checklist for creating your own EnCE study plan.

After reading the Summary and Exam Essential sections, read the chapter and high-light the important facts and information. When you go back and re-read the chapter, copy your high-lights to your study notes. A week or two before you take the exam, you should only be studying the factual information in your notes and not reading through the entire book.

Thoroughout the study guide are exercises in the use of EnCase and other concepts in the book. Do these exercises to get the experience of learning the concepts that you do not know. There are mistakes in these exercises, so check the publisher’s site for an errata (none was there the last time I checked).

The DVD included with the study guide contains a set of a set of electronic flash cards used to learn many concepts that you may see on the exam. Use these and the Review Questions at the end of each chapter to test your understanding of EnCE concepts. Be honest with yourself about what you do not know or understand. In addition to passing an exam, you are attempting to make yourself a better forensics examiner and EnCase user, so missing a chance to acquire new knowledge is just cheating yourself.

Even a seasoned EnCase user will be bewildered after thumbing throughthe EnCE study guide. Although you really should try to learn it all, here are a few things that I recommend you should really know for the EnCE Phase I exam:
  • How dates work in Windows
  • Windows PC boot-up and shutdown procedure
  • The user interface features of EnCase
  • EnCase’s search terms (keyword searches) work and what any given term will match
  • EnCase’s grep syntax and what any grep expression will and won’t match
  • How to interpret the results of a file signature analysis
  • Where FAT and NTFS file, folder, and partition information is stored on a hard disk and how it is interpreted
  • The E01 file format and how EnCase uses it to preserve confidentiality and integrity of the evidence
  • The proper treatment of evidence both on-scene and in the lab
Of course, don’t make the information in this list the only thing you try to remember for the exam.


My Result

After all my classroom learning and preparation, I scored an 87% on the EnCE v6 Phase I exam (80% needed to pass). Not a bad score considering I only have academic experience with computer forensics examinations and do not use EnCase on a daily (or weekly) basis. I was impressed with the quality of the EnCE Phase I exam and the exam experience at ***********.com.

I would really like to know what exam questions I missed, but that information is not available. Anyway, I just received the EnCE v6 Phase II exam materials and I need to get cracking on that for my next blog article!
Categories
Uncategorized

Comments

  1. airhack's Avatar
    Hi JDMurray,

    Thank you for such an informative article.
    I have a few doubts can you clear them ?

    I have around 1+ years of experience in Computer forensics, but its not dealing with Encase but open source softwares, So i have no experience with Encase currently and taking a prep course is not financially possible at this moment.
    How do i prepare for the EnCE certification, Can i get an evaluation copy of Encase version 7 and gets my hands dirty on it and is it possible to clear the certification without taking the prep course from Encase.

    My skills and work experience in Open source forensic soft wares is strong.
  2. rmartinez2448's Avatar
    thanks for your input. How are you doing with Phase Ii and any input you can give.

    thanks

Trackbacks

Total Trackbacks 0
Trackback URL: