The EnCase Certified Examiner (EnCE) Certification Experience - The Practical Exam
by, 10-17-2011 at 06:52 PM (28013 Views)
Part 1 of this two-part article may be found at The EnCase Certified Examiner (EnCE) Certification Experience.
The second EnCE exam, referred to as EnCE v6 Phase II, is taken as a practical examination using EnCase v6 and E01 evidence files. The Phase II exam gives the exam candidate an opportunity to demonstrate his or her understanding of using EnCase to examine the contents of evidence files, perform an analysis of the information discovered, and sum up their findings in a formal report. In other words, the exam candidate is given a chance to give a practical, competent demonstration of what a forensic examiner does at work every day.
Note: This article describes my certification experience with the EnCE for EnCase version 6. The EnCE v6 exam will only be available until the end of 2011, after which time it will be replaced by the new EnCE certification for EnCase version 7. People interested only in the EnCE v7 certification should still find most of the information in this article relevant and useful.
If you pass the EnCE Phase I exam, the Phase II exam materials will be sent to you within a few days. You will complete the Phase II exam at your own pace and send your results and exam materials back to GSI for grading. The basic rules for taking EnCE Phase II exam are as follow:
- You have 60 days to complete the exam and return your exam report, the EnCE materials and dongle to GSI. The clock starts five days after the materials are shipped from GSI via United Parcel Service (mine arrived 36 hours after getting my Phase I results). The candidate can request another 30-days if needed, but 60 days is more than enough if you make completing your exam a priority.
- The exam is given on the honor system. You may not contact anyone with regards to the exam’s contents or completing the exam except for the EnCE Certification Coordinator. Unacceptable contact is considered cheating and is grounds for immediate failure and exclusion from admittance from future GSI exams.
- The exam candidate shall not make exam materials available to anyone, including both materials produced by the candidate and provided by GSI. Unacceptable information disclosure is considered cheating and is grounds for immediate failure and exclusion from future exams.
- The passing score for EnCE Phase II is 85%. If you fail Phase II, you will be given another 60-day opportunity to retake it. If you fail Phase II a second time, you will need to retake the Phase I exam before re-attempting Phase II.
I have heard that the pass rate for the EnCE Phase II is around 90%. If this is true, a Phase II candidate will likely pass because the exam should not contain too many requirements that you are not already familiar with.
Prepping for the EnCE Phase II Exam
The EnCE Phase II exam materials you will receive are a CD and a USB dongle. The ENCEPHASE2 CD contains EnCase evidence files, the EnCase installation program, and the README file you will need to complete your exam. The dongle is for running EnCase Forensic Training v6, which you will need to complete the exam. The dongle has an expiration date and will only open the evidence files supplied on the CD.You will install EnCase on a Windows XP, Vista, or Windows 7 system. Both 32- and 64-bit installations of EnCase 6.18 are included on the ENCEPHASE2 CD. Using the standard EnCase folder structure, you will create your target folder and store the evidence files on your hard drive along with the final report submission you will write.
I decided to install EnCase on Windows XP 32-bit in a virtual machine running in VMware Workstation 7 and save my case files and report to a thumb drive. I also installed my favorite forensic tools and a word processor in the VM’s guest OS too. I did this so I could port my EnCE data between my big i7-950 Windows 7 64-bit workstation when working in my home office and my dual-core Atom Windows 7 64-bit Netbook while working at my local, Wi-fi-enabled coffee house. It all worked very well. Remembering to move the dongle and case folder thumb drive between machines was the only tricky part.
Tackling the EnCE Phase II Exam
The EnCE Phase II exam itself is composed of 16 questions that should be answered in the most thorough detail you can deliver. The questions are multi-part and vary considerable in complexity, difficulty, and scoring value. The timeline of your investigation should be clearly reported.The exam questions need not be answered in a specific order. You can skip around as much as you like. If you get bogged-down on answering one questions, skip to another for a while and come back to it later with a fresh perspective.
I’m not going to go into any detail about how to actually examine digital evidence using EnCase. You already know how to do that yourself or you wouldn’t be taking the EnCE exam. If you use EnCase for a living, you already have a triage procedure, analysis workflow, and time budgeting methodology that you will use on the Phase II exam, so you don’t need much help from me.
However, if you are like me, a digital forensics student with no actual professional computer forensics work experience, what I hope to give you is some strategy and tactics on taking the exam itself that will hopefully help you expedite completing your own EnCE exam. If you lack an examination strategy, you will find that just “hunting and pecking” at digital evidence is inefficient and is a waste of your time, and is a symptom of analysis paralysis.
The state of analysis paralysis leaves you constantly asking yourself , “Where do I start?”, “What do I do next?”, and “How do I explain this in my report?” In any forensic examination, this is definitely the state of mind you want to avoid by having an examination strategy. If you still don’t understand what I am talking about, have a look at the section “Putting It All Together on page 549 in The Official EnCE: EnCase Certified Examiner Study Guide, and this article on the ForensicKB Web site.
The Correct Frame of Mind
You must believe that 60 days is plenty of time to complete this exam. Don’t get in a crazy panic about being short on time unless you have been slacking-off for a few weeks and ignoring your exam. Your goal should be to work on the exam every day in at least a 2-3 hour session. Try to get in two sessions a day on your off-work days. Also remember that the 60 days you are given (and the few extra days before that) includes the time it takes to send your EnCE exam results back to GSI.
I think it helped me not to have too specific of a goal for each session. It’s OK to plan, “I’ll find out as much as I can about test question N in the next two hours.” But if I were to say, “I will finish test question N today,” and I wasn’t able to, then I might either go into time-management anxiety or just feel discouraged. I found to best to strive for the feeling of exploration and discovery without pressuring myself to discover results at a specific point in time. If you know your computer forensics examination stuff, findings will jump out at you from everywhere anyway.
Strategy and Tactics
Having only academic experience with EnCase, I approached the problem of answering the exam questions by first creating the outline of my report and writing in each answer section how I thought that I might determine the answer. For example, if an exam question required bookmarking all of the files in the evidence that contained the string “THIS IS EVIDENCE”, I would research and write down the procedure I would use. When this procedure turned up no results, I would go back and revise my procedure.
After a few procedural revisions with still no result, I would need to consider the possibility that I either did not understand the question, or I really needed to expand my understanding of computer forensic examination methods and techniques. (Be forewarned that the EnCE exam experience will require you to expand your existing digital evidence examination skill set.)
I found it very helpful to keep a written notebook of my finding rather than putting them in a file in a text editor. While researching one exam question, you will likely discover information useful to other exam questions. You will need your notes to save time remembering when and where you made your findings, and to jot down your own ideas. It’s also convenient to flip through pages of your notes when looking for information that might help you with a problem. If you are a forensic examiner that works with paper case files, you write yards of notes for every report anyway, so you already know what I mean.
It Is What It Is
A state of Never-ending Analysis can occur when you start asking yourself, “Have I found everything?”, “Should I keep searching for more findings?”, and “Should I be even more detailed in my documentation?” You must be able determine when you have truly finished answering an exam question or you will be wasting a lot of your time.
If you are unsure that you have completed your analysis, start to work on another question. You might stumble across some more findings relevant to previous questions you have worked on, or get an idea of how to modify your analytic methodology to discover other findings.
And finally, save all and save often. Few events are more discouraging than spending hours searching, bookmarking, and writing your report only to loose it because you for forgot to occasionally hit Crtl+S. Make sure that both your word processor’s and EnCase’s autosave feature is enabled and running every few minutes.
Can I Use my Favorite Forensic References?
One thing the EnCE Phase II instruction do not address is the use of reference materials for computer forensic analysis. Any exam you can take at home is an open book exam, so surely any reference that is not considered cheating materials (e.g., brain dumps, “study guides” claiming to have actual test questions, other EnCE candidate’s notes or reports) should be good to use for the EnCE. I didn’t confirm this with GSI’s EnCE Coordinator, but it seems a reasonable assumption.Of course, the one reference book you must have is the The Official EnCE: EnCase Certified Examiner Study Guide (for Version 6) by Steve Bunting. This book doesn’t have everything you will need to complete the EnCE exam, but it is the single best reference source. Harlan Carvey’s Windows Registry Forensics and Brian Carrier’s File System Forensic Analysis are good to have close by too. You will find useful supplemental information at the Forensics Wiki, ForensicKB blog, the EnCase 6 help file, and the EnCE Study Guide Version 6 PDF from GSI.
I happen to know that GSI is very diligent about scanning the Internet for information leaks regarding the EnCE exam, so the likelihood of finding cheating materials is quite small. And any cheating materials that are public can be rendered useless by GSI making small changes in the EnCE exam.
Can I Use My Favorite Forensic Tools Too?
The EnCE exam will show you how well, or how little, you know EnCase 6 and where you use it effectively and inefficiently. Although EnCase is a great digital forensics analysis tool, there is no one tool that can do everything. So very soon into the exam you will start asking yourself, “Am I allowed to use forensics analysis tools other than EnCase for the EnCE Phase II exam?”
This was one question I certainly had. I can’t see myself tacking a Windows forensics examination without using RegRipper, OpenOffice Calc, my favorite hex editor, 3rd-party EnScripts, and few other miscellanies programs I use for data visualization.
I searched through the EnCE Phase II instructions, but found no explicit requirement or exclusion stating that only EnCase Forensic Training v6 could be used to complete the exam. I should have emailed GSI’s EnCase Coordinator and asked, but I decided that such a limitation to be unreasonable, so I took a chance. As it turned out, doing so was not only allowed, but also a great time-saver. (There are just some analysis operations that EnCase v6 doesn’t do quickly or at all.)
In a proper forensic report, all of the hardware and software used to obtain the analysis results should be listed. After reviewing my own list, I was rather surprised at how many other software tools I did end up using. I just glad that a few of them wouldn’t be challenged for their “forensic soundness” in a U.S. court of law.
Writing the EnCE Phase II Report
I can’t emphasize enough not to underestimate the amount of time it will take you to write your EnCE Phase II final report. If you do, as one of my CF professors says, “You will find yourself really hating life.”
Hopefully you have completed at least one full case file in your computer forensics experience and know what what a load of detailed work a forensic report can be. I actually started writing my EnCE final report before I received my EnCE Phase II materials. I used the templates and reports I had written in my EnCase classes as the basic framework and content for my report. This turned out to be a huge time-saver for me.
Writing the actual final report for EnCE Phase is probably not what you would expect. The exam requires that you save all of your report information in EnCase bookmarks and export the bookmarks to an RTF file. You can use any bookmark structure and report format that you like, but the information required to answer each question must be present in your final report bookmarks.
After creating the outline of your report, start writing the answer to each exam question. There is actually a lot of detail you can write about each answer before digging into the evidence files with EnCase. Use a “fill in the blank” format for the parts of the answer you will fill in later. This will also allow you to get a mental grasp of the entire scope of the exam and what you will need to do to complete it. If you are writing notes, you can transfer them to your report later.
Find files, folders, and other data and bookmark it for later analysis. It is very handy to access files via bookmarks rather than performing subsequent searches, or scrolling through long lists of home-plated folders and files. (I actually learned a lot about EnCase bookmarks thanks to the EnCE exam.) Be sure to note any bookmarks you make in your written notes so you don’t forget about them.
The exam’s instructions mentions writing sections of your report in a word processor, like Microsoft Word or OpenOffice Writer, and copy-and-pasting the text into your bookmarks. This method worked very well for me and I recommend it. But don’t waste you time on fancy word processor text formatting. There isn’t much support for formatted bookmark text in EnCase v6.
After you perform the final save of your report in RTF format, you can clean it up in a word processor too. I the sake of readability, I fixed spelling and grammar, pagination, a few tables, and the title page in my final report. I considered making headers, footers, section heading styles, and a table of contents, but that fancy stuff is not part of the exam grading. The report only needs to be readable in content and structure and contain the information necessary to answer the exam questions, of course.
After the report is graded at GSI, it is tossed into the shredder. So unless you plan on adding your EnCE report to your computer forensics portfolio that you present at job interviews, don’t go to too much trouble to make it look fancy.
Regardless if you know how to write a forensics examination report using EnCase or not, you should read the section “Bookmarking” in Chapter 7 and “Creating Paperless Reports” in Appendix A of the EnCE Official Study Guide. There is also some academic information on EnCase reports to be found via Google.
Submitting Your EnCE Final Report
Once you are satisfied that your examination and final report are complete, you will need to turn your findings into GSI. You will save your entire case folder, along with your finished report, to a CD, DVD, or Flash drive and mail it to the EnCE Coordinator at GSI. Emailed exam submissions are not accepted.
On the CD or DVD you burn, your case folder should contain your case file, report file, and any exhibits saved to the Export folder. You might as well also include the evidence files in case GSI needs to look at your case file, bookmarks, search keywords, etc. in EnCase itself. It is not necessary to include a printed copy of your report, so let GSI print out their own hardcopy if they need it.
I packaged my burned DVD, dongle, and a cover letter in a padded envelope. You must remember to include the EnCase dongle that came with your ENCEPHASE2 CD, or you will not be granted certification until it is returned. The EnCE Phase II instructions didn’t mention that the ENCEPHASE2 CD must be returned too; as the EnCE v6 exam is due to be retired in just a couple of months, I decided to keep the CD as a souvenir.
I sent my results to GSI using Federal Express. I highly recommend using a courier service because of the tracking receipt. GSI does not send you an email confirming that they received your EnCE exam submission. I live only about 35 miles from GSI (as the crow flies) and it was delivered the next day. This event marked the beginning of…
…wasn’t that bad for me. I was notified by email 12 days later that I had successfully passed the EnCE. The notification email contained my certification number and information on the EnCE certificate, wallet card, logo, and that the EnCE certification has a 3-year renewal period.
EnCE candidates are only given a PASS or FAIL notification, and no breakdown of how well they did—and didn’t—do on their report. This “a PASS is a PASS” philosophy allows all EnCE-certified examiners to be considered equal, which I agree with as being the proper thing to do (although I’d still like to know what my score was).
How long you wait for your EnCE results depends on how many exams are waiting in the queue ahead of yours, so the wait time can vary. The certificate is shipped by UPS 4 to 8 weeks after passing the EnCE Phase II, also depending on the number of candidates ahead of you in the queue.
The EnCE certification exams are a very good test of a computer forensic examiner’s ability to use Guidance Software’s EnCase Forensic software product. Although not every feature available in EnCase may be tested, the level of knowledge, understanding, and competency necessary to pass the EnCE exams is a indication that an EnCE-certified individual has a clear and strong understanding of computer forensic methodology, techniques, and the ability to competently use EnCase for retrieving and analyzing real world evidence, and properly documenting methods, procedures, and findings.
Total Trackbacks 0