8/2/2019 EnCE v6 Study Guide
EnCE Study Guide Version 6
Copyright 2011 Guidance Software, Inc. May not be copied or reproduced without the written permission of Guidance Software, Inc.
Certification Background
The EnCase Certified Examiner program was created to meet the requests of EnCase users as well as to provide a recognized level of competency for the examiner. While many different certifications exist, the EnCE provides an additional level of certification and offers a measure of professional advancement and qualifications.
Certain qualifications must be met to enter the certification process. An application and a detailed explanation can be found at:
http://www.guidancesoftware.com/computer-forensics-training-ence-certification.htm
The cost is USD 200.00 US and Canada, and USD 225.00 International payable by credit card, check, or purchase order. The certification program does not generate profits for Guidance Software; the testing fee covers the cost of the written test provided by ExamBuilder. Once payment has been received and processed, the certification coordinator will email testing instructions to you.
The certification process addresses both EnCase software (EnCase) and general areas of computer forensics. It involves a written test consisting of 180 questions (174 for international candidates; no legal questions). Two hours are provided to complete the written exam, which is true/false and multiple choice.
Once the Phase I results are received, the certification coordinator will ship the Phase II exam to you at the address you provided on your application. You will be notified via email when your package has been shipped. If you fail the Phase I test, you will be required to wait two (2) months from the date the test was taken to be issued a new voucher and re-test.
In your Phase II package you will receive a compact disc that has a certification version of EnCase Forensic, evidence files, and objectives or issues you must address. You must work the case, compile your report, and then send the report to Guidance Software for review and grading within 60 days. If you do not finish the Phase II in the time allotted, you will be required to wait two (2) months from the date that the test was due and restart from the beginning.
Those who fail the EnCE Phase II exam must wait two (2) months prior to retesting. We will not provide feedback on what was missed on the exam. If after resubmitting Phase II you fail again, you must begin the retesting process from Phase I.
Beginning the Certification Process
The first step toward certification is to review the qualifications and complete the application available at:
http://www.guidancesoftware.com/computer-forensics-training-ence-certification.htm
Submit the completed application to the EnCE certification coordinator at the address provided. Once your application has been received and accepted, you will be provided with a voucher to enroll in Phase I of the testing process.
Phase I Testing Options
ExamBuilder
o ExamBuilder provides online testing services available at all times.
o Once you receive email instructions from the certification coordinator, visit the ExamBuilder website at https://testing.exambuilder.com/ to enroll in the Phase I testing process. Follow the instructions for log in and complete the enrollment form.
o If you have questions about the enrollment process, contact the Guidance Software certification coordinator at (626) 229-9191, ext. [email protected]
EnCE Prep Course
o This course is designed for EnCase users preparing for certification. The certification is based upon the skills and knowledge presented in Guidance Software's EnCase Computer Forensic I and EnCase Computer Forensic II courses. The EnCE Prep course is not intended to be a replacement for these two classes; instead it is a thorough but accelerated review of the covered subjects. Students cannot waive or substitute the prerequisite attendance of Guidance Software's EnCase Computer Forensics II course when applying to attend the EnCE Preparation course.
o The Phase I written examination will be administered on the final afternoon of the course in a monitored, timed environment.
o The examination will be administered only at Guidance-owned sites in Los Angeles, Chicago, Houston, Washington DC, and London; Authorized Training Partners cannot conduct the test as part of this course.
o Complete details for this course can be found at:
http://www.guidancesoftware.com/computer-forensics-training-encase-ence.htm
CEIC
o Registered attendees at our annual CEIC conference may elect to take the Phase I test at no additional charge during the conference.
o All requirements must be met prior to attending CEIC. Anyone interested in taking the Phase I test at CEIC must fill out an application and return it to the certification coordinator via fax, email, or mail one (1) month prior to the conference. Only those who have preregistered and been approved will be admitted to take the Phase I test at CEIC.
o Please visit www.ceicconference.com for more information.
Maintaining Your Certification
As of November 1, 2008 EnCase Certified Examiners are required to achieve one of the following items prior to their expiration date in order to renew. For those who have been certified prior to November 1, 2008, the current expiration date will remain the same, but the new requirements listed below will now apply. Once renewed, the expiration date will be changed to a three-year cycle (for example if renewing in 2009, the next renewal date will not be until 2012, and then every 3 years from then on).
Attend a minimum of thirty-two (32) credit hours of documented continuing education in computer forensics or incident response to maintain the certification: *
o The training should either be from Guidance, your agency, or an accredited source. Training should be either in a classroom lab setting or online. Proof of attendance should be provided via a certificate, transcript, or official letter.
o Earn one (1) credit hour for each classroom hour of training and 1/2 credit hour for each one hour of instruction as a computer forensics or incident response curriculum instructor.
Achieve a computer forensics or incident response related certification within the renewal period. A certificate of completion must be submitted as documentation.
*Training and teaching hours may be combined to reach the total 32 hours required. Documentation may be a certificate of completion, official letter from the provider, or transcript.
Attend one CEIC conference within the renewal period. Your certification must be current at the time of the conference and you must attend at least 10 sessions to fulfill the requirement to renew your EnCE. Register online at http://www.ceicconference.com/Default.aspx . Renewal forms will be available at the registration desk during the conference. Please check the box on the renewal form, and registration will be on file with Guidance Software, Inc.
Guidelines for submitting renewal credit for attendance at any other computer forensic conference other than CEIC are:
o Only labs count (seminars or product demos are not considered)
o Calculate one (1) CPE for every hour in a lab
o To submit credits please send a copy of the conference agenda and indicate the labs attended and how many CPE each one is worth
Please do not submit your renewal documents separately. Keep all certificates together and only send them when you have the requirement fulfilled. When you are ready, send the attached form and any certificates/letters/documents via fax, email, or regular mail.
The requirements need to have been met within the renewal period. (i.e., if the renewal date is June 1, 2009, the requirements must have been achieved between June 1, 2007 and June 1, 2009.)
Should your certification expire, you will be required to restart the EnCE process from Phase I. Extensions will not be granted. If you are unsure of your expiration date, please email: [email protected]
Complete renewal details are available at:
http://www.guidancesoftware.com/computer-forensics-training-encep-program-application.htm
Other Study Material
This Study Guide highlights the topics contained in the EnCE test, including good forensic practices, legal issues, computer knowledge, knowledge of EnCase, evidence discovery techniques, and understanding file system artifacts. If you need reference materials to prepare for a specific topic or portion of the exam, some recommended study materials are listed below:
EnCase Computer Forensics I manual by Guidance Software
EnCase Computer Forensics II manual by Guidance Software
EnCase Legal Journal by John Patzakis
EnCase User's Manual by Guidance Software
Handbook of Computer Crime by Eoghan Casey
How Computers Work by Ron White
EnCase Computer Forensics: The Official EnCE: EnCase Certified Examiner Study Guide by Steve Bunting, Second Edition
EnCase Environment
All lab media should maintain a unique volume label and a unique directory to receive the evidence file(s).
All lab media should be forensically sterile - wiped of all data, verified to be absent of any data, freshly partitioned, and formatted.
Upon starting a new case, default Export and Temp directories should be defined.
These folders will provide a default location for exported data as well as a specific folder to contain files that are created through the use of external viewers.
Both of these folders are case specific and can be modified as to location at any time.
When an examiner double-clicks on a file, the data is copied to the defined Temp directory, and the associated viewer is then called to display the file data.
When EnCase is properly shut down, EnCase will delete the files from the Temp folder.
E01 File
Bit-stream image of the source media written to a file(s).
Contains case information as first block.
Header is always compressed and is verified through the use of the compression algorithm used.
No alteration to case information block can be made.
There is no limit to the EnCase evidence file segment size.
Content of the evidence file cannot be changed - data cannot be added to an existing evidence file.
Case File
Contains your work - search results, bookmarks, and report.
It is simply a text file containing information specific to a single case/investigation.
There is no limit to the number of evidence files that can be added to a single case - 8 hdds, 200 diskettes, 24 CDRs as example.
Case file is updated by utilizing the SAVE button or selecting SAVE from the menu. This only affects the .case file.
Evidence file verification results are stored within the .case file.
Backup File (.CBAK)
Is created at preset intervals if auto save is enabled and not set to 0
Captures current state of the case
EnCase Configuration Files
Contain global changes to the EnCase environment - external viewers, hash sets/libraries, signature table.
This global environment dictates information/tools available for all cases - not case specific.
Example EnCase configuration .ini files:
o FileSignatures.ini - File Signature Table
o FileTypes.ini - organizes files into groups by extension; determines which viewer to use
o Keywords.ini - global keywords list
o Filters - available filters
o Viewers.ini - installed external viewers
File Types table dictates the action that will occur if a user double-clicks on a specific file.
External viewers are associated with file extensions through the File Types.
Verification of E01
A CRC (32 bit) is computed for every 64 sectors of an uncompressed evidence file.
The decompression algorithm is used to verify the evidence file when the evidence file is compressed.
MD5 (128 bit) computed during acquisition and placed at the end of the evidence file.
SHA1 hashing verification option.
To fully verify an uncompressed evidence file, all CRCs as well as the hash value(s) must validate and verify.
For a compressed evidence file the decompression algorithm as well as the hash value(s) must validate and verify.
If any changes occur to an evidence file, the CRC for the affected block(s) will no longer verify, and EnCase will display an error when any data within the block is accessed.
EnCase will also indicate an error if the evidence file is verified again.
Three (3) aspects of an existent evidence file can be changed/altered:
o Password +/-, compression, and evidence file segment size
o The applied filename of the evidence file can be changed, and/or the evidence file(s) can be moved to another location; however EnCase will prompt you to locate the renamed evidence file if it is changed after it is added to a case
o Individual segments of an evidence file can be verified (Tools -> Verify Single Evidence File)
Compression does not have an impact on the verification of an evidence file; hash value will remain constant.
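Added example (not part of the study guide and not EnCase code): a small Python model of the two verification layers described above, a checksum per 64-sector block plus one MD5 over all acquired data. It does not read or write the real E01 format; zlib.crc32 and zlib compression stand in for the block checksum and the compression algorithm, and the sample media is constructed.

```python
import hashlib
import zlib

SECTOR_SIZE = 512
SECTORS_PER_BLOCK = 64                          # default block size named in the guide
BLOCK_SIZE = SECTOR_SIZE * SECTORS_PER_BLOCK    # 32 KB


def acquire(source, compress=False):
    """Model an acquisition: split the media into blocks and record the
    per-block check plus one MD5 computed over the uncompressed source."""
    blocks, crcs = [], []
    for start in range(0, len(source), BLOCK_SIZE):
        raw = source[start:start + BLOCK_SIZE]
        if compress:
            # Compressed block: integrity is checked by decompressing it.
            blocks.append(zlib.compress(raw))
            crcs.append(None)
        else:
            blocks.append(raw)
            crcs.append(zlib.crc32(raw))
    return {
        "compressed": compress,
        "blocks": blocks,
        "crcs": crcs,
        "acquisition_md5": hashlib.md5(source).hexdigest(),
    }


def verify(evidence):
    """Re-check every block, then compare the verification hash with the
    acquisition hash. Both layers must pass for the file to verify."""
    md5 = hashlib.md5()
    bad_blocks = []
    for number, (stored, crc) in enumerate(zip(evidence["blocks"], evidence["crcs"])):
        if evidence["compressed"]:
            try:
                raw = zlib.decompress(stored)
            except zlib.error:
                bad_blocks.append(number)
                continue
        else:
            raw = stored
            if zlib.crc32(raw) != crc:
                bad_blocks.append(number)
        md5.update(raw)
    hash_ok = md5.hexdigest() == evidence["acquisition_md5"]
    return {"bad_blocks": bad_blocks, "hash_ok": hash_ok,
            "verified": hash_ok and not bad_blocks}


def flip_bit(evidence, block_number, byte_offset):
    """Return a copy of the evidence with one stored bit changed."""
    altered = dict(evidence, blocks=list(evidence["blocks"]))
    data = bytearray(altered["blocks"][block_number])
    data[byte_offset] ^= 0x01
    altered["blocks"][block_number] = bytes(data)
    return altered


# Constructed sample media: 256 sectors (128 KB), i.e. four 64-sector blocks.
SAMPLE_MEDIA = bytes(range(256)) * 512

if __name__ == "__main__":
    plain = acquire(SAMPLE_MEDIA)
    packed = acquire(SAMPLE_MEDIA, compress=True)
    print("same hash with and without compression:",
          plain["acquisition_md5"] == packed["acquisition_md5"])
    print("untouched:", verify(plain))
    print("one bit changed in block 2:", verify(flip_bit(plain, 2, 100)))
    print("compressed, block 1 damaged:", verify(flip_bit(packed, 1, -1)))
```

The single changed bit is reported twice: the affected block fails its own check, which localizes the damage, and the whole-file hash no longer matches the acquisition hash.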
Searches
General Information
Searches within the Windows environment are both physical and logical.
Within the EnCase Windows environment, keywords that span noncontiguous clusters will still be located within logical files. No searching tool will find keywords spanning noncontiguous clusters in unallocated space.
Searches in unallocated space are physical only as no logical definitions exist in this area.
GREP - Most Commonly Used Symbols
[ ] Square brackets form a set, and the included values within the set have to match a single character - [1-9] will match any single numeric value from 1 to 9.
- Denotes a range such as above.
^ States not - [^a-z] = no alpha characters from a to z.
+ States to repeat the preceding character or set any number of times, but at least once.
* States to repeat the preceding character or set any number of times, including zero times.
\x Indicates that the following value is to be treated as a hexadecimal value - \xFF\xD8\xFF
? Means or not - joh?n will yield both JOHN and JON
You must indicate via the check box that the created expression is a GREP term.
Unicode
Selecting Unicode will cause EnCase to search for the keyword in both ASCII and Unicode. Unicode uses two bytes for each character allowing the representation of 65,536 characters.
File Signatures
Simply compares the displayed extension with the file's header/signature. Four possible results will be obtained:
!Bad Signature - The extension is in the File Signature table but the header is incorrect, and the header is not in the File Signature table.
* [Alias] - The header is in the table and the extension is incorrect. This indicates a file with a renamed extension.
MATCH - The header matches the extension. If the extension has no header in the File Signature table, then EnCase will return a Match as long as the header of the file does not match any header in the File Signature table.
UNKNOWN - Indicates that neither the header/signature nor the extension is listed in the table. If either the header/signature or the extension is listed in the table, you will not obtain a value of UNKNOWN.
To examine the results of the File Signature effort, sort on the File Signature column.
Remember that the Gallery view will not display supported image files that maintain extensions inconsistent with image files until and unless the Signature Analysis has been run.
The Signature Table can be edited and/or added to by accessing the table and choosing right-click New.
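Added example (not part of the study guide and not EnCase code): the four-way decision described above written out in Python, so the precedence between header and extension is explicit. The signature table is a small constructed one, not the contents of FileSignatures.ini, and the file names and data are constructed samples.

```python
# Constructed signature table. An entry with header None models an
# extension that is listed in the table but has no header defined.
SIGNATURE_TABLE = [
    {"name": "JPEG Image", "header": b"\xFF\xD8\xFF", "extensions": {"jpg", "jpeg"}},
    {"name": "PDF Document", "header": b"%PDF", "extensions": {"pdf"}},
    {"name": "ZIP Archive", "header": b"PK\x03\x04", "extensions": {"zip"}},
    {"name": "Text", "header": None, "extensions": {"txt"}},
]


def extension_of(filename):
    """Return the lower-case extension, or '' when the name has none."""
    _, dot, ext = filename.rpartition(".")
    return ext.lower() if dot else ""


def signature_analysis(filename, data, table=SIGNATURE_TABLE):
    """Return (result, alias_name) for one file, following the guide's rules."""
    ext = extension_of(filename)
    by_header = next((entry for entry in table
                      if entry["header"] and data.startswith(entry["header"])), None)
    by_extension = next((entry for entry in table
                         if ext in entry["extensions"]), None)

    if by_header is not None:
        # The header is in the table: the extension either agrees with it
        # or the file has been renamed.
        if ext in by_header["extensions"]:
            return ("Match", None)
        return ("* [Alias]", by_header["name"])

    # From here on the header is not in the table.
    if by_extension is None:
        return ("Unknown", None)
    if by_extension["header"] is None:
        # Extension listed without a header, and the file's header matches
        # nothing else in the table.
        return ("Match", None)
    return ("!Bad Signature", None)


# Constructed sample files: (name, first bytes of content).
SAMPLE_FILES = [
    ("photo.jpg", b"\xFF\xD8\xFF\xE0\x00\x10JFIF"),
    ("system.dll", b"\xFF\xD8\xFF\xE0\x00\x10JFIF"),   # renamed picture
    ("report.pdf", b"not a pdf header"),
    ("readme.txt", b"plain text content"),
    ("readme.txt", b"PK\x03\x04\x14\x00"),             # archive named .txt
    ("blob.xyz", b"\x00\x01\x02\x03"),
    ("blob.xyz", b"%PDF-1.4"),                         # header known, so not Unknown
]


def analyse_samples():
    """Run the analysis over the constructed samples."""
    return [(name, signature_analysis(name, data)) for name, data in SAMPLE_FILES]


if __name__ == "__main__":
    for name, (result, alias) in analyse_samples():
        print(f"{name:12} {result}" + (f" -> {alias}" if alias else ""))
```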
Hash Analysis
Hash sets can be created from selected files, and the set(s) can then be added to the library.
The hash value computed for a given file is based upon the logical file content only - not the slack area of the file.
File names are maintained within the folder/directory and have no bearing on the computed hash value of a given file.
EnCase will compute a hash value of each file in the case and then compare these computed values to the values present in the library.
Hash analysis allows the examiner to identify files that are known - either as innocuous files that can be ignored or as files that are evidentiary in content.
Hash sets contain only the computed hash values of the files - not the file content. A file cannot be created from the computed hash value.
ASCII and Binary
ASCII table is a 7-bit table, and the acronym stands for the American Standard Code for Information Interchange.
The resultant 128 values represent alpha/numeric values, common punctuation, and other values.
Hexadecimal notation employs two characters to represent one byte.
A single byte (8 bits) can represent one of 256 possible values; a nibble (4 bits) can represent one of 16 possible values.
The LE indicator within EnCase indicates the number of bytes that have been selected/swept/highlighted.
Nibble = 4 bits
Byte = 8 bits
Word = 2 bytes = 16 Bits
Dword = 4 bytes = 32 Bits
File Systems
FAT file systems (FAT12, 16, 32) group one or more sectors in powers of 2 into clusters.
The number of clusters that the file system can manage is determined by the available bits employed by the FAT.
FAT16 (2^16) allows 65,536 clusters.
FAT32 (2^28) allows 268,435,456 clusters.
The FAT maintains information regarding the status of all the clusters on the volume (available - 0, in use), indicated cluster number, containing the end of a file (EOF), and containing one or more defective sectors (BAD).
The FAT also tracks file fragmentation.
Directory entries maintain the file name, logical file size, and starting cluster.
FAT is read to begin locating the file's data.
Each FAT volume maintains two copies of the FAT - FAT1 and FAT2.
Each sector contains 512 data bytes, and this size is consistent across different media types. (ZIP disks, floppies, HDD, etc.)
Logical file size is the actual number of bytes that the file contains.
Physical file size is the amount of actual media space allocated to the file.
Only one file can occupy a cluster at one time - no two files can occupy the same cluster.
Slack
Displayed in EnCase as red text. It is the data from the end of the logical file to the end of the physical file.
EnCase also displays FAT directory entries in red text because neither slack nor FAT directories have any logical file size.
Deleted Files
Two actions occur when a file is deleted from a FAT system - the first character of the directory entry(s) pertaining to the file is/are changed to E5h, and the values within the FAT that pertain to this file are reset to 0 (available).
Deleting a file has no effect on the actual data in FAT or NTFS.
EnCase reads the directory entry for a deleted file and will obtain the starting extent. It then will determine the number of clusters the file requires by dividing the logical file size by the bytes per cluster.
EnCase reads the FAT to determine if the indicated starting extent (cluster) is in use by any other file.
If the indicated starting extent (cluster) is in use by another file, EnCase deems this file to be overwritten.
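Added example (not part of the study guide and not EnCase code): a Python walk through the deleted-file logic above and the logical size, physical size and slack definitions from the File Systems section. It parses a 32-byte FAT short-name directory entry, checks for the E5h marker, works out how many clusters the file needs, and looks up the starting cluster in the FAT. The directory entries, the FAT contents and the helper names are constructed for the illustration.

```python
import struct

SECTOR_SIZE = 512
# 32-byte short-name directory entry: name, extension, attributes, reserved,
# creation tenths, creation time/date, access date, starting cluster (high),
# write time/date, starting cluster (low), logical file size.
DIR_ENTRY = struct.Struct("<8s3sBBBHHHHHHHI")
DELETED_MARKER = 0xE5
FAT_AVAILABLE = 0


def make_entry(name, ext, start_cluster, size, deleted=False):
    """Build a constructed directory entry for the demonstration."""
    raw_name = bytearray(name.ljust(8).encode("ascii"))
    if deleted:
        raw_name[0] = DELETED_MARKER      # first character replaced by E5h
    return DIR_ENTRY.pack(bytes(raw_name), ext.ljust(3).encode("ascii"),
                          0x20, 0, 0, 0, 0, 0,
                          start_cluster >> 16, 0, 0,
                          start_cluster & 0xFFFF, size)


def examine_entry(entry, fat, sectors_per_cluster):
    """Interpret one directory entry against the FAT (a list indexed by cluster)."""
    (name, ext, _attr, _res, _tenths, _ctime, _cdate, _adate,
     cluster_hi, _wtime, _wdate, cluster_lo, logical_size) = DIR_ENTRY.unpack(entry)

    deleted = name[0] == DELETED_MARKER
    # The original first character is lost on deletion; show "_" in its place.
    shown = "_" + name[1:].decode("ascii") if deleted else name.decode("ascii")
    filename = shown.rstrip() + "." + ext.decode("ascii").rstrip()

    start_cluster = (cluster_hi << 16) | cluster_lo
    bytes_per_cluster = SECTOR_SIZE * sectors_per_cluster
    # Logical size divided by bytes per cluster, rounded up to whole clusters.
    clusters_needed = -(-logical_size // bytes_per_cluster)
    physical_size = clusters_needed * bytes_per_cluster

    if not deleted:
        status = "allocated"
    elif fat[start_cluster] == FAT_AVAILABLE:
        status = "recoverable"            # starting cluster is still free
    else:
        status = "overwritten"            # starting cluster now belongs to another file

    return {
        "filename": filename,
        "deleted": deleted,
        "start_cluster": start_cluster,
        "logical_size": logical_size,
        "clusters_needed": clusters_needed,
        "physical_size": physical_size,
        "slack_bytes": physical_size - logical_size,
        "status": status,
    }


# Constructed FAT16 table: clusters 2-4 hold a live file (2 -> 3 -> 4 -> EOF),
# clusters 5-8 are available, cluster 9 is the single cluster of another live file.
SAMPLE_FAT = [0xFFF8, 0xFFFF, 3, 4, 0xFFFF, 0, 0, 0, 0, 0xFFFF, 0, 0]

if __name__ == "__main__":
    for entry in (make_entry("NOTES", "TXT", 2, 6000),
                  make_entry("REPORT", "DOC", 5, 5000, deleted=True),
                  make_entry("BUDGET", "XLS", 9, 1500, deleted=True)):
        print(examine_entry(entry, SAMPLE_FAT, sectors_per_cluster=4))
```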
Computer Hardware and Systems
BIOS - Basic Input Output System
The BIOS is responsible for the initial checking of the system components and initial configuration of the system once power is turned on.
Examiners should access the BIOS and determine the boot sequence as well as the indicated date/time.
Depending on the settings, the computer system may or may not attempt to boot from a diskette drive.
The BIOS is typically contained within a chip located on the system motherboard, which is the main circuit board within a computer system.
Add-in cards - video controller, SCSI controller, NIC, etc.
SCSI host adapters manage SCSI devices and make them accessible to the OS.
RAM - Random Access Memory stores data temporarily and is accessible immediately to the OS.
ROM - Read Only Memory
CPU - the actual processor chip - not the whole computer.
POST - Power On Self Test - first activity following the application of power to the computer system.
The POST activity includes the testing of identified attached devices on the system bus, including the HDD(s), diskette drives, installed memory, etc.
Drive letters are assigned by the OS during the boot process, but are not recorded to the media involved.
Bootable media must maintain a bootable partition/volume, which in the case of HDDs, must be set as active.
HDDs
IDE drives are set for Master/Slave/Cable Select through jumper pinning on the physical drive.
SCSI drives do not maintain Master/Slave settings; rather they are assigned ID numbers, again usually through jumper settings.
When employing CHS geometry, the formula for determining the HDD capacity is CxHxSx512.
The first sector on every HDD contains the Master Boot Record, and the partition table for the drive is located within this sector for Windows and Linux - offset 446-509.
The partition table within the MBR can maintain 4 entries, each 16 bytes in length.
Each defined partition on a physical HDD will contain a Volume Boot Record as the first sector within the partition.
Selecting the Volume Boot sector, right-clicking and choosing Add Partition can recover deleted partitions.
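Added example (not part of the study guide and not EnCase code): a Python parser for the layout described above, reading the four 16-byte partition entries at offsets 446-509 of the first sector and reporting where each partition's Volume Boot Record sits, plus the CxHxSx512 capacity formula. The sample sector and the short partition-type list are constructed; the 55 AA bytes at offsets 510-511 are the standard boot-sector signature, which the guide does not mention.

```python
import struct

SECTOR_SIZE = 512
TABLE_OFFSET = 446                       # partition table occupies offsets 446-509
MAX_ENTRIES = 4
# One entry: boot flag, CHS start, type, CHS end, starting LBA, sector count.
ENTRY = struct.Struct("<B3sB3sII")       # 16 bytes
BOOT_SIGNATURE = b"\x55\xAA"             # offsets 510-511
ACTIVE_FLAG = 0x80
# Short constructed subset of common partition type codes.
TYPE_NAMES = {0x06: "FAT16", 0x07: "NTFS", 0x0B: "FAT32", 0x83: "Linux"}


def chs_capacity(cylinders, heads, sectors_per_track):
    """HDD capacity in bytes from CHS geometry: C x H x S x 512."""
    return cylinders * heads * sectors_per_track * SECTOR_SIZE


def parse_mbr(sector):
    """Return the defined partitions found in a 512-byte Master Boot Record."""
    if len(sector) != SECTOR_SIZE:
        raise ValueError("an MBR is exactly one 512-byte sector")
    if sector[510:512] != BOOT_SIGNATURE:
        raise ValueError("boot signature 55 AA not found")

    partitions = []
    for slot in range(MAX_ENTRIES):
        offset = TABLE_OFFSET + slot * ENTRY.size
        boot_flag, _chs_start, type_code, _chs_end, start_lba, sector_count = \
            ENTRY.unpack_from(sector, offset)
        if type_code == 0:               # unused slot
            continue
        partitions.append({
            "slot": slot,
            "active": boot_flag == ACTIVE_FLAG,
            "type_code": type_code,
            "type_name": TYPE_NAMES.get(type_code, "unlisted"),
            "start_lba": start_lba,
            "sector_count": sector_count,
            "size_bytes": sector_count * SECTOR_SIZE,
            # The Volume Boot Record is the first sector of the partition.
            "vbr_offset": start_lba * SECTOR_SIZE,
        })
    return partitions


def build_sample_mbr():
    """Constructed MBR: an active FAT16 partition followed by a FAT32 partition."""
    sector = bytearray(SECTOR_SIZE)
    entries = [
        (ACTIVE_FLAG, b"\x00\x00\x00", 0x06, b"\x00\x00\x00", 63, 1024000),
        (0x00, b"\x00\x00\x00", 0x0B, b"\x00\x00\x00", 1024063, 2048000),
    ]
    for slot, fields in enumerate(entries):
        ENTRY.pack_into(sector, TABLE_OFFSET + slot * ENTRY.size, *fields)
    sector[510:512] = BOOT_SIGNATURE
    return bytes(sector)


if __name__ == "__main__":
    for partition in parse_mbr(build_sample_mbr()):
        print(partition)
    print("CHS 16383/16/63 capacity:", chs_capacity(16383, 16, 63), "bytes")
```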
First Response
Systems will either be on or off - if they are on, they must be shut down. Review recommendations regarding the different file systems and shut-down options.
Preview options - FastBloc, network cable
Boot Disks must have the OS system files, and these system files must be altered to prevent access to the fixed disk drive(s).
EnCase will create the forensic boot disk, make the proper alterations to IO.SYS and Command.COM, and delete DRVSPACE.BIN.
This must be done to prevent writes to any attached HDDs and prevent the mounting of a compressed volume file.
A forensically sound bootable CD that includes the LinEn utility may be used.
Procedures
o Photograph, external inspection, label connections, internal inspection, disconnect power/data cables from HDD(s), boot with EnCase boot disk or a forensically sound CD with the LinEn utility, and access the BIOS - note boot sequence and date/time. Allow boot to continue to confirm drive and diskette function. Power down, attach target and destination (lab) HDDs, and reboot with boot disk.
o Using an EnCase boot disk will start the computer to the DOS OS. Logical partitions under NT, Linux (EXT2/3), UNIX, and Mac HFS will not be seen as DOS does not understand those file systems. Obtain a physical disk evidence file, and EnCase will resolve the file structure once the E01 file is added to the case.
Restoring E01 Files
Evidence files can be restored to media of equal or greater size.
The hash value of a properly restored evidence file will match the value maintained within the evidence file, which is the value computed against the original source media.
Restoring evidence files of physical media must be made to a physical drive, logical evidence files to a defined logical partition.
Logical restores must be made to a created partition equal to or larger than the evidence file partition, and must be of the same file system - FAT16/32.
Restored drives are validated by the MD5 value.
OS Artifacts
Review Recycle Bin functions - DC0.TXT, DC1.JPG, etc.
On Windows XP/2003 and below, the date/time deleted stems from the INFO record within the Recycle Bin.
FAT directory entries in DOS/Windows are 32 bytes in length.
Review directory structure - parent/child relationships.
Review Windows XP/2000 artifact locations: C:\Windows\Recent, Desktop, Send To, and Temporary Internet Files.
Review LNK files - linking a diskette to the computer that wrote to it - embedded date/time as well as full path and file name of the target file.
Review EMF files, SPL, and SHD files - definition and content.
BASE64 - encoding common to email attachments.
Windows 2000 and XP have user personal folders stored under C:\Documents and Settings.
Legal
Every printed document from a computer is considered an original.
Any printout or other output readable by sight shown to accurately reflect the data stored in a computer system is considered an original.
Compression of the evidence file has no bearing on the validity or admissibility of the data. Courts have ruled that the manner in which data is maintained while in storage is not relevant, as long as the data is accurately portrayed when accessed and presented in a printout or other output, readable by sight.
The EnCase evidence file may be considered the best evidence, depending on the events and circumstances of the case.
Daubert - legal test employed by US courts to determine if a scientific or technical process is acceptable.
o Has the process been tested and subjected to peer review?
o Does the process/application maintain general acceptance within the related community?
o Can the findings be duplicated/repeated?
2011 Guidance Software, Inc. All Rights Reserved.
EnCase Certified Examiner
Preparation Training
EnCE Preparation Training
Examining computer-based evidence with EnCase software (EnCase)
Computer Knowledge
Good Forensic Practices
Legal
Examining computer-based evidence
The EnCase Evidence File
EnCase Concepts
The EnCase Environment
Searching
File Signature and Hash Analysis
The EnCase Evidence File
Bit stream image of evidence written to a file
Header - Case information
CRCs (Cyclical Redundancy Check)
Data Blocks
The EnCase Evidence File
Header - Case Information
Header is always compressed and is verified through the use of the compression algorithm used
Cannot be changed after evidence file is created
Contains:
Case number
Examiner name
Evidence number
Unique description
Date/time of computer system clock
Acquisition notes
Serial number of physical hard drive
The EnCase Evidence File
Cyclical Redundancy Check
32-bit CRC for (by default) 64 sectors (32 KB) of data
If no compression is used
Calculated when evidence file is added to case and rechecked every time the data block is accessed
Message Digest 5 Hash
128-bit digital signature of all data in evidence file
Optional
The EnCase Evidence File
Logical file that can be renamed and moved
Can be broken into multiple segments with a maximum segment size dependent on the file system to which the evidence file is written
Can be compressed during acquisition and/or reacquired with compression for archival without changing the hash value
Can be password protected and can be reacquired to remove or change password
Individual segments can be verified by the CRCs when compression is not used. If compression is used the decompression algorithm is used
The EnCase Evidence File
Block size can be adjusted to range from 64 to 32768 sectors
Error granularity is often used to adjust the writing of data to an evidence file when a read error of the subject media occurs
Quick reacquisition is used on an existing evidence file to quickly change file segment size, password +/-, and/or the applied name of the evidence file.
The EnCase Evidence File
Evidence File Verification
Data in the entire evidence file is verified by Verification hash compared to the Acquisition hash value of the original evidence
Data in each data block is verified by a CRC when no compression is used
Both the MD5 hash and CRCs must match for the evidence file to be verified
If any compression is used, the compression algorithm is used to verify data blocks
EnCase Concepts
The Case File - .case
Text file containing:
Pointers to evidence files locations on forensic workstation
Results of searches and analysis (file signature and hash)
Bookmarks
Investigator's notes
A case file can contain any number of hard drives or removable media
A backup file (.cbak) is updated by default every 10 minutes
Save the case file regularly during an examination
The case file should be archived with the evidence files as it contains all of the investigator's notes
EnCase Concepts
The Configuration .ini Files
Contain Global Options used for all cases
Some configuration .ini files:
FileSignatures.ini: File Signature Table
FileTypes.ini: organizes files into groups by extension; determines which viewer to use
Keywords.ini: global keywords list
Filters.ini: available filters
Viewers.ini: installed external viewers
The EnCase Environment
The EnCase Methodology
Case Management
Separate folders for each case are recommended; use unique directory names
Use large capacity, high RPM (revolutions per minute) hard drives with single partition for evidence files
Wipe the drive to eliminate any claims or arguments of cross-contamination
Give the hard drive a unique label prior to acquisitions to differentiate your drives from the suspect's
Create default Evidence, Export, and Temp folders for each case
The EnCase Environment
The EnCase Methodology
Export Folder
Create a separate Export folder for each case
The name and location of the Export folder can be changed at any time
Used by many EnScript programs for exporting files
Selected by EnCase as starting folder when using Copy/Unerase
Temporary Folder
Used to receive files sent to an external viewer
Redirect files away from the examiner's operating system drive
Files in the Temporary folder are deleted when EnCase is shut down properly
Searching
EnCase for Windows
Physical searching is conducted on logical files and the
unallocated areas of the physical disk.
Logical search will find a word fragmented between two
noncontiguous clusters, whereas a physical search will miss the
fragmented word.
Searching
Adding Keywords
Case Sensitive
Not set by default. Selecting will limit hits to exact case of words entered. Can be used with GREP and Unicode.
GREP
Box must be selected for EnCase to use GREP expression, otherwise EnCase will search for the literal entered characters. Can be used with Case Sensitive and Unicode.
Unicode
Selecting this box will enable EnCase to search for keywords in both ANSI and Unicode. Recommended to be selected for most searches. Can be used with GREP and Case Sensitive. Unicode uses two bytes for each character allowing the representation of 65,536 characters.
Searching
Global Regular Expression and Print (GREP)
.        A period matches any single character.
\xFF     A character represented by its ASCII value in hex. \x09 is a tab. \x0A is a line feed. Both hex digits should be present even if they are 0.
\wFFFF   Unicode 16-bit character.
?        The question mark says repeat the preceding character (or set) one or zero times.
Searching
GREP
*        An asterisk after a character matches any number of occurrences of that character, including zero. For example, john,*smith would match john,smith, john,,smith, and johnsmith.
+        A plus sign after a character matches any number of occurrences of that character except zero. For example, john,+smith would match john,smith or john,,smith, but would NOT match johnsmith.
#        A pound / hash sign matches any numeric character [0-9]. For example, ###-#### matches any phone number in the form 327-4323.
(ab)     The parentheses allow the examiner to group individual characters together as an AND statement.
{m,4}    The curly braces state the number of times to repeat, i.e., m four times.
|        The pipe is an OR statement and can be used with the parentheses, i.e., (com)|(net)|(org) for the end of an email address.
Searching
GREP
[]       Characters in brackets match any one character that appears in the brackets. For example, smit[hy] would match smith and smity.
[^]      A circumflex at the start of the string in brackets means NOT. Hence [^hy] matches any characters except h and y.
[-]      A dash within the brackets signifies a range of characters. For example, [a-e] matches any character from a through e, inclusive.
\        A backslash before a character indicates that the character is to be treated literally and not as a GREP character.
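To try the GREP symbols listed above outside EnCase, the following added example (not EnCase code) translates the two tokens that differ from Python's `re` syntax, `#` and `\wFFFF`, and runs the guide's own sample expressions. The function names are hypothetical, a `#` inside brackets is assumed to be literal, and the braces syntax is passed through unchanged.

```python
import re

HEX_DIGITS = set("0123456789abcdefABCDEF")


def encase_grep_to_python(expr: str) -> str:
    """Rewrite '#' and '\\wFFFF'; everything else passes through unchanged."""
    out = []
    i = 0
    in_class = False                      # inside [...] ?
    while i < len(expr):
        ch = expr[i]
        if ch == "\\" and i + 1 < len(expr):
            nxt = expr[i + 1]
            hex4 = expr[i + 2:i + 6]
            if nxt == "w" and len(hex4) == 4 and all(c in HEX_DIGITS for c in hex4):
                out.append("\\u" + hex4)  # \wFFFF: one 16-bit Unicode character
                i += 6
            else:
                out.append(ch + nxt)      # \x09, \#, \. keep their meaning
                i += 2
            continue
        if ch == "[":
            in_class = True
        elif ch == "]":
            in_class = False
        if ch == "#" and not in_class:
            out.append("[0-9]")           # '#' matches any numeric character
        else:
            out.append(ch)
        i += 1
    return "".join(out)


def grep_search(expr: str, text: str, case_sensitive: bool = False) -> list:
    """Return every hit; Case Sensitive is off by default, as in the guide."""
    flags = 0 if case_sensitive else re.IGNORECASE
    return [m.group(0) for m in re.finditer(encase_grep_to_python(expr), text, flags)]


if __name__ == "__main__":
    names = "john,smith john,,smith johnsmith"      # constructed sample text
    print(grep_search("john,*smith", names))
    print(grep_search("john,+smith", names))
    print(grep_search("###-####", "call 327-4323 today"))
    print(grep_search("\\#1", "#1 and 11"))
```

The last call shows why the backslash matters: without it, `#1` would be read as "any digit followed by 1" and hit `11` instead of the literal `#1`.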
File Signature and Hash Analysis
File Signature Table
Stored in the EnCase configuration file, FileSignatures.ini
File signatures can be added manually
The terms file signature and file header mean the same thing,
the standard hex characters at the beginning of a certain file type
File Signature and Hash Analysis
File Signature Table Viewers
EnCase uses the Viewers.ini file to store external viewer
information and the FileTypes.ini file to associate file extensions
with external viewers.
When the examiner double-clicks on a file, EnCase will copy the
file to the Temporary folder and launch the Windows-associated viewer or user-defined external viewer to read the file.
The examiner can also right-click on a file and use the Send To
feature to send the file to an external viewer.
File Signature and Hash Analysis
File Signature Analysis
Signature Table Analysis Explained
Signature / Header   Extension    Comparison   Results Displayed
LISTED               LISTED       CORRECT      MATCH
NOT LISTED           NOT LISTED   N/A          UNKNOWN
NOT LISTED           LISTED       INCORRECT    ! BAD SIGNATURE
LISTED               LISTED       INCORRECT    * FILE ALIAS
File Signature and Hash Analysis
Hash Sets and Hash Library
Hash sets can be built with one file or any number of selected
files. The sets contain the hash values of the file(s) in the set.
The hash value of a file is computed only from the logical file
independent of the file name, time/date stamps, and the slack
space of the physical file.
The Hash Library is built from selected hash sets. The examiner
can exclude specific hash sets to remain within the scope of the
examination.
File Signature and Hash Analysis
Signature and Hash Analysis
File extensions are compared to the file signature (header)
according to the File Signature Table.
The hash value of each logical file is computed and compared
with the Hash Library composed of the selected hash sets.
Both analyses can be used to help identify suspect files and/or
exclude known or benign files. The results of both analyses are
viewed in the Table view.
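The signature comparison table and the hash library described above can be exercised together in a short sketch. This is an added example, not EnCase code: the three-entry signature table, the sample file body and the hash set names are constructed, and the handling of a listed header with an unlisted extension is an assumption, since the table has no row for it.

```python
import hashlib

# Constructed miniature signature table: type -> (header bytes, extensions).
SIGNATURE_TABLE = {
    "JPEG": (bytes.fromhex("FFD8FF"), {"jpg", "jpeg"}),
    "GIF": (b"GIF8", {"gif"}),
    "PDF": (b"%PDF", {"pdf"}),
}
# Constructed logical content of a sample file (JPEG header plus filler).
SAMPLE_BODY = bytes.fromhex("FFD8FFE0") + b"constructed image body"


def signature_result(filename: str, logical: bytes) -> str:
    """Compare the header found in the data with the file's extension."""
    ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    header_type = next((name for name, (magic, _) in SIGNATURE_TABLE.items()
                        if logical.startswith(magic)), None)
    ext_listed = any(ext in exts for _, exts in SIGNATURE_TABLE.values())
    if header_type is None:
        return "! BAD SIGNATURE" if ext_listed else "UNKNOWN"
    if ext in SIGNATURE_TABLE[header_type][1]:
        return "MATCH"
    # Header is listed but belongs to another type. Treating an unlisted
    # extension the same way is an assumption; the table has no row for it.
    return "* FILE ALIAS: " + header_type


def logical_md5(allocated: bytes, logical_size: int) -> str:
    """Hash only the logical file; slack after logical_size is ignored."""
    return hashlib.md5(allocated[:logical_size]).hexdigest()


def sample_hash_sets() -> dict:
    """Constructed hash sets: set name -> set of MD5 values."""
    return {"notable": {hashlib.md5(SAMPLE_BODY).hexdigest()},
            "known_os": {hashlib.md5(b"constructed system file").hexdigest()}}


def build_library(hash_sets: dict, selected: list) -> dict:
    """The library holds only the selected sets (MD5 -> set name)."""
    return {digest: name for name in selected for digest in hash_sets[name]}


def analyze(filename: str, allocated: bytes, logical_size: int, library: dict) -> dict:
    logical = allocated[:logical_size]
    return {"signature": signature_result(filename, logical),
            "hash_set": library.get(logical_md5(allocated, logical_size))}


if __name__ == "__main__":
    lib = build_library(sample_hash_sets(), ["notable", "known_os"])
    n = len(SAMPLE_BODY)
    print(analyze("vacation.jpg", SAMPLE_BODY + b"\x00" * 100, n, lib))
    print(analyze("invoice.pdf", SAMPLE_BODY + b"old slack data", n, lib))
```

Renaming the file changes the signature result but not the hash hit, and different slack contents change neither.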
Computer Knowledge
Understanding Data and Binary
The BIOS
Computer Boot Sequence
File Systems
Computer Hardware Concepts
Understanding Data and Binary
Bits and Bytes
Bits   Name     Binary
1      Bit      1
4      Nibble   0000
8      Byte     0000-0000
16     Word     0000-0000 0000-0000
32     Dword    0000-0000 0000-0000 0000-0000 0000-0000
64     Qword    You get the idea
Understanding Data and Binary
ASCII and Unicode
The ASCII table (American Standard Code for Information Interchange)
is based on a 7-bit system. The first 128 characters make up the ASCII
table. The remaining 128 characters are called high-bit characters and
represent alpha/numeric values, common punctuation and other values.
Together 256 characters can be addressed.
Selecting Unicode will cause EnCase to search for the keyword in both
ASCII and Unicode. Unicode uses two bytes for each character,
allowing the representation of 65,536 characters.
Decimal   Hexadecimal   Character   Binary Code
0         00            NUL         0000-0000
1         01            SOH         0000-0001
2         02            STX         0000-0010
The BIOS
Basic Input/Output System
The BIOS checks and configures the computer system after
power is turned on.
The BIOS chip is usually found on the motherboard.
The BIOS should be checked during each examination of a
computer to check the boot sequence and settings of the internal
clock.
Computer Boot Sequence
Power Button -> BIOS -> POST -> BIOS from add-in cards -> Load RAM with BIOS data -> Boot Sequence?
BIOS: The BIOS immediately runs POST and then prepares the system for the first program to run.
POST: POST (Power On Self Test) checks the system board, memory (RAM), keyboard, floppy disk, hard disk, etc., for presence and reliability.
BIOS from add-in cards: Add-in cards such as SCSI drive controller cards can have a BIOS on the card that loads at this time. These BIOS normally detect devices and load information into the BIOS data area in RAM.
Load RAM with BIOS data: A special RAM BIOS data area of 256 bytes contains the results of the system check identifying the location of attached devices.
Computer Boot Sequence
[Flowchart, continued. Decision boxes: "Boot Sequence?" (A:, C:, Other Devices), "Present?" (Yes / No), "Boot Record?" (Yes / No); one branch reads "May display error or shift to boot another device". Hard disk path: Master Boot Record, Go to Boot Partition, Boot Record. System files loaded: Io.sys, Msdos.sys, Config.sys, Command.Com, Autoexec.bat. Some items are marked "Optional".]
File Systems
File Allocation Table
FAT tracks
File fragmentation
All of the addressable clusters in the partition
Clusters marked bad
Directory records
File name
Date/time stamps (Created, Accessed, Written)
Starting cluster
File logical size
A directory (or folder) is a file with a unique header and a
logical size of zero
File Systems
Directory Entry
Name                  Cluster   Length   Accessed   Written   Created
.
..
MyNote.TXT            1000      952      8/25/00    8/22/00   8/22/00
Picture1.GIF          1002      890      8/25/00    6/15/98   6/15/98
Picture2.JPG          1004      5000     8/25/00    7/12/99   7/12/99
Job Search.DOC        24888     11000    8/25/00    8/25/00   8/1/00
Report.DOC            79415     34212    8/25/00    7/31/00   6/20/00
Personal Letter.DOC   88212     10212    8/25/00    8/25/00   8/25/00
[Diagram labels: File Allocation Table; Clusters (Allocation Units)]
File Systems
Directory Entry
Name Cluster Length
MyNote.TXT 1000 952
Picture1.GIF 1002 890
Picture2.JPG 1004 5000
Job Search.DOC 24888 11000
Report.DOC 79415 34212
Personal Letter.DOC 88212 10212
File Systems
File Allocation Table
Cluster   FAT entry
2         EOF
3         EOF
4         EOF
5         EOF
6         EOF
7         EOF
1000      EOF
1001      0
1002      EOF
1003      0
1004      1005
1005      EOF
FAT
When a file is deleted from a FAT system
1st character of directory entry changed to E5h
FAT entry values change from allocated to unallocated (0)
No effect on the data within the clusters
When EnCase virtually undeletes a file
Directory entry read
Obtains starting extent, logical size
Obtains number of clusters by dividing logical size by bytes per cluster
FAT examined to determine if starting cluster/extent is in use
If starting extent is in use, EnCase deems this file to be Deleted/Overwritten
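The deletion and virtual-undelete steps above, worked through on the guide's Picture2.JPG entry (starting cluster 1004, 5000 bytes). This is an added example, not EnCase code: it assumes FAT16 short directory entries, 4096-byte clusters and 0xFFFF as the EOF marker, and the status labels "Allocated" and "Deleted" are names chosen here.

```python
import math
import struct

EOF = 0xFFFF              # FAT16 end-of-chain marker (assumed FAT16)
FREE = 0x0000             # unallocated FAT entry
DELETED = 0xE5            # first byte of a deleted directory entry
BYTES_PER_CLUSTER = 4096  # assumed: 8 sectors of 512 bytes


def sample_fat() -> dict:
    """FAT entries from the guide's diagram: cluster -> next cluster."""
    return {1000: EOF, 1001: FREE, 1002: EOF, 1003: FREE, 1004: 1005, 1005: EOF}


def make_entry(name: str, ext: str, start: int, size: int) -> bytes:
    """Build a 32-byte short-name directory entry (only fields used here)."""
    raw = bytearray(32)
    raw[0:11] = name.upper().ljust(8).encode("ascii") + ext.upper().ljust(3).encode("ascii")
    struct.pack_into("<H", raw, 26, start)   # starting cluster (low word)
    struct.pack_into("<I", raw, 28, size)    # logical size in bytes
    return bytes(raw)


def delete_file(raw: bytes, fat: dict) -> bytes:
    """Apply the two changes listed above; cluster contents are untouched."""
    cluster = struct.unpack_from("<H", raw, 26)[0]
    while cluster not in (FREE, EOF):
        nxt = fat[cluster]
        fat[cluster] = FREE                  # allocated -> unallocated (0)
        cluster = nxt
    return bytes([DELETED]) + raw[1:]        # first character becomes E5h


def parse_entry(raw: bytes) -> dict:
    deleted = raw[0] == DELETED
    # The first character is lost on deletion; it is shown here as "_".
    base = "_" + raw[1:8].decode("ascii") if deleted else raw[0:8].decode("ascii")
    return {"name": base.rstrip() + "." + raw[8:11].decode("ascii").rstrip(),
            "deleted": deleted,
            "start": struct.unpack_from("<H", raw, 26)[0],
            "size": struct.unpack_from("<I", raw, 28)[0]}


def assess(raw: bytes, fat: dict) -> dict:
    """Read the entry, size the file in clusters, check the starting cluster."""
    entry = parse_entry(raw)
    needed = math.ceil(entry["size"] / BYTES_PER_CLUSTER)
    if not entry["deleted"]:
        status = "Allocated"
    elif fat.get(entry["start"], FREE) != FREE:
        status = "Deleted/Overwritten"       # starting cluster is in use again
    else:
        status = "Deleted"
    return {"name": entry["name"], "status": status, "clusters": needed}


if __name__ == "__main__":
    fat = sample_fat()
    entry = delete_file(make_entry("Picture2", "JPG", 1004, 5000), fat)
    print(assess(entry, fat))
    fat[1004] = EOF                          # a new file reuses cluster 1004
    print(assess(entry, fat))
```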
File Systems
File Allocation Table
FAT 16
2 ^ 16 = 65,536 total allocation units available (clusters)
FAT 32
2 ^ 28 = 268,435,456 total allocation units
4 bits are reserved by Microsoft
Two copies of the FAT are stored for backup purposes.
A cluster is composed of multiple sectors. A sector contains 512
user addressable data bytes.
NTFS
Master File Table (MFT) administratively documents all files/folders
on NTFS volume
MFT comprised of records 1024 bytes each
MFT grows but doesn't shrink
At least one MFT record is allocated to each file and folder on
volume
Bitmap file documents if clusters are allocated or unallocated
Two types of files: Resident and Nonresident
NTFS
Resident files
Data resides within MFT record for file
Data does not begin at the beginning of a sector/cluster
Logical size = physical size
Nonresident files
Data not within MFT Record
MFT record houses pointers to clusters storing file
Pointers in the form of a data run
Both types of files may be hashed as long as logical size is greater
than 0
File Systems
Logical and Physical File Size
[Diagram: My Pic.jpg. Logical File: 3045 Bytes. Physical File bytes (1 cluster). File Slack fills the rest of the cluster.]
Slack Space
File slack is comprised of drive slack and RAM slack
Drive Slack
Data that is contained in the remaining sectors of a logical file that
are not a part of the current logical file. A logical file of 10 bytes
stored in a 4-sector cluster will have 3 sectors of drive slack.
RAM Slack
Data from the end of the logical file to the end of that sector. The
10-byte file from above will have 502 bytes of RAM slack in the
same sector that contains the logical data.
Slack Space
RAM slack is zeroed out prior to writing it to the drive in
Windows 95B and newer
In Windows 95A and older RAM slack will contain actual data from
RAM and it will be stored on the drive with the file
Computer Hardware Concepts
The computer chassis or case is often incorrectly referred to as
the CPU
The CPU is the Central Processing Unit installed on the motherboard
Also installed on the motherboard are the Random Access Memory,
the Read Only Memory, and add-in cards such as video cards,
Network Interface Cards (NIC), Small Computer System Interface
(SCSI) cards
Integrated Drive Electronics (IDE) hard disk drives can be attached
directly to the motherboard with a ribbon cable
SCSI hard disk drives require a controller card on the motherboard
Computer Hardware Concepts
Geometry of hard drives
Cylinder/Heads/Sectors (older drives)
C x H x S x 512 bytes per sector = total bytes
Logical Block Addressing
Total number of sectors available x 512 bytes = total bytes
Master Boot Record
Volume Boot Record
Partition Tables
Partition Recovery
Good Forensic Practice
First Response
Acquisition of Digital Evidence
Operating System Artifacts
First Response
At the Scene
Photograph, take notes, sketch
Take down the system: whether pull plug or shut down depends
on circumstances
Shut Down: if UNIX/Linux or Server
Pull Plug: it depends on circumstances
First Response
Forensic Boot Floppy/CD/Thumb Drive
Appropriate applications
Drivers for SCSI, NIC cards, etc.
Modified files
command.com
io.sys
drvspace.bin: if not removed, will mount a compressed drive
space volume
First Response
Onsite Triage
FastBloc: Fastest
Gallery view, hash/file signature analysis, logical and physical
searches with GREP, copy/unerase, EnScript modules, etc.
Network Cable Preview: Fast
Gallery view, hash/file signature analysis, logical and physical
searches with GREP, copy/unerase, EnScript programs, etc.
Acquisition of Digital Evidence
Computer Forensic Examiner
Must be trained
Must use best forensic practices available
Must avoid damaging or altering evidence
Should test and validate computer forensic tools and techniques
prior to using them on original evidence
Acquisition of Digital Evidence
File Systems Supported by EnCase
FAT 12, 16, 32
NTFS
EXT2/3 (Linux)
Reiser (Linux)
UFS (Solaris)
CDFS (Joliet, ISO9660, UDF)
DVD
Macintosh HFS/HFS+, Mac OS X (BSD)
HP-UX
Etc
NOTE: Only FAT partitions will be viewable if booted in DOS environment.
Acquisition of Digital Evidence
File Systems Supported by EnCase
If the file system is not supported by EnCase, the examiner can
still conduct a physical text search, run EnScript programs for file
headers and footers, etc.
The examiner can also restore the physical drive to a drive of
equal or larger size. The restored drive is verified by the MD5
Hash.
A volume may also be restored to a partition containing the same
file system.
Restored image is verified by the MD5 hash value.
Acquisition of Digital Evidence
Laboratory Procedures
Cross contamination
Wipe lab examination drives
Use EnCase case management methodology
Chain-of-Custody
Controlled access to lab area
Evidence locker or depository
Storage
Clean, temperature-controlled environment
Portable electronic devices may lose battery power, erasing all data
Operating System Artifacts
Recycle Bin and Info2 file
FAT/NTFS Directory Entries and Structure
Windows Artifacts
Recent
Link Files
Desktop
Send To
Temp
Internet Explorer history, cache, favorites, cookies
Enhanced MetaFiles; Print Spooler
2000/XP: C:\Documents and Settings
Operating System Artifacts
Windows Artifacts (continued)
Registry files: global and user account specific
Swap file
Hibernation/Standby file
Thumbs.DB
Restore Point
Legal Issues
Best Evidence Rule
A printout of data stored in a computer can be considered as an
original under the Federal Rules of Evidence if it is readable by
sight and accurately reflects the stored data
Compression of acquired data does not affect admissibility under
the Best Evidence Rule
If original evidence must be returned to the owner, the forensic
image could be considered the Best Evidence
Legal Issues
Daubert/Frye
Legal test to determine if a scientific or technical process
Elements of Daubert
Has the process been tested and subject to peer review?
Does the process enjoy general acceptance in the related
community?
Can the findings be duplicated or repeated?
Commercially available software has a greater opportunity for peer
review, testing, and validation