[Intermediate] DF210 – Building an Investigation with EnCase

Level: Introductory
CPE Credits: 32
Duration: 4 Days
Prerequisites: DF120 – Foundations in Digital Forensics with EnCase

There are currently no sessions scheduled for this program.
Please contact us at info@e-forensic.ca to be put on a waiting list.

Training Overview

This hands-on course is designed for investigators with strong computer skills, prior computer forensics training, and experience using the OpenText™ EnCase™ software (EnCase). This course builds upon the skills covered in the DF120–Foundations in Digital Forensics course and enhances the examiner’s ability to work efficiently using the unique features of EnCase. During this course, students will build an investigation using analysis techniques, such as recovering deleted volumes, registry analysis, Recycle Bin examination, and examining compound files. Other analysis techniques, such as searching unallocated clusters, parsing current Windows artifacts, examining email and Internet artifacts, and analyzing USB device artifacts will be included.

Students must understand EnCase Forensic concepts, the structure of the evidence file, creating and using case files, and data acquisition and basic analysis methods. It is also important that students are familiar with the methods for recovering deleted files and folders in a FAT environment, conducting indexed queries and keyword searches across logical and physical media, creating and using EnCase bookmarks, file signature analysis, and exporting evidence.

**Course formerly known as EnCase v7 Computer Forensics II.

Course Details

  • Language: English
  • NASBA defined level: Intermediate
  • Duration: 4 Days
  • Price: $3,200 USD; CAD price is calculated on registration date
  • Delivery Method: Group-Live
  • Location: Best Western Plus, Kanata Hotel & Conference Centre, 1876 Robertson Road, Ottawa ON, K2H 5B8


Course syllabus

Students attending this course will learn the following:

  • How to identify and open a volume that was encrypted using Windows BitLocker™
  • How to locate and recover deleted partitions
  • How to deal with compound file types
  • How to determine time zone offsets and properly adjust for the time zone in EnCase
  • About the Windows® Registry
  • How to create and use conditions for effective searching
  • About the ExFAT and NT file systems through an overview of the systems
  • How to identify Windows system artifacts, such as the User folders, pagefile.sys, Recycle Bin, and other folders
  • How to locate and examine shortcut files
  • How to identify and recover data relating to the use of removable USB devices
  • How to recover data from the Recycle Bin
  • How to conduct a search for email and email attachments
  • How to examine email and Internet artifacts
  • How to employ the EnCase Media Analyzer during an investigation
  • How to employ GREP operators to enhance searching techniques
  • How to recover artifacts from the print spooler
  • How to search and recover files from unallocated space
  • How to use the EnCase Physical Disk Emulator (PDE) Module
  • How to create reports to present investigation findings


This course is intended for cybersecurity professionals, litigation support, and forensic investigators.


Participants should have attended the previous EnCase course: DF120–Foundations in Digital Forensics.

Students are required to bring a suitable laptop configured such that the user has admin credentials with the ability to install software without hindrance from antivirus, security software or corporate access settings.

Register for DF210 and other courses here: https://e-forensic.ca/registration/