[Intermediate] DF210 – Building an Investigation with EnCase

Level: Introductory
CPE Credits: 32
Duration: 4 Days
Prerequisites: DF120 – Foundations in Digital Forensics with EnCase


  • City: Ottawa
    Date: 2023-11-06

Register for a Session


Training Overview

**Formerly EnCase v7 Computer Forensics II.

This hands-on course is designed for investigators with strong computer skills, prior computer forensics training, and experience using the OpenText™ EnCase™ software (EnCase). This course builds upon the skills covered in the DF120–Foundations in Digital Forensics course and enhances the examiner’s ability to work efficiently using the unique features of EnCase. During this course, students will build an investigation using analysis techniques, such as recovering deleted volumes, registry analysis, Recycle Bin examination, and examining compound files. Other analysis techniques, such as searching unallocated clusters, parsing current Windows artifacts, examining email and Internet artifacts, and analyzing USB device artifacts will be included.

Students must understand EnCase Forensic concepts, the structure of the evidence file, creating and using case files, and data acquisition and basic analysis methods. It is also important that the students are familiar with the methods for recovering deleted files and folders in a FAT environment, conducting indexed queries and keyword searches across logical and physical media, creating, and using EnCase bookmarks, file signature analysis, and exporting evidence.

Course Details

  • Language: English
  • Duration: 4 Days, November 6-9 2023
  • Delivery: Group-Live
  • Venue: Best Western Plus Ottawa Kanata Hotel & Conference Centre, 1876 Robertson Road, Ottawa, Ontario, K2H 5B8**
  • NASBA defined level: Intermediate
  • Tuition: $3,200.00 USD; CAD price calculated at registration date

**Attendees staying at the hotel should ask for the EFS group rate.

Lunch is provided and included in the cost. Free parking is available at the course location.


Course syllabus

Students attending this course will learn the following:

  • How to identify and open a volume that was encrypted using Windows BitLocker™
  • How to locate and recover deleted partitions
  • How to deal with compound file types
  • How to determine time zone offsets and properly adjust for the time zone in EnCase
  • About the Windows® Registry
  • How to create and use conditions for effective searching
  • About the ExFAT and NT file system through an overview of the systems
  • How to identify Window system artifacts, such as the User folders, pagefile.sys, Recycle Bin, and other folders
  • How to locate and examine shortcut files
  • How to identify and recover data relating to the use of removable USB devices
  • How to recover data from the Recycle Bin
  • How to conduct a search for email and email attachments
  • How to examine email and Internet artifacts
  • How to employ the EnCase Media Analyzer during an investigation
  • How to employ GREP operators to enhance searching techniques
  • How to recover artifacts from the print spooler
  • How to search and recover files from unallocated space
  • How to use the EnCase Physical Disk Emulator (PDE) Module
  • How to create reports to present investigation findings


This course is intended for cybersecurity professionals, litigation support, and forensic investigators.


Participants should have attended the previous EnCase course: DF120–Foundations in Digital Forensics.

Students are required to bring a suitable laptop configured such that the user has admin credentials with the ability to install software without hindrance from antivirus, security software or corporate access settings.

Register for DF210 and other courses here: https://e-forensic.ca/registration/