EnCE - EnCase Certified Examiner

Review for the EnCase Certified Examiner (EnCE) certificate

Stats

  • Study time: 50 hours
  • Exam time: 100 minutes (Phase I) + 75 hours (Phase II)
  • Result: PASS


Study resources


Review

The employer has asked me to get the certificate to grasp the fundamentals of computer forensics. Given that I have brief experience in the field and to reduce the cost, I did not take the official training provided by OpenText. As recommended by my colleagues, I read The Official EnCE Study Guide, which should cover sufficient information to prepare for the certificate.

It took me ages to read through the book word by word. I wish there were other resources available that are more updated (the book was referring to EnCase v7) and preferably in videos, a format that I can learn more efficiently. Since the certificate is no longer the trend (well, EnCase itself is no longer the trend and I feel like even OpenText themselves gave up on the certificate as well), all I could find was this YouTube playlist that covered the basics of EnCase v8. Although the videos only covered a small part of the syllabus, they did help me to strengthen the most fundamental part of how to use EnCase.

The section quizzes and practice questions provided in the book were claimed to be similar to the actual exam. Since I did pretty well on those questions, I decided to go for the written test even though I was not confident about remembering all the details mentioned in the book. Most of the questions were alright but still took me longer than expected, as some were not covered in the book or the videos at all (regarding the newer versions of EnCase; I should have gone through the user guide for the more recent versions) and there were some detailed questions for which I just did not recall the correct answer right away. Luckily, I still managed to pass Phase I and was allowed to proceed to Phase II for the practical questions.

I read somewhere online that two months might sound a lot, but the time is actually quite tight, especially when you still have a daytime job. I took the advice, started the exam as early as possible, and worked on it whenever I was free from work. I read through the questions and started exploring the image.

My plan was to bookmark all the answers and jot down my process briefly in a text file, then write the report all at once when I was done finding all the answers. In hindsight, I could have written the report right away as I spent a lot of time redoing the investigation process to ensure I did not miss any steps. In other words, I basically did the whole investigation multiple times while I could have just done it once.

Also, I was stuck on two of the questions, which I just kept exploring with an empty report. I eventually decided to give up on those two questions when I only had two weeks left. I started writing the report for the other questions, hoping to still have one week to take a final look at the remaining two questions. The reporting took longer than I thought (as mentioned above), and I only had three days left.

Since 16 questions are sufficient to have the report marked, I considered submitting the report directly as I had already spent hours on those two questions previously, and I literally ran out of ideas. I’m glad I did not. It was like a miracle when I finally found the answers to the last two questions. I was deep down in a rabbit hole and somehow refused to let go of it. Anyhow, got the last part of the report written quickly and submitted just in time (half a day before the deadline just in case of technical issues).

It took me about 75 hours to complete Phase II, of which a third was contributed by those two questions, and a third was wasted by redoing the investigation. This is probably the most inefficient certificate experience I have had, but I guess I don’t always have to be efficient all the time (excuses, I know). On the bright side, I think I am getting better at reading books and I have learnt my lesson on rabbit holes. Most importantly, got the “Congratulations!” email about one month after I submitted the report.
