I have recently attended CFI and II and was looking to further my understanding of some of the concepts - in particular what EnCase is actually doing when running certain automated processes such as:
Partition Finder
Recover Folders
Recover Email
File Mounter
Hash and Sig Analysis
Case Initialiser
Can anyone shed some light on them or point me in the right direction as to where to look? I am not after anything tooooooo technical, just a basic rundown of what each process is looking for and/or does.
It's too easy to simply push buttons and get results - I am seeking to try and understand what is happening behind the scenes to further my knowledge and appreciation of the software used.
Any help appreciated!
Alty
I would start with the EnCase Certification Guide book.
Try their Advanced Forensics course. In that course, you do each of these tasks manually in order to learn how EnCase does them. Brian Carrier's book File Systems Forensics is also a good resource, not only for FAT and NTFS forensics, but other file systems as well, but it is highly technical (as is the Advanced Forensics course).
Ditto on the EnCase book.
I keep a PDF of it on my Swiss-bit thumb drive and my laptop. Good source of refresher and other info on the software.
Brian's book is the bible.