The EnCase Certified Examiner (EnCE)
The EnCase Certified Examiner (EnCE) is the vendor's flagship credential. It targets professionals who actively conduct computer examinations, including forensic analysts, incident responders, and litigation support specialists.
Guidance Software enforces strict prerequisites for the EnCE. Candidates must submit an application proving they have either completed authorized training or accrued at least 12 months of verifiable computer forensics experience. The certification process consists of two phases: a multiple-choice written exam and a hands-on practical exam where candidates receive a mock case, analyze evidence files, and submit a formal investigative report.
Exam Breakdown: GD0-100 and GD0-110
The written Phase I exam exists in two distinct versions based on geography. Legal standards for search, seizure, and privacy vary by jurisdiction, and the exam structure reflects this reality.
The GD0-100 (Certification For ENCE North America) contains 180 questions. It tests your knowledge of the EnCase interface, forensic methodology, and file system mechanics, alongside questions regarding United States legal procedures. You must understand concepts like search warrants, the admissibility of electronic evidence, and specific federal guidelines that govern digital investigations.
The GD0-110 (Certification for EnCE Outside North America) drops the US-specific legal questions. It contains 174 questions focused entirely on the technical application of digital forensics and the mechanics of the EnCase software. International candidates face the same rigorous testing on hashing algorithms, file signatures, and artifact recovery, but without the expectation of knowing American legal precedent.
Both exams demand a minimum passing score of 80 percent.
Career Value in Digital Investigations
Holding an EnCE carries specific weight in the forensics community. While vendor-neutral certifications prove you understand the theory of digital investigations, the EnCE proves you can execute one using the industry's most common software suite.
Law enforcement agencies frequently list the EnCE as a preferred or required credential for digital forensic examiner roles. In the private sector, consulting firms and incident response teams look for EnCE holders to lead data breach investigations. When a corporation faces a cyber intrusion, they need personnel who can identify the root cause, quarantine the affected systems, and extract evidence without altering the original data. The EnCE signals to employers—and to opposing counsel in a courtroom—that an investigator knows how to preserve data integrity.
Technical Expectations
The written exams test deep technical knowledge rather than high-level concepts. You must know how EnCase creates its proprietary .E01 evidence files and how the software calculates MD5 and SHA1 hash values to verify data authenticity.
The GD0-100 and GD0-110 require candidates to understand the underlying structures of common file systems, particularly FAT and NTFS. You will face questions on how operating systems allocate clusters, where directory entries are stored, and how to identify a file by its hexadecimal signature rather than its file extension. If a suspect renames a JPEG image to a text file to hide it, an EnCE candidate must know how the software's signature analysis feature flags the discrepancy.
If you fail the Phase I written exam, Guidance Software mandates a 60-day waiting period before you can attempt it again. Once you pass Phase I and the subsequent Phase II practical exam, the EnCE credential remains valid for three years. Maintaining active status requires earning 32 Continuing Professional Education (CPE) credits in computer forensics or incident response prior to the expiration date.