DF410 - NTFS Examinations with EnCase

Duration: 4 Days

This hands-on course provides technical information about the NT File System (NTFS), its role within the Microsoft® Windows operating system, and other related topics, such as Windows device management and the Windows boot process. The class addresses the on-disk structure of NTFS, including an in-depth analysis of the Master File Table ($MFT), its records, and the MFT record attributes contained within those records. Detailed information is provided with regards to deleted NTFS file/folder recovery and a significant practical exercise demonstrates how sector-level recovery is made possible using advanced knowledge of NTFS. Additional information is provided with regards to the manipulation of alternate data streams as well as the way in which reparse points act as mount-points for volumes, folders, and external data. The value and structure of Update Sequence Number (USN) change-log data is discussed following which detailed information is provided with regards to the structure of NTFS indexes (folders) and how the index records relating to deleted files and folders may be located and parsed.

Delivery method: Group-Live. NASBA defined level: advanced

CPE Credits - 32

The course provides in-depth coverage on artifacts, including:

• The Common Log File System (CLFS)
• Windows device management, device drivers, system services, and device configuration
• Use of the Windows Data Protection API (DPAPI) to store removable disk passwords in the user’s Registry
• The Windows BIOS/UEFI boot process and Boot Configuration Database (BCD)
• The NTFS volume boot record and other metadata files
• The structure of the Master File Table ($MFT), $MFT records, and $MFT record attributes
• Sector-level recovery of a fragmented file from an overwritten NTFS volume
• Alternate data streams
• Reparse points
• The Update Sequence Number (USN) change-log journal
• NTFS directories (filename indexes), index entries and index buffers
• Link files, object IDs, and the Link Tracking Service (LTS)
• NTFS compression
• Windows user accounts, security groups, and security descriptors

Course Syllabus

Audience

This course is intended for law enforcement officers, corporate and private investigators, computer forensic examiners, and network security personnel. A basic understanding of the concepts of computer forensics and is required. The class curriculum builds upon the instruction included in the DF210-Building an Investigation course, continuing with a focus on NTFS and advanced Windows examinations.

Prerequisites

DF210 - Building an Investigation with EnCase or EnCE Certification. Advance preparation for this course is not required.