Investigating File Systems

Students will gain a thorough understanding of FAT32 and NTFS file systems, learning how to parse and analyze their structures and utilize the data. They will also build the skills necessary to competently and quickly analyze file systems to uncover and interpret digital evidence.

Regular Enrollment

$50.00

Enroll Now

With Virtual Lab

$100.00

Enroll Now

The Investigating File Systems course offers a comprehensive, hands-on exploration of how file systems operate and how yet-uncovered artefacts provide critical insights during forensic investigations. Participants will learn to navigate file system structures, recover deleted or hidden data, and trace user and application behaviour across different storage environments. Through practical exercises, learners explore file systems (such as NTFS, FAT32, EXT4), master forensic acquisition techniques, and uncover key artifacts that support investigations of incidents, breaches, and malicious activity. By the end of this course, participants will have the skills and confidence to interpret complex file system evidence and contribute significant findings to forensic reports.

1. Welcome & Lab Access
1. What is File System
2. Ext4
3. NTFS vs EXT4
4. Timestamps and File Operations
5. Required Files
6. Exercise 02 -- Inspecting Timestamps
7. Exercise 02 - Solutions
8. NOTICE
1. Required Files (FAT Analysis)
2. FAT File System - Basics - Slides
3. Intro to FAT File System
4. Lab - Analyzing FAT Structure
5. FAT File System - Directory Entry - Slides
6. FAT File System - Timestamps - Slides
7. Lab - Analyzing FAT File System #1
8. Lab - Analyzing FAT File System #2
1. NTFS
2. Required Files (NTFS Analysis)
3. NTFS Basics - Slides
4. NTFS MFT - Slides
5. Lab - Analyzing the MFT File #1
6. Lab - Analyzing the MFT File #2
7. Lab - Working with Data Attributes
8. NTFS Dataruns and Fragmented Files
9. MFT Slack Space
10. NTFS Fixups - Slides
11. Lab - Working with Links
12. NTFS INDX Buffers - Slides
13. NTFS Journaling - Slides
14. Lab - Working with UsnJrnl
15. Lab - Working with Journals and Indexes
16. Lab - NTFS Challenge
17. Lab - NTFS Challenge (Solution A)
18. Lab - NTFS Challenge (Solution B)
1. Extra Reading

About this course

$50.00
36 lessons

Frequently asked questions

How do I purchase a course?

You can enroll in any course directly through our platform using secure online payment.
How do I access my course after enrollment?

Once payment is complete, you will be redirected to the course and receive a confirmation email. You may also log in at any time to access your content via the My Dashboard section.
How long will I have access to the course material?

Lifetime access while the course remains available, with a guaranteed minimum of 1 year, even if it is updated or retired.
What are the general technical requirements?
Our platform is accessible from any device with internet access. For hands-on labs, we recommend:

A modern operating system capable of running virtual machines

8 GB RAM (minimum)

500 GB disk space

Hypervisor software: Virtualbox, VMWare, HyperV, etc

Alternatively, we offer fully hosted Virtual Labs that allow you to complete technical exercises via the cloud. Please check our labs at: labs.cyber5w.com.
Can I ask for help if I don't understand something?

Of course! Reach out by email anytime.
What is the expected time commitment for each course?

Each course is self-paced and designed to accommodate different learning speeds. The time you'll need depends on your current knowledge, experience, and how deeply you choose to engage with the materials and hands-on labs.
Do you offer student discounts?

Yes, we offer a 25% discount to verified university or college students (must register with a valid academic email). Please contact us at [email protected] after registering and before purchasing.
Do you offer law enforcement and military professionals discounts?

Yes, we offer a 25% discount to active law enforcement and military professionals (official verification required). Please contact us at [email protected] after registering and before purchasing.
Do you offer corporate training or customized training solutions?

Absolutely. We provide customized training solutions for teams, security operations centers, and government entities, including on-site workshops, simulations, and private lab access. Please contact us at [email protected] for arrangement.
Do your courses include Certificate of Completion?

All of our courses include a Certificate of Completion, awarded upon successful completion of lessons, labs, or a final exam (where applicable). These certificates are designed to support your professional development in the DFIR and cybersecurity fields.
Do you deliver on-site training for employees?

Yes, we tailor on-site training programs to your team's specific needs. Please contact us to discuss options, dates, and pricing.
Do you travel internationally?

Yes. Our instructors can deliver on-site training globally. Travel expenses will apply.
How long are your on-site training sessions?

Courses can range from one-day workshops to multi-week immersive programs, depending on your goals.
Can we customize the syllabus?

Absolutely! We work with you to design a tailored syllabus that matches your team's skill level and focus areas.
Do you provide virtual lab access?

Yes, all labs are accessible at labs.cyber5w.com.
What if my computer isn't good enough for the labs?

No worries, you can complete all exercises in our prebuilt virtual lab environment. No special hardware is needed, only a modern web browser to access the online labs.
What software or tools are installed in the virtual labs?

Each lab comes preloaded with the tools you'll need to successfully complete the exercises in the course you are learning.
How long do I have access to the labs?

Your virtual lab access comes with a predefined set of hours, but you can extend the lab access time as preferred (optional).
What professional certifications can I earn?
Cyber5W offers a series of hands-on, industry-recognized certifications to validate your expertise in digital forensics and threat analysis. These certifications are available as optional exams after completing the relevant training.

Cyber 5W Certified Digital Forensic Analyst (CCDFA)

Cyber 5W Certified Linux Forensic Analyst (CCLFA)

Cyber 5W Certified Malware Analyst (CCMA)

Cyber 5W Certified Threat Analyst (CCTA)

Note: Detailed exam requirements, structure, and registration links are available on each certification's dedicated page. Each exam comes with 1 retake.
I'm new to DFIR, which professional certifications are available for beginners?
Cyber 5W Certified Digital Forensics Evidence Handler

Cyber 5W Certified Digital Forensics Foundations)

Note: DetailedDetailed exam requirements, structure, and registration links are available on each certification's dedicated page.
Can I retake a test if I do not pass the exam?

Yes, we allow multiple retake attempts. Check your exam specifics or contact support if you need further help.
What support is available during an exam?

You may email [email protected] for logistics and technical issues, but no exam-specific assistance will be provided.
How are CYBER 5W certification exams different from traditional tests?

At CYBER 5W, our certification exams are skill-based, not just multiple-choice. We assess your practical knowledge through real-world tasks to ensure you can apply what you've learned.

Still have questions?

Can't find the answer you're looking for? Please chat to our friendly team.

Get in touch

Stay ahead in DFIR!

Sign up for the latest findings, field advancements, and updates on upcoming webinars, conferences, seminars, and free courses.

Investigating File Systems

Regular Enrollment

$50.00

With Virtual Lab

$100.00

Welcome & Lab Access

Introduction to File Systems

Analyzing FAT32 File Systems

Analyzing NTFS File Systems

Resources

About this course

Frequently asked questions

Still have questions?

Stay ahead in DFIR!