Course curriculum

  • 01

    Intro. to NTFS Forensics

    • Examining NTFS Disks

  • 02

    NTFS Volume Structure

    • NTFS VBR

    • Before we begin...

    • Exercise(s)

  • 03

    Master File Table (MFT)

    • Master File Table (MFT)

    • MFT Entry

    • MFT Entry Layout

    • MFT Entry Fields

    • MFT Entry Header

    • MFT and File Attributes

    • MFT Attribute Layout

    • Attributes

    • Resident Attribute Header

    • Non-Resident Attribute Header

    • Converting between VCN and LCN

    • NTFS Runlists

    • Exercise(s)

  • 04

    Standard Attributes

    • $STANDARD_INFORMATION

    • $FILE_NAME

    • $DATA

    • $ATTRIBUTE_LIST

    • $OBJECT_ID

    • $REPARSE_POINT

    • $SECURITY_DESCRIPTOR

    • $VOLUME_VERSION

    • $VOLUME_INFORMATION

    • $INDEX_ROOT

    • $INDEX_ALLOCATION

    • $BITMAP

    • $SYMBOLIC_LINK

    • $EA_INFORMATION

    • $EA

    • $LOGGED_UTILITY_STREAM

    • Exercise(s)

Learning Outcomes

After completing this course, you will have achieved the following.

  • Learn how to examine NTFS disks

  • Understand the NTFS Volume Boot Record (VBR)

  • Learn how to analyze the Master File Table (MFT)

  • Learn how to analyze MFT entry headers and attributes

  • Learn how to use different forensics tools for NTFS forensic analysis

Technical Requirements

For the hands-on labs in this course
