Course curriculum
-
01
Intro. to NTFS Forensics
-
Examining NTFS Disks
-
-
02
NTFS Volume Structure
-
NTFS VBR
-
Before we begin...
-
Exercise(s)
-
-
03
Master File Table (MFT)
-
Master File Table (MFT)
-
MFT Entry
-
MFT Entry Layout
-
MFT Entry Fields
-
MFT Entry Header
-
MFT and File Attributes
-
MFT Attribute Layout
-
Attributes
-
Resident Attribute Header
-
Non-Resident Attribute Header
-
Converting between VCN to LCN
-
NTFS Runlists
-
Exercise(s)
-
-
04
Standard Attributes
-
$STANDARD_INFORMATION
-
$FILE_NAME
-
$DATA
-
$ATTRIBUTE_LIST
-
$OBJECT_ID
-
$REPARSE_POINT
-
$SECURITY_DESCRIPTOR
-
$VOLUME_VERSION
-
$VOLUME_INFORMATION
-
$INDEX_ROOT
-
$INDEX_ALLOCATION
-
$BITMAP
-
$SYMBOLIC_LINK
-
$EA_INFORAMTION
-
$EA
-
$LOGGED_UTILTIY_STREAM
-
Exercise(s)
-
Learning Outcomes
After completing this course, you will learn the following.
-
Learn how to Examining NTFS Disks
-
Understand the NTFS Volume Boot Record (VBR)
-
Learn how to Analyze the Master File Table (MFT)
-
Learn how to Analyze MFT Entry Headers and Attributes
-
Learn how to use Different Forensics Tools for NTFS Forensic Analysis
Technical Requirements
For the hands-on labs in this course
-
Windows 10 Operating System (recommended)
-
MFT Explorer (Eric Zimmerman)
-
MFT Browser (Costas K.)
-
Hex-Editor such as (010 Editor) or (HxD)
-
WinHex (X-Ways)
-
NTFS DiskExplorer (RunTime)
-
Other Useful NTFS Forensic Tools
What is next at Cyber 5W?
Add your email to receive updates on new courses