Investigating Windows Recycle Bin

Windows Forensics

NTFS Forensics - Part #1

In this course you will learn about investigating the MS Windows NTFS File system and learn about all the underlying data structures.

Get started now

Enroll now for $50

Course curriculum

1. Examining NTFS Disks
1. NTFS VBR
2. Before we begin...
3. Exercise(s)
1. Master File Table (MFT)
2. MFT Entry
3. MFT Entry Layout
4. MFT Entry Fields
5. MFT Entry Header
6. MFT and File Attributes
7. MFT Attribute Layout
8. Attributes
9. Resident Attribute Header
10. Non-Resident Attribute Header
11. Converting between VCN to LCN
12. NTFS Runlists
13. Exercise(s)
1. $STANDARD_INFORMATION
2. $FILE_NAME
3. $DATA
4. $ATTRIBUTE_LIST
5. $OBJECT_ID
6. $REPARSE_POINT
7. $SECURITY_DESCRIPTOR
8. $VOLUME_VERSION
9. $VOLUME_INFORMATION
10. $INDEX_ROOT
11. $INDEX_ALLOCATION
12. $BITMAP
13. $SYMBOLIC_LINK
14. $EA_INFORAMTION
15. $EA
16. $LOGGED_UTILTIY_STREAM
17. Exercise(s)

About this course

$50.00
34 lessons
0 hours of video content

Course Type: Theory & Hands-on

Get started now

Learn how to investigate Windows NTFS File System

Enroll now for $50

Learning Outcomes

After completing this course, you will learn the following.

Learn how to Examining NTFS Disks
Understand the NTFS Volume Boot Record (VBR)
Learn how to Analyze the Master File Table (MFT)
Learn how to Analyze MFT Entry Headers and Attributes
Learn how to use Different Forensics Tools for NTFS Forensic Analysis

Technical Requirements

For the hands-on labs in this course

Windows 10 Operating System (recommended)
MFT Explorer (Eric Zimmerman)
MFT Browser (Costas K.)
Hex-Editor such as (010 Editor) or (HxD)
WinHex (X-Ways)
NTFS DiskExplorer (RunTime)
Other Useful NTFS Forensic Tools

What is next at Cyber 5W?

Add your email to receive updates on new courses