Investigating Windows Recycle Bin

Windows Forensics

NTFS Forensics - Part #2

In this course you will continue to learn about investigating the MS Windows NTFS File system and learn about all the underlying data structures.

Get started now

Enroll now for $100

Course curriculum

01
NTFS Metadata Files
- $I30 Files
- NTFS Master File Table
- $MFT
- $LogFile
- $Volume
- $VOLUME_NAME
- $VOLUME_INFORMATION
- $AttrDef
- \ - Root directory
- $Bitmap
- $Boot
- $BadClus
- $Secure
- $UpCase
- $Extend
- $Quota
- $UsnJrnl
- Exercise(s)
02
File Allocation and Deletion
- MFT Records
- NTFS File Allocation
- NTFS File Deletion
- Exercise(s)
03
NTFS Timestamps
- MAC Times in NTFS
- Displaying Timestamps
- Exercise(s)
04
NTFS Data Streams
- Intro. to NTFS Data Streams
- Compressed Files
- Encrypting File System (EFS)
- Exercise(s)
05
Misc
- Questions
- Exercise(s)
- REFERENCES
06
Final Case Exercise
- Final Case Exercise

Course Type: Theory & Hands-on

Get started now

Learn how to investigate Windows NTFS File System

Enroll now for $100

Learning Outcomes

After completing this course, you will learn the following.

Learn how to Examining NTFS Metadata Files
Understand NTFS File Allocation and Deletion
Understand NTFS Timestamps
Learn how to Analyze NTFS Compressed Files and Data Streams
Learn how to use Different Forensics Tools for NTFS Forensic Analysis

Technical Requirements

For the hands-on labs in this course

Windows 10 Operating System (recommended)
MFT Explorer (Eric Zimmerman)
MFT Browser (Costas K.)
Hex-Editor such as (010 Editor) or (HxD)
WinHex (X-Ways)
Other Useful NTFS Forensic Tools

What is next at Cyber 5W?

Add your email to receive updates on new courses