Every degree course on Digital Forensics begins with a study of File System Forensics, which has a guaranteed module on the New Technology File System used by Windows Operating Systems.
- Why this course?
- Why File System Forensics and why NTFS?
- Why should you be interested in this right now?
When I was first exposed to the Windows Operating System, everything about its seamless functioning captivated me. I have speculated time and again about how it all came about. It came to my knowledge that the New Technology File System (NTFS) handles file storage on the Windows Operating System. The proprietary nature of the technology shrouded details about its inner workings.
Despite all that, File System Forensics on NTFS seemed to lift this veil of secrecy and shed some light on how the ‘file storage magic’ happens! Hankering to share my findings, I have created this course, which involves cruising through the world of bits and bytes to understand the forensic impacts of NTFS.
If you have taken my previous course, Fourth Extended File System Forensics, I hope this course takes you one step closer to communicating with aliens!
Frequently, we hear the words ‘Big Data’, ‘Artificial Intelligence’, and ‘Machine Learning’ being uttered. All of those technologies rely on data and files that are stored methodically. File Systems take care of this intelligent file storage.
Newton’s third law states - ‘For every action, there is an equal and opposite reaction’. Likewise, for every fancy technology developed, there is an equally abominable way of using it. Hackers revel in identifying unconventional ways of using and misusing technology. This calls for competent Forensic Investigators who can unearth the sequence of said unconventional activities.
The Windows Operating System, with file storage handled by the New Technology File System, is used in the enterprise, at home, in small businesses and now even on IoT devices. When a device whose file storage is performed by NTFS becomes the target of hackers, proficient forensic investigators who can perform File System Forensics on NTFS and uproot evidence are in demand. This course will teach you to interpret forensically relevant information from NTFS.
At present, the competitive job market looks for professionals who can ‘Do one thing well’. Regardless of the amount of theoretical knowledge, practical knowledge and hands-on training set you apart from your peers. If you wish to learn the internals of the NT file system and how to perform forensic procedures on it, then this is your go-to course.
If you enjoy solving puzzles, this course would be your knowledge-fete!
What will you learn?
- Internals of the New Technology File System
- How the various data structures are organized within the NT File System
- How to interpret the data structures, thereby perceiving how file storage is done by NTFS
- How to perform File System Forensics on NTFS
What skills will you gain?
- Ability to decipher hexadecimal data efficaciously
- Competence to write custom scripts that can be added as plugins to formal forensic tools
- Endurance to operate with hexadecimal data!
What tools will you use?
- Linux command line tools like dd, dcfldd, colordiff, hexdump
- wxHex Editor
- The Sleuth Kit Tool Suite
LAUNCH: June 26th 2019
DURATION: 18 hours
CPE POINTS: On completion you get a certificate granting you 18 CPE points.
- Accessible even after you finish the course
- No preset deadlines
- Materials are video, labs, and text
- All videos captioned
What should you know before you join?
Basics of Digital Forensics:
- Forensic Imaging
- File Naming Conventions
What will you need?
- Forensic Images of NT File system will be provided to you. A computer running Ubuntu 16 LTS is required to forensically analyse the file system images. If you wish to take your own forensic images, then a computer running Windows is also required.
- Good internet connection to download tools as we go.
YOUR INSTRUCTOR - DIVYA LAKSHMANAN
Divya Lakshmanan is a graduate in Digital Forensics who has been exploring the field for the past three years. She is an independent researcher who enjoys drifting through the intricate realm of bits and bytes. She has made various contributions to journals and blogs, and developed our EXT4 course.
She enjoys teaching and revels in sharing her findings with fellow curious comrades. During her free time, she wonders about the mystique of the universe.
Module 1: Processing System Files
This module sets the tone for performing File System Forensics on NT File System images. The student shall gain a strong foundation in the layout of the file system and in how system files conspicuously “hand out” information to aid in file system forensics.
- Introduction to NT File System
- How to forensically approach NT File System?
- $Boot File
- $MFT File
- $Volume File
- $AttrDef File
- $Bitmap File
Exercise 1: You will launch an inquest into the given forensic image to garner information about system files.
Module 2: Processing User Files
It is a quotidian habit to deal with an assortment of files on our Windows systems. Have you ever wondered how those files are stored on the hard disk? This module examines how user files are stored on the NT file system and how they appear upon deletion.
- $. (root) File
- Resident File
- Non-resident File
- Behaviour on file/directory deletion
- Behaviour of NT File System on Linux
Exercise 2: You will harvest information about user files from the given forensic image.
Module 3: Features of NTFS
The developers of NT File System have augmented the file storage capabilities by introducing some unique features. In this module, we will explore some of those features.
- File System Journaling
- Object Identifiers
- Links – Soft links, hard links, junctions
- Sparse Files, Compressed Files
Exercise 3: You will examine the given forensic image for special features of NTFS.
Module 4: Some more features and wrapping up
This module concludes the discourse on NTFS features and reviews how The Sleuth Kit Tool Suite behaves on a forensic image of NTFS.
- Access Control Lists
- Alternate Data Streams
- The Sleuth Kit Tool Suite against NTFS
- How to ‘approach’ forensics of an NTFS forensic image?
Exercise 4: You will scrutinize the given forensic image for specified features and observe the behaviour of the Sleuth Kit Tool Suite.
The final exam will be a multiple-choice test. Conscientious work on the practical exercises will help you sail through the final exam!
If you have questions, feel free to contact our course coordinator Marta at [email protected]