Applied NT Forensics

Overview

​In depth technical knowledge is introduced in a mixture of trainer led presentations and practical sessions allowing students to fully understand and implement their new skills with purpose and effect.

Who should attend

​This course is des​igned for computer forensic professionals seeking to enhance their knowledge of the evidential opportunities within the NT-based system.

Aims

​The release of Microsoft Windows 8.1 and 10 and also the predominance of NT-based computers running on NTFS file systems require forensic examiners to have a robust understanding of these structures. 

This course will enable examiners t​o recover evidence more effectively and have a much better understanding of what their automated forensic tools are doing. 

They will be better prepared to assemble evidence for court that is clear and supportive of evidential needs

Objectives

  • ​Interrogate, interpret and recover potential evidence found on NT-based computers running on NTFS file systems.  The registry,​ recycle bin, Master File Table and other operating system and file system structures likely to hold evidential data will be examined and explained at their fundamental levels.

  • Describe th​​e relevant changes incorporated in Windows 8.1 and Windows 10.

  • Explain the const​​ruction of the NTFS file system.

  • Explain the wo​​​​​rkings of the Master File Table.

  • Define the use​ of metadata, attributes and directories.

  • Describe how data is saved/deleted using NTFS and the working of the Recycle Bin.
  • Describe how Alternate data​ streams work.

  • Explain NTFS com​pression and encryption and the forensic implications.

  • Explain the structure of the registry and locate data of interest.
  • Describe the bu​​ilt-in security capabilities of NTFS, file ownership and user identification.

  • Explain the VSS​​ (Volume Snapshot Service)

  • Discuss method​s of live systems analysis.

Entry requirements

​This five day co​urse is designed for experienced forensic computer analysts.

 Attendees will have attende​d the Core Skills in Data Recovery and Analysis course, Shrivenham Foundation course, or similar and have at least 12 months experience in a forensic computing environment.

Course Dates and Venues

Start dateEnd dateVenuePlaces
22/03/202126/03/2021RytonPlease email

Course duration

​​Five days

Assessment processes / accreditation details

​Students a​​ttending this course will undertake a final assessment.

Additional information

Contact

Email:

DeliveryAdmin@college.pnn.police.uk

Cost to HO forces

Non-residential:

£1197.00 Tuition fee (Prices are valid 1 April 2019 to 31 March 2020) £1231.50 Tuition fee (Prices are valid from 1 Oct 2019 for courses from 1 April 2020 to 31 March 2021)

The College of Policing uses cookies to collect and analyse information about the users of this website. We use this information to enhance the content and other services available on the site. By continuing to use our site, you are agreeing for us to set a small number of cookies. You can manage your preferences for Cookies at any time, for more information please see our Cookies Policy.

Close