Applied NT forensics

Recover evidence more effectively, understand automated forensic tools and be better prepared to assemble evidence for court.

​In-depth technical knowledge is introduced in a mixture of trainer-led presentations and practical sessions allowing students to fully understand and implement their new skills with purpose and effect.

Aims

​The release of Microsoft Windows 8.1 and 10 and also the predominance of NT-based computers running on NTFS file systems require forensic examiners to have a robust understanding of these structures. 

This course will enable examiners to recover evidence more effectively and have a much better understanding of what their automated forensic tools are doing. 

They will be better prepared to assemble evidence for court that is clear and supportive of evidential needs.

Objectives

  • ​Interrogate, interpret and recover potential evidence found on NT-based computers running on NTFS file systems. The registry,​ recycle bin, master file table and other operating system and file system structures likely to hold evidential data will be examined and explained at their fundamental levels.
  • Describe the relevant changes incorporated in Windows 8.1 and Windows 10.
  • Explain the construction of the NTFS file system.
  • Explain the workings of the master file table.
  • Define the use​ of metadata, attributes and directories
  • Describe how data is saved/deleted using NTFS and the working of the recycle bin.
  • Describe how Alternate data​ streams work.
  • Explain NTFS compression and encryption and the forensic implications.
  • Explain the structure of the registry and locate data of interest.
  • Describe the built-in security capabilities of NTFS, file ownership and user identification.
  • Explain the VSS​​ (volume snapshot service).
  • Discuss method​s of live systems analysis.

Key details

Qualification eligibility

Attended​ the core skills in data recovery and analysis course, Shrivenham foundation course, or similar.

Prerequisites

At least 12 months experience in a forensic computing environment.

Practitioner group

Experienced forensic computer analysts.

Duration

Five days.

Accreditation
Yes
Accreditation notes:

Students attending this course will undertake a final assessment.

Cost

Home Office forces (non-residential):

£1,231.50 for courses to 31 March 2021

Course contact
Booking