Applied NT forensics

​In-depth technical knowledge is introduced in a mixture of trainer-led presentations and practical sessions allowing students to fully understand and implement their new skills with purpose and effect.

Aims

​The release of Microsoft Windows 8.1 and 10 and also the predominance of NT-based computers running on NTFS file systems require forensic examiners to have a robust understanding of these structures. 

This course will enable examiners to recover evidence more effectively and have a much better understanding of what their automated forensic tools are doing. 

They will be better prepared to assemble evidence for court that is clear and supportive of evidential needs.

Objectives

• ​Interrogate, interpret and recover potential evidence found on NT-based computers running on NTFS file systems. The registry,​ recycle bin, master file table and other operating system and file system structures likely to hold evidential data will be examined and explained at their fundamental levels.
• Describe the relevant changes incorporated in Windows 8.1 and Windows 10.
• Explain the construction of the NTFS file system.
• Explain the workings of the master file table.
• Define the use​ of metadata, attributes and directories
• Describe how data is saved/deleted using NTFS and the working of the recycle bin.
• Describe how Alternate data​ streams work.
• Explain NTFS compression and encryption and the forensic implications.
• Explain the structure of the registry and locate data of interest.
• Describe the built-in security capabilities of NTFS, file ownership and user identification.
• Explain the VSS​​ (volume snapshot service).
• Discuss method​s of live systems analysis.