Title: Windows File Systems Advanced Forensics
Duration: 1 week
Course Aim
The aim of this course is to provide forensic examiners with an understanding of the technology that underpins the NTFS file system and the practical application of that knowledge from an investigator’s perspective. This will also enable them to better assemble evidence for the court that is clear and supportive of evidential needs. Training will encompass the latest best practice, technologies and techniques available to Law Enforcement Specialists.
Prerequisites
This course is an intermediate-level module and relates to Forensic Computing. Students are expected to have successfully participated in basic training for High Tech Crime Investigators prior to attending this course. Ideally, students should have successfully completed the ECTEG Introductory IT Forensics course.
Students will need to be able to understand and communicate in English.
Small list of agenda / topics / main points
Content includes:
- exFAT file system properties and associated artefacts
- FAT32 file system properties and associated artefacts
- NTFS file system properties and associated artefacts
- advanced file carving based on bitmap and FAT chaining properties
- advanced damaged NTFS volume data recovery