Applied NT forensics

Recover evidence more effectively, understand automated forensic tools and be better prepared to assemble evidence for court.

​In-depth technical knowledge is introduced in a mixture of trainer-led presentations and practical sessions allowing students to fully understand and implement their new skills with purpose and effect.

Aims

​The release of Microsoft Windows 8.1 and 10 and also the predominance of NT-based computers running on NTFS file systems require forensic examiners to have a robust understanding of these structures. 

This course will enable examiners to recover evidence more effectively and have a much better understanding of what their automated forensic tools are doing. 

They will be better prepared to assemble evidence for court that is clear and supportive of evidential needs.

Objectives

  • ​Interrogate, interpret and recover potential evidence found on NT-based computers running on NTFS file systems. The registry,​ recycle bin, master file table and other operating system and file system structures likely to hold evidential data will be examined and explained at their fundamental levels.
  • Describe the relevant changes incorporated in Windows 8.1 and Windows 10.
  • Explain the construction of the NTFS file system.
  • Explain the workings of the master file table.
  • Define the use​ of metadata, attributes and directories
  • Describe how data is saved/deleted using NTFS and the working of the recycle bin.
  • Describe how Alternate data​ streams work.
  • Explain NTFS compression and encryption and the forensic implications.
  • Explain the structure of the registry and locate data of interest.
  • Describe the built-in security capabilities of NTFS, file ownership and user identification.
  • Explain the VSS​​ (volume snapshot service).
  • Discuss method​s of live systems analysis.

Key details

Qualification eligibility

Attended​ the core skills in data recovery and analysis course, Shrivenham foundation course, or similar.

Prerequisites

At least 12 months experience in a forensic computing environment.

Practitioner group

Experienced forensic computer analysts.

Duration

Five days.

Accreditation
Yes
Accreditation notes:

Students attending this course will undertake a final assessment.

Cost

Home Office forces (non-residential):

£1,231.50 for courses to 31 March 2021

Course contact
Booking
Was this page useful?

Do not provide personal information such as your name or email address in the feedback form. Read our privacy policy for more information on how we use this data

What is the reason for your answer?
I couldn't find what I was looking for
The information wasn't relevant to me
The information is too complicated
Other