Data Storage Foundations
4 Days – 32 Hrs
Cost: $2,595
Participants will receive:
- 4 Days of Instruction
- Course Manual
- Practical Files
- Attendance Certificate
Rob Attoe
Lead Developer
Rob is the CEO and Founder of Spyder Forensics. He has over two decades of experience developing and presenting training on Digital Forensics, Cyber Security, Mobile Forensics, and eDiscovery education programs for the global digital investigations community.
As a lifetime member of the International Association of Computer Investigative Specialists (IACIS), Rob instructs regularly at the association’s annual conferences and is a lead instructor for several advanced courses as well as regularly presenting at the premier international digital forensics conferences. Rob has contributed to digital forensic publications and is a subject matter expert in various courses for the ATA program managed by the State Department in the USA.
Course Objectives
This four-day course is designed for the examiner tasked with the recovery and analysis of data collected from electronic evidence. Early modules examine techniques for the recovery of volatile data (RAM), including basic analysis techniques and a review of file system fundamentals.
This is followed by an in-depth analysis of the architecture and functionality of the Microsoft New Technology File System (NTFS) and the exFAT file system, including a detailed examination of the related directory entry information used for locating files on electronic media. Attendees will gain insight into the effects of the formatting process, how the system areas function, and how file data and directory entry metadata are managed for the stored data. All forensically relevant areas will be examined in detail, along with techniques for identifying potential evidence that may be pivotal to a successful advanced examination.
These topics will be followed by a more in-depth analysis of forensic artifacts within a modern Windows environment that includes advanced Windows Registry examination, introduction to SQLite databases, and recovery of deleted files for the examination of artifacts aligned to user activity.
Students will apply this knowledge to artifacts located on Windows-based systems, where there is a direct correlation between the File System and Operating System / Application functions such as the Distributed Link Tracking service, the Windows 10 Timeline function, and other Operating System-related artifacts.
Students will use a variety of open-source and leading forensic applications to examine key artifacts through multiple hands-on labs and student exercises.
Primary Learning Objectives
Data Storage Foundations - Day 1
Day 1 of the Spyder Forensics Data Storage Foundations course begins with an overview of the course along with an introduction to the Instructor.
We will then examine how data is collected, and how it is best preserved and verified using industry-recognized practices. We will then proceed to the data structures of NTFS so that we can understand how they aid in locating and recovering evidence.
The most important stage in a digital forensic exam is seizure and preservation. The goal of any examiner should be to collect as much data as possible for examination, using the most forensically sound method available. During this module we will examine how data is collected using industry-recognized practices for the preservation and verification of digital data, with a focus on volatile and remote data.
- Review of Digital Evidence collection principles
- Advanced Imaging techniques using CAINE
- Learn the importance of imaging RAM
- Introduction to RAM Analysis using RegEx and PowerShell
Instructor Led Lab
This module describes the data structures that NTFS uses to store and retrieve data saved within the volume. Understanding the data structures of NTFS will aid in locating and recovering evidence that would be hidden from the casual user.
- List file system support for each NT operating system
- Identify NTFS Metadata Files
- List the function of each Metadata file
- Describe a File Record Entry
- List the components of an NTFS Attribute
- Examine the B+ Tree structure of directories
- Describe the effects on data when a file is deleted
Instructor Led Lab
Data Storage Foundations - Day 2
During day 2 of the course we will begin to look at the file permissions associated with NTFS and discuss why they are such an important tool in any forensic investigation.
Alongside this we will explore EFS (Encrypting File System) which is built into the NTFS file system.
This module will focus on all aspects of the file permissions associated with NTFS.
NT Rights and Permissions are an important aspect of any forensic investigation, and we will look at those along with the many different facets of Access Controls.
- Describe NT Rights and Permissions
- Describe the structure of a Security Descriptor
- Object IDs
- System Access Control List
- Discretionary Access Control List
- Access Control Entries
- Identify Permissions for NT Objects
Instructor Demonstration
During this module we will explore the Encrypting File System (EFS) built into the NTFS file system.
- Describe the EFS Encryption process
- Identify encrypted files and the users that can decrypt them
- Describe strategies for decrypting EFS encrypted files
Instructor Led Lab
Data Storage Foundations - Day 3
Day 3 of the course looks at the exFAT file system, which will enable us to understand the rules of an exFAT volume and why this is important to the forensic examiner when recovering evidence.
Alongside this we will also look at different core system functions and how we can utilize them to track user activity.
This module describes how the exFAT file system organizes data. Understanding the rules of an exFAT volume will aid with locating and recovering evidence that would be hidden to the casual user.
- Describe the history of exFAT
- Identify the system areas of the volume
- Break down the Volume Boot Record
- File Allocation Table
- Describe the function of the Bitmap
- Break down a directory entry
- Describe the effects on data when a file is deleted and review recovery techniques
Instructor Led Lab
During this module we will review core system functions that track user activity and provide built-in backup options.
- Examination of the Windows Search Database
- Explore Windows Backup options and analysis
- Extraction of data from Shadow Copy stores
Instructor Led Lab
Data Storage Foundations - Day 4
On day 4 of the course we will bring together everything learned so far and also look at the Windows Registry, to understand the forensic benefits of examining the Registry.
We will also look at the artifacts left behind when a user interacts with the host system.
Finally we will look at the artifacts found on the system after user interaction with the Chromium-based Edge browser.
During this module we will review the purpose of the registry and how to read its structure in different applications. Students will learn the forensic relevance of Windows 10 registry files.
- Define the Windows Registry
- Review the forensic benefits of examining the Registry
- Introduction to the recovery of evidentially relevant data from deleted cells within a registry file
- Analysis of recorded user activity across multiple registry files
Instructor Led Lab
During this module students will explore the function of Windows Link files and the many artifacts left behind through user interaction with the host system.
- Review Windows Shortcuts
- Explore advanced Link File tracking processes
- Review of Windows Jump Lists
- Perform Jump List Analysis
- Introduction to Windows 10 Timeline functions and SQLite database analysis
Instructor Led Lab
During this module we explore browser characteristics and the artifacts left behind through user interaction with the Chromium-based Edge browser.
- Review Chromium-based browsers
- Locate key folders of interest within the user profile
- Learn of the new data storage files and their interpretation using SQLite scripting techniques
Instructor Led Lab