Data Storage Foundations

40 Hours

Intermediate Skill Level

This five-day course is designed for the examiner tasked with the recovery and analysis of data collected from electronic evidence. Early modules cover techniques for the recovery of volatile data (RAM), including basic analysis techniques and a review of file system fundamentals. This is followed by an in-depth analysis of the architecture and functionality of the Microsoft New Technology File System (NTFS) and the exFAT file system, including detailed examination of the related directory entry information used to locate files on electronic media. Attendees will gain insight into the effects of the formatting process, how the system areas function, and how file data and directory entry metadata describe the stored data. All forensically relevant areas are examined in detail, along with techniques for identifying potential evidence that may be pivotal to a successful advanced examination. These topics are followed by a more in-depth analysis of forensic artifacts within a modern Windows environment, including advanced Windows Registry examination, an introduction to SQLite databases, and the recovery of deleted files for the examination of artifacts tied to user activity.

Students will apply this new knowledge to artifacts located on Windows-based systems, where there is a direct correlation between the file system and Operating System / Application functions such as the Distributed Link Tracking service, the Windows 10 Timeline function, and other Operating System-related artifacts.

Course Overview

Students will use a variety of open-source and leading forensic applications to examine key artifacts through multiple hands-on labs and student exercises.

Advanced Evidence Collections

  • Review of digital evidence collection principles
  • Advanced imaging techniques using CAINE
  • Learn the importance of imaging RAM
  • Introduction to RAM analysis using RegEx and PowerShell

Review of Partitioning and the FAT File System

  • Define physical devices vs. logical storage areas
  • Review of partitioning schemes
  • Describe the differences between MBR and GPT partitioned disks
  • Review the functionality of the FAT file system
  • Describe the saving, deleting and recovery of file data

NTFS File System Deep Dive

  • List file system support for each NT operating system
  • Identify NTFS metadata files
  • List the function of each metadata file
  • Describe a File Record Entry
  • List the components of an NTFS attribute
  • Examine the B+ tree structure of directories
  • Describe the effects on data when a file is deleted

exFAT Introduction and Full Examination

  • Describe the history of exFAT
  • Identify the system areas of the volume
  • Break down the Volume Boot Record
  • Examine the File Allocation Table
  • Describe the function of the allocation Bitmap
  • Break down a directory entry
  • Describe the effects on data when a file is deleted and review recovery techniques

Core Operating System Functionality Analysis

  • Examination of the Windows Search database
  • Explore Windows Backup options and their analysis
  • Extraction of data from Volume Shadow Copy stores

Deep dive into the Windows® Registry

  • Define the Windows Registry
  • Review the forensic benefits of examining the Registry
  • Introduction to the recovery of evidentially relevant data from deleted cells within a registry file
  • Analysis of recorded user activity across multiple registry files

Analysis of Recent File Activity

  • Review Windows shortcuts
  • Explore advanced link file tracking processes
  • Review of Windows Jump Lists
  • Perform Jump List analysis
  • Introduction to Windows 10 Timeline functions and SQLite analysis

Introduction to Chromium-Based Browser Examinations

  • Review Chromium-based browsers
  • Locate key folders of interest within the user profile
  • Learn the new data storage files and how to interpret them using SQLite scripting techniques

Request the Syllabus

Contact Spyder Forensics for more details about the course.

Hosting Courses

If you are interested in hosting this or any of our courses at your facility, contact us.
