Data Storage Foundations

40 Hours

Intermediate Skill Level

This five-day course is designed for the examiner tasked with the recovery and analysis of data collected from electronic evidence.  Early modules examine techniques in the recovery of volatile data (RAM) including basic analysis techniques and a review of file system fundamentals.  This will be followed by an in-depth analysis of the architecture and functionality of the Microsoft New Technology File System (NTFS), and the exFAT file systems, including the detailed examination of related directory entry information for locating files on electronic media.  Attendees will gain insights into the effects of the formatting process and how the system areas function as well as file data management and directory entry metadata pertaining to the stored data.  All forensically relevant areas will be examined in detail as well as techniques for identifying potential evidence that may be pivotal to a successful advanced examination. These topics will be followed by a more in-depth analysis of forensic artifacts within a modern Windows environment that includes advanced Windows Registry examination, introduction to SQLite databases, and recovery of deleted files for the examination of artifacts aligned to user activity.

 

Students will apply this new knowledge to artifacts located on Windows-based systems where there will be a direct correlation between the File System and Operating System \ Application functions such as Distributed Link Tracking services, Windows 10 Timeline function, and other Operating System-related artifacts.

Course Overview

This five-day course is designed for the examiner tasked with the recovery and analysis of data collected from electronic evidence.  Early modules examine techniques in the recovery of volatile data (RAM) including basic analysis techniques and a review of file system fundamentals.  This will be followed by an in-depth analysis of the architecture and functionality of the Microsoft New Technology File System (NTFS), and the exFAT file systems, including the detailed examination of related directory entry information for locating files on electronic media.  Attendees will gain insights into the effects of the formatting process and how the system areas function as well as file data management and directory entry metadata pertaining to the stored data.  All forensically relevant areas will be examined in detail as well as techniques for identifying potential evidence that may be pivotal to a successful advanced examination. These topics will be followed by a more in-depth analysis of forensic artifacts within a modern Windows environment that includes advanced Windows Registry examination, introduction to SQLite databases, and recovery of deleted files for the examination of artifacts aligned to user activity.

 

Students will apply this new knowledge to artifacts located on Windows-based systems where there will be a direct correlation between the File System and Operating System \ Application functions such as Distributed Link Tracking services, Windows 10 Timeline function, and other Operating System-related artifacts.

 

Students will use a variety of open-source and leading forensic applications to examine key artifacts through multiple hands-on labs and student exercises.

Advanced Evidence Collections

  • Review of Digital Evidence collection principles
  • Advanced Imaging formats
  • Learn of the importance of imaging RAM
  • Basic RAM Analysis

Review of Partitioning and the FAT File System

  • Define Physical devices vs. Logical storage areas
  • Review of partitioning schemes
  • Describe the differences between MBR and GPT partitioned disks
  • Review the functionality of the FAT file system
  • Describe saving, deleting and recovery of file data

NTFS File System Deep Dive

  • List file system support for each NT operating system
  • Identify NTFS Metadata Files
  • List the function of each Metadata file
  • Describe a File Record Entry
  • List the components of an NTFS Attribute
  • Examine the B+ Tree structure of directories
  • Describe the effects of data when a file is deleted.

exFAT Introduction and Full Examination

    • Describe the history of exFAT
    • Identify the system areas of the volume
    • Breakdown the Volume Boot Record
    • File Allocation Table
    • Describe the function of Bitmap
    • Breakdown a directory entry
    • Describe the effects of data when a file is deleted and review recovery techniques.

Operating Systems Overview

  • Learn to identify the core features of each New Technology Operating System
  • List the key artifacts contained on modern systems
  • Identify and review common folders on a Modern Operating System
  • Describe the function of the Windows recycle bin
  • Learn of the forensic importance of Windows Thumbcache files

Introduction to the Windows® Registry

  • Define the Windows Registry
  • Discuss Forensic benefits of examining the Registry
  • Introduction into the recovery of evidentially relevant data from deleted cells within a registry file
  • Analysis of recorded user activity across multiple registry files

Analysis of Recent File Activity

  • Introduction to Windows Shortcuts
  • Link File Anatomy
  • Examine registry data relating the recent file activity
  • Introduction to Windows Jump Lists
  • Perform Jump List Analysis
  • Introduction into Windows 10 Timeline functions and SQLite analysis

Introduction into Chromium Based Browser Examinations

  • Review Chromium-based browsers
  • Locate key folders of interest within the user profile
  • Learn of the new data storage files and their interpretation using SQLite Scripting techniques

Request the Syllabus

Contact Spyder Forensics for more details of the course.

Hosting Courses

If you are interested in hosting this, or any of our courses at your facility, contact us.

Ready to get started?

CONTACT US