OpenText EnCase - NTFS Examinations

( Duration: 4 Days )

The OpenText EnCase - NTFS Examinations training course provides technical information about the NT File System (NTFS), its role within the Microsoft Windows operating system, and related topics such as Windows device management and the Windows boot process. The class addresses the on-disk structure of NTFS, including an in-depth analysis of the Master File Table ($MFT), its records, and the attributes contained within those records. Detailed information is provided on the recovery of deleted NTFS files and folders, and a substantial practical exercise demonstrates how sector-level recovery is made possible using advanced knowledge of NTFS. The course also covers the manipulation of alternate data streams and the way in which reparse points act as mount points for volumes, folders, and external data. The value and structure of Update Sequence Number (USN) change-journal data is discussed, followed by detailed information on the structure of NTFS indexes (folders) and how the index records relating to deleted files and folders may be located and parsed.

By attending OpenText EnCase - NTFS Examinations workshop, delegates will learn:

  • The Common Log File System (CLFS)
  • Windows device management, device drivers, system services, and device configuration
  • Use of the Windows Data Protection API (DPAPI) to store removable disk passwords in the user's Registry
  • The Windows BIOS/UEFI boot process and Boot Configuration Database (BCD)
  • The NTFS volume boot record and other metadata files
  • The structure of the Master File Table ($MFT), $MFT records, and $MFT record attributes
  • Sector-level recovery of a fragmented file from an overwritten NTFS volume
  • Alternate data streams
  • Reparse points
  • The Update Sequence Number (USN) change-log journal
  • NTFS directories (filename indexes), index entries and index buffers
  • Link files, object IDs, and the Link Tracking Service (LTS)
  • NTFS compression
  • Windows user accounts, security groups, and security descriptors

Prerequisites:

  • Attend a training on OpenText EnCase - Building an Investigation or equivalent practical experience

The OpenText EnCase - NTFS Examinations class is ideal for:

  • Law Enforcement Officers, Computer Forensic Examiners, Corporate & Private Investigators, and Network Security Personnel.

COURSE AGENDA

Day 1

  • An introduction to the New Technology File System (NTFS), as well as the Common Log File System (CLFS) layered above NTFS in later versions of the Windows operating system.
  • Windows device and device-driver information stored in the Windows Registry, including the time of first and last connection and how certain removable disks store encryption passwords in the user's Registry using the Windows Data Protection application programming interface (DPAPI).
  • The Windows boot process on both BIOS and UEFI systems, including the purpose and structure of the Boot Configuration Database (BCD).
  • Master Boot Record (MBR), GUID Partition Table (GPT) and dynamic disk structures, including Windows Registry drive-letter mapping.
  • The purpose and structure of the NTFS Volume Boot Record, as well as the NTFS volume creation process.

Day 2

  • An overview of the NTFS metadata files, paying particular attention to $LogFile, $AttrDef and $. (the NTFS root directory).
  • The location, purpose and structure of the Master File Table (MFT) and MFT Zone.
  • The purpose and structure of MFT records, paying specific regard to the structure of the MFT record header, MFT record reuse, MFT record validation, base vs. extension MFT records, MFT record slack and the potential significance of the MFT record end marker when written by non-Microsoft NTFS implementations.
  • The purpose and structure of MFT record attributes and attribute headers, including the reason for the padding bytes contained therein, as well as the significance of the instance number associated with each one.
  • The purpose and structure of the NTFS Standard Information attribute, with a focus on the timestamps it contains and when they are updated, as well as the meaning and effect of NTFS tunneling.
  • The purpose and structure of the NTFS Filename attribute, including the nature/validity of data also to be found in the Standard Information or Data attributes and the significance of the Filename Attribute when recovering deleted NTFS files and folders and why some such files may be identified as lost.
  • The purpose and structure of the NTFS Volume Name and Volume Information MFT record attributes.

Day 3

  • The purpose and structure of the NTFS Data attribute and how it usually contains the data belonging to small files, as well as how it references the clusters used to store the data belonging to larger files.
  • What happens when a small file grows too large for its data to be stored in its MFT record and the effect of the NTFS Encrypting File System (EFS) on where file data is stored.
  • The difference between virtual cluster numbers (VCNs) and logical cluster numbers (LCNs).
  • Purpose and structure of the NTFS Attribute List attribute.
  • The purpose and structure of NTFS alternate data streams.
  • The purpose and structure of NTFS reparse points, including junctions and volume mount points.

Day 4

  • The purpose, location and structure of the NTFS USN change-journal and the records it contains.
  • Using an EnScript application to parse current change-journal records, as well as those recovered from unallocated clusters and $LogFile.
  • The purpose and structure of the NTFS Index Root MFT record attribute associated with all NTFS folders, the Index Allocation MFT record attribute associated with large NTFS folders (including the index-buffers referenced thereby) and the structure of NTFS index entries.
  • The consequences of file creation/deletion, focusing on the recovery of index records relating to deleted files and folders.
  • Shortcut link file creation and behavior, the purpose and structure of the NTFS Object-ID MFT record attribute, the purpose and structure of the NTFS $ObjId file, and the mode of operation of the Windows Link Tracking Service (LTS).
  • NTFS compression.
  • User accounts and security groups, as well as the purpose and content of the NTFS $Secure file and the security descriptors it contains.

Encarta Labs Advantage

  • One Stop Corporate Training Solution Providers for over 6,000 various courses on a variety of subjects
  • All courses are delivered by Industry Veterans
  • Get jumpstarted from newbie to production ready in a matter of few days
  • Trained more than 50,000 Corporate executives across the Globe
  • All our trainings are conducted in workshop mode with more focus on hands-on sessions

View our other course offerings by visiting https://www.encartalabs.com/course-catalogue-all.php

Contact us for delivering this course as a public/open-house workshop/online training for a group of 10+ candidates.
