Analyzes the NTFS file system in detail, with an emphasis on forensic information from metadata, slack space, and unallocated space. Examines various Windows® artifacts using appropriate software.
At the end of the course, students will be able to:
1. Extract forensically useful information about a file (e.g. location, size, attributes, and dates and times) from an NTFS file system.
2. Recover a deleted file from an NTFS file system.
3. Find alternate data streams.
4. Determine the links to a file.
5. Identify and extract recycled files in a recycle bin.
6. Use an appropriate registry file to obtain evidence from a registry.