DF410 - NTFS Examinations with EnCase

Duration: 4 Days

This hands-on course provides technical information about the NT File System (NTFS), its role within the Microsoft® Windows operating system, and related topics such as Windows device management and the Windows boot process. The class addresses the on-disk structure of NTFS, including an in-depth analysis of the Master File Table ($MFT), its records, and the attributes contained within those records. Recovery of deleted NTFS files and folders is covered in detail, and a significant practical exercise demonstrates how advanced knowledge of NTFS makes sector-level recovery possible. The course also covers the manipulation of alternate data streams and the way in which reparse points act as mount points for volumes, folders, and external data. The value and structure of Update Sequence Number (USN) change-log data are discussed, followed by detailed information on the structure of NTFS indexes (folders) and how the index records relating to deleted files and folders may be located and parsed.

Delivery method: Group-Live. NASBA defined level: advanced

CPE Credits - 32

Audience

This course is intended for law enforcement officers, corporate and private investigators, computer forensic examiners, and network security personnel. A basic understanding of the concepts of computer forensics is required. The class curriculum builds upon the instruction included in the DF210 - Building an Investigation course, continuing with a focus on NTFS and advanced Windows examinations.

Prerequisites

DF210 - Building an Investigation with EnCase or EnCE Certification. Advance preparation for this course is not required.

Summary

The course provides in-depth coverage of artifacts, including:

  • The Common Log File System (CLFS)
  • Windows device management, device drivers, system services, and device configuration
  • Use of the Windows Data Protection API (DPAPI) to store removable disk passwords in the user’s Registry
  • The Windows BIOS/UEFI boot process and Boot Configuration Database (BCD)
  • The NTFS volume boot record and other metadata files
  • The structure of the Master File Table ($MFT), $MFT records, and $MFT record attributes
  • Sector-level recovery of a fragmented file from an overwritten NTFS volume
  • Alternate data streams
  • Reparse points
  • The Update Sequence Number (USN) change-log journal
  • NTFS directories (filename indexes), index entries and index buffers
  • Link files, object IDs, and the Link Tracking Service (LTS)
  • NTFS compression
  • Windows user accounts, security groups, and security descriptors

Pricing

| Format | Currency | Price |
|---|---|---|
| Per Student at OpenText Site | € | 2,457.82 |
| Per Student at OpenText Site | GBP | 2,130.39 |
| Per Student at OpenText Site | USD | 2,750.00 |

Taxes: All prices exclude VAT or other taxes where applicable (all currencies).

Extra expenses: Customer site course prices do not include instructor travel expenses, which are billed separately.

Reservations: Please provide a minimum of 3 weeks' advance notice when arranging courses at customer sites.

Course & Workshop Calendar

Below is a listing of all the currently available dates and locations for this course or workshop from OpenText.

| Date | Course type | Course name | Language | Location | Price |
|---|---|---|---|---|---|
| Mar 24, 2020 | On-site | DF410 - NTFS Examinations | English | Virtual Classroom - Europe GSI UK Time | 2,130.39 |
| Mar 24, 2020 | On-site | DF410 - NTFS Examinations | English | GSI-Reading, UK | 2,130.39 |
| Mar 31, 2020 | On-site | DF410 - NTFS Examinations | English | GSI-Pasadena, CA | 2,750.00 |
| Mar 31, 2020 | On-site | DF410 - NTFS Examinations | English | Virtual Classroom - North America GSI Pacific Time | 2,750.00 |