File Systems Forensics

This 3-day Advanced File Systems technical course will explore the workings of all the major file systems (FAT, NTFS, exFAT, Ext2/3/4, HFS, HFS+).

The 3-day File System Forensics Course consists of the following:
1. File Systems Forensics & Data Structures
- Introduction - What do we need to know? (Signed and Unsigned Integers, Bit assignment, Time representations (DOS32, Win64, Unix/C))
- Introduction to the concept of file system
- References to data - General
- Metadata of the referenced data
- Introduction to the concept of a file - what constitutes a file - recognising the Reference, the metadata and the data of a file
- Management of data units (blocks or clusters)
- Introduction to the concept of Linked
- Introduction to the concept of Bitmap Structure
2. FAT 12/16/32
- History
- File System Structures: Boot Sector, FAT table, FSInfo
- Defining the Reference, the metadata and the data of a file (Directory Entries, Long File Names)
- File Creation
- File Deletion
- "Format" command Forensics
- Practicals - Case Scenarios
3. exFAT Forensics
- History
- File System Structures
- Boot Sector
- Understanding the References - Directory entry SET
- Management of the data area
- File Creation
- File Deletion
- "Format" command Forensics
- Practicals - Case Scenarios
4. NTFS Forensics
- History, theory, MBR, BPB, Extended BPB
- Latest Changes in NTFS (TRIM, garbage collection, etc.)
- MFT
- File Record
- File Record Header
- File Record Attributes in Depth
- NTFS Time Stamps Discussion
- NTFS $ (system) files
- NTFS Compression
- NTFS EFS
- Tracing File Ownership
- Management of the data area
- File Creation
- File Deletion
- "Format" command Forensics
- Practical - Case Scenarios
5. Linux File Systems (ext2/3/4)
- Superblock
- Group Descriptor
- Block Bitmap
- Inode Bitmap
- INODE
- Data block
- Direct, indirect, double indirect..
- File Creation
- File Deletion
- "Format" command Forensics
6. Structures - Mac File System HFS/HFS+
- Volume Headers
- Special Files
- Catalog Entry Structure
- Data Forks vs Resource Forks
- UNIX special file support
- iNode Files/Hard Links
- File Creation
- File Deletion
- "Format" command Forensics
- Practicals - Case Scenarios