CPE credits: 32 | Level: Expert | Prerequisites: EnCase Computer Forensics II or EnCE Certification. Advance preparation for this course is not required.

This hands-on course involves practical exercises and technical information about the NTFS file system. The class addresses the technical issues of the NTFS file system, including an in-depth analysis of the Master File Table (MFT) and its components. Students will locate and recover NTFS artifacts from the MFT and understand their evidentiary value. The course will delve into the NT Registry files for data identifying the computer user, installed applications and customized configurations. Students will recover encrypted passwords, identify alternate data streams, reparse points and mapped drives, identify security permissions for users, and determine if removable media was connected to a NTFS volume. In addition, students will examine partially wiped drives and recover files from partially wiped NTFS volumes.

Emphasis is placed on the meaning and relevance of the artifacts that administratively document the NTFS file system. The course provides in-depth coverage on artifacts involving:

Components of the NTFS Volume Boot Record and the Master File Table
Definitions and purpose of NTFS internal system files
Characteristics and storage of NTFS resident and non-resident attributes
Storage of alternate data streams and reparse points
Addressing NTFS user account information, encryption and file system security
Parsing and examining the NTFS registry
Linking media to an NTFS volume
Addressing technical issues associated with NTFS file systems
Advanced NTFS data recovery

This course is intended for law enforcement officers, computer forensic examiners, corporate and private investigators, and network security personnel. A basic understanding of the concepts of computer forensics and Internet-related access is required. The class curriculum builds upon the foundation of the EnCase Intermediate Analysis and Reporting courses, continuing with a focus on NTFS file system examinations.

BitSec is a Guidance Software licensed training partner and one of only a few training partners in the world that can offer all of their forensic courses. Mike Fowler, Senior Director at Guidance Software, Inc. said: “BitSec Forensics was a natural selection as a Guidance Software training partner. Their years of experience in the forensic training and digital investigations arenas offer students a training experience built upon practical application.”

For more information, contact a BitSec training professional toll free at (877) 272-1417 or by email at training(at)bitsecforensics(dot)com.