File Systems Revealed (4d)

Date: TBA

Price: $4000 per person

Location: Virtual Instructor Led

Course Summary:
This 4-day course is a fast-paced technical course designed for digital forensic practitioners. The in-depth knowledge gained from this course makes explaining the intricacies of file systems to lay people much easier.

Who should attend?
Digital Forensic Analysts and Investigators who would like to gain a deeper understanding of the intricacies of file systems.

The 4-day File Systems Revealed course consists of the following modules:
File Systems Forensics & Data Structures
» What do we need to know? (Signed and Unsigned Integers, Bit assignment, Time representations (DOS32, Win64, Unix/C))
» Introduction to the concept of file system
» References to data
» Metadata of the referenced data
» Introduction to the concept of a file (What constitutes a file?)
» Recognising the Reference, the metadata and the data of a file
» Management of data units (blocks or clusters)
» Introduction to Linked Lists
» Introduction to the Bitmap Structure
FAT 12/16/32
» History
» File System Structures (Boot Sector, FAT table, FSInfo)
» Defining the Reference, the metadata and the data of a file (Directory Entries, Long File Names)
» Management of the data area
» File Creation & File Deletion
» ‘Format’ command Forensics
» Practicals – Case Scenarios
ExFAT Forensics
» History
» File System Structures
» Boot Sector
» Understanding the References (Directory Entries, SET)
» Management of the data area
» File Creation & File Deletion
» ‘Format’ command Forensics
» Practicals – Case Scenarios

NTFS Forensics
» History, theory, MBR, BPB, Extended BPB
» Latest Changes in NTFS (TRIM, garbage collection, etc)
» MFT
» File Record
» File Record Header
» File Record Attributes in Depth
» NTFS Time Stamps Discussion
» NTFS $ (system) files
» NTFS Compression
» NTFS EFS
» Tracing File Ownership
» Management of the data area
» File Creation & File Deletion
» ‘Format’ command Forensics
» Practicals – Case Scenarios
Linux File Systems (ext2/3/4)
» Superblock
» Group Descriptor
» Block Bitmap
» Inode Bitmap
» INODE
» Data block
» Direct, indirect, double indirect
» File Creation & File Deletion
» ‘Format’ command Forensics
Mac File Systems (APFS/HFS/HFS+)
» Volume Headers
» Special Files
» Catalog Entry Structure
» Data Forks vs Resource Forks
» UNIX special file support
» iNode Files/Hard Links
» File Creation & File Deletion
» ‘Format’ command Forensics
» Practicals – Case Scenario
