X-Ways Forensics and File Systems Revealed: NTFS

The Austin Chapter will be hosting the X-Ways Forensics and File Systems Revealed: NTFS courses during the week of May 19-23. Registration for this training is open to everyone.

For more information on location, price and/or to register, please visit: http://www.x-ways.com/training/austin.html

X-Ways Forensics, 4 days

This course is focused on the systematic and efficient examination of computer media using our integrated computer forensics software “X-Ways Forensics”. After attending this course, you are qualified to start the X-PERT certification process.

Complete and systematic coverage of all computer forensics features in WinHex and X-Ways Forensics. Hands-on exercises, simulating most aspects of the complete computer forensics process. Attendees are encouraged to immediately try out the insights provided by the instructor on sample image files. Many topics are explained along with their theoretical background (slack: beyond the usual, how hash databases are internally structured, how deleted partitions are found automatically, with what methods X-Ways Forensics finds deleted files). Other topics are forensically sound disk imaging and cloning, data recovery, search functions, dynamic filtering, report creation, … Emphasis can be put on any aspect suggested by the participants. You will receive complete printed training material for later review. Prerequisite: basic knowledge of computer forensics.

Students will learn, for example, how to get the most thorough overview conceivable of existing and deleted files on computer media, how to scan for child pornography in the most efficient way, or how to manually recover deleted files compressed by NTFS which would not even be found by conventional file carving techniques.

File Systems Revealed

Variable combination of file system courses, with extensive introduction to file system basics (binary data storage concepts, data types, date formats) and for example to the file systems FAT12, FAT16, FAT32 (1/2 day), NTFS (1 day), and Ext2/Ext3/Ext4 (1/2 day). See below for file system courses that are available.

By fully understanding the on-disk structures of the file system, you are able to recover data manually in many severe data loss scenarios where automated recovery software fails, to verify that computer forensics software functions correctly, and to collect meta information beyond what is reported automatically, which might yield clues for the given case. In general, this also leads to a better understanding of the data presented by forensic software, of how computer forensics software works and of its limitations.

Newly gained knowledge is applied immediately by examining data structures on a practical example with WinHex. These exercises ensure that you remember what you have learned. The effects of file deletion and the potential for file recovery are explained. By the end you will be able to navigate almost intuitively on a hard disk and to identify various sources of information with relevance to forensics. You will be able to recover data manually in several cases even where automated software fails and to verify the results computer forensics software reports automatically. You will receive complete documentation of all the file systems discussed in this course, with all the training material for later review. Prerequisite: general computer science knowledge recommended (not just computer knowledge).

For more information on these courses, please visit: http://www.x-ways.com/training/index.html
