National CAE Designated Institution
  • Classroom
  • Online, Instructor-Led

Analyzes the NTFS file system in detail with an emphasis on forensic information from metadata, slack space, and unallocated space. Examination of various Windows® artifacts using appropriate software.

Learning Objectives

At the end of the course students will be able to:

1. Extract forensically useful information about a file (e.g. location, size, attributes, and dates and times) from an NTFS file system.

2. Recover a deleted file from an NTFS file system.

3. Find alternate data streams.

4. Determine the links to a file.

5. Identify and extract recycled files in a recycle bin.

6. Use an appropriate registry file to obtain evidence from a registry.

Framework Connections

The materials within this course focus on the NICE Framework Task, Knowledge, and Skill statements identified within the indicated NICE Framework component(s):

Specialty Areas

  • Cyber Investigation
  • Digital Forensics

Specialty Areas have been removed from the NICE Framework. With the recent release of the new NICE Framework data, updates to courses are underway. Until this course can be updated, this historical information is provided to give better context as to how it can help you with your cybersecurity goals.