• Classroom

We started small, in fact very small . . . bits and bytes small, in Part 1, explaining the origins of data and progressing onward, addressing concepts related to data storage, boot records and partitions and how each of these are interrelated and essential in the understanding of the process and methodology of a cyber-forensic investigation.

Part 2 of this series on the introduction to cyber forensics, continues on with our examination of the progression of data onto actual digital evidence by providing a comprehensive examination and discussion of the science of cyber forensic investigations, what is happening behind the scenes to data and why, what to look for and where to find it.

While still focusing on an understandable presentation of often technical concepts, Part 2 examines further advanced topics of a cyber-forensic investigation, including; volume versus partition, cylinder, head, sector, and Logical Block Addressing, File Systems, FAT 12/16 and NTFS and the File Allocation Table (FAT).

Learning Objectives

After completing this course, participants will be able to:

  • Communicate an understanding of volumes and partitions as they relate to investigating digital evidence.
  • Recognize the difference as well as the relationship between cylinder, head and sector, and role of Logical Block Addressing.
  • Differentiate between FAT 12/16 and NTFS file systems.
  • Explain how a cluster size is determined.
  • Validate the functionality, operation and relevance, to a cyber-forensic investigation, of the master file table.
  • Identify significant concepts related to alternative filing systems.

Framework Connections

The materials within this course focus on the Knowledge Skills and Abilities (KSAs) identified within the Specialty Areas listed below. Click to view Specialty Area details within the interactive National Cybersecurity Workforce Framework.

Feedback

If you would like to provide feedback for this course, please e-mail the NICCS SO at NICCS@hq.dhs.gov.