Cyber Forensics: Analyzing Data Streams in NTFS
The course will help students to learn about the basics of Microsoft Windows File System (NTFS), the Master File Table (MFT) and how data is stored in data streams, both primary and alternate. Students will also get to differentiate between resident and non-resident data and learn how to hide data in the ADS. It would also enable students to analyze the data inside and outside of the MFT and to locate the specific cluster/sector on the hard disk where this data is actually stored. Moreover the students will be able to:
- Understand the basics of Alternate Data Streams (ADS), their usage and history
- Adding resident (less than 512 bytes) and non-resident (more than 512 bytes) data in both alternate and primary data streams
- Analyzing the resident data in any stream by locating it inside the MFT using a common Hex Editor
- Analyzing the non-resident data in any stream by locating its actual cluster and sector address on the disk
- Verifying the presence of non-resident data in any data stream with the help of another Hex Editor
- Practically experiment common Forensics tools and Hex Editors for analyzing data in the MFT and otherwise.
This course will turn out to be very useful for the students who want to understand the basics of computer forensics and file systems as it provides insight to analyzing data stored in the data streams.
Who this course is for:
- Cyber Security and forensics related students and professionals
- Fundamental knowledge about computers and Windows OS
Last Updated 9/2021