FOR220 - Windows Storage Architecture Overview

Understanding how files are stored (and may be hidden) on a disk or other storage media (solid-state disk, USB "key", SD card, etc.) is essential to performing a thorough forensic investigation. Learn the essentials of the on-disk formats of NTFS, EFS, FAT 12/16/32, exFAT, CDFS, and UDFS. This seminar also covers details of partitioning methods (MBR vs. GPT), the various types of Windows "volumes," basic vs. dynamic disks, and the newer Storage Spaces.

Level: Intermediate

Audience: Cyber forensics investigators

Topics:
  • Review of storage devices
  • Cloning and examination methods
  • Partition structure
    • Master Boot Record (MBR) partitioning
    • GUID Partition Table (GPT) partitioning
    • Partitioning schemes vs. platform firmware
  • Disk volumes – 1
    • Concepts
    • Volumes on basic disks
  • Multi-disk storage schemes
    • Spanning
    • Striping
    • Mirroring
    • RAID
    • Proprietary schemes
  • Disk volumes – 2
    • Legacy Windows "fault-tolerant" volumes
    • Volumes on dynamic disks
    • Windows Storage Spaces
  • Hardware storage subsystems
    • Storage controllers
    • Network-attached storage (NAS)
    • Storage area network (SAN)
  • Windows file systems
    • Role of file systems
    • Relationship of file systems to volumes
    • Capabilities and features of Windows primary file systems (FATxx, exFAT, NTFS)
    • Additional file systems (Encrypting File System, ReFS)
    • Recovering "deleted" files
    • Finding hidden files

Prerequisites: FOR111: Data Storage and Recovery Methods, or equivalent Windows experience

Operating systems supported: All Windows versions

Duration and format: 1 day with labs