FOR420 - NTFS File System

This seminar presents the complete details of the NTFS file system on-disk structure. You will learn how files are stored in NTFS, how directory indexes work, and how to recover deleted files and partitions.

Level:	Intermediate
Audience:	Cyber forensics investigators
Topics:	NTFS paradigm Clusters Files Attributes and streams Security Names and collation Indexing Hard and soft links Link tracking and object IDs Quotas Fault tolerance Encryption Compression Sparse files Timestamps Transaction log Checkpoint records Undo Redo Important non-NTFS areas Master boot record Partition table BIOS parameter block NTFS boot block B+ Trees Free blocks Indexes File system metadata files $MFT: Master File Table $MFTMirr: MFT mirror $LogFile: Transaction log $Volume: Volume information $AttrDef: File attributes and names .: Root directory $Bitmap: Volume bitmap $Boot: Volume boot record $Bad: Bad clusters $Secure: Security descriptors $UpCase: Lowercase character conversion table $Extend: Directory of additional metadata files $Extend$Reparse: Reparse points $Extend$UsnJrnl: Update Sequence Number journal $Extend$Quota: Disk space quota $Extend$ObjId: Object IDs $Extend$RmMetadata: Resource manager directory File Record Segment Attributes Data runs Update sequence number Attributes Standard information Attribute list File name Object ID Security descriptor Volume name Volume information Data Index root Index allocation Bitmap Reparse point Extended attribute information Extended attributes Property set Logged utility stream "Undeleting" files Finding the FRS Finding the clusters Recovering a deleted partition Locating the start of the partition Editing the partition table Recovering a formatted disk Finding the original MFT Updating the MFT
Prerequisites:	FOR201: Windows Internals Overview, or FOR205: Windows Internals for Forensics, or equivalent Windows experience; and FOR220: Windows Storage Systems Overview
Operating systems supported:	All Windows versions
Durations and formats:	2 days with labs