
Data Storage Foundations
4 Days – 32Hrs
Cost: $2,595
Participants will receive
4-Days of Instruction
Course Manual
Practical Files
Attendance Certificate

Rob Attoe
Lead Developer
Rob is the CEO and Founder of Spyder Forensics. He has over two decades of experience developing and presenting training on Digital Forensics, Cyber Security, Mobile Forensics, and eDiscovery education programs for the global digital investigations community.
As a lifetime member of the International Association of Computer Investigative Specialists (IACIS), Rob instructs regularly at the association’s annual conferences and is a lead instructor for several advanced courses as well as regularly presenting at the premier international digital forensics conferences. Rob has contributed to digital forensic publications and is a subject matter expert in various courses for the ATA program managed by the State Department in the USA.
Course Objectives
This four-day course is designed for the examiner tasked with the recovery and analysis of data collected from electronic evidence. Early modules examine techniques in the recovery of volatile data (RAM) including basic analysis techniques and a review of file system fundamentals.
This will be followed by an in-depth analysis of the architecture and functionality of the Microsoft New Technology File System (NTFS), and the exFAT file systems, including the detailed examination of related directory entry information for locating files on electronic media. Attendees will gain insights into the effects of the formatting process and how the system areas function as well as file data management and directory entry metadata pertaining to the stored data. All forensically relevant areas will be examined in detail as well as techniques for identifying potential evidence that may be pivotal to a successful advanced examination.
These topics will be followed by a more in-depth analysis of forensic artifacts within a modern Windows environment that includes advanced Windows Registry examination, introduction to SQLite databases, and recovery of deleted files for the examination of artifacts aligned to user activity.
Students will apply this new knowledge to artifacts located on Windows-based systems where there will be a direct correlation between the File System and Operating System \ Application functions such as Distributed Link Tracking services, Windows 10 Timeline function, and other Operating System-related artifacts.
Students will use a variety of open-source and leading forensic applications to examine key artifacts through multiple hands-on labs and student exercises.
Primary Learning Objectives
Data Storage Foundations - Day 1
Day 1 of the Spyder Forensics Data Storage Foundations course begins with an overview of the course along with an introduction to the Instructor.
We will then examine how data is collected and how it is best preserved and verified using industry recognized practices. We will then proceed to look at the Data Structures of NTFS so that we can understand how this will aid in locating and recovering evidence.
- Review of Digital Evidence collection principles
- Advanced Imaging techniques using CAINE
- Learn of the importance of imaging RAM
- Introduction to RAM Analysis using RegEx and PowerShell.
Instructor Led Lab
This lab focuses on the collection of digital evidence, providing participants with foundational best practices. Attendees will explore advanced imaging techniques using the CAINE (Computer Aided INvestigative Environment) tool for efficient digital extractions. A key discussion will cover the significance of imaging Random Access Memory (RAM), which can yield vital information about active processes and system states during investigations. The lab also introduces RAM analysis using regular expressions (RegEx) and PowerShell, enabling effective interpretation of memory data. By engaging in both theoretical concepts and hands-on exercises, participants will enhance their competencies in digital forensics, equipping them to handle real-world scenarios effectively. This comprehensive lab aims to enrich the knowledge and practical skills of those aspiring to excel in digital forensic investigations.
Instructor Led Lab
In this lab, participants will explore various aspects of the NT operating system’s file system support. The session will start with an overview of the file system capabilities for each NT version, followed by insights into NTFS metadata files and their crucial roles in the file system architecture. Each metadata file’s function will be explained, emphasizing its importance for system integrity and performance. The lab will also cover file record entries, their structure, and significance, as well as NTFS attributes that store essential information about files and directories. Additionally, participants will analyze the B+ tree structure in NTFS directories to understand its role in enhancing file retrieval efficiency. Finally, the instructor will discuss the implications of file deletion on data retrieval and integrity, ensuring participants grasp its lasting effects. This lab aims to provide learners with a deep understanding of NTFS mechanics for practical applications in data management and recovery.
- List file system support for each NT operating system
- Identify NTFS Metadata Files
- List the function of each Metadata file
- Describe a File Record Entry
- List the components of an NTFS Attribute
- Examine the B+ Tree structure of directories
- Describe the effects of data when a file is deleted.
Data Storage Foundations - Day 2
During day 2 of the course we will begin to look at file permissions associated with NTFS and discuss why they are such an important weapon in any forensic investigation.
Alongside this we will explore EFS (Encrypting File System) which is built into the NTFS file system.
- Describe NT Rights and Permissions
- Describe the structure of a Security Descriptor
- Object IDs
- System Access Control List
- Discretionary Access Control List
- Access Control Entries
- Identify Permissions for NT Objects
Instructor Demonstration
This lab focuses on NT Rights and Permissions, providing a comprehensive understanding of system security measures. Participants will explore Security Descriptors, which manage security settings on NT objects, and the significance of Object Identifiers (Object IDs) in uniquely identifying network resources. The lab will examine the System Access Control List (SACL) and Discretionary Access Control List (DACL), both critical for defining user and group access permissions. Emphasizing Access Control Entries (ACEs) that grant or deny access rights, the session will engage participants in identifying permissions associated with various NT objects.
Instructor Led Lab
In this instructor-led lab, students will investigate the processes associated with the Encrypting File System (EFS) and learn how to effectively examine artifacts located within the data-hosting clusters. Participants will gain insights into recognizing the keys and users authorized to decrypt the encrypted data, enhancing their understanding of EFS-related forensic analysis. Through hands-on exercises, learners will practice identifying and extracting relevant artifacts, equipping them with the skills needed to navigate EFS data effectively during investigations.
- Describe the EFS Encryption process
- Identify encrypted files and users that can decrypt
- Describe strategies for decrypting EFS encrypted files
Data Storage Foundations - Day 3
Day 3 of the course looks at the exFAT file system, which will enable us to understand the rules of an exFAT volume and why this is important to the forensic examiner when recovering evidence.
Alongside this we will also look at different core system functions and how we can utilize them to track user activity.
- Describe the history of exFAT
- Identify the system areas of the volume
- Breakdown the Volume Boot Record
- File Allocation Table
- Describe the function of Bitmap
- Breakdown a directory entry
- Describe the effects of data when a file is deleted and review recovery techniques.
Instructor Led Lab
In this lab, participants will explore the exFAT file system, starting with its historical context and evolution as a solution for flash storage compatibility across multiple operating systems. The session will cover the system areas of the exFAT volume, the components and significance of the Volume Boot Record, and the role of the File Allocation Table (FAT) in managing disk space. Participants will learn about the Bitmap’s functionality for representing free and allocated clusters, as well as the structure of directory entries for file access. Finally, the lab will address file deletion implications on data integrity and recovery techniques, providing attendees with practical knowledge for managing deleted files effectively.
Instructor Led Lab
In this lab, participants will examine the Windows Search Database, focusing on its structure and forensic artifacts from table data. The session will also cover Windows Backup options, reviewing various strategies for data recovery. Participants will learn to use forensic tools effectively to extract the data. Additionally, the lab will include extracting data from Shadowcopy stores which may contain historical versions of file data. Through hands-on exercises, attendees will gain practical experience in accessing hidden data structures. By the end of the module, participants will have a solid understanding of these Windows features, enhancing their data management and recovery skills within the operating environment.
- Examination of the Windows Search Database
- Explore Windows Backup options and analysis
- Extraction of data in ShadowCopy store
Data Storage Foundations - Day 4
On day 4 of the course we will bring all of the learnt knowledge together and also look at the Windows Registry and understand the forensic benefits of examining the Registry.
We will also look at the artifacts left behind when a user interacts with the host system.
Finally we will look at the artifacts found on the system after user interaction with the Chromium based Edge browser.
- Define the Windows Registry
- Review the forensic benefits of examining the Registry
- Introduction to the recovery of evidentially relevant data from deleted cells within a registry file
- Analysis of recorded user activity across multiple registry files
Instructor Led Lab
This instructor-led lab focuses on the Windows Registry, a critical component of the operating system that stores configuration settings and options. Participants will begin by reviewing the Windows Registry block structure, gaining a foundational understanding of its cells and storage mechanisms. The session will then delve into the forensic benefits of examining the Registry, highlighting its role in digital investigations, such as uncovering user activity, system configurations, and potential evidence in legal cases.
Instructor Led Lab
In this lab, participants will explore key artifacts left behind through user interaction with files and folders, starting with essential shortcuts to boost productivity. The lab will cover advanced link file tracking, detailing how Windows records user interactions with files at the file system level. Participants will also analyze Windows Jump Lists for quick access to recent files and applications, alongside a practical Jump List analysis. Additionally, the lab will introduce Windows 10 Timeline functions for viewing historical user activities across devices and include an exploration of SQLite analysis for examining lightweight database data.
- Review Windows Shortcuts
- Explore advanced Link File tracking processes
- Review of Windows Jump Lists
- Perform Jump List Analysis
- Introduction into Windows 10 Timeline functions and SQLite database analysis
- Review Chromium-based browsers
- Locate key folders of interest within the user profile
- Learn of the new data storage files and their interpretation using SQLite Scripting techniques
Instructor Led Lab
In this hands-on lab, participants will explore Chromium-based browsers, such as Google Chrome and Microsoft Edge, focusing on their architecture and data management. The labs will cover how to locate key folders within user profiles that are essential for forensic investigations, including browsing history, cache files, cookies, and saved passwords. Additionally, attendees will learn about new data storage files introduced in recent browser updates, emphasizing their significance and interpretation. Through practical exercises, participants will gain the skills to analyze these files and extract meaningful information from user interactions, ultimately enhancing their proficiency in Chromium forensic analysis.