Provided by: X-Ways Software Technology AG

X-Ways Forensics & File System Revealed

Training Provided by X-Ways Software Technology AG

1) X-Ways Forensics

This course is focused on the systematic and efficient examination of computer media using our software X-Ways Forensics. The goal is to be able to draw sustainable conclusions from the data and metadata stored on, or seemingly deleted from, media in order to answer specific questions, while documenting the proceedings in a manner acceptable in court.

Examples:
"What documents were deleted on the evening of January 12, 2005?"
"What pictures were hidden how, where and by whom?"
"Who viewed which web pages on what day?"
Complete and systematic demonstration of all computer forensics features in WinHex/X-Ways Forensics and X-Ways Replica, including forensically sound disk imaging and cloning. Hands-on exercises with sample media, simulating most aspects of the complete computer forensics process. Covers forensically sound cloning under DOS and Windows, evidence acquisition, data recovery, and report creation. Emphasis can be put on any aspect suggested by the participants. You will receive complete printed training material for later repetition. Prerequisite: basic knowledge of computer forensics.
Students will learn, for example, how to get the most thorough overview conceivable of existing and deleted files on computer media, how to scan for child pornography in the most efficient way, or how to manually recover deleted files compressed by NTFS which would not even be found by conventional file carving techniques.

2) File Systems Revealed

Extensive introduction to the file systems FAT12, FAT16, FAT32 (1/2 day), NTFS (1 day), and Ext2/Ext3 (1/2 day). By fully understanding the on-disk structures of the file system, you are able to recover data manually in many severe data loss scenarios where automated recovery software fails, to verify the correct functioning of computer forensics software, and to collect meta information beyond what is reported automatically, which might yield clues for the given case. In general, this also leads to a better understanding of the data presented by forensic software, of how computer forensics software works, and of its limitations.
Immediate application of newly gained knowledge by examining data structures on a practical example with WinHex. These exercises will ensure that you remember what you have learned. By the end you will be able to navigate almost intuitively on a hard disk and to identify various sources of information with relevance to forensics. You will be able to recover data manually in several cases even where automated software fails and to verify the results that computer forensics software reports automatically. You will receive complete documentation of all the file systems discussed in this course, with all the training material for later repetition. Prerequisite: general computer science knowledge recommended (not just computer knowledge).
This is primarily instructor-led training (ILT)
Computer Lab Work
This class may be available at a classroom in Cologne, Nordrhein-Westfalen, or at one of these training facilities: Falls Church, VA; Seattle, WA; San Francisco, CA
Contact X-Ways Software Technology AG for more information
Course Level: intermediate
Duration: 4 days
Training Presented in: English

X-Ways Forensics & File System Revealed

1) X-Ways Forensics

Understanding all options of X-Ways Replica
Basic setup of the software
Learning the user interface components
Understanding the data interpreter
Preparing media for cloning
Cloning media/Image creation
Creating a case/adding evidence objects
Hash calculation and checking
Using the gallery view and skin color detection efficiently
Calendar view usage (timeline)
Previewing file contents
Creating drive contents tables systematically
Creating hash sets and matching against existing hash sets
Detecting data hiding methods like alternate data streams, host-protected areas (HPA), misnamed files
Adding annotations/bookmarks
Working with the directory browser
Synchronizing directory browser and directory tree for optimized work
Working with the Access button menu
Various methods of file recovery
Recovering deleted NTFS-compressed files manually
Customizing file signatures
Extraction and analysis of free space, slack space, etc.
Finding and analyzing deleted partitions
Using search functions effectively
Efficient navigation of the file systems' data structures
Data profiles
Decoding Base64, Uuencode, etc.
Viewing RAM
Report generation
Optionally other topics like template and script programming

2) File Systems Revealed

Basics:
Binary data storage concepts
Data types
Date formats
FAT:
Structure of FAT file systems
Boot record
File Allocation Table (FAT)
Directory entries

NTFS:
Boot sector
Master File Table (MFT)
FILE records structure
FILE record attributes
Attribute lists
Directory organisation in NTFS
INDX record structure
NTFS system files
Consistency in NTFS
Alternate data streams
Encrypting File System: NTFS encryption
...
Ext2/3:
Structure of Ext file systems
Superblocks, group descriptors, block groups, bitmap blocks
Inodes
Concept of block addressing
Concept of directory structure
Effects of file deletion
...
About The Training Provider: X-Ways Software Technology AG
X-Ways Software Technology AG - X-Ways specializes in developing and marketing software technology for computer forensics, electronic discovery, data recovery, and IT security. We offer general and product-related computer forensics training in the USA and Germany. We have more than 16,500 clients worldwide, including professionals in all kinds of businesses, public administration, education, in law enforcement, government...
This page was last updated on sb5- 08/07/08 at 01:58:38 - 22:38:24