Course info
Rating: (23)
Level: Intermediate
Updated: Jul 7, 2017
Duration: 1h 10m
Description

Do you like the idea of being able to find what others cannot? In this course, Digital Forensics: Getting Started with File Systems, you'll dive into learning about digital forensics, file systems, and how digital forensic investigators use them to prove what did or did not happen on a system. You'll begin by covering topics such as tracks, sectors, clusters, blocks, and slack space. Next, you'll dig deeper into permissions and metadata. Finally, you'll take a look at timestamps and journaling, all while making use of Autopsy as your tool. By the end of this course, you'll know how to navigate Autopsy and the native Windows, Linux, and Mac OS X operating systems to find file system level forensic evidence.

About the author

Evan is an engineer by nature and a security professional by trade with over a decade of experience in technology and security. He enjoys learning new technologies and how to get more out of existing technologies through integration, enrichment, and innovation of new use cases.

Section Introduction Transcripts

Course Overview
Hi everyone. My name is Evan Morgan, and welcome to my course, Digital Forensics - Getting Started with File Systems. I'm a security professional at a Fortune 100 financial services firm and have over a decade of experience in the security field. Do you like the idea of being able to find what others cannot? Does being in the know about what's happening on a system when the average user is completely oblivious to the hidden data right in front of them pique your interest? If so, then you'll most likely enjoy learning more about digital forensics. Some of the major topics that we'll cover include tracks, sectors, clusters, blocks, and slack space, permissions, metadata, timestamps, and journaling. By the end of this course you'll know how to navigate Autopsy and the native Windows, Linux, and Mac OS X operating systems to find all of this file system-level forensics evidence. I hope you'll join me on this journey to learn more about digital forensics with the Digital Forensics - Getting Started with File Systems course, at Pluralsight.

Getting Started with New Technology File System (NTFS)
Hi everyone. My name is Evan Morgan. And in this course, we'll be going through digital forensics, specifically getting started with the file systems. This module is going to start off with getting started with New Technology File System, or NTFS for short, which is very common in the Windows Operating System. Before we jump into the details, though, I want to start talking about how do you prepare your forensics environment so that you can even do forensics analysis on NTFS, or any other file system types. Then we'll go ahead and start digging into the basics of hard disks, what they are, how data is stored on them, things like that. And then we'll dig a little deeper and provide an overview of the concept of tracks, sectors, clusters, and slack space. And then we'll dig into timestamps. Timestamps from a forensics standpoint are extremely important. They allow you to build a timeline and understand the events that happened, when they happened, what led up to an event that was of forensics importance, versus what happened afterwards. And then we're going to discuss metadata, followed by journaling, giving you a better understanding of what journaling is and why it's important from a forensics perspective. We'll also highlight the permission types in NTFS and what is unique about NTFS versus some other operating system types, or file system types. Specific to NTFS, we'll also go through the Master File Table and the Change Journal and how it's different than regular journaling. And finally, we'll dig into some methods on how to hide your tracks from a forensics investigator. So you can essentially think of yourself as the bad actor in this instance. And if you think like a bad actor, then you can actually leverage those same methods on how to try to become a better forensics investigator, because you'll understand how people are trying to hide themselves from forensics investigators.

Working with Extended File System (EXT)
Hi everyone. In this module, we're going to go through the extended file system, or EXT for short. Specifically, what we're going to cover is the differences for EXT when it comes to tracks, sectors, clusters, and slack space, if there are any. We're going to go over timestamps and how important they are, we're going to discuss metadata, and we're going to highlight permission types specific to EXT.

Analyzing with Hierarchical File System Plus (HFS+)
Hi everyone. In this module, we're going to go over the Hierarchical File System Plus, or HFS+, for short. We're going to talk about the differences between HFS+ and EXT and NTFS we've previously gone over. Specifically in this module, we're going to talk about the differences with tracks, sectors, clusters, and slack space, if there are any. We're going to talk about timestamps, we're going to talk about metadata, and then lastly, we're going to highlight permissions.