Digital Forensic - Training Materials

Introduction

CIRCL DFIR

An introduction to file-system post-mortem forensic analysis. This page links to the materials used during the forensic training courses, including the slides and links to the disk images.

Training Materials: Edition May 2020

Forensics Challenge ZIP

Use low-level tools like ‘xxd’ and ‘dd’ to recover data out of broken ZIP archives.

cyberday.lu 2019

Download the image of the USB device and dump it over your own USB stick to replay the exercises. Please take care not to accidentally overwrite your internal drive. We advise using tools like ‘dd’ with root rights only on virtual machines or test PCs, not on production machines. We are not responsible if you destroy your computer's disk.

cyberday.lu 2020

To replay an exercise, download the related USB disk image and flash it over your own USB stick. Please take care: do not accidentally overwrite your internal drive. We advise using tools like ‘dd’ with root rights only on virtual machines or test PCs, not on production machines. We are not responsible if you destroy your computer's disk.

cyberday.lu 2022

With the image of the wiped disk, you should be able to replay the exercise.

cyberday.lu 2023

The Master File Table (MFT) is one of the most important metadata structures on an NTFS file system. It keeps track of all files and directories stored on the file system.

The metadata of each file is stored in at least one 1024-byte table entry inside this table. Since most common files require only about 450 bytes of metadata, some unused space is left in the entry.

One feature of NTFS is to store the data of small files inside this free space of the MFT entry, if it fits. This is called resident data. When the file grows over time and the data requires more space than is available there, the data is ‘outsourced’ into dedicated clusters.

For forensics it can be interesting to analyze what happens to the older version of the data of such files. Is content of the old version still kept inside the MFT entry? If yes, it is possible to recover old data from the original version of the file, from the time when it was still small.

The first part of these slides contains a summary of the test. In the second part you will find all the commands to reproduce the exercise for self-study.

The training materials contain an empty disk image and the text files to reproduce the exercise.
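To make the question concrete, here is an added example (not CIRCL's code and not part of the training materials) that builds a constructed 1024-byte MFT FILE record for a small file with resident $DATA, then rewrites it the way a growth to non-resident data would, with the shorter attribute list written over the old one and the rest of the record left as it was. A small parser undoes the NTFS update-sequence fixups, walks the attribute list, and carves printable strings from the slack after the record's used size. The file content, record number, LCN and cluster size are assumptions chosen for the example; whether a given NTFS driver clears the old resident bytes is exactly what the exercise on the real image lets you check.

```python
import re
import struct

RECORD_SIZE = 1024   # one MFT FILE record
SECTOR_SIZE = 512    # fixups protect the last two bytes of every 512-byte sector
FIRST_ATTR = 0x38    # attribute list follows the 48-byte header and the 6-byte update sequence array
ATTR_STD_INFO = 0x10
ATTR_DATA = 0x80
ATTR_END = 0xFFFFFFFF

# Constructed content of the file while it was still small (resident inside the MFT entry).
OLD_CONTENT = (b"shopping list v1: milk, bread, coffee\n"
               b"note to self: rotate the backup keys on Friday\n"
               b"draft: meeting minutes 2019-10-15, attendees TBD\n")


def _resident_attr(attr_type, content, attr_id):
    """Resident attribute: 24-byte header, then the content; whole attribute padded to 8 bytes."""
    length = 24 + len(content)
    length += (-length) % 8
    hdr = struct.pack("<IIBBHHHIHBB", attr_type, length, 0, 0, 0, 0, attr_id,
                      len(content), 24, 0, 0)
    return hdr + content + b"\x00" * (length - 24 - len(content))


def _nonresident_data(real_size, attr_id, first_lcn=0x20, cluster=4096):
    """Non-resident $DATA: 64-byte header plus a one-run data runlist (LCN and cluster size assumed)."""
    nclusters = -(-real_size // cluster)
    runlist = bytes([0x11, nclusters, first_lcn, 0x00])   # 1-byte length, 1-byte LCN, terminator
    runlist += b"\x00" * ((-len(runlist)) % 8)
    hdr = struct.pack("<IIBBHHHQQHHIQQQ", ATTR_DATA, 64 + len(runlist), 1, 0, 0, 0, attr_id,
                      0, nclusters - 1, 64, 0, 0, nclusters * cluster, real_size, real_size)
    return hdr + runlist


def _raw_record(attrs, record_no, base=None):
    """Header + attribute list + end marker. With `base`, bytes beyond the new attribute
    list are left untouched, which is what leaves old resident data behind."""
    body = b"".join(attrs) + struct.pack("<I", ATTR_END) + b"\x00" * 4
    rec = bytearray(base) if base is not None else bytearray(RECORD_SIZE)
    used = FIRST_ATTR + len(body)
    struct.pack_into("<4sHHQHHHHIIQHHI", rec, 0, b"FILE", 0x30, 3, 0, 1, 1, FIRST_ATTR,
                     0x01, used, RECORD_SIZE, 0, len(attrs), 0, record_no)
    rec[FIRST_ATTR:used] = body
    return rec


def _apply_fixups(raw, usn=7):
    """On-disk form: the last 2 bytes of each sector are replaced by the update sequence
    number; the original bytes are saved in the update sequence array at offset 0x30."""
    rec = bytearray(raw)
    usa_off, count = struct.unpack_from("<HH", rec, 4)
    struct.pack_into("<H", rec, usa_off, usn)
    for i in range(1, count):
        end = i * SECTOR_SIZE - 2
        rec[usa_off + 2 * i:usa_off + 2 * i + 2] = rec[end:end + 2]
        struct.pack_into("<H", rec, end, usn)
    return bytes(rec)


def _undo_fixups(disk):
    """Reverse the fixups; a mismatch means a torn write, which a parser must not silently accept."""
    rec = bytearray(disk)
    if rec[:4] != b"FILE":
        raise ValueError("not a FILE record")
    usa_off, count = struct.unpack_from("<HH", rec, 4)
    usn = rec[usa_off:usa_off + 2]
    for i in range(1, count):
        end = i * SECTOR_SIZE - 2
        if rec[end:end + 2] != usn:
            raise ValueError("update sequence mismatch in sector %d" % (i - 1))
        rec[end:end + 2] = rec[usa_off + 2 * i:usa_off + 2 * i + 2]
    return rec


def small_file_record():
    """Record of the file while it is small: $STANDARD_INFORMATION plus a resident $DATA."""
    attrs = [_resident_attr(ATTR_STD_INFO, b"\x00" * 48, 0), _resident_attr(ATTR_DATA, OLD_CONTENT, 1)]
    return _apply_fixups(_raw_record(attrs, 100))


def grown_file_record(small_disk, new_size=5000):
    """Same record after the file grew: $DATA becomes non-resident, the now shorter attribute
    list overwrites the start of the old one, and the tail of the record is not cleared."""
    raw = _undo_fixups(small_disk)
    attrs = [_resident_attr(ATTR_STD_INFO, b"\x00" * 48, 0), _nonresident_data(new_size, 2)]
    return _apply_fixups(_raw_record(attrs, 100, base=raw))


def parse_record(disk):
    """Walk the attribute list; return the attributes and the slack after the record's used size."""
    rec = _undo_fixups(disk)
    first_attr, flags, used, alloc = struct.unpack_from("<HHII", rec, 0x14)
    attrs, off = [], first_attr
    while off + 8 <= alloc:
        atype, alen = struct.unpack_from("<II", rec, off)
        if atype == ATTR_END or alen == 0:
            break
        if rec[off + 8]:   # non-resident: real size at +0x30, the content lives in clusters
            attrs.append({"type": atype, "resident": False,
                          "size": struct.unpack_from("<Q", rec, off + 0x30)[0]})
        else:              # resident: content length at +0x10, content offset at +0x14
            clen, coff = struct.unpack_from("<IH", rec, off + 0x10)
            attrs.append({"type": atype, "resident": True,
                          "content": bytes(rec[off + coff:off + coff + clen])})
        off += alen
    return {"in_use": bool(flags & 1), "attributes": attrs, "used": used,
            "slack": bytes(rec[used:alloc])}


def carve_strings(blob, min_len=8):
    """Printable ASCII runs in a byte blob, the usual first look at record slack."""
    return [m.decode("ascii") for m in re.findall(rb"[\x20-\x7e]{%d,}" % min_len, blob)]


if __name__ == "__main__":
    small = small_file_record()
    for label, rec in (("small", small), ("grown", grown_file_record(small))):
        p = parse_record(rec)
        print(label, [(hex(a["type"]), a["resident"]) for a in p["attributes"]],
              "used=%d" % p["used"], carve_strings(p["slack"]))
```

Running the script shows the small record with a resident $DATA and empty slack, and the grown record with a non-resident $DATA whose slack still carries the tail of the old resident content (the first lines are lost under the new attribute headers). On a real image the same parse is done on each 1024-byte record of $MFT; the fixup check matters there, because a record whose sector tails do not match the update sequence number must be treated as torn rather than parsed as if it were intact.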

  • Training materials: 7z file SHA1:1461c8c77e5f092581a083df6a12ad019cd6405d

If you find any error or possible improvement, please notify us.

Updates

  • 15th June 2018 - New training in Luxembourg
  • 16th April 2018 - Initial release of slides version 1.0
  • 29th August 2018 - Slides updated: Digital Forensics 1.0.1 and 1.0.2
  • 20th December 2018 - Slides updated: Digital Forensics 1.0.1: Winter 2018/2019 edition
  • 20th March 2019 - Slides updated: Digital Forensics 1.0.1: Edition May 2019
  • 21st March 2019 - Disk Image updated
  • 22nd May 2019 - Slides updated, Command Line Cheat Sheet v0.1 added
  • October 2019 - cyberday.lu 2019 slides added
  • November 2019 - 1.0.1 slides updates, Forensics Challenge ZIP added
  • May 2020 - Complete revamp of the training materials, increased from 185 to 298 slides
  • October 2020 - cyberday.lu 2020 materials added
  • October 2022 - cyberday.lu 2022 materials added
  • November 2023 - cyberday.lu 2023 materials added