# Day 1
Day 1 begins with an explanation of the structure of NTFS data. Students also learn how a computer system stores information as binary data, how binary data is structured, and how hexadecimal conversion works. This is followed by lectures on the NTFS Volume Boot Record, the functions of the internal system/metadata files, and the structure of the Master File Table (MFT) and how its records are created, and by a hands-on analysis of the MFT record of a specific file. The main lecture topics are as follows.
• NTFS overview
– Understanding the history and key features of NTFS
– Understanding the advantages of NTFS over FAT-based file systems
• Integer interpretation
– Understanding how computers store and interpret data
• NTFS disk structures
– Understanding how disks are split into sectors and how file systems group sectors into clusters
– The limitations of FAT and NTFS file systems
– Understanding the contents and structure of the Master Boot Record (MBR) and the Master Partition Table
– Identifying mounted volumes
• NTFS Volume Boot Record
– Understanding how an active NTFS partition is involved in the boot process
– Understanding the structure of an NTFS partition and the data that it contains
– Decoding the master partition table, disk signature and volume boot record from a target disk
– Identifying a volume’s correct logical drive letter from the Registry
• NTFS volume creation
– Initialization, partitioning and formatting processes associated with disk drives on an NTFS system
– Identifying the internal file-system files that are written to the disk during these processes
– Understanding the artifact folders that are created and maintained by the different NT-based operating systems
• NTFS metadata files
– Identifying the internal metadata files used by NTFS
– Understanding the purpose of each file especially $MFT
– Configuring relevant text styles to better analyze the data contained in each file
– Overview of the internal files: $MFT, $LogFile, $Secure, $Quota, $Bitmap, $AttrDef, and $UsnJrnl
• The Master File Table
– Understanding the purpose and content of the MFT
– Locating the MFT within a volume and describing, locating and identifying the MFT Zone
– Identifying and describing every item on an NTFS volume by the item’s MFT record
• NTFS $LogFile
– Students are introduced to $LogFile, the file used for NTFS transaction logging and recoverability
– Identifying $LogFile and using relevant keywords to search for relevant data
– Identifying NTFS artifacts within $LogFile
– Understanding the purpose and forensic value of artifacts found within
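Worked example added to this outline (it is not course material): a Python parser for the Master Partition Table and the NTFS Volume Boot Record, run against an MBR and a VBR constructed in the block with invented values. It decodes the disk signature and partition entries, then bytes per sector, sectors per cluster, the $MFT and $MFTMirr starting clusters and the signed "clusters per MFT record" byte, computes the absolute byte offset of $MFT in the image, and builds the 12-byte value (disk signature followed by partition byte offset) that the MountedDevices registry key stores for a drive letter on an MBR disk, which is how a volume is matched to its logical drive letter.

```python
import struct

SECTOR = 512


def build_sample_mbr():
    """Constructed MBR (not from a real disk): disk signature plus two NTFS (type 0x07) partitions."""
    mbr = bytearray(SECTOR)
    struct.pack_into("<I", mbr, 0x1B8, 0xA1B2C3D4)           # disk signature, reused by the MountedDevices key
    entries = [(0x80, 0x07, 2048, 204800),                    # active partition, starts at LBA 2048 (1 MiB)
               (0x00, 0x07, 206848, 409600)]
    for i, (boot, ptype, lba, count) in enumerate(entries):   # 16-byte entries at 0x1BE; CHS fields left zero
        struct.pack_into("<B3sB3sII", mbr, 0x1BE + 16 * i, boot, b"\x00\x00\x00", ptype, b"\x00\x00\x00", lba, count)
    mbr[0x1FE:0x200] = b"\x55\xAA"
    return bytes(mbr)


def build_sample_vbr():
    """Constructed NTFS boot sector for the first partition above (values chosen for the example)."""
    vbr = bytearray(SECTOR)
    vbr[0:3] = b"\xEB\x52\x90"                                # jump instruction
    vbr[3:11] = b"NTFS    "                                   # OEM ID
    struct.pack_into("<HB", vbr, 0x0B, 512, 8)                # bytes per sector, sectors per cluster
    vbr[0x15] = 0xF8                                          # media descriptor (fixed disk)
    struct.pack_into("<HHI", vbr, 0x18, 63, 255, 2048)        # sectors per track, heads, hidden sectors
    struct.pack_into("<QQQ", vbr, 0x28, 204799, 786432, 2)    # total sectors, $MFT LCN, $MFTMirr LCN
    vbr[0x40] = 0xF6                                          # clusters per MFT record: negative => 2**10 bytes
    vbr[0x44] = 0x01                                          # clusters per index buffer
    struct.pack_into("<Q", vbr, 0x48, 0x1234567890ABCDEF)     # volume serial number
    vbr[0x1FE:0x200] = b"\x55\xAA"
    return bytes(vbr)


def parse_mbr(mbr):
    """Decode the disk signature and the four partition table entries of a Master Boot Record."""
    if mbr[0x1FE:0x200] != b"\x55\xAA":
        raise ValueError("missing 0x55AA signature: not a boot sector")
    disk_sig = struct.unpack_from("<I", mbr, 0x1B8)[0]
    parts = []
    for i in range(4):
        boot, _, ptype, _, lba, count = struct.unpack_from("<B3sB3sII", mbr, 0x1BE + 16 * i)
        if ptype == 0:                                        # empty slot
            continue
        parts.append({"slot": i, "active": boot == 0x80, "type": ptype, "lba_start": lba,
                      "sector_count": count, "byte_offset": lba * SECTOR})
    return {"disk_signature": disk_sig, "partitions": parts}


def parse_ntfs_vbr(vbr):
    """Decode the BPB / extended BPB fields of an NTFS volume boot record."""
    if vbr[3:11] != b"NTFS    ":
        raise ValueError("OEM ID is not 'NTFS    ': not an NTFS volume boot record")
    bps, spc = struct.unpack_from("<HB", vbr, 0x0B)
    hidden = struct.unpack_from("<I", vbr, 0x1C)[0]
    total, mft_lcn, mftmirr_lcn = struct.unpack_from("<QQQ", vbr, 0x28)
    serial = struct.unpack_from("<Q", vbr, 0x48)[0]
    cluster = bps * spc

    def size_of(v):  # signed byte: 0x80..0xFF means 2**(256 - v) bytes, otherwise v clusters
        return 2 ** (256 - v) if v >= 0x80 else v * cluster

    return {"bytes_per_sector": bps, "sectors_per_cluster": spc, "cluster_size": cluster,
            "hidden_sectors": hidden, "total_sectors": total, "mft_lcn": mft_lcn, "mftmirr_lcn": mftmirr_lcn,
            "mft_record_size": size_of(vbr[0x40]), "index_record_size": size_of(vbr[0x44]),
            "volume_serial": "%016X" % serial}


def mft_byte_offset(partition, vbr_info):
    """Absolute byte offset of $MFT in the disk image: partition start + $MFT LCN * cluster size."""
    return partition["byte_offset"] + vbr_info["mft_lcn"] * vbr_info["cluster_size"]


def mounted_devices_value(disk_signature, byte_offset):
    """12-byte MountedDevices value (\\DosDevices\\X:) for an MBR disk: disk signature + partition byte offset."""
    return struct.pack("<IQ", disk_signature, byte_offset)
```

Two consistency checks worth running on a real image: the hidden-sectors field in the VBR should equal the partition's starting LBA in the MBR, and the VBR's total sector count is one less than the partition's sector count because NTFS keeps the backup boot sector in the last sector of the partition.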
# Day 2
Day 2 covers the structure of the MFT record header and of the main attribute headers (standard information, file name, volume and data attributes), how to tell resident from non-resident files, and, through analysis of the records of deleted files, lectures and hands-on exercises on file carving and recovery techniques.
The main lecture contents are as follows.
• Understanding the $MFT record anatomy
• $MFT record headers
– Identifying and decoding the information contained within an MFT record header
– Distinguishing NT/2000 MFT records from XP/2003/Vista/Server 2008 records
– Recovering deleted files
– Identifying slack area of an MFT record
• Attribute headers
– Discerning between MFT attributes with resident and nonresident data
• Standard Information Attribute
– Identifying the SIA attribute, decoding its length and identifying and decoding the SIA data stream
• Filename Attribute
– Identifying the Filename Attribute, decoding its length and identifying and decoding the FNA data stream
• Volume Attribute
– Locating and decoding Volume Attributes, recovering information such as the volume name, NTFS version and the manner in which the volume was unmounted
• Data Attribute
– Identifying the Data Attribute by its header and parsing it to determine whether the attribute stream (the file's data) is resident or nonresident
# Day 3
Day 3 consists of lectures and hands-on exercises on recovering specific data files from a formatted drive: keyword searches and the Evidence Processor module are used to find and analyse MFT record headers that may survive in unallocated space. The main lecture contents are as follows.
• Identifying Alternate Data Streams and explaining how they are linked to a file by multiple MFT data attributes and examining that data using EnCase
• Applying the skills and knowledge learned so far to recover deleted data from a device
• Understanding how NTFS handles data compression and sparse files
• Encrypting File System (EFS)
– Understanding the encrypting file system and the differences under Windows 2000 and Windows XP/2003/Vista/2008
– Identifying EFS data and recovering plain-text temporary versions of encrypted files
– Cracking EFS encrypted data
– Using EnCase Decryption Suite to decrypt data
• Identifying reparse/mount points and where they link to a disk volume
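Worked example added here for the Day 2 and Day 3 material (it is not course code): a Python parser for a 1024-byte MFT record that applies the update sequence fixups, walks the attribute chain, decodes $STANDARD_INFORMATION and $FILE_NAME (including FILETIME conversion), tells resident from non-resident $DATA, decodes a non-resident data run list into (LCN, cluster count) pairs, and reports record slack. The record is constructed in the block for an invented file "report.docx" with a non-resident main stream and a resident "Zone.Identifier" alternate data stream, so a second named $DATA attribute shows how an ADS is linked to a file. The record number at offset 0x2C is read only when the update sequence array starts at 0x30 (the XP and later layout; NT/2000 records start it at 0x2A), and 512-byte sectors are assumed for the fixups; on a real volume take the sector size from the boot sector.

```python
import struct
from datetime import datetime, timedelta, timezone

ATTR_NAMES = {0x10: "$STANDARD_INFORMATION", 0x30: "$FILE_NAME", 0x80: "$DATA", 0x90: "$INDEX_ROOT"}
EPOCH_1601 = datetime(1601, 1, 1, tzinfo=timezone.utc)
_align8 = lambda n: (n + 7) & ~7

def from_filetime(ft):  # Windows FILETIME (100 ns ticks since 1601-01-01 UTC) -> ISO 8601 string
    return (EPOCH_1601 + timedelta(microseconds=ft // 10)).isoformat()

def resident_attr(atype, content, name="", indexed=0, attr_id=0):
    # 24-byte resident header, optional UTF-16LE name at 0x18, content 8-byte aligned after the name
    name_b = name.encode("utf-16-le")
    coff = _align8(0x18 + len(name_b))
    buf = bytearray(_align8(coff + len(content)))
    struct.pack_into("<IIBBHHHIHBB", buf, 0, atype, len(buf), 0, len(name), 0x18, 0, attr_id, len(content), coff, indexed, 0)
    buf[0x18:0x18 + len(name_b)] = name_b
    buf[coff:coff + len(content)] = content
    return bytes(buf)

def nonresident_attr(atype, runs, last_vcn, alloc, real, attr_id=0):
    # 64-byte non-resident header (unnamed): VCN range, run list offset 0x40, allocated/real/initialised sizes
    buf = bytearray(_align8(0x40 + len(runs)))
    struct.pack_into("<IIBBHHHQQHHIQQQ", buf, 0, atype, len(buf), 1, 0, 0x40, 0, attr_id, 0, last_vcn, 0x40, 0, 0, alloc, real, real)
    buf[0x40:0x40 + len(runs)] = runs
    return bytes(buf)

def build_sample_record():
    """Constructed 1024-byte FILE record for an invented 'report.docx' (sample data, not from a real volume)."""
    created = 132223104000000000                     # FILETIME for 2020-01-01T00:00:00Z
    modified = created + 3 * 86400 * 10_000_000      # three days later
    si = struct.pack("<QQQQIIIIIIQQ", created, modified, modified, modified, 0x20, 0, 0, 0, 0, 0x100, 0, 0)
    fn = struct.pack("<QQQQQQQIIBB", (5 << 48) | 5, created, created, created, created, 12288, 10000, 0x20, 0, 11, 3)
    fn += "report.docx".encode("utf-16-le")          # parent = MFT 5 (root) seq 5; 11 chars, Win32+DOS namespace
    attrs = b"".join([
        resident_attr(0x10, si, attr_id=0),
        resident_attr(0x30, fn, indexed=1, attr_id=1),
        nonresident_attr(0x80, b"\x21\x02\x34\x12\x11\x01\xCC\x00", 2, 12288, 10000, attr_id=2),  # 2 @ 0x1234, 1 @ 0x1200
        resident_attr(0x80, b"[ZoneTransfer]\r\nZoneId=3\r\n", name="Zone.Identifier", attr_id=3),  # ADS: Mark-of-the-Web
    ]) + b"\xFF\xFF\xFF\xFF"                         # end-of-attributes marker
    rec = bytearray(1024)
    used = 0x38 + len(attrs)
    # "FILE", USA at 0x30 with 3 entries, LSN, seq 7, 1 link, first attr 0x38, in-use, used/alloc, base ref, next id, pad, record 42
    struct.pack_into("<4sHHQHHHHIIQHHI", rec, 0, b"FILE", 0x30, 3, 0x1000, 7, 1, 0x38, 0x01, used, 1024, 0, 4, 0, 42)
    rec[0x38:used] = attrs
    rec[0x30:0x32] = b"\x07\x00"                     # update sequence number (USN)
    for i in (1, 2):                                 # per sector: keep its real last 2 bytes in the USA, stamp the USN there
        end = 512 * i - 2
        rec[0x30 + 2 * i:0x32 + 2 * i] = rec[end:end + 2]
        rec[end:end + 2] = b"\x07\x00"
    return bytes(rec)

def apply_fixups(raw, sector=512):  # undo the update sequence; fails on a torn write (sector size assumed 512)
    usa_off, usa_count = struct.unpack_from("<HH", raw, 4)
    rec, usn = bytearray(raw), raw[usa_off:usa_off + 2]
    for i in range(1, usa_count):
        end = sector * i - 2
        if rec[end:end + 2] != usn:
            raise ValueError("fixup mismatch in sector %d: torn write or not a record" % i)
        rec[end:end + 2] = rec[usa_off + 2 * i:usa_off + 2 * i + 2]
    return bytes(rec)

def decode_runs(raw):
    """Data run list -> [(lcn, clusters)], lcn None for a sparse run; offsets are signed, relative to the previous LCN."""
    runs, pos, lcn = [], 0, 0
    while pos < len(raw) and raw[pos]:
        len_sz, off_sz = raw[pos] & 0x0F, raw[pos] >> 4
        count = int.from_bytes(raw[pos + 1:pos + 1 + len_sz], "little")
        if off_sz:
            lcn += int.from_bytes(raw[pos + 1 + len_sz:pos + 1 + len_sz + off_sz], "little", signed=True)
        runs.append((lcn if off_sz else None, count))
        pos += 1 + len_sz + off_sz
    return runs

def parse_record(raw):
    if raw[:4] != b"FILE":                           # "BAAD" marks a record NTFS itself found corrupt
        raise ValueError("not a FILE record")
    rec = apply_fixups(raw)
    usa_off = struct.unpack_from("<H", rec, 4)[0]
    seq, _links, first_attr, flags, used, alloc = struct.unpack_from("<HHHHII", rec, 0x10)
    out = {"record_number": struct.unpack_from("<I", rec, 0x2C)[0] if usa_off >= 0x30 else None,  # XP+ records only
           "sequence": seq, "in_use": bool(flags & 1), "is_directory": bool(flags & 2),
           "used_bytes": used, "slack_bytes": alloc - used, "attributes": []}
    pos = first_attr
    while pos + 16 <= len(rec):
        atype, length, nonres, nlen, noff, aflags, attr_id = struct.unpack_from("<IIBBHHH", rec, pos)
        if atype == 0xFFFFFFFF or length == 0:
            break
        attr = {"type_name": ATTR_NAMES.get(atype, hex(atype)), "id": attr_id, "flags": aflags, "resident": nonres == 0,
                "name": rec[pos + noff:pos + noff + 2 * nlen].decode("utf-16-le")}
        if nonres == 0:
            clen, coff = struct.unpack_from("<IH", rec, pos + 0x10)
            c = attr["content"] = rec[pos + coff:pos + coff + clen]
            if atype == 0x10:                        # $STANDARD_INFORMATION: four FILETIMEs, then DOS attribute flags
                cr, mo, mm, ac, dos = struct.unpack_from("<QQQQI", c, 0)
                attr.update(created=from_filetime(cr), modified=from_filetime(mo), mft_modified=from_filetime(mm), accessed=from_filetime(ac), dos_flags=dos)
            elif atype == 0x30:                      # $FILE_NAME: parent ref, four FILETIMEs, sizes, flags, name
                parent, cr, _mo, _mm, _ac, _al, real, _fl, _rp, n, ns = struct.unpack_from("<QQQQQQQIIBB", c, 0)
                attr.update(parent_record=parent & 0xFFFFFFFFFFFF, created=from_filetime(cr), real_size=real, namespace=ns, filename=c[66:66 + 2 * n].decode("utf-16-le"))
        else:
            runs_off = struct.unpack_from("<H", rec, pos + 0x20)[0]
            alloc_sz, real_sz = struct.unpack_from("<QQ", rec, pos + 0x28)
            attr.update(allocated_size=alloc_sz, real_size=real_sz, runs=decode_runs(rec[pos + runs_off:pos + length]))
        out["attributes"].append(attr)
        pos += length
    return out
```

When carving records out of unallocated space, the same parser applies to any 1024-byte block that starts with "FILE": the fixup check rejects blocks whose sector-end bytes do not match the USN, and the data runs of an unallocated record are what point to the clusters a deleted file's content may still occupy. Comparing the $STANDARD_INFORMATION timestamps with the $FILE_NAME ones is the usual check for timestamp manipulation, since the latter are not exposed to ordinary API calls.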
# Day 4
Day 4 discusses techniques for identifying NTFS directory structures and Security Identifiers with EnScript® modules and analysing them from a forensic perspective, and covers, with hands-on exercises, techniques for identifying and analysing link files and Object IDs, including details about their creation and modification. The main Day 4 lecture topics are as follows.
• NTFS directories
– Understanding the indexing structure within an NTFS volume
– Identifying and decoding various data structures involved
– Examining MFT records associated with NTFS folders
– Identifying MFT record entries relating to folders with both resident and nonresident index streams and locating the relevant Index Buffers
• Understanding the details of activity when an NTFS file is created and deleted
• NTFS security
– Understanding how permissions are applied on NTFS
• NT security
– Understanding the consequences of non-unique SIDs on a LAN
• NT local user accounts
– Understanding where local account information and Windows domain account information are stored
– Understanding the significance of the SAM Registry hive file
– Mounting the SAM Registry hive file and manually parsing user and group information that it contains
• Link files and object ID
– Understanding the purpose of shortcut link files and how and where they are created
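Worked example added here for the NT security and local account topics (it is not course code): decoding the binary SIDs found in the SAM hive and in NTFS security descriptors, splitting a machine or domain SID into its issuer prefix and RID, naming the RID, and comparing the issuer part of two SIDs, which is the check behind the non-unique SID problem on cloned machines. The sample SID bytes and the SID strings of the other hosts are constructed for this example.

```python
import struct

# Constructed sample: the binary form of S-1-5-21-1004336348-1177238915-682003330-500, the built-in
# Administrator (RID 500) on a made-up machine. Revision 1, five sub-authorities, authority 5 (NT Authority).
SAMPLE_ADMIN_SID = bytes.fromhex(
    "01 05 00 00 00 00 00 05 "   # revision, sub-authority count, 48-bit authority (big-endian)
    "15 00 00 00 "               # 21          (sub-authorities are little-endian)
    "DC F4 DC 3B "               # 1004336348
    "83 3D 2B 46 "               # 1177238915
    "82 8B A6 28 "               # 682003330
    "F4 01 00 00 "               # RID 500
)

WELL_KNOWN_RIDS = {500: "Administrator", 501: "Guest", 512: "Domain Admins", 513: "Domain Users",
                   519: "Enterprise Admins"}


def sid_from_bytes(raw):
    """Decode a binary SID (SAM, security descriptors, $Secure) into its S-R-A-S1-S2-... string form."""
    if len(raw) < 8:
        raise ValueError("SID too short")
    revision, count = raw[0], raw[1]
    if revision != 1 or count > 15 or len(raw) < 8 + 4 * count:
        raise ValueError("malformed SID")
    authority = int.from_bytes(raw[2:8], "big")               # the one big-endian field in the structure
    subs = struct.unpack_from("<%dI" % count, raw, 8)
    return "S-%d-%d" % (revision, authority) + "".join("-%d" % s for s in subs)


def sid_to_bytes(sid):
    """Inverse of sid_from_bytes, useful for building a keyword search for a SID in raw hive data."""
    parts = sid.split("-")
    if parts[0] != "S" or len(parts) < 3:
        raise ValueError("malformed SID string")
    subs = [int(p) for p in parts[3:]]
    return bytes([int(parts[1]), len(subs)]) + int(parts[2]).to_bytes(6, "big") + struct.pack("<%dI" % len(subs), *subs)


def split_sid(sid):
    """For a machine/domain SID (S-1-5-21-X-Y-Z[-RID]) return (issuer prefix, RID); RID is None if absent."""
    parts = sid.split("-")
    if parts[:4] != ["S", "1", "5", "21"] or len(parts) < 7:
        return sid, None
    return "-".join(parts[:7]), (int(parts[7]) if len(parts) > 7 else None)


def describe_rid(rid):
    if rid is None:
        return "machine or domain identifier (no RID)"
    if rid in WELL_KNOWN_RIDS:
        return WELL_KNOWN_RIDS[rid]
    return "user-created account or group" if rid >= 1000 else "built-in or reserved"


def same_issuer(sid_a, sid_b):
    """True when two SIDs were issued by the same machine or domain, e.g. local accounts on cloned hosts."""
    return split_sid(sid_a)[0] == split_sid(sid_b)[0]


def sam_user_key(rid):
    """Name of the SAM\\SAM\\Domains\\Account\\Users subkey that holds this account: the RID as 8 hex digits."""
    return "%08X" % rid
```

Two machines imaged from the same unsysprepped clone share the issuer prefix, so their local Administrator accounts carry identical SIDs and `same_issuer` returns True for them; that is the non-unique SID situation on a LAN and it makes ownership and ACL evidence ambiguous unless the host is also identified by other means. The machine SID itself (the prefix without a RID, 24 bytes in binary form) is stored in the SAM hive under SAM\SAM\Domains\Account, and each local account's data sits under the Users subkey named by `sam_user_key`.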
☞ Details: my Google Sites page