Master storage media analysis, forensic imaging techniques, file system examination, and data recovery. Learn to create forensically sound disk images, analyze NTFS structures, recover deleted files, and perform advanced data carving operations.
By completing this module, you will achieve the following competencies:
Understand HDD and SSD architecture, storage technologies, and their forensic implications
Create forensically sound disk images using write blockers and industry-standard tools
Analyze NTFS file system structures including MFT, journals, and metadata
Recover deleted files and analyze slack space for hidden evidence
Perform data carving to recover files from unallocated space and damaged media
Verify evidence integrity using cryptographic hash functions (MD5, SHA-256)
Complete all 5 parts before attempting the module quiz
Deep dive into HDD architecture including platters, heads, and sectors. Understand SSD technology with NAND flash, wear leveling, and TRIM. Learn about RAID configurations and common storage interfaces.
Master forensic imaging standards and best practices. Learn to use write blockers, create bit-stream images with dd and FTK Imager, and verify integrity with cryptographic hashes.
Comprehensive NTFS analysis covering Master File Table (MFT), file attributes, timestamps, and journaling. Learn file recovery techniques and slack space analysis for hidden evidence.
Learn data carving principles and techniques for recovering files without file system metadata. Understand header/footer signatures, handle fragmented files, and use specialized carving tools.
Hands-on exercises creating forensic images, verifying hashes, and recovering data. Practice with TestDisk for partition recovery and PhotoRec for file carving on sample disk images.
Complete all 5 parts to unlock the module quiz. Test your understanding of storage media, disk imaging, file system analysis, and data carving techniques.