NTFS file system explained: understanding resident and non-resident files – Computer forensics




About this tutorial:

Video duration: 44:30
This is the first tutorial of the Computer forensics course at Duckademy. To do computer forensics, understanding the NTFS file system and the inner workings of resident and non-resident files is a must. To DOWNLOAD the evidence files and the commands used in the tutorial go to

The goal of the Computer forensics course is to teach you how to collect evidence in case of an incident and to investigate how the intruders came in, what data they have stolen, and whether they have harmed your system.
In addition we will give you advice on what you can do to block the next…

Post Author: OfficeTutes.com


14 thoughts on “NTFS file system explained: understanding resident and non-resident files – Computer forensics”

    sam

    (February 11, 2019 - 8:39 am)

    Your website is unreachable?

    DrJams

    (February 11, 2019 - 8:39 am)

    An explanation right down to the byte level.
    Pretty much nothing more to learn once one understands it at this level.

    Vimal Raghwani

    (February 11, 2019 - 8:39 am)

    Nice info.
    Keep it up, good work.

    rizwan ahmed

    (February 11, 2019 - 8:39 am)

    Hello, I'm interested in the Computer forensics course.
    Where can I get the complete course?

    Abhijit Singh

    (February 11, 2019 - 8:39 am)

    Very informative video… (thumbsup) for the hard work.
    If any handouts are available, they will definitely help.

    What The Heck TV

    (February 11, 2019 - 8:39 am)

    I have the ntfs-file-sys and only have access to the BIOS, any help?

    Jakub Osowicki

    (February 11, 2019 - 8:39 am)

    Thank you very much for your video. Would you be so kind as to explain how to parse information about directory content? For example: how to list it?

    Przemysław Górzyński

    (February 11, 2019 - 8:39 am)

    I am wondering, where did the value 0x23 come from? I have checked on my NTFS partition and it is indeed true that you have to add (0x23 * 0x400) to the MFT starting offset to get the first user file entries. But why is it 0x23, and why do other sources claim it's 16?

    Arenzoj

    (February 11, 2019 - 8:39 am)

    Hello again. If a partition table was zeroed out, is there any tool that I could use to recover it? What I mean by this is not just the files but a tool which will rebuild the partition table and link the clusters?

    Arenzoj

    (February 11, 2019 - 8:39 am)

    If the disk was partitioned, would every partition contain its own Boot Sector and $MFT record regardless of whether the partition was actually bootable or not (i.e. just used for storage)?

    Arenzoj

    (February 11, 2019 - 8:39 am)

    How would you do a run list if the data was fragmented? How would it be different?

    Arenzoj

    (February 11, 2019 - 8:39 am)

    Is it really necessary to understand Unix and Command Prompt for computer forensics? Would a tool like EnCase or FTK work just as well?

    Dan Hudson

    (February 11, 2019 - 8:39 am)

    Very clear. Thank you.
