Courses / Disk Forensics
Disk Forensics Walkthrough
Partition tables, file-system timelines, and deleted-file recovery paths explained with calm pacing.
Schedule a workshop callOverview
You learn how analysts move from a mounted image to a story about user activity. Labs use NTFS-heavy samples with a short ext4 contrast module so you understand divergent metadata habits. The emphasis is on interpreting MFT entries and journal behavior, not on memorizing every structure name.
What is included
- Side-by-side viewer setup guide for your workstation
- Three staged images: benign, noisy, and intentionally messy
- Office hours for timeline interpretation feedback
- Short quiz gates before each heavier lab unlocks
- Optional weekend deep dive on journal truncation
- Reading list kept under five links per week
Outcomes
- Build a week-long activity narrative from MFT-derived events
- Spot two common false trails introduced by lazy sorting
- Document assumptions you still owe the next reviewer
FAQ
Which host OS is supported?
Windows 11 or current macOS with sufficient disk space for two 25 GB images. Linux hosts work if you already manage KVM/USB passthrough yourself.
Are tools included?
We standardize on widely available viewers you can install locally. No paid bundles are required for the baseline path.
Limitation note
Apple File System deep recovery is mentioned but not exercised in depth; that is reserved for the advanced disk elective we publish separately.
Learner notes
-
“The messy image week felt like the first time training matched my actual inbox noise.”