Cyber Forensics: Analyzing Data Streams in NTFS

Deal Score+1
Deal Score+1


The course will help students to learn about the basics of Microsoft Windows File System (NTFS), the Master File Table (MFT) and how data is stored in data streams, both primary and alternate. Students will also get to differentiate between resident and non-resident data and learn how to hide data in the ADS. It would also enable students to analyze the data inside and outside of the MFT and to locate the specific cluster/sector on the hard disk where this data is actually stored. Moreover, the students will be able to:

  • Understand the basics of Alternate Data Streams (ADS), their usage and history
  • Adding resident (less than 512 bytes) and non-resident (more than 512 bytes) data in both alternate and primary data streams
  • Analyzing the resident data in any stream by locating it inside the MFT using a common Hex Editor
  • Analyzing the non-resident data in any stream by locating its actual cluster and sector address on the disk
  • Verifying the presence of non-resident data in any data stream with the help of another Hex Editor
  • Practically experiment common Forensics tools and Hex Editors for analyzing data in the MFT and otherwise.

This course will turn out to be very useful for the students who want to understand the basics of computer forensics and file systems as it provides insight to analyzing data stored in the data streams.

What you’ll learn

  • Basic understanding and importance of Data Streams
  • Adding Resident and Non-Resident Data in the Data Streams
  • Analyzing Short and Long Filenames using WinHex
  • Analyzing Resident and Non-Resident Data using WinHex
  • Verifying existence of Non-Resident Data using HxD


  • Fundamental knowledge about computers and Windows OS

Who this course is for:

  • Cyber Security and forensics related students and professionals

Report Post