A look at the master boot record and the GUID partition table. This module demonstrates the difference between the master boot record and the GUID partition table. This information gives the student an understanding of where to locate both partitions and data on the drive. The forensic student learns how to interpret the master boot record and locate the volume boot record for each volume on the drive.

This module explores the structure of the FAT file system. This module covers the structure and layout of the FAT file system. The student develops an understanding of how the FAT file system writes a file to a drive and deletes a file from a drive. With this knowledge, the examiner can recover deleted data or recover data from a reformatted drive.

In this module, you'll explore the details of the NTSF file system. NTSF is a crucial component of forensic examinations. This module explains how the file system organizes information and where data is located on the drive. It also covers where the metadata for the file is stored and the changes that occur at a file system level when someone deletes or creates a file.

Take a closer look at the details of the ex-FAT file system. In this module, the student learns the structure and layout of the ex-FAT file system, how the file system tracks files, where it stores the file metadata and how to recover deleted data.

Explore the complexities and challenges of Windows Registry forensics. This module covers the history and function of the Registry. It includes how to examine the live Registry, the location of the Registry files on the forensic image and how to extract files. After examining the files with forensic tools, the student can locate relevant artifacts such as USB device connection times, recently used documents, program last run times and programs set to run at startup.