NTFS is a journaling file system first released with Windows NT 3.1 and remains the default file system in Windows 10. NTFS file systems are normally found on Windows computers and external hard drives, but can also be found on other types of storage devices. NTFS stores an enormous amount of information in “metafiles,” which are largely ignored by digital forensics tools. In this workshop students will learn about valuable information contained in NTFS metafiles ($MFT, $LogFile, $UsnJrnl/$J, $Secure/$SDS/$SDH/$SII, etc.) and how to leverage that information in extremely powerful ways.