Advanced NTFS Forensics


NTFS is a journaling file system first released with Windows NT 3.1 and remains the default file system in Windows 10. NTFS file systems are normally found on Windows computers and external hard drives, but can also be found on other types of storage devices. NTFS stores an enormous amount of information in “metafiles,” which are largely ignored by digital forensics tools. In this one-day hands-on workshop, students will learn about valuable information contained in NTFS metafiles ($MFT, $LogFile, $UsnJrnl/$J, $Secure/$SDS/$SDH/$SII, etc.) and how to leverage that information in extremely powerful ways.

What’s Covered:

Students will use open source tools developed by Joakim Schicht (and others) to extract and analyze information from NTFS metafiles, answering compelling questions that digital forensics practitioners often have, such as:


  • When were files and folders created, modified, and deleted?
  • Which Windows computers were external hard drives connected to?
  • Has date and time tampering occurred?

Arsenal instructors will emphasize how the answers to these questions impact both civil and criminal cases.


Students will learn about the Anchors in Relative Time analysis technique described in Arsenal President Mark Spencer’s article “Beyond Timelines – Anchors in Relative Time” (Digital Forensics Magazine Issue 18). This analysis technique allows Arsenal to uncover evidence tampering which other digital forensics vendors completely miss.

Registry Forensics Unleashed


The Microsoft Windows Registry is a complex ecosystem, in database form, containing valuable evidence related to hardware, software, and users on Windows computer systems. For far too long, digital forensics practitioners have merely scratched the Registry’s surface by relying on outdated tools and techniques. As a student in Registry Forensics Unleashed, a one-day hands-on workshop, our students will learn how to dig deeper using a variety of powerful tools which include Registry Recon.

What’s Covered:

Students will use tools that include Registry Recon, Registry Explorer, and RegRipper to dig into documents, network, application, and storage device activity, answering compelling questions that digital forensics practitioners often have, such as:


  • What removable storage devices were attached over time?
  • When was malware “dropped?”
  • Which documents were accessed by each user?

Arsenal instructors will emphasize how analysis of these activities impacts both civil and criminal cases.

Both Classes


We have been students in many classes ourselves, and find that using our own evidence proves more engaging (and more relevant!) than sample evidence provided by instructors. Our students may use their evidence (ask us for instructions on how to perform preprocessing), evidence provided by the instructors, or both during hands-on exercises.


Our classes have been developed for all levels of technical personnel involved in digital forensics, incident response, and information security.


Please contact Arsenal’s sales team regarding our current training schedule. Advanced NTFS Forensics and Registry Forensics Unleashed can also be held at properly equipped customer locations.

Cost per Person:

$750 (Full day training with a one-year subscription to all Arsenal tools)

Chelsea, Massachusetts


or (617) 277-3625

Site Map



















Privacy Policy


Terms & Conditions


Cookie Policy

Follow Us