Advanced Forensics Training with EnCase – Day 1

Today I began a four-day intensive training course to learn advanced techniques for Guidance Software's EnCase Forensics software. Most of the day was spent on the NTFS file system, with particular focus on the Master File Table (MFT). In short, it was a 32-hour course on NTFS compressed into 8 hours, in which we learned how to interpret the MFT by parsing its various attribute values. The goal was to learn the fundamental methodologies and mathematics that EnCase Forensics uses to identify physical and logical structures on a hard drive. The time was well spent, but my mind is now taxed from translating binary/hex and looking up NTFS MFT attribute tables.

This exercise has given me an appreciation for the power of the forensic scripting this software makes possible. I'm beginning to see how we might develop our own scripts to automate the process of weeding through digital manuscripts for data that needs to be evaluated by a digital archivist. It now looks possible for us to create scripts that locate student records, credit card data and Social Security numbers across large data sets using GREP search strings.
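As an added illustration (not code from the original post, and not an EnCase script) of why a pattern search for this kind of data needs a validation step beyond the raw GREP hit, here is a small Python scanner run over a constructed text sample; it applies the SSA's structural rules to SSN-shaped strings and the Luhn check to card-shaped ones, so an archivist can rank which hits deserve review first.

```python
import re

# Constructed sample "manuscript" text; not taken from any real record.
SAMPLE_TEXT = """Student file: ID 123-45-6789 enrolled 2009.
Invoice ref 000-12-3456 (SSN-shaped, but area 000 is never issued).
Card on file 4111 1111 1111 1111 exp 09/12.
Phone 650-555-0101 and order 4111-1111-1111-1112.
"""

# SSN-shaped: AAA-GG-SSSS. Card-shaped: 13 to 16 digits with optional
# single spaces or dashes between digits.
SSN_RE = re.compile(r"\b(\d{3})-(\d{2})-(\d{4})\b")
CARD_RE = re.compile(r"\b\d(?:[ -]?\d){12,15}\b")


def luhn_ok(digits: str) -> bool:
    """Luhn mod-10 check used by payment card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def ssn_plausible(area: str, group: str, serial: str) -> bool:
    """Structural rules published by the SSA: area 000, 666 and 900-999
    are never assigned, nor are group 00 or serial 0000."""
    if area in ("000", "666") or area.startswith("9"):
        return False
    return group != "00" and serial != "0000"


def scan(text: str) -> list:
    """Return (kind, matched_text, passes_validation) for every hit."""
    hits = []
    for m in SSN_RE.finditer(text):
        hits.append(("ssn", m.group(0), ssn_plausible(*m.groups())))
    for m in CARD_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group(0))
        hits.append(("card", m.group(0), luhn_ok(digits)))
    return hits


def confirmed(text: str) -> list:
    """Only the hits that survive validation, i.e. the ones to review first."""
    return [h for h in scan(text) if h[2]]


if __name__ == "__main__":
    for kind, value, ok in scan(SAMPLE_TEXT):
        print(f"{kind:4} {value:22} {'REVIEW' if ok else 'likely false positive'}")
```

The phone number in the sample is never reported because it has too few digits for either pattern, while the two structurally invalid hits are still listed so the reviewer can see what the raw search would have flagged.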

More tomorrow……