The following scenario demonstrates a potentially confusing situation you might face as an investigator. Knowing extensively the NFTS internals will help you to reach at valid conclusions.
Assume that you have located a deleted...
The following scenario demonstrates a potentially confusing situation you might face as an investigator. Knowing extensively the NFTS internals will help you to reach at valid conclusions.
Assume that you have located a deleted...
Assume you use a forensic software that has recovered file system metadata of a deleted jpeg file from a FAT32 formatted volume with a cluster size of 2.048 bytes. The forensic software displays that the recovered file has starting cluster...
Below you will find questions that test your knowledge on this subject. I wrote them while I read material mainly from books in file systems and Windows Forensics.
The questions are not meant to be exhaustive and they might even...
Since March 2012, I have worked as a Digital Forensics Examiner, handling a wide range of investigations, including:
© 2012 - 2026 Armen Arsakian updated atSunday 15 March 2026Contact: contact at arsakian.com