// Analysis

Explore Digital Forensics

Every deletion leaves a ghost. Learn to read it.

Digital forensics is the discipline of recovering what happened from what remains — and what remains is almost always more than the attacker intended. You'll work through the logic that connects an NTFS MFT entry to a USN Journal rename sequence to a Prefetch execution record, building the correlation habit that defeats timestomping, log clearing, and secure deletion not by magic, but by method.

The field has a hard-won mantra: if you didn't write it down, it didn't happen. Nugget holds you to that standard. Sessions press you to articulate *why* you reach for a hardware write-blocker in a criminal case versus software write-blocking in a corporate investigation, why you capture RAM before imaging a BitLocker-encrypted drive, and why a single NTFS timestamp is never enough to anchor a timeline. The reasoning you build here is exactly what survives cross-examination.

You steer the pace. Bring a concept you half-understand — Order of Volatility, the dual $STANDARD_INFORMATION vs. $FILE_NAME timestamp gap, what Event ID 1102 actually records — and Nugget will push back with the question that exposes the gap, then sit with you until the answer is yours, not memorized.

// What a session feels like

You bring the questions. Nugget asks the next one.

  • You ask why the forensics community is split on hardware versus software write-blockers. Nugget doesn't answer — it draws the acquisition workflow on the shared whiteboard, marks the point where opposing counsel can challenge each method, and asks you to decide which tool you'd choose for a criminal case and defend it out loud.
  • You pull up the Docker Linux lab and run log2timeline against a sample disk image. The Plaso output lands in Timeline Explorer; Nugget asks you to filter around a suspicious 3 AM window, then challenges you to check whether the MFT modification timestamp, the USN Journal entry, and the Prefetch execution record all agree — and to say exactly what it means when they don't.
  • You tell Nugget a deleted file is gone because Windows Explorer shows nothing. Nugget opens the terminal, walks you through querying the MFT for orphaned entries and unallocated clusters, and then asks: if SDelete.exe wiped the file but Prefetch still logged the execution, what have you actually proven?
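The three-way agreement check in the lab bullet above, written out as an added example (not part of this page or of Nugget's lab material): it takes $STANDARD_INFORMATION, $FILE_NAME, USN Journal and Prefetch timestamps for one file and reports each place they disagree. The artifact names are the page's; the record layout, the two-second slack and the sample values are assumptions, and the files are constructed, not real evidence.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional
UTC = timezone.utc

@dataclass
class Artifacts:
    """Timestamps for one file from independent artifacts (field names are assumed)."""
    path: str
    si_modified: datetime                  # $STANDARD_INFORMATION last-modified
    fn_created: datetime                   # $FILE_NAME created
    usn_last_change: Optional[datetime]    # newest $UsnJrnl record for this file
    tool_prefetch_run: Optional[datetime]  # last run of the tool suspected of touching it

def correlate(a: Artifacts, slack: timedelta = timedelta(seconds=2)) -> list:
    """Return the disagreements between artifacts; an empty list means they agree."""
    findings = []
    # $FILE_NAME times are set by the kernel on create/rename and are out of reach of
    # the user-mode SetFileTime API, so an $SI time earlier than them needs explaining.
    if a.si_modified + slack < a.fn_created:
        findings.append("si_modified predates fn_created")
    # Tools that set a timestamp from a wall-clock string usually leave the
    # sub-second part of the 100 ns FILETIME at zero; genuine writes rarely do.
    if a.si_modified.microsecond == 0:
        findings.append("si_modified has an all-zero sub-second field")
    # The USN Journal appends a record for every change, so its newest record for
    # the file should not postdate the file's own last-modified time.
    if a.usn_last_change and a.usn_last_change > a.si_modified + slack:
        findings.append("usn change logged after si_modified")
    # Strongest link: the suspect tool's Prefetch last-run coincides with the USN
    # change, and both come after what $SI now claims was the last write.
    if (a.usn_last_change and a.tool_prefetch_run
            and abs(a.tool_prefetch_run - a.usn_last_change) <= slack
            and a.tool_prefetch_run > a.si_modified + slack):
        findings.append("tool executed at the time of the usn change")
    return findings

# Constructed sample: one ordinary file and one whose $SI time was rolled back.
SAMPLES = [
    Artifacts("C:\\Users\\alice\\report.docx",
              datetime(2024, 3, 5, 14, 22, 10, 554321, UTC),
              datetime(2024, 3, 1, 9, 0, 0, 123456, UTC),
              datetime(2024, 3, 5, 14, 22, 10, 554321, UTC), None),
    Artifacts("C:\\Windows\\Temp\\stage.bin",
              datetime(2023, 12, 24, 3, 5, 0, 0, UTC),
              datetime(2024, 3, 1, 9, 0, 0, 123456, UTC),
              datetime(2024, 3, 12, 3, 7, 41, 218844, UTC),
              datetime(2024, 3, 12, 3, 7, 40, 900000, UTC)),
]
```

Run `correlate()` over each entry in `SAMPLES`: the first returns an empty list, the second returns all four findings, which is the disagreement the session asks you to explain rather than the proof by itself.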

Start exploring Digital Forensics tonight — three topics free, no card.

Start a 30-day free trial