Every deletion leaves a ghost. Learn to read it.
Digital forensics is the discipline of recovering what happened from what remains — and what remains is almost always more than the attacker intended. You'll work through the logic that connects an NTFS MFT entry to a USN Journal rename sequence to a Prefetch execution record, building the correlation habit that defeats timestomping, log clearing, and secure deletion not by magic, but by method.
The field has a hard-won mantra: if you didn't write it down, it didn't happen. Nugget holds you to that standard. Sessions press you to articulate *why* you reach for a hardware write-blocker in a criminal case versus software write-blocking in a corporate investigation, why you capture RAM before imaging a BitLocker-encrypted drive, and why a single NTFS timestamp is never enough to anchor a timeline. The reasoning you build here is exactly what survives cross-examination.
You steer the pace. Bring a concept you half-understand — Order of Volatility, the dual $STANDARD_INFORMATION vs. $FILE_NAME timestamp gap, what Event ID 1102 actually records — and Nugget will push back with the question that exposes the gap, then sit with you until the answer is yours, not memorized.
Start exploring Digital Forensics tonight — three topics free, no card.