While investigating a computer-based crime, it is most important to understand hard disks and filesystems, as these are the major sources of data storage. People usually delete their tracks after committing a crime with a computer in order to avoid being traced. That is why recovering the deleted files of hard disks and analyzing filesystems is essential when investigating a computer-based crime.


The objective of this lab is to help the students understand how to:
Learn about Network Enumeration
  • Recover files deleted from a hard disk
  • Analyze the file systems


Sam, a security professional, discovered that one of his company'™s employees was gathering crucial, confidential information about the company and saving it on his/her computer so that he/she could use it for an illicit purpose. Sam immediately started checking each of his employee'™s computers in order to identify the dishonest employee. In order to avoid detection, the employee permanently deleted the gathered information.


Sam called a forensics investigator to launch an investigation and explained the situation to the investigator. After listening to the story, the investigator decided to analyze the filesystems in an attempt to recover the deleted files to catch the dishonest employee.

Understanding Hard Disks and File Systems

Incident Handling Exercises / Understanding Hard Disks and File Systems contains the following Exercises:

  • Recovering Deleted Files from Hard Disks Using WinHex
  • Analyzing File System Types Using The Sleuth Kit (TSK)

The Virtual Private Cloud for this Lab set utilizes:

Incident Handling Exercises are available as part of the following subscription:

Each subscription provides 6 months access to over 75 Different Exercises. Each exercise contains a Scenario, Objectives, and individual step by step tasks to guide the user through all steps necessary to complete the exercise.

Lab exercises are included for:

  • Trojans and Backdoors
  • Computer Forensics Investigation Process
  • Understanding Hard Disks and File Systems
  • Forensics Investigation Using AccessData FTK
  • Forensics Investigation Using EnCase
  • Log Capturing and Event Correlation