Last Chance: MacBook Air, Dell XPS 13 or $600 off with SANS Online Training Ends December 7

DFIR Summit 2014

Austin, TX | Tue, Jun 3 - Tue, Jun 10, 2014
This event is over,
but there are more training opportunities.

Filesystem Journal Forensics

  • New Perspectives From Another Year of Research
  • David Cowen, Partner, G-C Partners
  • Thursday, June 5th, 6:45pm - 7:45pm

Journaled file systems have been a part of modern file systems for years but the science of computer forensics has only been approaching them mainly as a method of recovering deleted files. In this talk we will outline the three major file systems in use today that utilize journaling (NTFS, EXT3/4, HFS+) and explain what is stored and its impact on your investigations. We will discuss NTFS and new analysis techniques:

´žRecover data hidden or destroyed by anti forensics

´žDetermine exact deletion times

´žDetermine what was being accessed and how often

David Cowen has more than sixteen years of experience in the areas of integration, architecture, assessment, programming, forensic analysis and investigation. He currently holds the Certified Information Systems Security Professional certification from (ISC)^2. He has have been trained in proper forensics practices by the High Tech Crime Investigators Association, ASR Data and Guidance Software and SANS amongst others. He is an active contributor within the computer forensics community where he frequently present and train on various forensic topics. He has managed, created, and worked with multiple forensics/litigation support teams and associated procedures. His experience spans a variety of environments ranging from high security military installations to large/small private sector companies.


Bonus Sessions

The following bonus sessions are open to all paid attendees at no additional cost. There are many different types of events that fall into these categories:

  • SANS@Night: Evening presentations given after day courses have ended. This category includes Keynotes.
  • Vendor: Events hosted by external vendor exhibitors.
  • Lunch & Learn: Short presentations given during the lunch break.
Tuesday, June 3
Session Speaker Time Type
Logs, Logs, Every Where / Nor Any Byte to Grok Phil Hagen, Instructor, SANS Institute Tuesday, June 3rd, 6:30pm - 7:30pm SANS@Night
Wednesday, June 4
Session Speaker Time Type
Extracting User Credentials using Memory Forensics Alissa Torres, Certified Instructor, SANS Institute Wednesday, June 4th, 5:45pm - 6:45pm SANS@Night
Sushi-grade Smartphone Forensics on a Ramen Noodle Budget Heather Mahalik, Certified Instructor, SANS Institute Wednesday, June 4th, 6:45pm - 7:45pm SANS@Night
Thursday, June 5
Session Speaker Time Type
The Great Browser Schism: How to Analyze IE10 & IE11 Chad Tilbury, Certified Instructor, SANS Institute & Technical Director, CrowdStrike Thursday, June 5th, 5:45pm - 6:45pm SANS@Night
Filesystem Journal Forensics David Cowen, Partner, G-C Partners Thursday, June 5th, 6:45pm - 7:45pm SANS@Night
Monday, June 9
Session Speaker Time Type
Vendor Showcase Monday, June 9th, 9:50am - 10:05am Vendor Event
Dealing With Persistent Smartphone Forensic Challenges Ronen Engler, Senior Manager, Technology & Innovation Monday, June 9th, 12:00pm - 1:00pm Lunch and Learn
Vendor Showcase Monday, June 9th, 3:45pm - 4:05pm Vendor Event
Tuesday, June 10
Session Speaker Time Type
Vendor Showcase Tuesday, June 10th, 10:30am - 11:00am Vendor Event
Facing The New Frontier: A Real Case Study In Performing Computer Forensics Without The Evidence Keith Jones, Lead Cybersecurity Engineer Tuesday, June 10th, 11:30am - 12:30pm Lunch and Learn
Vendor Showcase Tuesday, June 10th, 3:00pm - 3:20pm Vendor Event