Filesystem Journal Forensics
- New Perspectives From Another Year of Research
- David Cowen, Partner, G-C Partners
- Thursday, June 5th, 6:45pm - 7:45pm
Journaling has been a part of modern file systems for years, but the science of computer forensics has approached journals mainly as a method of recovering deleted files. In this talk we will outline the three major file systems in use today that utilize journaling (NTFS, EXT3/4, HFS+) and explain what is stored and its impact on your investigations. We will discuss NTFS and new analysis techniques that let you:
- Recover data hidden or destroyed by anti-forensics
- Determine exact deletion times
- Determine what was being accessed and how often
David Cowen has more than sixteen years of experience in the areas of integration, architecture, assessment, programming, forensic analysis and investigation. He currently holds the Certified Information Systems Security Professional certification from (ISC)². He has been trained in proper forensics practices by the High Tech Crime Investigators Association, ASR Data, Guidance Software and SANS, amongst others. He is an active contributor within the computer forensics community, where he frequently presents and trains on various forensic topics. He has managed, created, and worked with multiple forensics/litigation support teams and associated procedures. His experience spans a variety of environments ranging from high security military installations to large and small private sector companies.
Bonus Sessions
The following bonus sessions are open to all paid attendees at no additional cost. There are many different types of events that fall into these categories:
- SANS@Night: Evening presentations given after day courses have ended. This category includes Keynotes.
- Vendor: Events hosted by external vendor exhibitors.
- Lunch & Learn: Short presentations given during the lunch break.
Tuesday, June 3
Session | Speaker | Time | Type |
---|---|---|---|
Logs, Logs, Every Where / Nor Any Byte to Grok | Phil Hagen, Instructor, SANS Institute | Tuesday, June 3rd, 6:30pm - 7:30pm | SANS@Night |
Wednesday, June 4
Session | Speaker | Time | Type |
---|---|---|---|
Extracting User Credentials using Memory Forensics | Alissa Torres, Certified Instructor, SANS Institute | Wednesday, June 4th, 5:45pm - 6:45pm | SANS@Night |
Sushi-grade Smartphone Forensics on a Ramen Noodle Budget | Heather Mahalik, Certified Instructor, SANS Institute | Wednesday, June 4th, 6:45pm - 7:45pm | SANS@Night |
Thursday, June 5
Session | Speaker | Time | Type |
---|---|---|---|
The Great Browser Schism: How to Analyze IE10 & IE11 | Chad Tilbury, Certified Instructor, SANS Institute & Technical Director, CrowdStrike | Thursday, June 5th, 5:45pm - 6:45pm | SANS@Night |
Filesystem Journal Forensics | David Cowen, Partner, G-C Partners | Thursday, June 5th, 6:45pm - 7:45pm | SANS@Night |
Monday, June 9
Session | Speaker | Time | Type |
---|---|---|---|
Vendor Showcase | — | Monday, June 9th, 9:50am - 10:05am | Vendor Event |
Dealing With Persistent Smartphone Forensic Challenges | Ronen Engler, Senior Manager, Technology & Innovation | Monday, June 9th, 12:00pm - 1:00pm | Lunch and Learn |
Vendor Showcase | — | Monday, June 9th, 3:45pm - 4:05pm | Vendor Event |
Tuesday, June 10
Session | Speaker | Time | Type |
---|---|---|---|
Vendor Showcase | — | Tuesday, June 10th, 10:30am - 11:00am | Vendor Event |
Facing The New Frontier: A Real Case Study In Performing Computer Forensics Without The Evidence | Keith Jones, Lead Cybersecurity Engineer | Tuesday, June 10th, 11:30am - 12:30pm | Lunch and Learn |
Vendor Showcase | — | Tuesday, June 10th, 3:00pm - 3:20pm | Vendor Event |