David Cowen

David started his career as a penetration tester in 1996, doing information security consulting. While he enjoyed the technical challenges of the work, he quickly found that his clients were focused on satisfying a requirement rather than fixing the problems he uncovered. In 1999 David got the chance to do his first DFIR investigation and found the challenge and career fulfillment he was looking for.

“Not only did I find huge technical challenges to tackle and master I also found clients who deeply cared about the work I was doing and directly benefitted from its results,” he says. “The job satisfaction I get from DFIR, along with the endless new tools and artifacts to be found, means I’ve never grown bored or jaded with the work.”

Today, he is the Vice President at Charles River Associates, where he and his team provide expert witness services in the areas of digital forensics as well incident response services globally. He’s also a certified SANS instructor—teaching FOR500: Windows Forensic Analysis—and he is the course author for the FOR509: Enterprise Cloud Forensics and Incident Response course. David keeps up his information security knowledge by acting as the Red Team Captain for the National Collegiate Cyber Defense Competition, a role he’s held for the last nine years.

More About David


Throughout his career, David has performed investigations covering thousands of systems in the public and private sector. Those investigations have involved everything from revealing insider threats to serving as an expert witness in civil litigation and providing the evidence to put cyber criminals behind bars.

In one case, David found the evidence of industrial espionage between a company and its former executives that was responsible for 140 million dollars of lost revenue. “I helped them to find the evidence, understand what it meant, write new tools to decipher it, publish new research to support it and deliver testimony that led to a 10 million dollar settlement, a public letter of apology and criminal sentencing of those responsible,” says David.

David’s enthusiasm for experimentation comes through both in his work and his teaching. His research into file system journaling forensics has created a new area of analysis that is changing the industry. Combined with Triforce products, David's research enables examiners to go back in time to find previously unknown artifacts and system interactions. “I’m deeply committed to finding, understanding, and pushing into the public new possibilities in DFIR,” he says. “While the bulk of my recent research has been seen in file system journaling forensics I’m also researching network, mobile, memory and operating system forensics. I use my research to push my case work forward and to help the community at large to solve new problems.”

Shortly after he released his file system journaling forensics research, David worked on a case involving two cancer surgery machine companies giving him a first opportunity to use his tool. “Not only was I able to prove the existence and usage of the stolen data through file system journaling forensics I was able to have the expert on the opposing side test and validate my work, resulting in a last-minute settlement that provided a framework for production of forensic artifacts that I now use in my other litigation cases,” says David.

In the classroom, David believes in helping each student understand the larger picture of how the operating system works and why the artifacts we rely on exist and are reliable rather than just teach them to run a series of tools and understand the meaning. “The most important thing I want my students to learn is the different paths of executions that exist between the user and the operating system,” he says, “and how they can use the information to strengthen their conclusions, prove their findings and rule out other possibilities.”

And his teaching style? “What probably makes me unique as an instructor is my enthusiasm for in-class experimentation,” says David. “I love it when students ask a question that covers a topic I haven’t thought to test or recreate. I’ve had students ask questions whose answers I’ve taken for granted and the process of showing them how to prove that answer has led to finding new discoveries and understanding for me!”

David has authored three books on digital forensics: Hacking Exposed Computer Forensics (1st-3rd editions), Infosec Pro Guide to Computer Forensics, and the Anti Hacker Toolkit (Third Edition). He’s also the host of the Forensic Lunch, a popular DFIR podcast and live YouTube show, and the author of the award-winning Hacking Exposed Computer Forensics Blog, which contains more than 450 articles on digital forensics. David is a two-time Forensic 4cast award winner for both Digital Forensic Article of the Year and Digital Forensic Blog of the year.

David is a Certified Information Systems Security Professional (CISSP), a GIAC Certified Forensic Examiner, (GCFE) and a GIAC Cloud Forensic Responder (GCFR). He is the winner of the first SANS DFIR NetWars and a SANS Lethal Forensicator whose passion for digital forensics can be seen in everything he does. David speaks about digital forensics and file system journaling forensics at DFIR and Infosec conferences across the United States, and he has taught digital forensics both as a SANS instructor and as a graduate instructor at Southern Methodist University.

Even in his free time, David’s main interests revolve around DFIR research. A father of two and devotee of Texas barbeque, his ideal day involves spending time with his kids, smoking some meat and testing a new DFIR method.



Weaponizing N-Day- A Crash Course on Exploit Development, May 2020

Shell items, More than Meets the Eye, May 2016