homepage
Open menu

Hal Pomeranz

Hal Pomeranz is an independent digital forensic investigator who has consulted on cases ranging from intellectual property theft, to employee sabotage, to organized cybercrime and malicious software infrastructures. He has worked with law enforcement agencies in the United States and Europe, and with global corporations. He says, "Sometimes there's a moment in a case where I find a crucial piece of evidence hidden away where not many investigators would think to look. And I think to myself, 'I'm glad I was the one to work on this case, because this finding was important.' That's how I know I'm in the right field."

More About Hal
Specialties
Photo

Profile

While perfectly at home in the Windows and Mac forensics world, Hal is a recognized expert in the analysis of Linux and Unix systems, and has made key contributions in this domain. His EXT3 file recovery tools are used by investigators worldwide. His research on EXT4 file system forensics provided a basis for the development of open source forensic support for this file system. Hal has also contributed a popular tool for automating Linux memory acquisition and analysis. But Hal is fundamentally a practitioner, and that's what drives his research. His EXT3 file recovery tools were the direct result of an investigation, recovering data that led to multiple indictments and successful prosecutions.

Raised in the Open Source tradition, Hal shares his most productive tools and techniques with the community via his GitHub and blogging activity. And nobody can show you how to forensicate with Open Source tools like Hal!

Hal is a SANS faculty fellow and he teaches Advanced Digital Forensics, Incident Response, and Threat Hunting (FOR508), Advanced Network Forensics and Analysis (FOR572), Mac Forensics Analysis (FOR518), and Reverse-Engineering Malware: Malware Analysis Tools and Techniques (FOR610). Hal holds the GIAC certification for the following courses: GCUX, GCFA, GNFA, and GREM.

Hal is a regular contributor to the SANS Digital Forensics and Incident Response blog and co-author of the Command Line Kung Fu blog. He's a former board member for USENIX, BayLISA and BackBayLISA; former technical editor for Sys Admin Magazine; and a respected author and highly rated instructor at industry gatherings worldwide. Hal is an avid baseball fan, so in the summer you'll usually find him at his local minor league ballpark or catching up on major league games. He enjoys travel, theatre, and food (both cooking and eating), but his first priority is keeping up with the interests of his kids: Disney, gymnastics, Legos, and video games.

Get to Know Hal

  • Over 25 years of industry experience
  • Founder and Principal Consultant for Deer Run Associates
  • GIAC Certified Forensic Analyst (GCFA), Network Forensic Analyst (GFNA), Malware Analyst (GREM), and Unix Administrator (GCUX)
  • SANS Faculty Fellow and SANS' longest tenured instructor
  • Hal is a contributor to the SANS Digital Forensics and Incident Response blog

Learn more about Hal Pomeranz in this DFIR Hero interview on the SANS DFIR Blog.

View this SANS DFIR Summit presentation by Hal:   

Hal's Contributions

Blog
Recovering Open But Unlinked File Data
If you've ever been a Unix system administrator, you may have encountered "open but unlinked" files in the course of your normal duties. The typical scenario is a user who's launched a process that creates an unexpectedly large output file which consumes all of the free space in the partition. In a...
Hal Pomeranz
Fellow
read more
Blog
Understanding EXT4 (Part 6): Directories
Hal Pomeranz, Deer Run Associates Many years ago, I started this series of blog posts documenting the internals of the EXT4 file system. One item I never got around to was documenting how directories were structured in EXT. Some recent research has caused me to dive back into this topic, and given...
Hal Pomeranz
Fellow
read more
Blog
Resident $DATA Residue in NTFS MFT Entries
I came across a small but interesting artifact in the course of a recent investigation. Quick Google searching failed to find any documentation elsewhere, so here's a brief summary of my findings. The bottom line is that residue of old resident $DATA entries may exist in NTFS MFT records after the...
Hal Pomeranz
Fellow
read more
Blog
Thoughts on Malware, Digital Forensics and Data Breaches by Hal Pomeranz
If you don't know Hal Pomeranz through his teaching at SANS Institute, contributions to the Command Line Kung Fu blog or postings to this Computer Forensics blog, you've been missing out. Hal's expertise spans several areas of information security, and most recently has focused on forensics. I have...
Hal Pomeranz
Fellow
read more
Blog
Understanding EXT4 (Part 5): Large Extents
Hal Pomeranz, Deer Run Associates I've received a lot of positive feedback from the forensics community about this series of articles, but what's really rewarding is when other forensics researchers teach me something I didn't know. I recently received an email from a colleague in Europe who was...
Hal Pomeranz
Fellow
read more
Blog
How to Mount Dirty EXT4 File Systems
As some of you may remember, I've previously written about a technique for mounting EXT3 file system images with the read-only option, even when power was abruptly removed from the system- as is typical during forensic seizure- and the file system is still "dirty". In these cases, my technique...
Hal Pomeranz
Fellow
read more