


Hands on USN Journal Analysis

  • Tuesday, December 16, 2014 at 1:00 PM EST (2014-12-16 18:00:00 UTC)
  • David Cowen




Journaling has been a part of modern file systems for years, but the science of computer forensics has approached journals mainly as a method of recovering deleted files. In this talk we will outline the three major file systems in use today that utilize journaling (NTFS, EXT3/4, HFS+) and explain what is stored and its impact on your investigations. We will demonstrate tools for NTFS and EXT3/4 that allow us to:

  • Recover data hidden or destroyed by anti-forensics
  • Recover previously unrecoverable artifacts
  • Trace all file system movements and actions of malware
  • Open up the possibility of entirely new analysis techniques
  • Detect and identify specific anti-forensic tools automatically

We will end with a review of HFS+ and the future of file system forensics in relation to journals and new file systems such as ReFS.

Speaker Bio

David Cowen

David started his career as a penetration tester in 1996, doing information security consulting. While he enjoyed the technical challenges of the work, he quickly found that his clients were focused on satisfying a requirement rather than fixing the problems he uncovered. In 1999 David got the chance to do his first DFIR investigation and found the challenge and career fulfillment he was looking for.

“Not only did I find huge technical challenges to tackle and master, I also found clients who deeply cared about the work I was doing and directly benefitted from its results,” he says. “The job satisfaction I get from DFIR, along with the endless new tools and artifacts to be found, means I’ve never grown bored or jaded with the work.”

Today, he is the Managing Director at KPMG LLP, where his team of expert digital forensics investigators pushes the boundaries of what is possible on a daily basis. He’s also a certified SANS instructor—teaching FOR500: Windows Forensic Analysis—and he keeps up his information security knowledge by acting as the Red Team Captain for the National Collegiate Cyber Defense Competition, a role he’s held for the last nine years.
