Hands on USN Journal Analysis

  • Tuesday, December 16th, 2014 at 1:00 PM EST (18:00:00 UTC)
  • David Cowen
This webcast has been archived.


Journaling has been a part of modern file systems for years, but the science of computer forensics has approached journals mainly as a method of recovering deleted files. In this talk we will outline the three major file systems in use today that utilize journaling (NTFS, EXT3/4, HFS+) and explain what is stored and its impact on your investigations. We will demonstrate tools for NTFS and EXT3/4 that allow us to:

  • Recover data hidden or destroyed by anti-forensics
  • Recover previously unrecoverable artifacts
  • Trace all file system movements and actions of malware
  • Explore the possibility of entirely new analysis techniques
  • Detect and identify specific anti-forensic tools automatically

We will end with a review of HFS+ and the future of file system forensics in relation to journals and new file systems such as ReFS.

Speaker Bio

David Cowen

David Cowen, CISSP, is a partner at G-C Partners, LLC, based in Dallas, Texas. Mr. Cowen is one of the authors of the first and second editions of Hacking Exposed: Computer Forensics, the third edition of the Anti-Hacker Toolkit, and the upcoming 'Computer Forensics, A Beginner's Guide', all from McGraw Hill. Mr. Cowen is also the author of the popular Hacking Exposed Computer Forensics Blog and a graduate of the University of Texas at Dallas with a B.S. in Computer Science. Mr. Cowen is the captain of the National Collegiate Cyber Defense Competition's Red Team. Mr. Cowen has been working in computer forensics since 1999 and information security since 1996, acting as an expert witness in civil cases around the nation. Working as a computer forensic expert, Mr. Cowen has assisted Human Resources departments in companies across the United States in dealing with employee issues and employee litigation involving computer usage.
