Hands on USN Journal Analysis
- Tuesday, December 16th, 2014 at 1:00 PM EST (18:00:00 UTC)
- David Cowen
Journaling has been a part of modern file systems for years, but the science of computer forensics has approached journals mainly as a method of recovering deleted files. In this talk we will outline the three major file systems in use today that utilize journaling (NTFS, EXT3/4, HFS+) and explain what is stored in their journals and its impact on your investigations. We will demonstrate tools for NTFS and EXT3/4 that allow us to:
- Recover data hidden or destroyed by anti-forensics
- Recover previously unrecoverable artifacts
- Trace all file system movements and actions of malware
- Explore the possibility of entirely new analysis techniques
- Detect and identify specific anti-forensic tools automatically
We will end with a review of HFS+ and the future of file system forensics in relation to journals and new file systems such as ReFS.
David Cowen, CISSP, is a partner at G-C Partners, LLC, based in Dallas, Texas. Mr. Cowen is one of the authors of the first and second editions of Hacking Exposed: Computer Forensics, the third edition of the Anti-Hacker Toolkit, and the upcoming 'Computer Forensics, A Beginner's Guide', all from McGraw Hill. Mr. Cowen is also the author of the popular Hacking Exposed Computer Forensics Blog and a graduate of the University of Texas at Dallas with a B.S. in Computer Science. Mr. Cowen is the captain of the National Collegiate Cyber Defense Competition's Red Team. Mr. Cowen has been working in computer forensics since 1999 and information security since 1996, acting as an expert witness in civil cases around the nation. Working as a computer forensic expert, Mr. Cowen has assisted Human Resources departments in companies across the United States in dealing with employee issues and employee litigation involving computer usage.