Hands on USN Journal Analysis

  • Tuesday, 16 Dec 2014 1:00PM EST (16 Dec 2014 18:00 UTC)
  • Speaker: David Cowen

Journaled file systems have been a part of modern file systems for years, but the science of computer forensics has approached them mainly as a method of recovering deleted files. In this talk we will outline the three major file systems in use today that utilize journaling (NTFS, EXT3/4, HFS+) and explain what is stored and its impact on your investigations. We will demonstrate tools for NTFS and EXT3/4 that allow us to:

  • Recover data hidden or destroyed by anti-forensics
  • Recover previously unrecoverable artifacts
  • Trace all file system movements and actions of malware
  • Open the possibility of entirely new analysis techniques
  • Detect and identify specific anti-forensic tools automatically
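
As an added illustration of what the NTFS change journal stores and how it lets an examiner trace a file's movements, the following Python parses USN_RECORD_V2 records from a buffer shaped like `$Extend\$UsnJrnl:$J` and rebuilds a per-file timeline. This is example code written for this page, not the speaker's tooling; the record layout and Reason flag values are the documented Windows structure, while the sample journal bytes, file names, and file reference numbers are constructed here for the demonstration.

```python
import struct
from datetime import datetime, timedelta, timezone

# USN_RECORD_V2, little-endian, 60-byte fixed header followed by the UTF-16LE name:
#   RecordLength(4) MajorVersion(2) MinorVersion(2) FileReferenceNumber(8)
#   ParentFileReferenceNumber(8) Usn(8) TimeStamp(8, FILETIME) Reason(4)
#   SourceInfo(4) SecurityId(4) FileAttributes(4) FileNameLength(2) FileNameOffset(2)
_HDR = struct.Struct("<IHHQQQQIIIIHH")

# USN_REASON_* bits (Windows-documented values); bits accumulate on a handle until CLOSE.
REASONS = {
    0x00000001: "DATA_OVERWRITE", 0x00000002: "DATA_EXTEND", 0x00000004: "DATA_TRUNCATION",
    0x00000010: "NAMED_DATA_OVERWRITE", 0x00000020: "NAMED_DATA_EXTEND", 0x00000040: "NAMED_DATA_TRUNCATION",
    0x00000100: "FILE_CREATE", 0x00000200: "FILE_DELETE", 0x00000400: "EA_CHANGE",
    0x00000800: "SECURITY_CHANGE", 0x00001000: "RENAME_OLD_NAME", 0x00002000: "RENAME_NEW_NAME",
    0x00004000: "INDEXABLE_CHANGE", 0x00008000: "BASIC_INFO_CHANGE", 0x00010000: "HARD_LINK_CHANGE",
    0x00020000: "COMPRESSION_CHANGE", 0x00040000: "ENCRYPTION_CHANGE", 0x00080000: "OBJECT_ID_CHANGE",
    0x00100000: "REPARSE_POINT_CHANGE", 0x00200000: "STREAM_CHANGE", 0x80000000: "CLOSE",
}

_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)

def filetime_to_dt(ft):
    """FILETIME (100 ns ticks since 1601-01-01 UTC) -> timezone-aware datetime."""
    return _EPOCH + timedelta(microseconds=ft // 10)

def dt_to_filetime(dt):
    return int((dt - _EPOCH).total_seconds()) * 10_000_000

def decode_reason(reason):
    """Expand the Reason bitmask into flag names, in ascending bit order."""
    return [name for bit, name in REASONS.items() if reason & bit]

def parse_usn_records(buf):
    """Parse every USN_RECORD_V2 in buf; $J is sparse, so zero-filled gaps are skipped."""
    records, off = [], 0
    while off + _HDR.size <= len(buf):
        (rec_len, major, _minor, frn, parent_frn, usn, ts, reason,
         _src, _sid, attrs, name_len, name_off) = _HDR.unpack_from(buf, off)
        if rec_len == 0:            # zeroed region: records are 8-byte aligned, so step by 8
            off += 8
            continue
        if major != 2 or rec_len < _HDR.size or off + rec_len > len(buf):
            raise ValueError(f"unsupported or truncated record at offset {off}")
        name = buf[off + name_off: off + name_off + name_len].decode("utf-16-le")
        records.append({
            "usn": usn, "frn": frn, "parent_frn": parent_frn,
            "mft_entry": frn & 0xFFFFFFFFFFFF,   # low 48 bits = MFT entry, high 16 = sequence
            "timestamp": filetime_to_dt(ts), "reason": reason,
            "reasons": decode_reason(reason), "attrs": attrs, "name": name,
        })
        off += rec_len
    return records

def timeline_for(records, frn):
    """(iso time, name, reasons) rows for one file reference, ordered by USN."""
    hits = sorted((r for r in records if r["frn"] == frn), key=lambda r: r["usn"])
    return [(r["timestamp"].isoformat(), r["name"], "|".join(r["reasons"])) for r in hits]

# --- constructed sample $J (made-up data, not real evidence) ------------------
def build_record(usn, frn, parent_frn, ts, reason, name):
    name_b = name.encode("utf-16-le")
    rec_len = (_HDR.size + len(name_b) + 7) & ~7          # pad record to 8-byte boundary
    hdr = _HDR.pack(rec_len, 2, 0, frn, parent_frn, usn, ts, reason,
                    0, 0, 0x20, len(name_b), _HDR.size)   # 0x20 = FILE_ATTRIBUTE_ARCHIVE
    return hdr + name_b + b"\x00" * (rec_len - _HDR.size - len(name_b))

EVIL_FRN = (0x0003 << 48) | 0x2A        # hypothetical: MFT entry 42, sequence 3
PARENT_FRN = (0x0001 << 48) | 0x1F      # hypothetical parent directory
BASE_FT = dt_to_filetime(datetime(2014, 12, 16, 18, 0, 0, tzinfo=timezone.utc))
SEC = 10_000_000                         # one second in FILETIME ticks

def build_sample_journal():
    # A file is dropped under a temp name, written, renamed, then deleted. Even after
    # deletion both names survive in the journal under the same file reference.
    events = [
        (EVIL_FRN, BASE_FT,           0x00000100, "evil.tmp"),      # FILE_CREATE
        (EVIL_FRN, BASE_FT + 1 * SEC, 0x80000102, "evil.tmp"),      # DATA_EXTEND|FILE_CREATE|CLOSE
        (EVIL_FRN, BASE_FT + 2 * SEC, 0x00001000, "evil.tmp"),      # RENAME_OLD_NAME
        (EVIL_FRN, BASE_FT + 2 * SEC, 0x80002000, "updater.exe"),   # RENAME_NEW_NAME|CLOSE
        None,                                                       # zero-filled gap in $J
        (0x0005000000000063, BASE_FT + 2 * SEC, 0x80000001, "notes.txt"),  # unrelated file
        (EVIL_FRN, BASE_FT + 3 * SEC, 0x80000200, "updater.exe"),   # FILE_DELETE|CLOSE
    ]
    buf = b""
    for ev in events:
        if ev is None:
            buf += b"\x00" * 16
            continue
        frn, ts, reason, name = ev
        buf += build_record(len(buf), frn, PARENT_FRN, ts, reason, name)  # USN == byte offset
    return buf

if __name__ == "__main__":
    for row in timeline_for(parse_usn_records(build_sample_journal()), EVIL_FRN):
        print(*row)
```

Keying the timeline on the file reference number rather than the name is the point: a rename produces a RENAME_OLD_NAME record and a RENAME_NEW_NAME record that share the FRN, so the original temp name is recoverable long after the file itself is gone. On a real image the `$J` data stream is carved or exported first and the byte offset of each record is its USN, which is why the parser treats zero-filled regions as sparse gaps rather than errors.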

The talk ends with a review of HFS+ and the future of file system forensics in relation to journals and new file systems such as ReFS.