SANSFIRE is right around the corner June 13-20 - Live Online, Register today!


To attend this webcast, login to your SANS Account or create your Account.

This webcast has been archived. To view the webcast login into your SANS Portal Account or create an account by clicking the "Get Registered" button on the right.Once you register, you can download the presentaion slides below.

The Magic of Raw Data Carving

  • Thursday, April 12, 2018 at 10:30 AM EDT (2018-04-12 14:30:00 UTC)
  • Kevin Ripa

You can now attend the webcast using your mobile device!



You have used all of the utilities in your expensive forensic suite, and other programs to carve files from unallocated file space. Do you think you have found everything? If you answered yes, guess again. The typical way that carving utilities are able to recover deleted data automatically is through file header and footer identification, and this recovers an intact file. In other words, a file has been deleted, but not yet overwritten by new data. What happens if part of the deleted file is now overwritten, but some of the old data still exists? What about file fragments from slack space? This informative and easy to follow lecture will show the attendees how they can manually carve data from unallocated file space, and also what to do with it so that it is useful. We will also be discussing data recognition. This means being able to not only see the search hit, but identify the context in which it is being seen. Drawing on case studies and real world examples from our lab, you can immediately apply these techniques once you return to yours.

Speaker Bio

Kevin Ripa

An investigator at heart, Kevin Ripa bought his first computer as a tool for writing reports for his private investigation agency. As he worked through typical user issues, the "why" of what was going wrong in his machine kept him up at night. So Kevin turned his investigative skills toward his computer and quickly became fascinated by the world inside of it. Now a 25-year veteran of the digital investigations field, Kevin's enthusiasm has not waned: "IT security and digital forensics still inspire me every day, and I can't wait to wake up in the morning and get to work!"

Kevin currently serves as president of The Grayson Group of Companies, which consists of Computer Evidence Recovery, Pro Data Recovery Inc., and J.S. Kramer & Associates, Inc. He provides investigative services to various levels of law enforcement, Fortune 500 companies, and the legal community. He is past president of the Alberta Association of Private Investigators and a former member of the Canadian Department of National Defence, where he served in both foreign and domestic postings.

Kevin has assisted in many complex cyber-forensics and hacking response investigations around the world. He's a sought-after resource for his expertise in information technology investigations and frequently serves as an expert witness.

Kevin has designed, produced, hosted, and taught numerous industry-related courses, and has had over 100 speaking and training engagements with industry and law enforcement around the world. He has also authored dozens of articles, as well as chapters in a number of manuals, books, and training texts on the subjects of computer security and forensics. Kevin holds a number of industry certifications, including four GIAC certifications (GCFE, GCFA, GSEC, GISF), EnCase Certified Examiner, Certified Data Recovery Professional, and Licensed Private Investigator, and he previously held the Certified Penetration Tester and Certified Ethical Hacker certifications.

Need Help? Visit our FAQ page or email

Not able to attend a SANS webcast? All Webcasts are archived so you may view and listen at a time convenient to your schedule. View our webcast archive and access webcast recordings/PDF slides.