Presentation title: File System Journaling Forensics, presented at BsidesDFW 2013

by David Cowen

Summary: Journaled file systems have been part of modern file systems for years, but computer forensics has so far approached them mainly as a way to recover deleted files. This talk covers the three major journaling file systems in use today (NTFS, EXT3/4, HFS+), explains what each journal stores, and shows what that means for your investigations. We will demonstrate tools for NTFS and EXT3/4 that allow us to:
• Recover data hidden or destroyed by anti-forensics
• Recover previously unrecoverable artifacts
• Trace all file system movements and actions of malware
• Open up entirely new analysis techniques
The talk ends with a review of HFS+ and of the future of file system forensics in relation to journals and newer file systems such as ReFS.
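As an added illustration of what "tracing file system movements" from a journal looks like in practice (example code written for this page, not one of the tools demonstrated in the talk, whose internals and journal of choice are not described here): the NTFS change journal ($UsnJrnl:$J) holds one USN_RECORD_V2 per file operation, so reading the records for a single MFT entry in USN order rebuilds that file's create, rename and delete history even after the file itself is gone. The record layout and USN_REASON_* flag values are the documented Windows ones; the journal bytes, file names, MFT entry numbers and timestamps below are constructed for the example.

```python
import struct
from datetime import datetime, timedelta, timezone

_HDR = struct.Struct("<IHHQQqqIIIIHH")        # USN_RECORD_V2 fixed part, 60 bytes
_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)

# Subset of the documented USN_REASON_* flags; anything else is reported as hex.
REASON_FLAGS = {
    0x00000001: "DATA_OVERWRITE", 0x00000002: "DATA_EXTEND",
    0x00000004: "DATA_TRUNCATION", 0x00000100: "FILE_CREATE",
    0x00000200: "FILE_DELETE", 0x00001000: "RENAME_OLD_NAME",
    0x00002000: "RENAME_NEW_NAME", 0x00008000: "BASIC_INFO_CHANGE",
    0x80000000: "CLOSE",
}

def filetime_to_utc(filetime):
    """FILETIME (100 ns ticks since 1601-01-01 UTC) -> aware datetime."""
    return _EPOCH + timedelta(microseconds=filetime // 10)

def utc_to_filetime(dt):
    return ((dt - _EPOCH) // timedelta(microseconds=1)) * 10

def reason_names(reason):
    names = [n for bit, n in sorted(REASON_FLAGS.items()) if reason & bit]
    unknown = reason & ~sum(REASON_FLAGS)
    if unknown:
        names.append(f"0x{unknown:08x}")
    return names

def parse_usn_records(buf):
    """Walk raw $J bytes; return V2 records in journal order, skipping zero fill."""
    records, off = [], 0
    while off + 4 <= len(buf):
        (length,) = struct.unpack_from("<I", buf, off)
        if length == 0:                      # sparse/zero fill between records
            off += 8
            continue
        if length < _HDR.size or off + length > len(buf):
            break                            # truncated tail: stop, do not misparse
        (_, major, _minor, frn, parent, usn, ts, reason,
         _src, _sid, attrs, name_len, name_off) = _HDR.unpack_from(buf, off)
        if major == 2:
            name = buf[off + name_off:off + name_off + name_len].decode("utf-16-le", "replace")
            records.append({
                "usn": usn, "time": filetime_to_utc(ts),
                "mft_ref": frn & 0xFFFFFFFFFFFF, "mft_seq": frn >> 48,   # FRN = seq<<48 | entry
                "parent_ref": parent & 0xFFFFFFFFFFFF,
                "reason": reason, "reasons": reason_names(reason),
                "attrs": attrs, "name": name,
            })
        off += length
    return records

def file_history(records, mft_ref):
    """Timeline for one MFT entry: (time, name, reasons) in USN order."""
    hits = sorted((r for r in records if r["mft_ref"] == mft_ref), key=lambda r: r["usn"])
    return [(r["time"], r["name"], r["reasons"]) for r in hits]

def renames(records):
    """Pair each RENAME_OLD_NAME record with the next RENAME_NEW_NAME for the same entry."""
    pending, pairs = {}, []
    for r in sorted(records, key=lambda r: r["usn"]):
        if r["reason"] & 0x1000:
            pending[r["mft_ref"]] = r["name"]
        elif r["reason"] & 0x2000 and r["mft_ref"] in pending:
            pairs.append((r["mft_ref"], pending.pop(r["mft_ref"]), r["name"]))
    return pairs

def build_record(usn, frn, parent_frn, when, reason, name, attrs=0x20):
    """Serialize one V2 record (used only to construct the sample journal)."""
    enc = name.encode("utf-16-le")
    length = (_HDR.size + len(enc) + 7) & ~7          # records are 8-byte aligned
    hdr = _HDR.pack(length, 2, 0, frn, parent_frn, usn, utc_to_filetime(when),
                    reason, 0, 0, attrs, len(enc), _HDR.size)
    return hdr + enc + b"\x00" * (length - len(hdr) - len(enc))

# Constructed sample journal: MFT entry 1234 (sequence 5) under the root
# directory (entry 5) is created as dropper.tmp, renamed to svchost.exe, deleted.
_T = datetime(2013, 11, 9, 14, 30, tzinfo=timezone.utc)
_FRN, _ROOT = (5 << 48) | 1234, (5 << 48) | 5
SAMPLE_J = b"".join([
    build_record(0,   _FRN, _ROOT, _T,                          0x100,                    "dropper.tmp"),
    build_record(88,  _FRN, _ROOT, _T + timedelta(seconds=1),  0x100 | 0x2 | 0x80000000, "dropper.tmp"),
    build_record(176, _FRN, _ROOT, _T + timedelta(seconds=30), 0x1000,                   "dropper.tmp"),
    build_record(264, _FRN, _ROOT, _T + timedelta(seconds=30), 0x2000,                   "svchost.exe"),
    build_record(352, _FRN, _ROOT, _T + timedelta(seconds=30), 0x2000 | 0x80000000,      "svchost.exe"),
    b"\x00" * 16,                                              # zero fill, as found at page ends
    build_record(456, _FRN, _ROOT, _T + timedelta(minutes=5),  0x200 | 0x80000000,       "svchost.exe"),
])

if __name__ == "__main__":
    recs = parse_usn_records(SAMPLE_J)
    for t, name, why in file_history(recs, 1234):
        print(t.isoformat(), name, "+".join(why))
    for ref, old, new in renames(recs):
        print(f"MFT#{ref}: {old} -> {new}")
```

The key to the investigation is the MFT reference, not the name: a rename produces two records for the same entry (old name, then new name), and a delete record keeps the last name, so grouping by entry number and walking in USN order recovers the full path of the file's movements after the file and its MFT entry have been reused. Real $J extracts are sparse and page-padded, which is why the parser steps over zero fill and stops on a truncated record instead of guessing.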