Advances in Data Recovery and Carving, presented at AusCERT 2007

by Brian Carrier

Summary: The obvious way to hide an attack is to delete the evidence of it. While almost everyone knows that deleted data can be recovered, the difficulty of the recovery is heavily dependent on the operating system involved and the amount of system activity. For example, it is typically very difficult to recover files from Unix systems. Until recently, most file recovery methods were not widely published and many forensic tools had a high false positive rate. Recent work has changed this, though, and this talk will address some of the new and future techniques that can be used to more reliably recover evidence.