Tuesday, July 9, 2013

DFIR Summit 2013 Post

    Two blogs in one day! Woh! I should have saved this one to fill in later, but I really wanted to make sure those of you who sat through our hour of brain dumping had the slides I referenced so you can go over them again.

You can get the slides from today's presentation here:
https://docs.google.com/file/d/0B_mjsPB8uKOAdkxHcHNGRTV0eU0/edit?usp=sharing

If you haven't signed up for the public beta yet, you can do so here and download the latest version of the TriForce:
https://docs.google.com/forms/d/1GzOMe-QHtB12ZnI4ZTjLA06DJP6ZScXngO42ZDGIpR0/viewform

You can download the labs to test on your own here:
http://hackingexposedcomputerforensicsblog.blogspot.com/2013/05/ceic-2013-and-public-beta-of-ntfs.html

You can grab the whitepaper that solves the CD Burning lab here:
http://hackingexposedcomputerforensicsblog.blogspot.com/2013/07/daily-blog-13-7613-saturday-reading.html

    To sum up what's different between this talk and the CEIC talk: the CEIC talk was more about the tool and its use, while the SANS DFIR Summit talk was more about file system journaling forensics as a practice and the theory behind the analysis framework. We have extended this from NTFS to EXT3 and HFS+, so we are nowhere close to done.

    My next planned presentation of our research is at PFIC, so if you have missed me so far and want an in-person explanation, this is my next stop until 2014.

http://www.pfic-conference.com/

    Having said that, if you are running a forensic conference and are looking to expand your topics to include our research, please email me at dcowen@g-cpartners.com and I'll see if I can fit you into my travel calendar.