The Magic of Raw Data Carving

Описание: You have used all of the utilities in your expensive forensic suite, and other programs to carve files from unallocated file space. Do you think you have found everything? If you answered yes, guess again. The typical way that carving utilities are able to recover deleted data automatically is through file header and footer identification, and this recovers an intact file. In other words, a file has been deleted, but not yet overwritten by new data. What happens if part of the deleted file is now overwritten, but some of the old data still exists? What about file fragments from slack space? This informative and easy to follow lecture show attendees how they can manually carve data from unallocated file space, and also what to do with it so that it is useful. We also discuss data recognition. This means being able to not only see the search hit but identify the context in which it is being seen. Drawing on case studies and real-world examples from our lab, you can immediately apply these techniques once you return to yours.

Speaker Bio
Kevin Ripa

An investigator at heart, Kevin Ripa bought his first computer as a tool for writing reports for his private investigation agency. As he worked through typical user issues, the "why" of what was going wrong in his machine kept him up at night. So Kevin turned his investigative skills toward his computer and quickly became fascinated by the world inside of it. Now a 25-year veteran of the digital investigations field, Kevin's enthusiasm has not waned: "IT security and digital forensics still inspire me every day, and I can't wait to wake up in the morning and get to work!"

Kevin currently serves as president of The Grayson Group of Companies, which consists of Computer Evidence Recovery, Pro Data Recovery Inc., and J.S. Kramer & Associates, Inc. He is also a SANS FOR500: Windows Forensics Analysis course ( http://www.sans.org/FOR500) instructor He provides investigative services to various levels of law enforcement, Fortune 500 companies, and the legal community. He is past president of the Alberta Association of Private Investigators and a former member of the Canadian Department of National Defence, where he served in both foreign and domestic postings.

Kevin has assisted in many complex cyber-forensics and hacking response investigations around the world. He's a sought-after resource for his expertise in information technology investigations and frequently serves as an expert witness.

Kevin has designed, produced, hosted, and taught numerous industry-related courses, and has had over 100 speaking and training engagements with industry and law enforcement around the world. He has also authored dozens of articles, as well as chapters in a number of manuals, books, and training texts on the subjects of computer security and forensics. Kevin holds a number of industry certifications, including four GIAC certifications (GCFE, GCFA, GSEC, GISF), EnCase Certified Examiner, Certified Data Recovery Professional, and Licensed Private Investigator, and he previously held the Certified Penetration Tester and Certified Ethical Hacker certifications.