Tutorial on Filesystem Analysis

I'm excited to announce that my proposed tutorial on file system analysis was accepted for the 22nd Annual FIRST Conference. I'm going to explain how to proceed when the usual tools like EnCase, FTK, and X-Ways Forensics are unable to parse a file system.

The whole course is themed around a multi-function device that could be found in an arbitrary office environment. The disk image will be made available to attendees.

Among the topics of the tutorial are:

  • know different partitioning schemes
  • locate partitions
  • core functionality of a file system
  • learn how to subdivide a partition into functional units
  • locate directories
  • interpret directory entries
  • reconstruct a file

I will demonstrate how you can improvise your own disk analysis tools using Python, SQLite and Gnuplot. And, of course, I will utilize 010 Editor to explore the various structures of the file system.

The tutorial will be held on the last day of the FIRST Conference, which runs from Sunday, June 13 to Friday, June 18, 2010. More information is available from the official conference website. Registration is already open and early registration rates are available until March 31, 2010. See you in Miami!

Imprint

This blog is a project of:
Andreas Schuster
Im Äuelchen 45
D-53177 Bonn
impressum@forensikblog.de

Copyright © 2005-2012 by
Andreas Schuster
All rights reserved.