I recently delivered a talk on file system forensics at ’s February meetup. I’ve been highly interested in DFIR, and this seemed to be a great topic to start a series of talks that I could deliver at null meetups or otherwise.

I covered:

  • Introduction to DFIR and the DFIR Process
  • Forensic Data Acquisition & Imaging
  • Analysis of Forensic Images
  • File Carving

For a practical demonstration of the concepts above, I used open-source tools: Imaging tools {dd, dc3dd, dcfldd}, File System Analysis tools {The Sleuth Kit, Autopsy} and File Carving tools {foremost, scalpel, bulk_extractor, Autopsy}. The images I ran the tools on were sourced from Digital Forensics Tool Testing Images & Digital Corpora.

You can find the slides here.

That’s all folks!