
Bsides DFW 2013 David Cowan

BSides Dallas/Fort Worth · 2:20 · 30 views · Published 2014-01

Transcript [en]

... in the world is being able to determine the past actions of a process, a malware, or a user. What we're solving is the ability to roll back transactions within the file system to determine actions that occurred in the past. It's a time machine for file systems. Traditionally we look at artifacts of past execution, but they're limited in their view: they're only capturing certain actions that take place, as defined by the system. What file system journaling, which has existed since the year 2000 for Windows, has enabled us to do, and as far as other operating systems, is to see a more granular perspective of all the changes that are occurring. If it touches the disk, it provides us a much better window of understanding activity. Best case scenario, we could have about a month or two months' worth of data of every file in use. If you're trying to prove what someone's up to, what a piece of malware is accessing, if you're trying to figure out whether a data infiltration occurred, if you're trying to figure out the infiltration, this is your best friend, because you can go through and see what files are being opened and accessed during the time of the incident.

The biggest thing they need to do is understand that the data exists, so they have the ability and the opportunity to be able to look at it. And then there are tools like ours and others out there that they can use. The majority of the tools that I know of right now are free, or at least free beta, and they can start getting a better idea of the types of transactions and changes, to be able to understand in greater detail the actions that are taking place. That can lead to a whole lot more data to help them understand and explain things to those that are asking them. I've been spending most of this year going out there and speaking to get people aware of the fact that you can do it. It's been such a kind of an enigma in the file system for a long time, where people knew it's important, they knew there's something in there, but being able to understand it and parse it has been a much greater difficulty.

It's interesting, because this is a security audience mainly, and I'm a forensics guy who's from a security background, so I wanted them to understand what was possible, and that if they wanted to kind of get out of the security bubble, there are some really interesting things that they should be aware of, especially when they get involved in some types of response scenarios where they're dealing with an active nation-state, a bad guy, or malware.
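As an added example (not code from the talk or from the speaker's tool), the following parses NTFS change journal ($UsnJrnl) USN_RECORD_V2 entries, the Windows file system journal the speaker refers to, and answers the question he poses: which files were touched during the incident window. The `build_usn_v2` helper, the file names and the timestamps are constructed for the demonstration, not journal data from any real system.

```python
import struct
from datetime import datetime, timedelta, timezone

# USN_RECORD_V2 fixed header: 60 bytes, little-endian (layout as documented in the Windows SDK).
_HDR = struct.Struct("<IHHQQqqIIIIHH")
_REASONS = {  # subset of USN_REASON_* flags that matter most in a timeline
    0x0001: "DATA_OVERWRITE", 0x0002: "DATA_EXTEND", 0x0004: "DATA_TRUNCATION",
    0x0100: "FILE_CREATE", 0x0200: "FILE_DELETE", 0x0800: "SECURITY_CHANGE",
    0x1000: "RENAME_OLD_NAME", 0x2000: "RENAME_NEW_NAME", 0x8000: "BASIC_INFO_CHANGE",
    0x80000000: "CLOSE",
}
_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)

def filetime_to_dt(ft):
    """Windows FILETIME (100 ns ticks since 1601-01-01 UTC) to an aware datetime."""
    return _EPOCH + timedelta(microseconds=ft // 10)

def parse_usn_v2(buf):
    """Yield one dict per USN_RECORD_V2 in buf; stops at zero fill or an unsupported version."""
    off = 0
    while off + _HDR.size <= len(buf):
        (length, major, _minor, frn, parent_frn, usn, ts, reason, _src, _sid,
         _attrs, name_len, name_off) = _HDR.unpack_from(buf, off)
        if length < _HDR.size or major != 2:
            break
        name = buf[off + name_off: off + name_off + name_len].decode("utf-16-le")
        yield {"usn": usn, "time": filetime_to_dt(ts), "frn": frn, "parent": parent_frn,
               "name": name, "reasons": [n for b, n in _REASONS.items() if reason & b]}
        off += length  # RecordLength already includes the 8-byte alignment padding

def build_usn_v2(usn, ts, reason, name, frn=0x10000000000ABC, parent=0x5000000000005):
    """Constructed test record (hypothetical values, not from a real volume)."""
    raw = name.encode("utf-16-le")
    length = (60 + len(raw) + 7) & ~7  # records are padded to an 8-byte boundary
    hdr = _HDR.pack(length, 2, 0, frn, parent, usn, ts, reason, 0, 0, 0x20, len(raw), 60)
    return hdr + raw + b"\0" * (length - 60 - len(raw))

def activity_between(buf, start, end):
    """The forensic question from the talk: which journal entries fall in this window?"""
    return [r for r in parse_usn_v2(buf) if start <= r["time"] <= end]

# Constructed sample: a file is created, written, then renamed; CLOSE marks the last change.
T0_DT = datetime(2013, 10, 5, 12, 0, tzinfo=timezone.utc)
T0 = int((T0_DT - _EPOCH).total_seconds()) * 10_000_000  # FILETIME ticks
SAMPLE = b"".join([
    build_usn_v2(0x100, T0, 0x0100 | 0x80000000, "setup.tmp"),
    build_usn_v2(0x140, T0 + 50_000_000, 0x0002 | 0x80000000, "setup.tmp"),   # +5 s
    build_usn_v2(0x180, T0 + 600_000_000, 0x1000, "setup.tmp"),               # +60 s
    build_usn_v2(0x1C0, T0 + 600_000_000, 0x2000 | 0x80000000, "update.exe"),
])
```

A real volume's journal is read from the `$Extend\$UsnJrnl:$J` stream (or from a raw image); feeding those bytes to `parse_usn_v2` yields the same per-file timeline the speaker describes.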