Ad hoc File System Forensics

Instructor: Andreas Schuster

To analyze file systems, incident responders and computer forensic examiners commonly rely on a handful of well-known tools, such as EnCase, X-Ways Forensics, and FTK. But what do you do if your tools fail to parse a file system correctly? This course teaches attendees how to get an examination started even under those circumstances and how to improvise their own tools. Sample disk images for this course were obtained from live systems that could be found in an arbitrary office environment.