SANS Digital Forensics and Incident Response Blog

DFIR Hero — David Cowen Interview


David Cowen is teaching our Windows Forensics Course in SANS Minneapolis in July 2015. Sign up now to take this course with David. We interviewed David so you can get to know him a bit better — he is one of the best in the industry. A leader. An astonishing analyst and visionary. He is our current DFIR Hero.

1. Who are you? What is your homepage?

I'm David Cowen. I think most people know me from but I also maintain for our software, for the books and my company site

2. Twitter handle etc?

Twitter: @hecfblog


3. Tell us how you became interested in IR or Forensics.

I was a pen tester in the 90s and I thought that was probably the coolest job I would ever have. Then in 1999 I got a call from a physical company I had a relationship with about a rogue ex-CTO who they suspected was keylogging the other executives. I took on the job, got my first copy of Encase and thanks to our suspects own bad decisions solved the case. After that I was hooked and found something even better than pen testing where people really cared about the results of my work and I made a difference.

4. What gives you the most satisfaction while working on a case?

When I get to see that moment of comprehension in my clients face when they finally understand what we were able to prove happened. Every case is different because the people who perform the actions we investigate are different so finding out what makes them special and helping someone else understand that so they can use it keeps me going. Well that and finding new artifacts!

5. What forensic techniques do you find the most useful?

All of them I think is the right answer. If I was to promote one thing that people are not doing, it's testing. Testing their assumptions, tools and theories to make sure that the artifacts they are relying on are repeatable and re-creatable.

6. What is your forensic tool of choice and why?

You know I have to say Triforce ANJP. File System Journal forensic analysis is something I do in every case now to understand at a lower level exactly what happened in the past on a system.

7. What area of forensics or incident response needs to be understood by every new investigator?

File system journaling forensics I think is something everyone needs to start looking at. Otherwise validating assumptions and findings before presenting them.

8. What area of digital foreniscs or incident response is the most exciting development over the past few years?

I have to say File system journaling forensics as its been my main area of research over the last 3 years. Otherwise artifacts like shellbags, shimcache and the rise of memory forensics has been a huge boone for everyone.

9. Why is teaching computer forensics to new students important? Why do you like doing it?

You will never fully understand and master a topic until you have to teach it to someone else. Everytime I teach for SANS and talk to the students I walk away with new questions, ideas and theories to test that makes me a better examiner.

Beyond that I love watching students grow in their knowledge and ability through each day of the class. They come out much more confident and prepared for the world when they leave us.

10. How long have you been instructing or teaching individuals in computer forensics?

I've been teaching computer forensic classes since 2001 with the local HTCIA, classes at conventions, private classes for industry as well as teaching a graduate course in forensics once. Teaching is something I enjoy doing and SANS makes it fun.

11. What is your favorite part of the SANS FOR408: Windows Forensics class?

I think for me it's the day 6 challenge. After being bombarded with information and artifacts for 5 days you really get a feeling for how well you did as an instructor when the students begin getting excited by using what they learned the last 5 days.

12. How did you get involved in SANS? What makes SANS unique?

I reached out to SANS about developing training around my file system journaling forensics research. Given the opportunity to not only help develop new content for SANS but to also teach was too good of an oppertunity to say no to.

The thing that makes SANS different from all of the other courses I've taught is the level quality and effort demanded from everything you do. The slides, notes, labs, instruction, everything has to be the best and I enjoy meeting the challenge.

13. What do you do in your free time when not working on computer forensics?

I like to be a Dad to my kids and of course master the art of Texas BBQ.

David's Full Bio:

David Cowen is a Partner at G-C Partners, LLC, where his team of expert digital forensics investigators pushes the boundaries of what is possible on a daily basis. He has been working in digital forensics and incident response since 1999 and has performed investigations covering thousands of systems in the public and private sector. Those investigations have involved everything from revealing insider threats to serving as an expert witness in civil litigation and providing the evidence to put cyber criminals behind bars.

David has authored three series of books on digital forensics; Hacking Exposed Computer Forensics (1st-3rd editions), Infosec Pro Guide to Computer Forensics, and the Anti Hacker Toolkit (Third Edition). His research into file system journaling forensics has created a new area of analysis that is changing the industry. Combined with Triforce products, David's research enables examiners to go back in time to find previously unknown artifacts and system interactions.

David speaks about digital forensics and file system journaling forensics at DFI and Infosec conferences across the United States. He has taught digital forensics both as a SANS instructor and as a graduate instructor at Southern Methodist University.

David is a Certified Information Systems Security Professional (CISSP) and a GIAC Certified Forensic Examiner. He is the winner of the first SANS DFIR NetWars and a SANS Lethal Forensicator whose passion for digital forensics can be seen in everything he does. He started in 1996 as a penetration tester and has kept up his information security knowledge by acting as the Red Team captain for the National Collegiate Cyber Defense Competition for the last nine years.

David is the host of the Forensic Lunch, a popular DFIR podcast and live YouTube show, and the author of the award winning Hacking Exposed Computer Forensics Blog. The blog ( contains some 448 articles on digital forensics. David is a two-time Forensic 4cast award winner for both Digital Forensic Article of the Year and Digital Forensic Blog of the year. The Forensic 4cast award winners are nominated by their peers and voted on by the greater DFIR community.

When David is not researching, writing, testifying, or teaching about digital forensics he spends time with his family and working on mastering Texas BBQ.

Listen to David Cowen's industry changing research, released on Windows USN Journal Analysis, for real-time tracking of a suspect's activity on a Windows system.

David Cowen is teaching our Windows Forensics Course in SANS Minneapolis in July 2015— REGISTER NOW!