The SANS forensics summit is comming in July to Washing DC. Called the “The 2010 Digital Forensics and Incident Response Summit” the agenda can be found at: http://www.sans.org/forensics-incident-response-summit-2010/agenda.php
Jeff Hamm and myself will be co-presenting the exFAT file system on Thursday July 8th, 2010. The abstract is:
10:50am – 11:50pm
Expert Briefing: exFAT (Extended FAT) Filesystem: Revealed and Dissected
In January 2008 the SD Card Association, makers of the removable SD memory cards used in cameras, cell phones, and many other consumer electronics, announced a new SDXC specification for SD cards starting at 32GB and reaching a maximum capacity of 2TB. These memory cards will exclusively use a new Microsoft file system called exFAT which is the extended FAT file system, and has been nicknamed by some as FAT64. Because this file system is patent pending, and propriety to Microsoft, implementation of the specification requires a license from Microsoft. Although this file system has been available on desktop systems since 2008 with Vista SP1 and Windows XP since 2009, there is very little open source support available today and some tools that can process this file system are beginning to surface. As of the end of 2009 major commercial forensics tools do not support this file system. However, in early 2010 when the consumer devices that use this new technology come to market, there will be a wealth of potential digital evidence stored on removable media formatted with exFAT. This is not limited to SD cards, as USB flash drives and other removable media may be formatted using exFAT. There is not much available about the internals of exFAT and the purpose of this session is to show the forensics examiner what is under the “exFAT” hood.
– Jeff Hamm – Senior Computer Forensic Examiner, Paradigm Solutions
– Robert Shullich – Information Security Officer
Jeff also has a blog for exFAT in WordPress under Paradigm Solutions: http://paradigmsolutions.wordpress.com/2009/12/10/extended-fat-exfat/
Also see: http://blogs.sans.org/computer-forensics/2010/05/20/2010-digital-foreniscs-incident-response-summit-final-agenda-released/
The summit will be split into two rooms, a main room and a technical briefing room, it has gotten so big that now there will be two tracks going on at the same time.