Black Hat //Webcast 33

Beyond files undeleting: OWADE
// Elie Bursztein

wednesday, sept 21, 2011

1200 HRS PST/ 1500 HRS EST • FREE

Register Now

Brought to you by:


Beyond files forensic, OWADE cloud based forensic


You recovered a bunch of files from a used hard drive and now what?

If you ever wanted to push Windows offline forensic to the next level, come to our talk where we will show you how to use our open source tool OWADE (Offline Windows Analyzer and Data Extractor) to recover many interesting information from a used hard drive including web credentials, instant messaging credentials and user habits information.

We will walk you through the entire recovery chain process and demonstrate how to use OWADE to handle Windows various level of encryption (Syskey, DPAPI…) and extract the maximum information from used drives. OWADE is based on our work on DPAPIck our tool to decrypt DPAPI secrets.

We will present various statistics we computed on the data we gathered from the eBay used hard drive we bought to test and develop OWADE.

At the end of the talk we will release OWADE so you can play with it.


Elie Bursztein is a researcher at the Stanford Security Laboratory. His research is on computer security and applied cryptography with a specific attention to web, game and mobile security. He holds an engineering degree and a Ph.D in computer science Elie's research combines the advances in machine learning, cryptography, data mining and HCI to create more usable and secure systems. Lately, he has been working on improving CAPTCHA security and usability . He is also developing a Chrome extension for safer and more private browsing. Elie blogs at and tweets at @elie.

Sponsor Guest:

Alex Cox, MSIA, CISSP, GREM,GPEN,GSEC, Principal Research Analyst, NetWitness Corporation.

As a Principal Security Researcher for RSA NetWitness, Alex Cox is responsible for providing use-case consulting in network forensics and monitoring to clients and studying existing and emerging information security events to develop content and intelligence for the NetWitness solution suite. Prior to joining NetWitness, Mr. Cox was the lead researcher on the emerging threats analysis and solution development team at the Wachovia Corporation and was responsible for forensics analysis and incident response for security events. He is a former Army Officer in the U.S. Army Military Police Corps, and a former Police Officer. Mr. Cox has a B.S in Administration of Justice from Virginia Commonwealth University, and an M.S in Information Assurance from Norwich University.


We would like to thank this month's webcast sponsor RSA. RSA, The Security Division of EMC, is the premier provider of security, risk and compliance management solutions for business acceleration. RSA helps the world's leading organizations succeed by solving their most complex security challenges including managing organizational risk, safeguarding mobile access and collaboration, proving compliance, and securing virtual and cloud environments. Combining business-critical controls in identity assurance, encryption & key management, SIEM & network monitoring, Data Loss Prevention and Fraud Protection with industry leading eGRC capabilities and robust consulting services, RSA brings visibility and trust to millions of user identities, the transactions that they perform, and the data that is generated. For more information, please visit and