File System Forensic Analysis

Brian Carrier

(Some have asked "why are there flowers on the cover?". They are not flowers. They are sea urchins (spiny sea animals) "hiding" in the rocks.)

My Description

This book is about the low-level details of file and volume systems. There already exists digital forensic books that are breadth-based and give you a good overview of the field and the basic concepts. This book complements those books and gives you more details of file and volume systems.

I started this book because there was a large void with respect to documents and books describing file systems. While developing The Sleuth Kit, I frequently had to use source code and trial and error to determine how the data were laid out. The lack of public documents made it difficult to explain, for example, why file recovery is not the same for all file systems and that each NTFS file has at least three sets of timestamps. It also makes it difficult for an investigator to testify how her analysis tool works and where it found the evidence.

There are two target audiences for this book. One is the experienced investigator who has learned about digital investigations from real cases and using analysis tools. The other is someone who is new to the field and is interested in learning about the general theory of an investigation and where digital evidence may exist but is not yet looking for a book that has a tutorial on how to use a specific tool.

The approach of this book is to describe the basic concepts and theory of a volume and file system and then apply it to an investigation. For each file system, this book covers analysis techniques and special considerations that the investigator should make. Scenarios are given to reinforce how the information can be used in an actual case. In addition, the data structures associated with volume and file systems are given, and disk images are analyzed by hand so that you can see where the various data are located. If you are not interested in parsing data structures, you can skip the data structure chapters. Only non-commercial tools are used so that you can download them for free and duplicate the results on your systems.

Back Cover Description

Most digital evidence is stored within the computer's file system, but understanding how file systems work is one of the most technically challenging concepts for a digital investigator because there exists little documentation. Now, security expert Brian Carrier has written the definitive reference for everyone who wants to understand and be able to testify about how file system analysis is performed.

Carrier begins with an overview of investigation and computer foundations and then gives an authoritative, comprehensive, and illustrated overview of contemporary volume and file systems: crucial information for discovering hidden evidence, recovering deleted data, and validating your tools. Along the way, he describes data structures, analyzes example disk images, provides advanced investigation scenarios, and uses today's most valuable open source file system analysis tools - including tools he personally developed. Coverage includes

• Preserving the digital crime scene and duplicating hard disks for "dead analysis"
• Identifying hidden data on a disk's Host Protected Area (HPA)
• Reading source data: direct versus BIOS access, dead versus live acquisition, error handling, and more
• Analyzing DOS, Apple, and GPT partitions; BSD disk labels; and Sun Volume Table of Contents using key concepts, data structures, and specific techniques
• Analyzing the contents of multiple disk volumes such as RAID and disk spanning
• Analyzing FAT, NTFS, Ext2, Ext3, UFS1, and UFS2 file systems using key concepts, data structures, and specific techniques
• Finding evidence: file metadata, recovery of deleted files, data hiding locations, and more
• Using The Sleuth Kit (TSK), Autopsy Forensic Browser, and related open source tools

When it comes to file system analysis, no other book offers this much detail or expertise. Whether you're a digital forensics specialist, incident response team member, law enforcement officer, corporate security specialist, or auditor, this book will become an indispensable resource for forensic investigations, no matter which analysis tools you use.

Reviews

There are many reviews on Amazon as well as:

• ACM Computing Reviews (subscription required)
• IEEE Cipher (by Robert Bruen)
• Network World (by Dave Kearns)
• Packetknife
• Robert Slade (a rebuttal) [NOTE: I asked Robert what he thought was missing from Chapter 3 and he said he would have to "go back to find specific examples."]
• Slashdot by Jose Nazario (also posted to Amazon)
• Unix Review

Other Details

Updated Index (2nd Printing)

Sample Chapter 5 - PC-based Partitions

Online Bibliography

Online bookstores

Amazon

Bookpool

Barnes & Noble

Addison Wesley's site

General Information

ISBN: 0-321-26817-2
Publisher: Addison Wesley
Date: March 17, 2005