File System Forensic Analysis
(Some have asked "why are there flowers on the cover?". They are not flowers. They are sea urchins (spiny sea animals) "hiding" in the rocks.)
This book is about the low-level details of file and volume systems. There already exist digital forensics books that are breadth-based and give you a good overview of the field and the basic concepts. This book complements those books and gives you more details of file and volume systems.
I started this book because there was a large void with respect to documents and books describing file systems. While developing The Sleuth Kit, I frequently had to use source code and trial and error to determine how the data were laid out. The lack of public documents made it difficult to explain, for example, why file recovery is not the same for all file systems and why each NTFS file has at least three sets of timestamps. It also makes it difficult for an investigator to testify about how her analysis tool works and where it found the evidence.
There are two target audiences for this book. One is the experienced investigator who has learned about digital investigations from real cases and from using analysis tools. The other is someone who is new to the field and is interested in learning about the general theory of an investigation and where digital evidence may exist, but is not yet looking for a book that has a tutorial on how to use a specific tool.
The approach of this book is to describe the basic concepts and theory of a volume and file system and then apply it to an investigation. For each file system, this book covers analysis techniques and special considerations that the investigator should make. Scenarios are given to reinforce how the information can be used in an actual case. In addition, the data structures associated with volume and file systems are given, and disk images are analyzed by hand so that you can see where the various data are located. If you are not interested in parsing data structures, you can skip the data structure chapters. Only non-commercial tools are used so that you can download them for free and duplicate the results on your systems.
Back Cover Description
Most digital evidence is stored within the computer's file system, but understanding how file systems work is one of the most technically challenging concepts for a digital investigator because there exists little documentation. Now, security expert Brian Carrier has written the definitive reference for everyone who wants to understand and be able to testify about how file system analysis is performed.
Carrier begins with an overview of investigation and computer foundations and then gives an authoritative, comprehensive, and illustrated overview of contemporary volume and file systems: crucial information for discovering hidden evidence, recovering deleted data, and validating your tools. Along the way, he describes data structures, analyzes example disk images, provides advanced investigation scenarios, and uses today's most valuable open source file system analysis tools - including tools he personally developed. Coverage includes
When it comes to file system analysis, no other book offers this much detail or expertise. Whether you're a digital forensics specialist, incident response team member, law enforcement officer, corporate security specialist, or auditor, this book will become an indispensable resource for forensic investigations, no matter which analysis tools you use.
There are many reviews on Amazon as well as:
Updated Index (2nd Printing)
Copyright © 2005-2009 by Brian Carrier