File System Forensic Analysis

Overview

The Definitive Guide to File System Analysis: Key Concepts and Hands-on Techniques

Most digital evidence is stored within the computer's file system, but understanding how file systems work is one of the most technically challenging concepts for a digital investigator because there exists little documentation. Now, security expert Brian Carrier has written the definitive reference for everyone who wants to understand and be able to testify about how file system analysis is performed.

Carrier begins with an overview of investigation and computer foundations and then gives an authoritative, comprehensive, and illustrated overview of contemporary volume and file systems: Crucial information for discovering hidden evidence, recovering deleted data, and validating your tools. Along the way, he describes data structures, analyzes example disk images, provides advanced investigation scenarios, and uses today's most valuable open source file system analysis tools—including tools he personally developed. Coverage includes

  • Preserving the digital crime scene and duplicating hard disks for "dead analysis"
  • Identifying hidden data on a disk's Host Protected Area (HPA)
  • Reading source data: Direct versus BIOS access, dead versus live acquisition, error handling, and more
  • Analyzing DOS, Apple, and GPT partitions; BSD disk labels; and Sun Volume Table of Contents using key concepts, data structures, and specific techniques
  • Analyzing the contents of multiple disk volumes, such as RAID and disk spanning
  • Analyzing FAT, NTFS, Ext2, Ext3, UFS1, and UFS2 file systems using key concepts, data structures, and specific techniques
  • Finding evidence: File metadata, recovery of deleted files, data hiding locations, and more
  • Using The Sleuth Kit (TSK), Autopsy Forensic Browser, and related open source tools

When it comes to file system analysis, no other book offers this much detail or expertise. Whether you're a digital forensics specialist, incident response team member, law enforcement officer, corporate security specialist, or auditor, this book will become an indispensable resource for forensic investigations, no matter what analysis tools you use.
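The DOS partition and hidden-data items in the coverage list above, worked through as an added example that is not code from the book or from The Sleuth Kit: a Python parser for the 64-byte partition table at offset 446 of the first sector, followed by the sanity checks an examiner applies before trusting a table and a listing of the sectors no partition claims. The 512-byte sector it parses is constructed inline, and the type-name table is deliberately partial.

```python
"""Hand-parse a DOS (MBR) partition table and list unallocated space.

Added example; not code from the book or from The Sleuth Kit. The sample
sector built by build_sample_sector() is constructed for illustration.
"""
import struct

SECTOR = 512
MBR_SIGNATURE = b"\x55\xaa"          # raw bytes 510-511 of the first sector
ENTRY_FMT = "<B3sB3sII"              # boot flag, CHS start, type, CHS end, LBA start, LBA size

# A few well-known type codes; deliberately incomplete.
TYPE_NAMES = {0x05: "Extended (CHS)", 0x07: "NTFS/exFAT", 0x0B: "FAT32 (CHS)",
              0x0C: "FAT32 (LBA)", 0x0F: "Extended (LBA)", 0x83: "Linux"}


def parse_mbr(sector):
    """Return the non-empty entries of the four-slot table at offset 446."""
    if len(sector) < SECTOR or sector[510:512] != MBR_SIGNATURE:
        raise ValueError("missing 0x55AA signature: not a DOS partition table")
    entries = []
    for slot in range(4):
        boot, _, ptype, _, start, size = struct.unpack_from(ENTRY_FMT, sector, 446 + 16 * slot)
        if ptype == 0 and size == 0:
            continue                                  # unused slot
        entries.append({"slot": slot, "bootable": boot == 0x80, "type": ptype,
                        "name": TYPE_NAMES.get(ptype, f"0x{ptype:02x}"),
                        "start": start, "end": start + size - 1})
    return entries


def check_layout(entries, disk_sectors):
    """Checks made before trusting a table: no entry runs past the disk, none overlap,
    and every sector no partition claims is reported (the gaps are where data hides)."""
    problems, gaps = [], []
    spans = sorted((e["start"], e["end"], e["slot"]) for e in entries)
    for start, end, slot in spans:
        if end >= disk_sectors:
            problems.append(f"slot {slot} ends at {end}, past last sector {disk_sectors - 1}")
    for (_, end_a, a), (start_b, _, b) in zip(spans, spans[1:]):
        if start_b <= end_a:
            problems.append(f"slots {a} and {b} overlap")
    cursor = 1                                        # sector 0 holds the table itself
    for start, end, _ in spans:
        if start > cursor:
            gaps.append((cursor, start - 1))
        cursor = max(cursor, end + 1)
    if cursor < disk_sectors:
        gaps.append((cursor, disk_sectors - 1))
    return problems, gaps


def build_sample_sector():
    """Constructed MBR for a 20480-sector (10 MiB) disk with two partitions."""
    sec = bytearray(SECTOR)

    def put(slot, boot, ptype, start, size):
        struct.pack_into(ENTRY_FMT, sec, 446 + 16 * slot, boot, b"\xff" * 3, ptype, b"\xff" * 3, start, size)

    put(0, 0x80, 0x0C, 63, 8192)      # bootable FAT32 at sector 63: sectors 1-62 unclaimed
    put(1, 0x00, 0x83, 8255, 12000)   # Linux, ends at 20254: sectors 20255-20479 unclaimed
    sec[510:512] = MBR_SIGNATURE
    return bytes(sec)


if __name__ == "__main__":
    parts = parse_mbr(build_sample_sector())
    problems, gaps = check_layout(parts, 20480)
    for p in parts:
        print(f"slot {p['slot']}: {p['name']:<14} {p['start']:>8}-{p['end']:<8}"
              f"{' boot' if p['bootable'] else ''}")
    print("problems:", problems or "none")
    print("unallocated sector ranges:", gaps)
```

On a real image this is the walk that TSK's mmls prints; reproducing it by hand is the kind of tool validation the book argues for, and the two gaps in the sample (sectors 1-62 behind the table and the tail of the disk) are exactly the unallocated regions an examiner carves for hidden data.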

Brian Carrier has authored several leading computer forensic tools, including The Sleuth Kit (formerly The @stake Sleuth Kit) and the Autopsy Forensic Browser. He has authored several peer-reviewed conference and journal papers and has created publicly available testing images for forensic tools. Currently pursuing a Ph.D. in Computer Science and Digital Forensics at Purdue University, he is also a research assistant at the Center for Education and Research in Information Assurance and Security (CERIAS) there. He formerly served as a research scientist at @stake and as the lead for the @stake Response Team and Digital Forensic Labs. Carrier has taught forensics, incident response, and file systems at SANS, FIRST, the @stake Academy, and SEARCH.

Brian Carrier's http://www.digital-evidence.org contains book updates and up-to-date URLs from the book's references.

© Copyright Pearson Education. All rights reserved.


Product Details

  • ISBN-13: 9780321268174
  • Publisher: Addison-Wesley
  • Publication date: 3/18/2005
  • Pages: 600
  • Product dimensions: 6.90 (w) x 8.90 (h) x 1.30 (d)


Table of Contents

Foreword.

Preface.

Acknowledgments.

I. FOUNDATIONS.

1. Digital Investigation Foundations.

Digital Investigations and Evidence.

Digital Crime Scene Investigation Process.

Data Analysis.

Overview of Toolkits.

Summary.

Bibliography.

2. Computer Foundations.

Data Organization.

Booting Process.

Hard Disk Technology.

Summary.

Bibliography.

3. Hard Disk Data Acquisition.

Introduction.

Reading the Source Data.

Writing the Output Data.

A Case Study Using dd.

Summary.

Bibliography.

II. VOLUME ANALYSIS.

4. Volume Analysis.

Introduction.

Background.

Analysis Basics.

Summary.

5. PC-based Partitions.

DOS Partitions.

Analysis Considerations.

Apple Partitions.

Removable Media.

Bibliography.

6. Server-based Partitions.

BSD Partitions.

Sun Solaris Slices.

GPT Partitions.

Summary.

Bibliography.

7. Multiple Disk Volumes.

RAID.

Disk Spanning.

Bibliography.

III. FILE SYSTEM ANALYSIS.

8. File System Analysis.

What Is a File System?

File System Category.

Content Category.

Metadata Category.

File Name Category.

Application Category.

Application-level Search Techniques.

Specific File Systems.

Summary.

Bibliography.

9. FAT Concepts and Analysis.

Introduction.

File System Category.

Content Category.

Metadata Category.

File Name Category.

The Big Picture.

Other Topics.

Summary.

Bibliography.

10. FAT Data Structures.

Boot Sector.

FAT32 FSINFO.

FAT.

Directory Entries.

Long File Name Directory Entries.

Summary.

Bibliography.

11. NTFS Concepts.

Introduction.

Everything is a File.

MFT Concepts.

MFT Entry Attribute Concepts.

Other Attribute Concepts.

Indexes.

Analysis Tools.

Summary.

Bibliography.

12. NTFS Analysis.

File System Category.

Content Category.

Metadata Category.

File Name Category.

Application Category.

The Big Picture.

Other Topics.

Summary.

Bibliography.

13. NTFS Data Structures.

Basic Concepts.

Standard File Attributes.

Index Attributes and Data Structures.

File System Metadata Files.

Summary.

Bibliography.

14. Ext2 and Ext3 Concepts and Analysis.

Introduction.

File System Category.

Content Category.

Metadata Category.

File Name Category.

Application Category.

The Big Picture.

Other Topics.

Summary.

Bibliography.

15. Ext2 and Ext3 Data Structures.

Superblock.

Group Descriptor Tables.

Block Bitmap.

Inodes.

Extended Attributes.

Directory Entry.

Symbolic Link.

Hash Trees.

Journal Data Structures.

Summary.

Bibliography.

16. UFS1 and UFS2 Concepts and Analysis.

Introduction.

File System Category.

Content Category.

Metadata Category.

File Name Category.

The Big Picture.

Other Topics.

Summary.

Bibliography.

17. UFS1 and UFS2 Data Structures.

UFS1 Superblock.

UFS2 Superblock.

Cylinder Group Summary.

UFS1 Group Descriptor.

UFS2 Group Descriptor.

Block and Fragment Bitmaps.

UFS1 Inodes.

UFS2 Inodes.

UFS2 Extended Attributes.

Directory Entries.

Summary.

Bibliography.

Appendix A. The Sleuth Kit and Autopsy.

The Sleuth Kit.

Autopsy.

Bibliography.

Index.


Foreword

Computer forensics is a relatively new field, and over the years it has been called many things: "computer forensics," "digital forensics," and "media analysis" to name a few. It has only been in the past few years that we have begun to recognize that all of our digital devices leave digital breadcrumbs and that these breadcrumbs are valuable evidence in a wide range of inquiries. While criminal justice professionals were some of the first to take an interest in this digital evidence, the intelligence, information security, and civil law fields have enthusiastically adopted this new source of information.

Digital forensics has joined the mainstream. In 2003, the American Society of Crime Laboratory Directors–Laboratory Accreditation Board (ASCLD–LAB) recognized digital evidence as a full-fledged forensic discipline. Along with this acceptance came increased interest in training and education in this field. The Computer Forensic Educator's Working Group (now known as the Digital Forensic Working Group) was formed to assist educators in developing programs in this field. There are now over three-dozen colleges and universities that have, or are, developing programs in this field. More join their ranks each month.

I have had the pleasure of working with many law enforcement agencies, training organizations, colleges, and universities to develop digital forensic programs. One of the first questions that I am asked is if I can recommend a good textbook for their course or courses. There have been many books written about this field. Most take a targeted approach to a particular investigative approach, such as incident response or criminal investigation. Some tend to be how-to manuals for specific tools. It has been hard to find a book that provides a solid technical and process foundation for the field...That is, until now.

This book is the foundational book for file system analysis. It is thorough, complete, and well organized. Brian Carrier has done what needed to be done for this field. This book provides a solid understanding of both the structures that make up different file systems and how these structures work. Carrier has written this book in such a way that the reader can use what they know about one file system to learn another. This book will be invaluable as a textbook and as a reference and needs to be on the shelf of every digital forensic practitioner and educator. It will also provide accessible reading for those who want to understand subjects such as data recovery.

When I was first approached about writing this Foreword, I was excited! I have known Brian Carrier for a number of years and I have always been impressed with his wonderful balance of incredible technical expertise and his ability to clearly explain not just what he knows but, more importantly, what you need to know. Brian's work on Autopsy and The Sleuth Kit (TSK) has demonstrated his command of this field—his name is a household name in the digital forensic community. I have been privileged to work with Brian in his current role at Purdue University, and he is helping to do for the academic community what he did for the commercial sector: He set a high standard.

So, it is without reservation that I recommend this book to you. It will provide you with a solid foundation in digital media.

Mark M. Pollitt
Former Director of the FBI's Regional Computer Forensic Laboratory Program


Introduction

One of the biggest challenges that I have faced over the years while developing The Sleuth Kit (TSK) has been finding good file system and media management (partition tables, RAID etc.) documentation. It has also been challenging to explain to users why certain files cannot be recovered or what to do when a corrupt file system is encountered because there are no good references to refer them to. It is easy to find resources that describe file systems at a high level, but source code is typically needed to learn the details. This book describes how data are stored on disk and where and how digital evidence can be found.

There are two target audiences for this book. One is the experienced investigator that has learned about digital investigations from real cases and using analysis tools. The other is someone who is new to the field and is interested in learning about the general theory of an investigation and where digital evidence may exist, but is not yet looking for a book that has a tutorial on how to use a specific tool.

The value of the material in this book is that it helps to provide an education rather than training on a specific tool. Consider some of the more formal sciences or engineering disciplines. All undergraduates are required to take a couple of semesters of physics, chemistry, or biology. These courses are not required because the students will be using all of the material for the rest of their careers. In fact, software and equipment exist to perform many of the calculations students are forced to memorize. The point of the classes is to provide students with insight about how things work so that they are not constrained by their tools.

The goal of this book is to provide an investigator with an education similar to what Physics 101 is to a mechanical engineer. The majority of digital evidence is found on a disk and knowing how and why the evidence exists can help an investigator to better testify about it. It will also help an investigator find errors and bugs in his analysis tools because he can conduct sanity checks on the tool output.

The recent trends in digital investigations have shown that more education is needed. Forensic labs are being accredited for digital evidence and there are debates about the required education and certification levels. Numerous universities offer courses and even Master's degrees in computer forensics. Government and university labs are conducting theoretical research in the area and focusing on future as well as current problems. There are also peer-reviewed journals for publishing research and investigation techniques. All of these new directions require in-depth knowledge outside of a specific tool or technique.

The approach of this book is to describe the basic concepts and theory of a file system and then apply it to an investigation. For each file system, the book covers analysis techniques and special considerations that the investigator should make. Scenarios are given to reinforce how the information can be used in an actual case. In addition, the data structures associated with file system and media management system are given and disk images are analyzed by hand so that the reader can see where the various data are located. If you are not interested in parsing data structures then you can skip those sections. Only non-commercial tools are used so that you can download them for free and duplicate the results on your systems.

Roadmap

This book is organized into three parts. Part 1 provides the basic foundations and Parts 2 and 3 provide the technical meat of the book. The book is organized so that we move up the layers of abstraction in a computer. We start by discussing hard disks and then discuss how disks are organized into partitions. After we discuss partitions, we discuss the contents of partitions, which is typically a file system.

Part 1 starts with Chapter 1 and discusses the approach that I take to a digital investigation. The different phases and guidelines are presented so that you know where I use the techniques described in this book. This book does not require that you use the same approach that I do. Chapter 2 provides the computer foundations and describes data structures, data encoding, the boot process, and hard disk technology. Chapter 3 provides the theory and a case study of hard disk acquisition so that we have data to analyze in Parts 2 and 3.

Part 2 of the book is on Media Management Analysis, which is the analysis of data structures that organize storage devices. This is typically the lowest layer of data structures on a disk. Chapter 4 provides a general overview of the analysis techniques and Chapter 5 covers the common DOS partitions as well as Apple partitions and GPT partitions, which are found in IA64 systems. Chapter 6 covers Unix partitions that can be found in BSD and Sun systems. Chapter 7 covers media management systems that span multiple disks, including RAID and volume spanning.

Part 3 of the book is on File System Analysis, which is the analysis of data structures that organize the partitions. Chapter 8 covers the general theory of file system analysis and defines terminology for the rest of Part 3. Each file system has at least two chapters dedicated to it where the first chapter covers the basic concepts and investigation techniques and the second chapter includes the data structures and manual analysis of example disk images. You have a choice of reading the two chapters in parallel, reading one after the other, or skipping the data structures chapter altogether.

The designs of the file systems are very different and therefore they are described using a general file system model. The general model organizes the data in a file system into one of five categories: file system, content, metadata, file name, and application. This general model is used to describe each of the file systems so that it is easier to compare them.

Chapters 9 and 10 cover the common FAT file system and Chapters 11, 12, and 13 cover NTFS. Next, we skip to the Unix file systems with Chapters 14 and 15 on the Linux EXT2 and EXT3 file systems. Lastly, Chapters 16 and 17 cover UFS1 and UFS2, which are found in FreeBSD, NetBSD, OpenBSD, and Sun Solaris.

After Part 3 of this book, you will know where a file existed on disk and all of the various data structures that needed to be in sync for you to view it. This book does not discuss how to analyze the file's contents. That falls into the Application Analysis realm and requires another book.
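The five-category model just described, carried through a tiny FAT12 volume as an added example; this is not code from the book or from The Sleuth Kit, and the volume it parses is constructed inside build_image() rather than acquired from a disk. Each function is labelled with the category it serves, so the path from a name in the root directory to the bytes on disk, and the file slack after them, can be followed by hand. Two things in it are assumptions of the example rather than properties FAT guarantees: the contiguous-clusters heuristic used to recover the deleted file, and the residue bytes placed after each file's end.

```python
"""FAT12 by hand, through the book's five categories: file system (boot sector) -> file name
(directory entry) -> metadata (FAT chain) -> content (clusters). Added example, not code from
the book or The Sleuth Kit; the volume comes from build_image() and is not a real disk."""
import struct

def read_bpb(img):
    """File system category: geometry from the BIOS Parameter Block at offset 11."""
    if img[510:512] != b"\x55\xaa":
        raise ValueError("boot sector signature missing")
    bps, spc, rsvd, nfats, root_ents, tot16, _media, spf = struct.unpack_from("<HBHBHHBH", img, 11)
    root_sec = rsvd + nfats * spf                       # root directory follows the FATs
    root_secs = (root_ents * 32 + bps - 1) // bps
    return {"csize": bps * spc, "fat_off": rsvd * bps, "root_off": root_sec * bps,
            "root_ents": root_ents, "data_off": (root_sec + root_secs) * bps,
            "nclusters": ((tot16 or struct.unpack_from("<I", img, 32)[0]) - root_sec - root_secs) // spc}

def fat12_entry(img, geo, n):
    """Metadata category: 12-bit entries packed 1.5 bytes apart."""
    off = geo["fat_off"] + n + n // 2
    word = img[off] | (img[off + 1] << 8)
    return word >> 4 if n & 1 else word & 0xFFF

def cluster_chain(img, geo, first):
    """Follow the FAT from a live file's first cluster; 0xFF8-0xFFF ends the chain."""
    chain, n = [], first
    while 2 <= n < 0xFF8 and n not in chain:            # membership test stops loops in a corrupt FAT
        chain.append(n)
        n = fat12_entry(img, geo, n)
    return chain

def cluster_bytes(img, geo, n):
    """Content category: the data area begins with cluster 2."""
    off = geo["data_off"] + (n - 2) * geo["csize"]
    return img[off:off + geo["csize"]]

def root_entries(img, geo):
    """File name category: 8.3 entries, including deleted ones (first byte 0xE5)."""
    out = []
    for i in range(geo["root_ents"]):
        e = img[geo["root_off"] + 32 * i:geo["root_off"] + 32 * (i + 1)]
        if e[0] == 0x00:
            break                                       # nothing used past here
        if e[11] == 0x0F:
            continue                                    # long-file-name entry, not handled
        deleted = e[0] == 0xE5
        base = (b"?" + e[1:8] if deleted else e[:8]).decode("ascii").rstrip()
        ext = e[8:11].decode("ascii").rstrip()
        out.append({"name": f"{base}.{ext}" if ext else base, "deleted": deleted,
                    "first": struct.unpack_from("<H", e, 26)[0], "size": struct.unpack_from("<I", e, 28)[0]})
    return out

def read_file(img, geo, ent):
    """Return (content, file slack). A live file follows its chain. A deleted file's chain was
    zeroed, so only its first cluster is certain; the usual recovery heuristic (an assumption,
    not something FAT records) is that it was contiguous, stopping at any cluster allocated since."""
    if not ent["deleted"]:
        chain = cluster_chain(img, geo, ent["first"])
    else:
        need = -(-ent["size"] // geo["csize"])           # ceiling division
        chain = []
        for n in range(ent["first"], ent["first"] + need):
            if fat12_entry(img, geo, n) != 0:            # reallocated: old content overwritten
                break
            chain.append(n)
    data = b"".join(cluster_bytes(img, geo, n) for n in chain)
    return data[:ent["size"]], data[ent["size"]:]

def build_image():
    """Constructed 16-sector FAT12 volume: HELLO.TXT spans clusters 2-3; SECRET.TXT (20 bytes in
    cluster 4) is deleted. Bytes past each file's end are residue of an earlier, larger file."""
    bps, img = 512, bytearray(512 * 16)
    img[0:3], img[3:11], img[510:512] = b"\xeb\x3c\x90", b"EXAMPLE ", b"\x55\xaa"
    struct.pack_into("<HBHBHHBH", img, 11, bps, 1, 1, 1, 16, 16, 0xF8, 1)
    geo = read_bpb(img)
    def set_fat(n, v):                                   # inverse of fat12_entry
        off = geo["fat_off"] + n + n // 2
        if n & 1:
            img[off], img[off + 1] = (img[off] & 0x0F) | ((v & 0x0F) << 4), v >> 4
        else:
            img[off], img[off + 1] = v & 0xFF, (img[off + 1] & 0xF0) | (v >> 8)
    for n, v in [(0, 0xFF8), (1, 0xFFF), (2, 3), (3, 0xFFF), (4, 0)]:
        set_fat(n, v)                                    # cluster 4 was freed when SECRET.TXT was deleted
    def dirent(idx, name83, first, size, deleted=False):
        e = bytearray(32)
        e[0:11], e[11] = name83.encode("ascii"), 0x20
        struct.pack_into("<HI", e, 26, first, size)
        if deleted:
            e[0] = 0xE5
        img[geo["root_off"] + 32 * idx:geo["root_off"] + 32 * (idx + 1)] = e
    hello = (b"The quick brown fox jumps over the lazy dog. " * 14)[:600]
    dirent(0, "HELLO   TXT", 2, len(hello))
    dirent(1, "SECRET  TXT", 4, 20, deleted=True)
    residue = b"OLD-FILE-RESIDUE " * 40
    for n, payload in ((2, hello[:512]), (3, hello[512:] + residue), (4, b"deleted secret text!" + residue)):
        off = geo["data_off"] + (n - 2) * geo["csize"]
        img[off:off + geo["csize"]] = payload[:geo["csize"]]
    return bytes(img)
```

Calling build_image(), read_bpb(), root_entries() and read_file() in that order yields HELLO.TXT's 600 bytes plus 424 bytes of slack from the tail of cluster 3, and the 20 bytes of the deleted SECRET.TXT recovered from cluster 4 even though its FAT entry is now zero and its name begins with 0xE5; the cycle guard in cluster_chain() and the signature check in read_bpb() are the sanity checks the preface has in mind when it says knowing the structures lets you catch tool errors.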



Customer Reviews

Average Rating: 5 (4 reviews, all 5-star)

  • Anonymous

    Posted May 5, 2005

    Must Have Resource for Digital Forensics

    Brian Carrier has written a solid book that should be on the reference shelf of anyone in the Digital Forensics field that conducts analysis of file systems. The book is well organized into three parts, each with multiple chapters. The first part discusses the foundations necessary to understand digital evidence, computer functions and acquiring data for analysis. This part is intentionally at a higher level, yet still provides the necessary foundations for the subsequent parts. A good explanation of host protected area (HPA) and device configuration overlays (DCO) is included, as well as methods by which one can test for such areas on volumes. The second part discusses volume analysis. Brian takes this topic and divides it into four chapters addressing basic volumes, personal computer volumes, server volumes and finally multiple disk volumes. He provides detailed information on a variety of common partition types, even including both SPARC and i386 partition information for Sun Solaris. Finally the third part discusses file system analysis, and the last 10 chapters are dedicated to covering general information, and then detailed descriptions of concepts, analysis and data structures for FAT, NTFS, Ext2, Ext3, UFS1 and UFS2 file systems. The detailed information provided well-documented explanations and included analysis scenarios. For instance, in his discussion of NTFS analysis, an image of a damaged disk is evaluated, and he provides meaningful explanations of reconstructing the damaged tables to allow analysis of the data. He provides many such examples throughout. An additional positive attribute to this work is the thorough bibliography placed after each chapter, which quickly provides the reader with other data sources, should they be needed. Overall, this is an excellent reference for anyone that must conduct analysis of file systems for investigative purposes. He provides clear information that is valuable, regardless of what tools an examiner may use to conduct analysis. This is definitely worth having on your bookshelf.

  • Anonymous

    Posted April 11, 2005

    very comprehensive across operating systems

    Carrier's book is rare in its comprehensive coverage of how computers actually store data on disks. Other books might give lesser amounts of detail. And then, a particular book usually describes only how a given operating system does its storage. Carrier goes further on both counts. He describes how Microsoft, Apple, BSD, Linux and Sun do their disks, though Microsoft's FAT and NTFS get the most extensive coverage, due to the prevalence of disks using these formats. Hierarchies of disks are also covered, like the RAID levels. Plus logical volumes of disks, which span actual sets of disks. The cutting edge topic is forensics. It is to this end that he explains throughout the book how knowing certain details might aid you in recovering data. Consider his discussion of slack space as one example. He shows how if an operating system does not overwrite this, then a post mortem can reveal fragments of an earlier, supposedly deleted file. (Gosh!) Similar to how an operating system might delete a file by erasing the pointer to the file, but not the actual contents. I'm simplifying here. But perhaps you can see the utility in knowing exactly how files are kept and removed.
