One of the biggest challenges that I have faced over the years while developing The Sleuth Kit (TSK) has been finding good file system and media management (partition tables, RAID etc.) documentation. It has also been challenging to explain to users why certain files cannot be recovered or what to do when a corrupt file system is encountered because there are no good references to refer them to. It is easy to find resources that describe file systems at a high level, but source code is typically needed to learn the details. This book describes how data are stored on disk and where and how digital evidence can be found.

There are two target audiences for this book. One is the experienced investigator that has learned about digital investigations from real cases and using analysis tools. The other is someone who is new to the field and is interested in learning about the general theory of an investigation and where digital evidence may exist, but is not yet looking for a book that has a tutorial on how to use a specific tool.

The value of the material in this book is that it helps to provide an education rather than training on a specific tool. Consider some of the more formal sciences or engineering disciplines. All undergraduates are required to take a couple of semesters of physics, chemistry, or biology. These courses are not required because the students will be using all of the material for the rest of their careers. In fact, software and equipment exist to perform many of the calculations students are forced to memorize. The point of the classes is to provide students with insight about how things work so that theyare not constrained by their tools.

The goal of this book is to provide an investigator with an education similar to what Physics 101 is to a mechanical engineer. The majority of digital evidence is found on a disk and knowing how and why the evidence exists can help an investigator to better testify about it. It will also help an investigator find errors and bugs in his analysis tools because he can conduct sanity checks on the tool output.

The recent trends in digital investigations have shown that more education is needed. Forensic labs are being accredited for digital evidence and there are debates about the required education and certification levels. Numerous universities offer courses and even Master's degrees in computer forensics. Government and university labs are conducting theoretical research in the area and focusing on future as well as current problems. There are also peer-reviewed journals for publishing research and investigation techniques. All of these new directions require in-depth knowledge outside of a specific tool or technique.

The approach of this book is to describe the basic concepts and theory of a file system and then apply it to an investigation. For each file system, the book covers analysis techniques and special considerations that the investigator should make. Scenarios are given to reinforce how the information can be used in an actual case. In addition, the data structures associated with file system and media management system are given and disk images are analyzed by hand so that the reader can see where the various data are located. If you are not interested in parsing data structures then you can skip those sections. Only non-commercial tools are used so that you can download them for free and duplicate the results on your systems.

Roadmap

This book is organized into three parts. Part 1 provides the basic foundations and Parts 2 and 3 provide the technical meat of the book. The book is organized so that we move up the layers of abstraction in a computer. We start by discussing hard disks and then discuss how disks are organized into partitions. After we discuss partitions, we discuss the contents of partitions, which is typically a file system.

Part 1 starts with Chapter 1 and discusses the approach that I take to a digital investigation. The different phases and guidelines are presented so that you know where I use the techniques described in this book. This book does not require that you use the same approach that I do. Chapter 2 provides the computer foundations and describes data structures, data encoding, the boot process, and hard disk technology. Chapter 3 provides the theory and a case study of hard disk acquisition so that we have data to analyze in Parts 2 and 3.

Part 2 of the book is on Media Management Analysis, which is the analysis of data structures that organize storage devices. This is typically the lowest layer of data structures on a disk. Chapter 4 provides a general overview of the analysis techniques and Chapter 5 covers the common DOS partitions as well as Apple partitions and GPT partitions, which are found in IA64 systems. Chapter 6 covers Unix partitions that can be found in BSD and Sun systems. Chapter 7 covers media management systems that span multiple disks, including RAID and volume spanning.

Part 3 of the book is on File System Analysis, which is the analysis of data structures that organize the partitions. Chapter 8 covers the general theory of file system analysis and defines terminology for the rest of Part 3. Each file system has at least two chapters dedicated to it where the first chapter covers the basic concepts and investigation techniques and the second chapter includes the data structures and manual analysis of example disk images. You have a choice of reading the two chapters in parallel, reading one after the other, or skipping the data structures chapter altogether.

The designs of the file systems are very different and therefore they are described using a general file system model. The general model organizes the data in a file system into one of five categories: file system, content, metadata, file name, and application. This general model is used to describe each of the file systems so that it is easier to compare them.

Chapters 9 and 10 cover the common FAT file system and Chapters 11, 12, and 13 cover NTFS. Next, we skip to the Unix file systems with Chapters 14 and 15 on the Linux EXT2 and EXT3 file systems. Lastly, Chapters 16 and 17 cover UFS1 and UFS2, which are found in FreeBSD, NetBSD, OpenBSD, and Sun Solaris.

After Part 3 of this book, you will know where a file existed on disk and all of the various data structures that needed to be in sync for you to view it. This book does not discuss how to analyze the file's contents. That falls into the Application Analysis realm and requires another book.

© Copyright Pearson Education. All rights reserved.