Paperback File System Forensic Analysis Book

ISBN: 0321268172

ISBN13: 9780321268174

File System Forensic Analysis


Format: Paperback


Book Overview

The Definitive Guide to File System Analysis: Key Concepts and Hands-on Techniques

Most digital evidence is stored within the computer's file system, but understanding how file systems work is one of the most technically challenging concepts for a digital investigator because there exists little documentation. Now, security expert Brian Carrier has written the definitive reference for everyone who wants to understand and be able to testify...

Customer Reviews

5 ratings

Slightly more academic than I'd expected, but what a great book.

Truly a landmark reference book. Doesn't claim to, nor desire to teach you forensics, but if this is an area that interests you, it's only a matter of time before you need this book. It's too easy to use current point-and-click forensic tools without understanding what's going on under the hood. This book shows in excruciating detail all the file systems, and how to analyze them with TSK. There's no substitute for down and dirty examinations with a powerful tool like this - and everything you learn can carry over to the "point-and-click" tools so commonly used. Just a superb learning tool. Priceless.

excellent coverage of the area, high quality writing

It's easy to think that computer filesystems are relatively simple things. After all, if 'dir' or 'ls' don't show what you're looking for, maybe an undelete program will work. Or will it? To be a decent, trustworthy expert in forensics (a requirement if you plan to participate in any criminal investigations), you'll have to learn how filesystems really operate, how tools like undelete and lazarus work, and how they can be defeated. Carrier's book isn't a legal book at all, and it doesn't pretend to offer much insight into the law surrounding forensics. Instead it focuses on technical matters, and is sure to be the gold standard in its field. This is important, because it comes at you expecting you to have some knowledge, even if only informal, of what a filesystem contains. With a basic understanding of data structures, you'll get a wealth of information out of this book, and it will be a good reference long after you've first studied it.

File System Forensic Analysis is divided into three sections. These are arranged in the order that you'll want to study them to maximize the benefit you can hope to achieve, namely an understanding of how to examine filesystems for hidden or previously stored data. The first three chapters cover a fundamental series of topics: Digital Investigation Foundations, Computer Foundations, and an introduction to Hard Disk Data Acquisition. While they start at a basic level (e.g. what hexadecimal is), they quickly progress to more developed topics, such as the types of interfaces (SATA, SCSI, IDE), the relationship of the disk to the computer system as a whole, and how data is stored in a file and filesystem at a basic level. A lot of examples given use Linux, due to the raw, accessible nature of UNIX and UNIX-like systems, and the availability of tools like 'dd' to gather data.

Part 2 covers "Volume Analysis," or the organization of files into a storage system. This introduces the basics of things like partition tables (including how to read one). The next few chapters cover PC-based partitions (DOS and Apple), server-based partitions (BSD, Solaris and GPT partitions), and then multiple disk volumes like RAID and logical volumes. With this introduction, the final chapter of the section covers how to use these filesystem descriptions in practice to look for data during analysis. Filesystem layouts, organization, and things like journals and consistency checks are covered with a clarity and exactness that's refreshing for such a detailed topic.

Having covered the basics of filesystems, Part 3 covers the bulk of the book and material. Several chapters follow that specifically show you how to analyze particular filesystems by using their data structures to direct your reads. A range of filesystems are covered, including FAT, NTFS, EXT2 and EXT3, and the BSD types UFS1 and UFS2. Each filesystem has two chapters, one devoted to concepts and analysis, another entirely about data structures. Dividing each filesystem type l

At Last, A Real Digital Forensics Reference Book

Brian Carrier has stepped up to the plate and filled a void in host based digital forensics that has been missing for years. "File System Forensic Analysis" covers nearly every low level aspect of file systems, the heart of every computer forensics investigation. In an age where most digital forensic investigations are oversimplified with GUI analysis suites, Mr. Carrier brings us back to the basis of investigative techniques in a very easy to understand manner. I especially respect how Mr. Carrier took the extra time to develop a framework used to discuss and compare the file systems. His generalized framework should make it easy for the reader to address the differences discovered between file systems. In addition to the expected file system discussions, there were a few extra surprises in the book that are worth mentioning. Mr. Carrier included information regarding methods different Operating Systems (and versions of those Operating Systems) interface with their file systems. For example, the infamous creation time/date stamp after the last written time/date stamp phenomenon is clearly explained for Microsoft Windows file systems. I keep very few printed books as reference guides, but this book will be close to my computer during every investigation.

Must Have Resource for Digital Forensics

Brian Carrier has written a solid book that should be on the reference shelf of anyone in the Digital Forensics field that conducts analysis of file systems. The book is well organized into three parts, each with multiple chapters.

The first part discusses the foundations necessary to understand digital evidence, computer functions and acquiring data for analysis. This part is intentionally at a higher level, yet still provides the necessary foundations for the subsequent parts. A good explanation of host protected area (HPA) and device configuration overlays (DCO) is included, as well as methods by which one can test for such areas on volumes.

The second part discusses volume analysis. Brian takes this topic and divides it into four chapters addressing basic volumes, personal computer volumes, server volumes and finally multiple disk volumes. He provides detailed information on a variety of common partition types, even including both SPARC and i386 partition information for Sun Solaris.

Finally the third part discusses file system analysis, and the last 10 chapters are dedicated to covering general information, and then detailed descriptions of concepts, analysis and data structures for FAT, NTFS, Ext2, Ext3, UFS1 and UFS2 file systems. The detailed information provided well-documented explanations and included analysis scenarios. For instance, in his discussion of NTFS analysis, an image of a damaged disk is evaluated, and he provides meaningful explanations of reconstructing the damaged tables to allow analysis of the data. He provides many such examples throughout. An additional positive attribute to this work is the thorough bibliography placed after each chapter, which quickly provides the reader with other data sources, should they be needed.

Overall, this is an excellent reference for anyone that must conduct analysis of file systems for investigative purposes. He provides clear information that is valuable, regardless of what tools an examiner may use to conduct analysis. This is definitely worth having on your bookshelf.

Super-deep filesystem coverage

More and more good forensics books show up at my doorstep (some bad ones have surfaced as well...). However, Brian's "File System Forensics Analysis" is exceptional in its depth of coverage of modern computer file systems. No other book published so far (and, I suspect, ever) offers that level of detail on the internals of file systems such as ext2, ext3, NTFS, FAT and also UFS1 and 2. This is not a general purpose forensics practitioner guide, nor is it a guide to acquiring evidence (however, the book does contain a brief intro to the forensic process). The book just looks at the file systems! There was definitely a need for a source of low-level information on filesystem internals as they apply to forensics. What are the NTFS-specific acquisition issues? Ext3 vs ext2? Etc, etc - many other technical forensics questions are answered in this book. Ok, so you are the type who runs EnCase once and thinks you are ready to go to court to testify? Have you looked at Windows swap file? Alternative data streams? Host-protected area? No? Then get the book. The book will help law enforcement computer crime folks (those already skilled in forensics), forensics consultants and internal investigators to learn what is really going on when bits get copied, removed, acquired, etc.

Anton Chuvakin, Ph.D., GCIA, GCIH, GCFA is a Security Strategist with a major security company. He is an author of the book "Security Warrior" and a contributor to "Know Your Enemy II". In his spare time, he maintains his security portal info-secure.org.