File System Forensic Analysis
Accept no substitutes -- THE book to read on file systems
I decided to read and review three digital forensics books in order to gauge their strengths and weaknesses: "File System Forensic Analysis" (FSFA) by Brian Carrier, "Windows Forensics" (WF) by Chad Steel, and "EnCase Computer Forensics" (ECF) by Steve Bunting and William Wei. All three books contain the word "forensics" in the title, but they are very different. If you want authoritative and deeply technical guidance on understanding file systems, read FSFA. If you want to focus on understanding Windows from an investigator's standpoint, read WF. If you want to know more about EnCase (and are willing to tolerate or ignore information about forensics itself), read ECF.

In the spirit of full disclosure I should mention I am co-author of a forensics book ("Real Digital Forensics") and Brian Carrier cites my book "The Tao of Network Security Monitoring" on p. 10. I tried not to let those facts sway my reviews.

FSFA has received lengthy and glowing reviews, so I will keep my comments brief. Of the three books I cited earlier, FSFA was the only one which really grabbed my attention. I am a network-centric security practitioner, but Brian Carrier's organization, thoughtfulness, and delivery really hooked me. I very much appreciate authors who define a framework and explain potentially complicated topics within that framework.

For example, Brian is very keen to promote the scientific method. His emphasis on hypotheses and looking for evidence to refute them made me take a second look at my own practices. Brian differentiates between "essential" and "nonessential" data, where the former must be accurate in order for a user to access data and the latter does not necessarily need to be accurate. Again, this is a great way to think about digital evidence in any form. Investigation is grouped into preservation, search, and event reconstruction phases. Finally, Brian's separation of data structures into five categories (file system, content, metadata, file name, and application) facilitates comparisons of file systems in the third part of FSFA.

Besides being well-organized, FSFA does an excellent job covering material not addressed elsewhere. Server partitions, RAID, and LVM are examples. It is important to understand what is NOT present in FSFA, however. Brian very clearly stops at the application level of data, saving that for other books. I think this is a great idea, since it lets FSFA concentrate on its core topics (file systems) and saves the data on those file systems for other books. At the risk of self-promoting, I think FSFA is a powerful companion to "Real Digital Forensics" (RDF), since we provide sample file system images in dd format suitable for analysis using FSFA techniques. RDF also cares more about content than structure, which is where FSFA stops.

Anyone who even pretends to be a host-centric forensics practitioner must read FSFA. I expect it has the power to save you on the stand should you encounter intense questioning from a defense attorney.
2006-10-09
The best work on the topic
Carrier's book has proven invaluable to this digital forensics trainee, and I expect many of the old hands in the field will be keeping it on hand as well. If you're serious about computer forensics, you need a copy.
2006-08-29
Very deep
I'm pretty technical, so I enjoyed this book. The author has more on file systems than just about anywhere, and I found it helpful in non-security work also, just to understand how the different systems work.
I was able to use the book Windows Forensics, Corporate Computer Investigations by Chad Steel more in daily use, but this book would have been better as a starting point in learning about disk-based analysis and does a much better job of diving deep into file system specifics.

Some of the programming-level content was tough to follow, but if you are ever going to court and really need to know your stuff, this is by far the book you need. I recommend it thoroughly.
2006-05-24
Excellent Book
Excellent book for beginning to really understand file system forensics. Good book for reference down the road as well. Highly recommend.
2006-03-19
Wide and Deep
There aren't many information technology books that can be read cover to cover like a novel. If you are interested in file system analysis, then this book is one of them.

The way Brian organizes his book can take a motivated person from knowing very little about file system analysis to guru in a very step by step manner. Brian starts at the bottom and steadily works his way up.

The chapter structure is excellent.

* Digital Investigation Foundations
* Computer Foundations
* Hard Disk Data Acquisition
* Volume Analysis
* File System Analysis

Perfect. Each new section builds on the last.

The File System Analysis section is also structured so that you can get as little or as much as you want out of it.
Each file system is given a chapter for describing how it utilizes the categories defined in The Sleuth Kit (file system, content, metadata, file name, application) and another chapter for digging into the meat of it.

After reading the book, I know it will be an indispensable tool for all my future forensic hard disk analyses.

My only quibble at all is that it does not cover IBM's HPFS file system used for OS/2, because, yes, there are still some OS/2 systems I have to analyze (but not many, and getting fewer and fewer). Most of that analysis is application level anyway, which is out of scope.

Regardless, this is an amazing and wonderful book.

I eagerly await the 2nd edition in a year or so. I'll buy it, too.
2006-01-07