File System Forensic Analysis
Excellent Book for the Security Network Engineer
If you're a Network Security Engineer, this is the book for you. Combined with "Windows Forensics and Incident Recovery" you'll acquire all the necessary skills as to the why and how, as opposed to the oooh and hummm, when your network is compromised. Hope you enjoy the book as much as I did, highly recommended!!!
2005-08-13




At Last, A Real Digital Forensics Reference Book
Brian Carrier has stepped up to the plate and filled a void in host-based digital forensics that has been missing for years. "File System Forensic Analysis" covers nearly every low-level aspect of file systems, the heart of every computer forensics investigation. In an age where most digital forensic investigations are oversimplified with GUI analysis suites, Mr. Carrier brings us back to the basis of investigative techniques in a very easy-to-understand manner.
I especially respect how Mr. Carrier took the extra time to develop a framework used to discuss and compare the file systems. His generalized framework should make it easy for the reader to address the differences discovered between file systems.
In addition to the expected file system discussions, there were a few extra surprises in the book that are worth mentioning. Mr. Carrier included information regarding the methods by which different operating systems (and versions of those operating systems) interface with their file systems. For example, the infamous phenomenon of a creation time/date stamp that is later than the last-written time/date stamp is clearly explained for Microsoft Windows file systems.
I keep very few printed books as reference guides, but this book will be close to my computer during every investigation.
2005-08-01
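
The creation-time-after-last-written-time anomaly the review above mentions, shown as an added example that is not from the book or the reviewer: a Python routine that decodes the four FILETIME values at the start of an NTFS $STANDARD_INFORMATION attribute body (created, modified, MFT-modified, accessed, each a little-endian 64-bit count of 100 ns intervals since 1601-01-01 UTC) and flags entries whose creation time is later than their last-written time. That ordering is what a file shows after being copied onto a volume: the copy receives a fresh creation time while the modification time is carried over from the source. The attribute bodies, file names and timestamps below are constructed for the example.

```python
import struct
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)


def filetime_to_datetime(ft: int) -> datetime:
    """FILETIME counts 100 ns intervals since 1601-01-01 UTC."""
    return FILETIME_EPOCH + timedelta(microseconds=ft // 10)


def datetime_to_filetime(dt: datetime) -> int:
    """Inverse of filetime_to_datetime for timezone-aware datetimes."""
    delta = dt.astimezone(timezone.utc) - FILETIME_EPOCH
    return (delta.days * 86_400 + delta.seconds) * 10_000_000 + delta.microseconds * 10


@dataclass
class StandardInformation:
    created: datetime       # body offset 0x00
    modified: datetime      # body offset 0x08, the "last written" time
    mft_modified: datetime  # body offset 0x10
    accessed: datetime      # body offset 0x18


def parse_standard_information(body: bytes) -> StandardInformation:
    """Decode the four FILETIMEs that open a $STANDARD_INFORMATION attribute body."""
    if len(body) < 32:
        raise ValueError("attribute body too short for the four timestamps")
    ticks = struct.unpack_from("<4Q", body, 0)
    return StandardInformation(*(filetime_to_datetime(t) for t in ticks))


def build_standard_information(created, modified, mft_modified, accessed) -> bytes:
    """Constructed 48-byte body: the timestamps, with flags and the other fields zeroed."""
    times = (created, modified, mft_modified, accessed)
    return struct.pack("<4Q", *(datetime_to_filetime(t) for t in times)) + bytes(16)


def created_after_modified(records: dict, tolerance: timedelta = timedelta(0)) -> list:
    """Names whose creation time exceeds the last-written time by more than `tolerance`."""
    return [name for name, si in records.items() if si.created - si.modified > tolerance]


def sample_records() -> dict:
    """Constructed records with hypothetical names; the ordering of the times is the point."""
    utc = timezone.utc
    edited = datetime(2005, 1, 12, 17, 30, tzinfo=utc)
    copied = datetime(2005, 3, 1, 8, 15, tzinfo=utc)
    noted = datetime(2005, 2, 1, tzinfo=utc)
    raw = {
        # created, then edited two days later: the normal ordering
        "quarterly.xlsx": build_standard_information(
            datetime(2005, 1, 10, 9, 0, tzinfo=utc), edited, edited, edited),
        # copied onto this volume in March: new creation time, modified time carried from the source
        "quarterly (copy).xlsx": build_standard_information(copied, edited, copied, copied),
        # written once: created == modified, not flagged
        "notes.txt": build_standard_information(noted, noted, noted, noted),
    }
    return {name: parse_standard_information(body) for name, body in raw.items()}


if __name__ == "__main__":
    records = sample_records()
    for name, si in records.items():
        print(f"{name:24} created={si.created:%Y-%m-%d %H:%M} modified={si.modified:%Y-%m-%d %H:%M}")
    print("created after modified:", created_after_modified(records))
```

The check reads only $STANDARD_INFORMATION; an examiner would compare it against the $FILE_NAME attribute's copy of the same four times, which Windows updates under different rules, before drawing conclusions about a flagged file.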




Excellent introduction to file system mechanics
There is both decent coverage of file system layout for various operating systems, and forensic examples and scenarios in this book. It's fascinating on both counts. Linux, Windows, and Apple operating systems are covered in detail. And case studies that demonstrate how files were analyzed on each of these systems are provided.
Definitely a solid work for anyone involved in this type of forensics work.
2005-05-11




Must Have Resource for Digital Forensics
Brian Carrier has written a solid book that should be on the reference shelf of anyone in the Digital Forensics field who conducts analysis of file systems. The book is well organized into three parts, each with multiple chapters.
The first part discusses the foundations necessary to understand digital evidence, computer functions and acquiring data for analysis. This part is intentionally at a higher level, yet still provides the necessary foundations for the subsequent parts. A good explanation of host protected area (HPA) and device configuration overlays (DCO) is included, as well as methods by which one can test for such areas on volumes.
The second part discusses volume analysis. Brian takes this topic and divides it into four chapters addressing basic volumes, personal computer volumes, server volumes and finally multiple disk volumes. He provides detailed information on a variety of common partition types, even including both SPARC and i386 partition information for Sun Solaris.
Finally, the third part discusses file system analysis; the last 10 chapters are dedicated to general information, and then detailed descriptions of concepts, analysis and data structures for the FAT, NTFS, Ext2, Ext3, UFS1 and UFS2 file systems. The detailed information provides well-documented explanations and includes analysis scenarios. For instance, in his discussion of NTFS analysis, an image of a damaged disk is evaluated, and he provides meaningful explanations of reconstructing the damaged tables to allow analysis of the data. He provides many such examples throughout.
An additional positive attribute to this work is the thorough bibliography placed after each chapter, which quickly provides the reader with other data sources, should they be needed.
Overall, this is an excellent reference for anyone who must conduct analysis of file systems for investigative purposes. He provides clear information that is valuable, regardless of what tools an examiner may use to conduct analysis. This is definitely worth having on your bookshelf.
2005-05-05




Doesn't get much more complete than this...
If you have a need to thoroughly understand computer file systems for whatever reason, you need this book... File System Forensic Analysis by Brian Carrier. It just doesn't get any more detailed than this.
Chapter List:
Part 1 - Foundations: Digital Investigation Foundations; Computer Foundations; Hard Disk Data Acquisition
Part 2 - Volume Analysis: Volume Analysis; PC-based Partitions; Server-based Partitions; Multiple Disk Volumes
Part 3 - File System Analysis: File System Analysis; FAT Concepts and Analysis; FAT Data Structures; NTFS Concepts; NTFS Analysis; NTFS Data Structures; Ext2 and Ext3 Concepts and Analysis; Ext2 and Ext3 Data Structures; UFS1 and UFS2 Concepts and Analysis; UFS1 and UFS2 Data Structures; The Sleuth Kit and Autopsy; Index
The working concept of the book is that the reader needs to understand file systems in order to do forensic analysis; for instance, they need to recover content that's been deleted or hidden on the drive. And while it's true that this information will definitely address that need, it's really a detailed reference work for anyone who has a need to deeply understand the disk structure of a computer. Developers working on disk utility software come to mind right away.
I was surprised that file systems such as FAT and NTFS really don't have published specifications that can be easily found. Carrier often talks about how few of the detailed parts of the system are documented, so this book is one of the few places you'll find all the information gathered in a single location. On top of that, there are copious diagrams and file dumps that help to take the information from theory to reality. Another part of the material talks about how forensic software tools are used to analyze the disk information. Carrier does primarily talk about forensic software that he helped develop, but it's not (in my opinion) a detriment to the book. I didn't get the impression I was reading a 550 page advertisement (which I've seen on occasion).
Very detailed and complete, and this is the first title you should look at if you need to understand disk structures.
2005-04-30
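
The FAT data structures and deleted-content recovery that the review above points to, shown as an added example that is neither the book's nor the reviewer's code: a Python parser for a FAT boot sector (the BIOS Parameter Block) that derives the volume geometry and the FAT type, plus a directory-entry parser that spots deleted entries and works out where a deleted file's data started. Two details it encodes are the ones an examiner needs to get right: the FAT type is defined by the cluster count, not by the "FAT16" label string in the boot sector, and deletion overwrites only the first byte of the name with 0xE5 and frees the cluster chain, so recovering a deleted file from its directory entry alone assumes the file was stored contiguously. The boot sector and directory sector below are constructed for the example, with hypothetical file names and zeroed timestamps.

```python
import math
import struct

# BPB fields at offsets 0..35: jump, OEM name, bytes/sector, sectors/cluster, reserved sectors,
# FAT count, root entries, total sectors (16), media, FAT size (16), sectors/track, heads,
# hidden sectors, total sectors (32)
BOOT_FMT = "<3s8sHBHBHHBHHHII"


def parse_boot_sector(sector: bytes) -> dict:
    """Decode the BIOS Parameter Block and derive the volume geometry and FAT type."""
    if len(sector) < 512 or sector[510:512] != b"\x55\xAA":
        raise ValueError("boot sector signature 0x55AA missing")
    (_jmp, oem, bps, spc, reserved, num_fats, root_entries, total16,
     _media, fat_size16, _spt, _heads, _hidden, total32) = struct.unpack_from(BOOT_FMT, sector, 0)
    fat_size32 = struct.unpack_from("<I", sector, 36)[0]  # used only when FATSz16 is zero (FAT32)
    fat_size = fat_size16 or fat_size32
    total = total16 or total32
    if bps not in (512, 1024, 2048, 4096) or spc == 0 or fat_size == 0 or total == 0:
        raise ValueError("implausible BPB values")
    root_dir_sectors = (root_entries * 32 + bps - 1) // bps  # zero on FAT32
    first_root_sector = reserved + num_fats * fat_size
    first_data_sector = first_root_sector + root_dir_sectors
    cluster_count = (total - first_data_sector) // spc
    # The type follows from the cluster count alone; the "FAT12/16/32" string at
    # offset 54 is informational and must not be trusted.
    fat_type = "FAT12" if cluster_count < 4085 else "FAT16" if cluster_count < 65525 else "FAT32"
    return {
        "oem": oem.decode("ascii", "replace"), "bytes_per_sector": bps, "sectors_per_cluster": spc,
        "reserved_sectors": reserved, "num_fats": num_fats, "fat_sectors": fat_size,
        "root_dir_sectors": root_dir_sectors, "first_root_sector": first_root_sector,
        "first_data_sector": first_data_sector, "cluster_count": cluster_count, "fat_type": fat_type,
    }


def cluster_to_sector(geom: dict, cluster: int) -> int:
    """Data clusters are numbered from 2 and begin at the first data sector."""
    if cluster < 2:
        raise ValueError("clusters 0 and 1 hold no data")
    return geom["first_data_sector"] + (cluster - 2) * geom["sectors_per_cluster"]


def parse_directory(data: bytes, geom: dict) -> list:
    """Walk 32-byte directory entries, keeping deleted ones and skipping long-name pieces."""
    entries = []
    for off in range(0, len(data) - 31, 32):
        raw = data[off:off + 32]
        if raw[0] == 0x00:
            break  # never-used entry: nothing follows in this directory
        attr = raw[11]
        if attr & 0x0F == 0x0F:
            continue  # VFAT long-name entry
        deleted = raw[0] == 0xE5
        base = raw[1:8] if deleted else raw[0:8]  # the first name byte is lost on delete
        name = ("?" if deleted else "") + base.decode("ascii", "replace").rstrip()
        ext = raw[8:11].decode("ascii", "replace").rstrip()
        hi = struct.unpack_from("<H", raw, 20)[0]  # high word of the first cluster (FAT32 only)
        lo = struct.unpack_from("<H", raw, 26)[0]
        size = struct.unpack_from("<I", raw, 28)[0]
        cluster = (hi << 16) | lo
        entries.append({
            "name": name + ("." + ext if ext else ""), "attr": attr, "deleted": deleted,
            "first_cluster": cluster, "size": size,
            "first_sector": cluster_to_sector(geom, cluster) if cluster >= 2 else None,
        })
    return entries


def contiguous_extent(geom: dict, entry: dict):
    """Sector range to carve for a file, assuming its clusters were allocated contiguously."""
    if entry["first_sector"] is None or entry["size"] == 0:
        return None
    return entry["first_sector"], math.ceil(entry["size"] / geom["bytes_per_sector"])


def build_sample_boot_sector() -> bytes:
    """Constructed boot sector of a 16 MiB FAT16 volume (not from a real disk)."""
    sector = bytearray(512)
    struct.pack_into(BOOT_FMT, sector, 0, b"\xEB\x3C\x90", b"MSWIN4.1",
                     512, 4, 1, 2, 512, 32768, 0xF8, 32, 63, 255, 0, 0)
    sector[510:512] = b"\x55\xAA"
    return bytes(sector)


def make_dir_entry(name: str, ext: str, attr: int, cluster: int, size: int, deleted: bool = False) -> bytes:
    """Constructed 8.3 directory entry; timestamps are left zero."""
    raw = bytearray(32)
    raw[0:8] = name.ljust(8).encode("ascii")
    raw[8:11] = ext.ljust(3).encode("ascii")
    raw[11] = attr
    struct.pack_into("<H", raw, 20, cluster >> 16)
    struct.pack_into("<H", raw, 26, cluster & 0xFFFF)
    struct.pack_into("<I", raw, 28, size)
    if deleted:
        raw[0] = 0xE5  # all that deletion changes in the entry itself
    return bytes(raw)


def build_sample_directory() -> bytes:
    """Constructed root-directory sector: a live file, a deleted file and a subdirectory."""
    return b"".join([
        make_dir_entry("REPORT", "TXT", 0x20, 5, 1234),
        make_dir_entry("SECRET", "DOC", 0x20, 9, 4096, deleted=True),
        make_dir_entry("DOCS", "", 0x10, 3, 0),
    ]).ljust(512, b"\x00")


if __name__ == "__main__":
    geom = parse_boot_sector(build_sample_boot_sector())
    print(geom["fat_type"], geom)
    for entry in parse_directory(build_sample_directory(), geom):
        print(entry, "carve:", contiguous_extent(geom, entry))
```

On the constructed volume the cluster count comes out at 8167, which makes it FAT16, and the deleted entry "?ECRET.DOC" still points at cluster 9, sector 125, with a 4096-byte size, so eight sectors from there are the candidate for recovery. Whether those sectors still hold the file depends on whether they have been reallocated since, which the entry cannot tell you.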

