File System Forensic Analysis by Brian Carrier

From the Publisher

The Definitive Guide to File System Analysis: Key Concepts, Hands-on Techniques

Most digital forensics evidence is stored within the computer's file system, but working with file systems is the most technically challenging aspect of forensic analysis. Now, world-renowned expert Brian Carrier has written the definitive reference and "cookbook" for everyone who must perform reliable, legally defensible file system analysis.

Carrier begins with an authoritative, comprehensive overview of contemporary file systems and disk layouts: crucial information for discovering hidden evidence, recovering deleted data, and validating your tools. Next, he shows how to use today's most valuable open source file system analysis tools—including tools he personally developed. Carrier's techniques address six leading file systems found on today's Windows, UNIX, and Linux systems: FAT, NTFS, Ext2, Ext3, UFS1, and UFS2. Coverage includes

• Preserving the digital crime scene and duplicating hard disks for "dead analysis"

• Acquiring data safely without diminishing its value as evidence

• Identifying hidden data on a disk's Host Protected Area (HPA)

• Reading source data: direct versus BIOS access, dead versus live acquisition, error handling, and more

• Analyzing contents of both PC-based and server-based partitions

• Working with systems containing multiple disk volumes

• Key concepts, data structures, and specific techniques for analyzing Windows, UNIX, and Linux file systems

• Using The Sleuth Kit (TSK), Autopsy Forensic Browser, and related open source tools

When it comes to file system analysis, no other bookoffers this much detail—or this much specific, usable help. Whether you're a digital forensics specialist, incident response team member, law enforcement officer, corporate security specialist, or auditor, you'll rely on it constantly.

Product Details

• Table of Contents
• Forewords & Introductions

Table of Contents

Forewords & Introductions

Computer forensics is a relatively new field, and over the years it has been called many things: "computer forensics," "digital forensics," and "media analysis" to name a few. It has only been in the past few years that we have begun to recognize that all of our digital devices leave digital breadcrumbs and that these breadcrumbs are valuable evidence in a wide range of inquiries. While criminal justice professionals were some of the first to take an interest in this digital evidence, the intelligence, information security, and civil law fields have enthusiastically adopted this new source of information.

Digital forensics has joined the mainstream. In 2003, the American Society of Crime Laboratory Directors–Laboratory Accreditation Board (ASCLD–LAB) recognized digital evidence as a full-fledged forensic discipline. Along with this acceptance came increased interest in training and education in this field. The Computer Forensic Educator's Working Group (now known as the Digital Forensic Working Group) was formed to assist educators in developing programs in this field. There are now over three-dozen colleges and universities that have, or are, developing programs in this field. More join their ranks each month.

I have had the pleasure of working with many law enforcement agencies, training organizations, colleges, and universities to develop digital forensic programs. One of first questions that I am asked is if I can recommend a good textbook for their course or courses. There have been many books written about this field. Most take a targeted approach to a particular investigative approach, such asincident response or criminal investigation. Some tend to be how-to manuals for specific tools. It has been hard to find a book that provides a solid technical and process foundation for the field...That is, until now.

This book is the foundational book for file system analysis. It is thorough, complete, and well organized. Brian Carrier has done what needed to be done for this field. This book provides a solid understanding of both the structures that make up different file systems and how these structures work. Carrier has written this book in such a way that the reader can use what they know about one file system to learn another. This book will be invaluable as a textbook and as a reference and needs to be on the shelf of every digital forensic practitioner and educator. It will also provide accessible reading for those who want to understand subjects such as data recovery.

When I was first approached about writing this Foreword, I was excited! I have know Brian Carrier for a number of years and I have always been impressed with his wonderful balance of incredible technical expertise and his ability to clearly explain not just what he knows but, more importantly, what you need to know. Brian's work on Autopsy and The Sleuth Kit (TSK) has demonstrated his command of this field—his name is a household name in the digital forensic community. I have been privileged to work with Brian in his current role at Purdue University, and he is helping to do for the academic community what he did for the commercial sector: He set a high standard.

So, it is without reservation that I recommend this book to you. It will provide you with a solid foundation in digital media.

Mark M. Pollitt
Former Director of the FBI's Regional Computer Forensic Laboratory Program

© Copyright Pearson Education. All rights reserved.