This is an advanced cookbook and reference guide for digital forensic practitioners. File System Forensic Analysis focuses on the file system and disk. The file system of a computer is where most files are stored and where most evidence is found; it also the most technically challenging part of forensic analysis. This book offers an overview and detailed knowledge of the file system and disc layout. The overview will allow an investigator to more easily find evidence, recover deleted data, and validate his tools. The cookbook section will show how to use the many open source tools for analysis, many of which Brian Carrier has developed himself.
File System Forensic Analysis
and over one million other books are available for Amazon Kindle.
Learn more
FREE Two-Day Shipping for Students. Learn more |
| ||||||||||||||||||
 Sell Back Your Copy for $21.90
Whether you buy it used on Amazon for $26.68 or somewhere else, you can sell it back through our Book Trade-In Program at the current price of $21.90.
Used Price$26.68
Trade-in Price$21.90
Price after
Trade-in$4.78 |
Book Description
Special Offers and Product Promotions
- Buy $50 in qualifying physical textbooks, get $5 in Amazon MP3 Credit. Here's how (restrictions apply)
Frequently Bought Together
Editorial Reviews
From the Back Cover
The Definitive Guide to File System Analysis: Key Concepts and Hands-on Techniques
Most digital evidence is stored within the computer's file system, but understanding how file systems work is one of the most technically challenging concepts for a digital investigator because there exists little documentation. Now, security expert Brian Carrier has written the definitive reference for everyone who wants to understand and be able to testify about how file system analysis is performed.
Carrier begins with an overview of investigation and computer foundations and then gives an authoritative, comprehensive, and illustrated overview of contemporary volume and file systems: Crucial information for discovering hidden evidence, recovering deleted data, and validating your tools. Along the way, he describes data structures, analyzes example disk images, provides advanced investigation scenarios, and uses today's most valuable open source file system analysis tools—including tools he personally developed. Coverage includes
Preserving the digital crime scene and duplicating hard disks for "dead analysis"
Identifying hidden data on a disk's Host Protected Area (HPA)
Reading source data: Direct versus BIOS access, dead versus live acquisition, error handling, and more
Analyzing DOS, Apple, and GPT partitions; BSD disk labels; and Sun Volume Table of Contents using key concepts, data structures, and specific techniques
Analyzing the contents of multiple disk volumes, such as RAID and disk spanning
Analyzing FAT, NTFS, Ext2, Ext3, UFS1, and UFS2 file systems using key concepts, data structures, and specific techniques
Finding evidence: File metadata, recovery of deleted files, data hiding locations, and more
Using The Sleuth Kit (TSK), Autopsy Forensic Browser, and related open source tools
When it comes to file system analysis, no other book offers this much detail or expertise. Whether you're a digital forensics specialist, incident response team member, law enforcement officer, corporate security specialist, or auditor, this book will become an indispensable resource for forensic investigations, no matter what analysis tools you use.
Brian Carrier has authored several leading computer forensic tools, including The Sleuth Kit (formerly The @stake Sleuth Kit) and the Autopsy Forensic Browser. He has authored several peer-reviewed conference and journal papers and has created publicly available testing images for forensic tools. Currently pursuing a Ph.D. in Computer Science and Digital Forensics at Purdue University, he is also a research assistant at the Center for Education and Research in Information Assurance and Security (CERIAS) there. He formerly served as a research scientist at @stake and as the lead for the @stake Response Team and Digital Forensic Labs. Carrier has taught forensics, incident response, and file systems at SANS, FIRST, the @stake Academy, and SEARCH.
Brian Carrier's http://www.digital-evidence.org contains book updates and up-to-date URLs from the book's references.
© Copyright Pearson Education. All rights reserved.
About the Author
Brian Carrier has authored several leading computer forensic tools, including The Sleuth Kit (formerly The @stake Sleuth Kit) and the Autopsy Forensic Browser. He has authored several peer-reviewed conference and journal papers and has created publicly available testing images for forensic tools. Currently pursuing a Ph.D. in Computer Science and Digital Forensics at Purdue University, he is also a research assistant at the Center for Education and Research in Information Assurance and Security (CERIAS) there. He formerly served as a research scientist at @stake and as the lead for the @stake Response Team and Digital Forensic Labs. Carrier has taught forensics, incident response, and file systems at SANS, FIRST, the @stake Academy, and SEARCH.
Brian Carrier's http://www.digital-evidence.org contains book updates and up-to-date URLs from the book's references.
© Copyright Pearson Education. All rights reserved.
Product Details
Would you like to update product info or give feedback on images?
|
More About the Author
Discover books, learn about writers, read author blogs, and more.
Customer Reviews
|
Share your thoughts with other customers:
|
||||||||||||||||||||||
|
Most Helpful Customer Reviews
33 of 35 people found the following review helpful:
5.0 out of 5 stars
excellent coverage of the area, high quality writing,
By jose_monkey_org "jose_monkey_org" (ann arbor, mi, USA) - See all my reviews
This review is from: File System Forensic Analysis (Paperback)
It's easy to think that computer filesystems are relatively simple things. After all, if 'dir' or 'ls' don't show what you're looking for, maybe an undelete program will work. Or will it? To be a decent, trustworthy expert in forensics (a requirement if you plan to participate in any criminal investigations), you'll have to learn how filesystems really operate, how tools like undelete and lazarus work, and how they can be defeated.
Carrier's book isn't a legal book at all, and it doesn't pretend to offer much insight into the law surrounding forensics. Instead it focuses on technical matters, and is sure to be the gold standard in its field. This is important, because it comes at you expecting you to have some knowledge, even if only informal, of what a filesystem contains. With a basic understanding of data structures, you'll get a wealth of information out of this book, and it will be a good reference long after you've first studied it. File System Forensic Analysis is divided into three sections. These are arranged in the order that you'll want to study them to maximize the benefit you can hope to achieve, namely an understanding of how to examine filesystems for hidden or previously stored data. The first three chapters cover a fundamental series of topics: Digital Investigation Foundations, Computer Foundations, and an introduction to Hard Disk Data Acquisition. While they start at a basic level (e.g. what hexadecimal is), they quickly progress to more developed topics, such as the types of interfaces (SATA, SCSI, IDE), the relationship of the disk to the computer system as a whole, and how data is stored in a file and filesystem at a basic level. A lot of examples given use Linux, due to the raw, accessible nature of UNIX and UNIX-like systems, and the availability of tools like 'dd' to gather data. Part 2 covers "Volume Analysis," or the organization of files into a storage system. This introduces the basics of things like partition tables (including how to read one). The next few chapters cover PC-based partitions (DOS and Apple), server-based partitions (BSD, Solaris and GPT partitions), and then multiple disk volumes like RAID and logical volumes. With this introduction, the final chapter of the section covers how to use these filesystem descriptions in practice to look for data during analysis. Filesystem layouts, organization, and things like journals and consistency checks are covered with a clarity and exactness that's refreshing for such a detailed topic. Having covered the basics of filesystems, Part 3 covers the bulk of the book and material. Several chapters follow that specifically show you how to analyze particular filesystems by using their data structures to direct your reads. A range of filesystems are covered, including FAT, NTFS, EXT2 and EXT3, and the BSD types UFS1 and UFS2. Each filesystem has two chapters, one devoted to concepts and analysis, another entirely about data structures. Dividing each filesystem type like this lets Carrier focus first on the theory of each filesystem and its design, and then the practical use of its design to actually understand how to pull data off of it. The real strength of File System Forensic Analysis lies in Carrier's direct and clear descriptions of the concepts, the completeness of his coverage, and the detail he provides. For example, a number of clear, well-ordered and simple diagrams are peppered throughout the book, explaining everything from allocation algorithms to NTFS alternative data streams. This use of simple diagrams makes the topics more easily understood, so the book's full value can be appreciated. This is the kind of thing that sets a book apart from its peers and makes it a valuable resource for a long time. Finally, Carrier brings it all together and shows us how many aspects of filesystems can be examined using his "sleuth kit" tools, freely available and easy to use. Without appearing to hawk this tool at the expense of other valuable resources, you get to see how simple and direct filesystem manipulations can be done using a direct approach. This kind of presentation is what makes File System Forensic Analysis a great foundation. Overall I'm pleased with File System Forensic Analysis, I think that Carrier has achieved what few technical authors do, namely a clear explanation of highly technical topics which retains a level of detail that makes it valuable for the long term. For anyone looking seriously at electronic forensics, this is a must have. I suspect people who are working on filesystem implementations will also want to study it for its practical information about NTFS. Overall, a great technical resource.
10 of 10 people found the following review helpful:
5.0 out of 5 stars
Must Have Resource for Digital Forensics,
By
This review is from: File System Forensic Analysis (Paperback)
Brian Carrier has written a solid book that should be on the reference shelf of anyone in the Digital Forensics field that conducts analysis of file systems. The book is well organized into three parts, each with multiple chapters.
The first part discusses the foundations necessary to understand digital evidence, computer functions and acquiring data for analysis. This part is intentionally at a higher level, yet still provides the necessary foundations for the subsequent parts. A good explanation of host protected area (HPA) and device configuration overlays (DCO) is included, as well as methods by which one can test for such areas on volumes. The second part discusses volume analysis. Brian takes this topic and divides it into four chapters addressing basic volumes, personal computer volumes, server volumes and finally multiple disk volumes. He provides detailed information on a variety of common partition types, even including both SPARC and i386 partition information for Sun Solaris. Finally the third part discusses file system analysis, and the last 10 chapters are dedicated to covering general information, and then detailed descriptions of concepts, analysis and data structures for FAT, NTFS, Ext2, Ext3, UFS1 and UFS2 file systems. The detailed information provided well-documented explanations and included analysis scenarios. For instance, in his discussion of NTFS analysis, an image of a damaged disk is evaluated, and he provides meaningful explanations of reconstructing the damaged tables to allow analysis of the data. He provides many such examples throughout. An additional positive attribute to this work is the thorough bibliography placed after each chapter, which quickly provides the reader with other data sources, should they be needed. Overall, this is an excellent reference for anyone that must conduct analysis of file systems for investigative purposes. He provides clear information that is valuable, regardless of what tools an examiner may use to conduct analysis. This is definitely worth having on your bookshelf.
7 of 7 people found the following review helpful:
5.0 out of 5 stars
At Last, A Real Digital Forensics Reference Book,
By
This review is from: File System Forensic Analysis (Paperback)
Brian Carrier has stepped up to the plate and filled a void in host based digital forensics that has been missing for years. "File System Forensic Analysis" covers nearly every low level aspect of file systems, the heart of every computer forensics investigation. In an age where most digital forensic investigations are oversimplified with GUI analysis suites, Mr. Carrier brings us back to the basis of investigative techniques in a very easy to understand manner.
I especially respect how Mr. Carrier took the extra time to develop a framework used to discuss and compare the file systems. His generalized framework should make it easy for the reader to address the differences discovered between file systems. In addition to the expected file system discussions, there were a few extra surprises in the book that are worth mentioning. Mr. Carrier included information regarding methods different Operating Systems (and versions of those Operating Systems) interface with their file systems. For example, the infamous creation time/date stamp after the last written time/date stamp phenomenon is clearly explained for Microsoft Windows file systems. I keep very few printed books as reference guides, but this book will be close to my computer during every investigation.
Share your thoughts with other customers: Create your own review
|
|
Inside This Book
(learn more)
First Sentence:
I am going to assume that anyone interested in this book does not need motivation with respect to why someone would want to investigate a computer or other digital device, so I will skip the customary numbers and statistics. Read the first page Key Phrases - Statistically Improbable Phrases (SIPs): (learn more)
volume analysis, super block, primary table, file system category, group summary area, system metadata files, secondary extended partition, file reference address, group descriptor table, direct block pointers, fragment bitmap, superblock data structure, file system journal, allocated directory entry, inode address, tmap file, running fsstat, use hash databases, previous file system, indirect block pointer, example disk image, starting sector address, directory entry structures, file name category, sparse superblock feature Key Phrases - Capitalized Phrases (CAPs): (learn more)
Byte Range Description Essential, Microsoft Windows, The Sleuth Kit, Thu Jun, Tue Aug, File Modified, Slot Start End Length Description, Digital Forensic Tool Testing, Tue Jul, Inode Range, Value Description, Type Description, Allocated Group, Fri Aug, Sun Solaris, Wed Aug, Inode Modified, Inode Times, Block Range, Sun Sparc, Microsoft Knowledge Base Article, Direct Blocks, Partition Table Units, Windows Server, Attribute Values Browse Sample Pages:
Front Cover | Table of Contents | First Pages | Index | Surprise Me!
I am going to assume that anyone interested in this book does not need motivation with respect to why someone would want to investigate a computer or other digital device, so I will skip the customary numbers and statistics. Read the first page Key Phrases - Statistically Improbable Phrases (SIPs): (learn more)
volume analysis, super block, primary table, file system category, group summary area, system metadata files, secondary extended partition, file reference address, group descriptor table, direct block pointers, fragment bitmap, superblock data structure, file system journal, allocated directory entry, inode address, tmap file, running fsstat, use hash databases, previous file system, indirect block pointer, example disk image, starting sector address, directory entry structures, file name category, sparse superblock feature Key Phrases - Capitalized Phrases (CAPs): (learn more)
Byte Range Description Essential, Microsoft Windows, The Sleuth Kit, Thu Jun, Tue Aug, File Modified, Slot Start End Length Description, Digital Forensic Tool Testing, Tue Jul, Inode Range, Value Description, Type Description, Allocated Group, Fri Aug, Sun Solaris, Wed Aug, Inode Modified, Inode Times, Block Range, Sun Sparc, Microsoft Knowledge Base Article, Direct Blocks, Partition Table Units, Windows Server, Attribute Values Browse Sample Pages:
Front Cover | Table of Contents | First Pages | Index | Surprise Me!
Citations (learn more)
3
books
cite this book:
- EnCase Computer Forensics: The Official EnCE: EnCaseCertified Examiner Study Guide by Steve Bunting in Front Matter
- Spin-stand Microscopy of Hard Disk Data (Elsevier Series in Electromagnetism) by Isaak D. Mayergoyz on page 144
- Advances in Digital Forensics: IFIP International Conference on Digital Forensics, National Center for Forensic Science, Orlando, Florida, February 13-16, 2005 by Mark Pollitt on page 255
What Other Items Do Customers Buy After Viewing This Item?
Tags Customers Associate with This Product(What's this?)Click on a tag to find related items, discussions, and people.
|
Customer Discussions
|
This product's forum
Active discussions in related forums
Search Customer Discussions
|
Related forums
|
Listmania!
|
|
