Customer Reviews


47 Reviews
5 star: (39)
4 star: (6)
3 star: (0)
2 star: (1)
1 star: (1)
The most helpful favorable review
The most helpful critical review


39 of 41 people found the following review helpful
5.0 out of 5 stars excellent coverage of the area, high quality writing
It's easy to think that computer filesystems are relatively simple things. After all, if 'dir' or 'ls' don't show what you're looking for, maybe an undelete program will work. Or will it? To be a decent, trustworthy expert in forensics (a requirement if you plan to participate in any criminal investigations), you'll have to learn how filesystems really operate, how tools...
Published on August 30, 2005 by jose_monkey_org

versus
2 of 2 people found the following review helpful
1.0 out of 5 stars Intentionally vagues out.
Kindle version was barely readable. The tables and pictures are so blurry even in desktop viewers that I almost felt like reading Captcha scrambles. Text contents are very good. So 1 star.
Published 10 months ago by David



39 of 41 people found the following review helpful
5.0 out of 5 stars excellent coverage of the area, high quality writing, August 30, 2005
This review is from: File System Forensic Analysis (Paperback)
It's easy to think that computer filesystems are relatively simple things. After all, if 'dir' or 'ls' don't show what you're looking for, maybe an undelete program will work. Or will it? To be a decent, trustworthy expert in forensics (a requirement if you plan to participate in any criminal investigations), you'll have to learn how filesystems really operate, how tools like undelete and lazarus work, and how they can be defeated.

Carrier's book isn't a legal book at all, and it doesn't pretend to offer much insight into the law surrounding forensics. Instead it focuses on technical matters, and is sure to be the gold standard in its field. This is important, because it comes at you expecting you to have some knowledge, even if only informal, of what a filesystem contains. With a basic understanding of data structures, you'll get a wealth of information out of this book, and it will be a good reference long after you've first studied it.

File System Forensic Analysis is divided into three sections. These are arranged in the order that you'll want to study them to maximize the benefit you can hope to achieve, namely an understanding of how to examine filesystems for hidden or previously stored data. The first three chapters cover a fundamental series of topics: Digital Investigation Foundations, Computer Foundations, and an introduction to Hard Disk Data Acquisition. While they start at a basic level (e.g. what hexadecimal is), they quickly progress to more developed topics, such as the types of interfaces (SATA, SCSI, IDE), the relationship of the disk to the computer system as a whole, and how data is stored in a file and filesystem at a basic level. A lot of examples given use Linux, due to the raw, accessible nature of UNIX and UNIX-like systems, and the availability of tools like 'dd' to gather data.

Part 2 covers "Volume Analysis," or the organization of files into a storage system. This introduces the basics of things like partition tables (including how to read one). The next few chapters cover PC-based partitions (DOS and Apple), server-based partitions (BSD, Solaris and GPT partitions), and then multiple disk volumes like RAID and logical volumes. With this introduction, the final chapter of the section covers how to use these filesystem descriptions in practice to look for data during analysis. Filesystem layouts, organization, and things like journals and consistency checks are covered with a clarity and exactness that's refreshing for such a detailed topic.

Having covered the basics of filesystems, Part 3 covers the bulk of the book and material. Several chapters follow that specifically show you how to analyze particular filesystems by using their data structures to direct your reads. A range of filesystems are covered, including FAT, NTFS, EXT2 and EXT3, and the BSD types UFS1 and UFS2. Each filesystem has two chapters, one devoted to concepts and analysis, another entirely about data structures. Dividing each filesystem type like this lets Carrier focus first on the theory of each filesystem and its design, and then the practical use of its design to actually understand how to pull data off of it.

The real strength of File System Forensic Analysis lies in Carrier's direct and clear descriptions of the concepts, the completeness of his coverage, and the detail he provides. For example, a number of clear, well-ordered and simple diagrams are peppered throughout the book, explaining everything from allocation algorithms to NTFS alternative data streams. This use of simple diagrams makes the topics more easily understood, so the book's full value can be appreciated. This is the kind of thing that sets a book apart from its peers and makes it a valuable resource for a long time.

Finally, Carrier brings it all together and shows us how many aspects of filesystems can be examined using his "sleuth kit" tools, freely available and easy to use. Without appearing to hawk this tool at the expense of other valuable resources, you get to see how simple and direct filesystem manipulations can be done using a direct approach. This kind of presentation is what makes File System Forensic Analysis a great foundation.

Overall I'm pleased with File System Forensic Analysis. I think that Carrier has achieved what few technical authors do, namely a clear explanation of highly technical topics which retains a level of detail that makes it valuable for the long term. For anyone looking seriously at electronic forensics, this is a must-have. I suspect people who are working on filesystem implementations will also want to study it for its practical information about NTFS. Overall, a great technical resource.


11 of 11 people found the following review helpful
5.0 out of 5 stars Must Have Resource for Digital Forensics, May 5, 2005
By D. Baker (Northern Virginia)
This review is from: File System Forensic Analysis (Paperback)
Brian Carrier has written a solid book that should be on the reference shelf of anyone in the Digital Forensics field that conducts analysis of file systems. The book is well organized into three parts, each with multiple chapters.

The first part discusses the foundations necessary to understand digital evidence, computer functions and acquiring data for analysis. This part is intentionally at a higher level, yet still provides the necessary foundations for the subsequent parts. A good explanation of host protected area (HPA) and device configuration overlays (DCO) is included, as well as methods by which one can test for such areas on volumes.

The second part discusses volume analysis. Brian takes this topic and divides it into four chapters addressing basic volumes, personal computer volumes, server volumes and finally multiple disk volumes. He provides detailed information on a variety of common partition types, even including both SPARC and i386 partition information for Sun Solaris.

Finally the third part discusses file system analysis, and the last 10 chapters are dedicated to covering general information, and then detailed descriptions of concepts, analysis and data structures for FAT, NTFS, Ext2, Ext3, UFS1 and UFS2 file systems. The detailed information provided well-documented explanations and included analysis scenarios. For instance, in his discussion of NTFS analysis, an image of a damaged disk is evaluated, and he provides meaningful explanations of reconstructing the damaged tables to allow analysis of the data. He provides many such examples throughout.

An additional positive attribute to this work is the thorough bibliography placed after each chapter, which quickly provides the reader with other data sources, should they be needed.

Overall, this is an excellent reference for anyone that must conduct analysis of file systems for investigative purposes. He provides clear information that is valuable, regardless of what tools an examiner may use to conduct analysis. This is definitely worth having on your bookshelf.


9 of 9 people found the following review helpful
5.0 out of 5 stars At Last, A Real Digital Forensics Reference Book, August 1, 2005
This review is from: File System Forensic Analysis (Paperback)
Brian Carrier has stepped up to the plate and filled a void in host based digital forensics that has been missing for years. "File System Forensic Analysis" covers nearly every low level aspect of file systems, the heart of every computer forensics investigation. In an age where most digital forensic investigations are oversimplified with GUI analysis suites, Mr. Carrier brings us back to the basis of investigative techniques in a very easy to understand manner.

I especially respect how Mr. Carrier took the extra time to develop a framework used to discuss and compare the file systems. His generalized framework should make it easy for the reader to address the differences discovered between file systems.

In addition to the expected file system discussions, there were a few extra surprises in the book that are worth mentioning. Mr. Carrier included information regarding the methods by which different operating systems (and versions of those operating systems) interface with their file systems. For example, the infamous creation time/date stamp after the last written time/date stamp phenomenon is clearly explained for Microsoft Windows file systems.

I keep very few printed books as reference guides, but this book will be close to my computer during every investigation.


25 of 31 people found the following review helpful
5.0 out of 5 stars Super-deep filesystem coverage, April 21, 2005
This review is from: File System Forensic Analysis (Paperback)
More and more good forensics books show up at my doorstep (some bad ones have surfaced as well...). However, Brian's "File System Forensics Analysis" is exceptional in its depth of coverage of modern computer file systems. No other book published so far (and, I suspect, ever) offers that level of detail on the internals of file systems such as ext2, ext3, NTFS, FAT and also UFS1 and 2. This is not a general purpose forensics practitioner guide, nor is it a guide to acquiring evidence (however, the book does contain a brief intro to the forensic process). The book just looks at the file systems! There was definitely a need for a source of low-level information on filesystem internals as they apply to forensics. What are the NTFS-specific acquisition issues? Ext3 vs ext2? Etc, etc - many other technical forensics questions are answered in this book.

Ok, so you are the type who runs EnCase once and thinks you are ready to go to court to testify? Have you looked at the Windows swap file? Alternative data streams? Host-protected area? No? Then get the book. The book will help law enforcement computer crime folks (those already skilled in forensics), forensics consultants and internal investigators to learn what is really going on when bits get copied, removed, acquired, etc.

Anton Chuvakin, Ph.D., GCIA, GCIH, GCFA is a Security Strategist with a major security company. He is an author of the book "Security Warrior" and a contributor to "Know Your Enemy II". In his spare time, he maintains his security portal info-secure.org


6 of 6 people found the following review helpful
4.0 out of 5 stars Very deep, May 24, 2006
This review is from: File System Forensic Analysis (Paperback)
I'm pretty technical, so I enjoyed this book. The author has more on file systems than just about anywhere, and I found it helpful in non-security work also, just to understand how the different systems work.

I was able to use the book Windows Forensics, Corporate Computer Investigations by Chad Steel more in daily use, but this book would have been better as a starting point in learning about disk-based analysis and does a much better job of diving deep into file system specifics.

Some of the programming-level content was tough to follow, but if you are ever going to court and really need to know your stuff, this is by far the book you need. I recommend it thoroughly.


5 of 5 people found the following review helpful
5.0 out of 5 stars Doesn't get much more complete than this..., April 30, 2005
This review is from: File System Forensic Analysis (Paperback)
If you have a need to thoroughly understand computer file systems for whatever reason, you need this book... File System Forensic Analysis by Brian Carrier. It just doesn't get any more detailed than this.

Chapter List:

Part 1 - Foundations: Digital Investigation Foundations; Computer Foundations; Hard Disk Data Acquisition

Part 2 - Volume Analysis: Volume Analysis; PC-based Partitions; Server-based Partitions; Multiple Disk Volumes

Part 3 - File System Analysis: File System Analysis; FAT Concepts and Analysis; FAT Data Structures; NTFS Concepts; NTFS Analysis; NTFS Data Structures; Ext2 and Ext3 Concepts and Analysis; Ext2 and Ext3 Data Structures; UFS1 and UFS2 Concepts and Analysis; UFS1 and UFS2 Data Structures; The Sleuth Kit and Autopsy; Index

The working concept of the book is that the reader needs to understand file systems in order to do forensic analysis. For instance, they need to recover content that's been deleted or hidden on the drive. And while it's true that this information will definitely address that need, it's really a detailed reference work for anyone who has a need to deeply understand the disk structure of a computer. Developers working on disk utility software come to mind right away.

I was surprised that file systems such as FAT and NTFS really don't have published specifications that can be easily found. Carrier often talks about how few of the detailed parts of the system are documented, so this book is one of the few places you'll find all the information gathered in a single location. On top of that, there are copious diagrams and file dumps that help to take the information from theory to reality. Another part of the material talks about how forensic software tools are used to analyze the disk information. Carrier does primarily talk about forensic software that he helped develop, but it's not (in my opinion) a detriment to the book. I didn't get the impression I was reading a 550 page advertisement (which I've seen on occasion).

Very detailed and complete, and this is the first title you should look at if you need to understand disk structures.


10 of 12 people found the following review helpful
5.0 out of 5 stars Accept no substitutes -- THE book to read on file systems, October 9, 2006
This review is from: File System Forensic Analysis (Paperback)
I decided to read and review three digital forensics books in order to gauge their strengths and weaknesses: "File System Forensic Analysis" (FSFA) by Brian Carrier, "Windows Forensics" (WF) by Chad Steel, and "EnCase Computer Forensics" (ECF) by Steve Bunting and William Wei. All three books contain the word "forensics" in the title, but they are very different. If you want authoritative and deeply technical guidance on understanding file systems, read FSFA. If you want to focus on understanding Windows from an investigator's standpoint, read WF. If you want to know more about EnCase (and are willing to tolerate or ignore information about forensics itself), read ECF.

In the spirit of full disclosure I should mention I am co-author of a forensics book ("Real Digital Forensics") and Brian Carrier cites my book "The Tao of Network Security Monitoring" on p 10. I tried to not let those facts sway my reviews.

FSFA has received lengthy and glowing reviews, so I will keep my comments brief. Of the three books I cited earlier, FSFA was the only one which really grabbed my attention. I am a network-centric security practitioner, but Brian Carrier's organization, thoughtfulness, and delivery really hooked me. I very much appreciate authors who define a framework and explain potentially complicated topics within that framework.

For example, Brian is very keen to promote the scientific method. His emphasis on hypotheses and looking for evidence to refute them made me take a second look at my own practices. Brian differentiates between "essential" and "nonessential" data, where the former must be accurate in order for a user to access data and the latter not necessarily needing to be accurate. Again, this is a great way to think about digital evidence in any form. Investigation is grouped into preservation, search, and event reconstruction phases. Finally, Brian's separation of data structures into five categories (file system, content, metadata, file name, and application) facilitates comparisons of file systems in the third part of FSFA.

Besides being well-organized, FSFA does an excellent job covering material not addressed elsewhere. Server partitions, RAID, and LVM are examples. It is important to understand what is NOT present in FSFA, however. Brian very clearly stops at the application level of data, saving that for other books. I think this is a great idea, since it lets FSFA concentrate on its core topics (file systems) and saves the data on those file systems for other books. At the risk of self-promoting, I think FSFA is a powerful companion to "Real Digital Forensics" (RDF), since we provide sample file system images in dd format suitable for analysis using FSFA techniques. RDF also cares more about content than structure, which is where FSFA stops.

Anyone who even pretends to be a host-centric forensics practitioner must read FSFA. I expect it has the power to save you on the stand should you encounter intense questioning from a defense attorney.


7 of 8 people found the following review helpful
5.0 out of 5 stars Wide and Deep, January 6, 2006
By Jasey DePriest (St Louis, MO USA)
This review is from: File System Forensic Analysis (Paperback)
There aren't many information technology books that can be read cover to cover like a novel. If you are interested in file system analysis, then this book is one of them.

The way Brian organizes his book can take a motivated person from knowing very little about file system analysis to guru in a very step by step manner. Brian starts at the bottom and steadily works his way up.

The chapter structure is excellent.

* Digital Investigation Foundations

* Computer Foundations

* Hard Disk Data Acquisition

* Volume Analysis

* File System Analysis

Perfect. Each new section builds on the last.

The File System Analysis section is also structured so that you can get as little or as much as you want out of it.

Each file system is given a chapter for describing how it utilizes the categories defined in The Sleuth Kit (file system, content, metadata, file name, application) and another chapter for digging into the meat of it.

After reading the book, I know it will be an indispensable tool for all my future forensic hard disk analyses.

My only quibble at all is that it does not cover IBM's HPFS file system used for OS/2, because, yes, there are still some OS/2 systems I have to analyze (but not many and getting fewer and fewer). Most of that analysis is application level anyway which is out of scope.

Regardless, this is an amazing and wonderful book.

I eagerly await the 2nd edition in a year or so. I'll buy it, too.


7 of 8 people found the following review helpful
5.0 out of 5 stars Slightly more academic than I'd expected, but what a great book., October 8, 2005
Verified Purchase
This review is from: File System Forensic Analysis (Paperback)
Truly a landmark reference book. Doesn't claim to, nor desire to teach you forensics, but if this is an area that interests you, it's only a matter of time before you need this book.

It's too easy to use current point-and-click forensic tools without understanding what's going on under the hood. This book shows in excruciating detail all the file systems, and how to analyze them with TSK. There's no substitute for down and dirty examinations with a powerful tool like this - and everything you learn can carry over to the "point-and-click" tools so commonly used.

Just a superb learning tool. Priceless.


8 of 10 people found the following review helpful
5.0 out of 5 stars very comprehensive across operating systems, April 11, 2005
This review is from: File System Forensic Analysis (Paperback)
Carrier's book is rare in its comprehensive coverage of how computers actually store data on disks. Other books might give lesser amounts of detail. And then, a particular book usually describes only how a given operating system does its storage. Carrier goes further on both counts.

He describes how Microsoft, Apple, BSD, Linux and Sun do their disks, though Microsoft's FAT and NTFS get the most extensive coverage, due to the prevalence of disks using these formats. Hierarchies of disks are also covered, like the RAID levels, plus logical volumes of disks, which span actual sets of disks.

The cutting edge topic is forensics. It is to this end that he explains throughout the book how knowing certain details might aid you in recovering data. Consider his discussion of slack space as one example. He shows how if an operating system does not overwrite this, then a post mortem can reveal fragments of an earlier, supposedly deleted file. (Gosh!) Similar to how an operating system might delete a file by erasing the pointer to the file, but not the actual contents. I'm simplifying here. But perhaps you can see the utility in knowing exactly how files are kept and removed.
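The slack-space and "erase the pointer, not the contents" behaviour this reviewer describes, modelled in a toy file system as an added example. This is not code from the book, from The Sleuth Kit, or from the reviewer; the class and function names (ToyDisk, write_file, delete_file, slack_space, carve_unallocated) and the sample file contents are all constructed for this demonstration. A real file system's on-disk structures differ (FAT chains, NTFS MFT records), but the forensic point is the same: unlinking flags the directory entry, the clusters keep their bytes until something overwrites them, and a smaller file reusing a cluster leaves the old file's tail behind in its slack.

```python
"""Toy model of why deleted data survives on disk (constructed example).

A tiny "disk" of fixed-size clusters plus a directory table. delete_file()
only flags the directory entry, as a typical unlink does; the clusters keep
their bytes. write_file() writes exactly len(payload) bytes, so whatever was
in the rest of the last cluster stays there as slack space.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Set

CLUSTER_SIZE = 32   # bytes per cluster (real file systems use 512 B to 64 KiB)
NUM_CLUSTERS = 8    # total clusters on the toy disk


@dataclass
class DirEntry:
    name: str
    first_cluster: int
    size: int                 # logical file size in bytes
    deleted: bool = False     # the "erased pointer": entry flagged, data untouched


@dataclass
class ToyDisk:
    data: bytearray = field(default_factory=lambda: bytearray(CLUSTER_SIZE * NUM_CLUSTERS))
    directory: List[DirEntry] = field(default_factory=list)

    def _allocated_clusters(self) -> Set[int]:
        """Clusters owned by live (non-deleted) files; deleted files release theirs."""
        used: Set[int] = set()
        for e in self.directory:
            if e.deleted:
                continue
            n = -(-e.size // CLUSTER_SIZE)      # ceiling division
            used.update(range(e.first_cluster, e.first_cluster + n))
        return used

    def write_file(self, name: str, payload: bytes) -> DirEntry:
        """Store payload in the first free contiguous run; clusters are NOT pre-wiped."""
        needed = -(-len(payload) // CLUSTER_SIZE)
        used = self._allocated_clusters()
        for start in range(NUM_CLUSTERS - needed + 1):
            if not any(c in used for c in range(start, start + needed)):
                break
        else:
            raise OSError("disk full")
        off = start * CLUSTER_SIZE
        self.data[off:off + len(payload)] = payload   # only len(payload) bytes change
        entry = DirEntry(name, start, len(payload))
        self.directory.append(entry)
        return entry

    def delete_file(self, name: str) -> None:
        """Mimic a typical unlink: flag the entry, leave every cluster as it is."""
        for e in self.directory:
            if e.name == name and not e.deleted:
                e.deleted = True
                return
        raise FileNotFoundError(name)

    def read_file(self, entry: DirEntry) -> bytes:
        off = entry.first_cluster * CLUSTER_SIZE
        return bytes(self.data[off:off + entry.size])

    def slack_space(self, name: str) -> bytes:
        """Bytes between a live file's logical end and the end of its last cluster."""
        entry = next(e for e in self.directory if e.name == name and not e.deleted)
        end = entry.first_cluster * CLUSTER_SIZE + entry.size
        last_cluster_end = -(-end // CLUSTER_SIZE) * CLUSTER_SIZE
        return bytes(self.data[end:last_cluster_end])

    def recover_deleted(self) -> List[bytes]:
        """What an undelete tool does: follow deleted entries whose metadata survives.
        If a cluster was reused since, the recovered bytes are partly the new file."""
        return [self.read_file(e) for e in self.directory if e.deleted]

    def carve_unallocated(self) -> bytes:
        """What a carver does: dump every cluster that no live file owns."""
        used = self._allocated_clusters()
        chunks = [self.data[c * CLUSTER_SIZE:(c + 1) * CLUSTER_SIZE]
                  for c in range(NUM_CLUSTERS) if c not in used]
        return bytes(b"".join(chunks))


def demo() -> Dict[str, object]:
    """Write a 52-byte memo (2 clusters), delete it, then write a 5-byte note that reuses cluster 0."""
    disk = ToyDisk()
    memo = b"draft memo: merger talks with Contoso begin on 2 May"   # constructed sample text
    disk.write_file("memo.txt", memo)
    disk.delete_file("memo.txt")
    disk.write_file("note.txt", b"hello")
    return {
        "slack": disk.slack_space("note.txt"),      # tail of the old memo inside note.txt's cluster
        "carved": disk.carve_unallocated(),         # cluster 1 still holds the memo's second half
        "undelete": disk.recover_deleted(),         # head overwritten by "hello", rest intact
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```

Running demo() shows the three views an examiner gets: the slack of the new 5-byte file still contains " memo: merger talks with Co", the unallocated cluster still holds "ntoso begin on 2 May", and a naive undelete of memo.txt returns "hello" spliced onto the old content, which is why the review's "Or will it?" about undelete programs is the right question.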



Details

File System Forensic Analysis by Brian Carrier (Paperback - March 27, 2005)