File System Forensic Analysis 1st Edition

by Brian Carrier (Author)

153 ratings

ISBN-13: 978-0321268174

ISBN-10: 0321268172

Why is ISBN important?

Have one to sell?

Sell on Amazon

Share <Embed>

Other Sellers

from

Other Sellers

See all 10 versions

Used: Good | Details

Sold by hidden gems

Fulfilled by Amazon

Access codes and supplements are not guaranteed with used items.

23 used from $17.75

+ $17.18 shipping

Arrives: May 11 - 13

Deliver to Canada

The Definitive Guide to File System Analysis: Key Concepts and Hands-on Techniques

Most digital evidence is stored within the computer's file system, but understanding how file systems work is one of the most technically challenging concepts for a digital investigator because there exists little documentation. Now, security expert Brian Carrier has written the definitive reference for everyone who wants to understand and be able to testify about how file system analysis is performed.

Carrier begins with an overview of investigation and computer foundations and then gives an authoritative, comprehensive, and illustrated overview of contemporary volume and file systems: Crucial information for discovering hidden evidence, recovering deleted data, and validating your tools. Along the way, he describes data structures, analyzes example disk images, provides advanced investigation scenarios, and uses today's most valuable open source file system analysis tools―including tools he personally developed. Coverage includes

Preserving the digital crime scene and duplicating hard disks for "dead analysis"
Identifying hidden data on a disk's Host Protected Area (HPA)
Reading source data: Direct versus BIOS access, dead versus live acquisition, error handling, and more
Analyzing DOS, Apple, and GPT partitions; BSD disk labels; and Sun Volume Table of Contents using key concepts, data structures, and specific techniques
Analyzing the contents of multiple disk volumes, such as RAID and disk spanning
Analyzing FAT, NTFS, Ext2, Ext3, UFS1, and UFS2 file systems using key concepts, data structures, and specific techniques
Finding evidence: File metadata, recovery of deleted files, data hiding locations, and more
Using The Sleuth Kit (TSK), Autopsy Forensic Browser, and related open source tools

When it comes to file system analysis, no other book offers this much detail or expertise. Whether you're a digital forensics specialist, incident response team member, law enforcement officer, corporate security specialist, or auditor, this book will become an indispensable resource for forensic investigations, no matter what analysis tools you use.

Customers who viewed this item also viewed

Page 1 of 1 Start overPage 1 of 1

Michael Hale Ligh
121
Paperback
41 offers from $49.79
William Oettinger
67
Paperback
$30.08
In Stock.
Harlan Carvey
27
Paperback
$21.81
Only 1 left in stock - order soon.
Bill Nelson
149
Paperback
$126.33
Only 1 left in stock - order soon.
Harlan Carvey
23
Paperback
42 offers from $48.25
Jason T. Luttgens
111
Paperback
52 offers from $27.97

Customers who bought this item also bought

Page 1 of 1 Start overPage 1 of 1

Michael Hale Ligh
121
Paperback
41 offers from $49.79
Harlan Carvey
27
Paperback
$21.81
Only 1 left in stock - order soon.
Harlan Carvey
23
Paperback
42 offers from $48.25
Jason T. Luttgens
111
Paperback
52 offers from $27.97
Michael Sikorski
333
Paperback
$54.57
Usually ships within 6 to 10 days.
Bill Nelson
149
Paperback
$126.33
Only 1 left in stock - order soon.

What other items do customers buy after viewing this item?

Page 1 of 1 Start overPage 1 of 1

Special offers and product promotions

Amazon Business: Make the most of your Amazon Business account with exclusive tools and savings. Login now
Amazon Business : For business-only pricing, quantity discounts and FREE Shipping. Register a free business account

Editorial Reviews

From the Back Cover

The Definitive Guide to File System Analysis: Key Concepts and Hands-on Techniques

Preserving the digital crime scene and duplicating hard disks for "dead analysis"
Identifying hidden data on a disk's Host Protected Area (HPA)
Reading source data: Direct versus BIOS access, dead versus live acquisition, error handling, and more
Analyzing DOS, Apple, and GPT partitions; BSD disk labels; and Sun Volume Table of Contents using key concepts, data structures, and specific techniques
Analyzing the contents of multiple disk volumes, such as RAID and disk spanning
Analyzing FAT, NTFS, Ext2, Ext3, UFS1, and UFS2 file systems using key concepts, data structures, and specific techniques
Finding evidence: File metadata, recovery of deleted files, data hiding locations, and more
Using The Sleuth Kit (TSK), Autopsy Forensic Browser, and related open source tools

Brian Carrier has authored several leading computer forensic tools, including The Sleuth Kit (formerly The @stake Sleuth Kit) and the Autopsy Forensic Browser. He has authored several peer-reviewed conference and journal papers and has created publicly available testing images for forensic tools. Currently pursuing a Ph.D. in Computer Science and Digital Forensics at Purdue University, he is also a research assistant at the Center for Education and Research in Information Assurance and Security (CERIAS) there. He formerly served as a research scientist at @stake and as the lead for the @stake Response Team and Digital Forensic Labs. Carrier has taught forensics, incident response, and file systems at SANS, FIRST, the @stake Academy, and SEARCH.

Brian Carrier's http://www.digital-evidence.org contains book updates and up-to-date URLs from the book's references.

About the Author

Brian Carrier's http://www.digital-evidence.org contains book updates and up-to-date URLs from the book's references.

Excerpt. © Reprinted by permission. All rights reserved.

Foreword

Computer forensics is a relatively new field, and over the years it has been called many things: "computer forensics," "digital forensics," and "media analysis" to name a few. It has only been in the past few years that we have begun to recognize that all of our digital devices leave digital breadcrumbs and that these breadcrumbs are valuable evidence in a wide range of inquiries. While criminal justice professionals were some of the first to take an interest in this digital evidence, the intelligence, information security, and civil law fields have enthusiastically adopted this new source of information.

Digital forensics has joined the mainstream. In 2003, the American Society of Crime Laboratory Directors–Laboratory Accreditation Board (ASCLD–LAB) recognized digital evidence as a full-fledged forensic discipline. Along with this acceptance came increased interest in training and education in this field. The Computer Forensic Educator's Working Group (now known as the Digital Forensic Working Group) was formed to assist educators in developing programs in this field. There are now over three-dozen colleges and universities that have, or are, developing programs in this field. More join their ranks each month.

I have had the pleasure of working with many law enforcement agencies, training organizations, colleges, and universities to develop digital forensic programs. One of first questions that I am asked is if I can recommend a good textbook for their course or courses. There have been many books written about this field. Most take a targeted approach to a particular investigative approach, such as incident response or criminal investigation. Some tend to be how-to manuals for specific tools. It has been hard to find a book that provides a solid technical and process foundation for the field...That is, until now.

This book is the foundational book for file system analysis. It is thorough, complete, and well organized.Brian Carrier has done what needed to be done for this field. This book provides a solid understanding of both the structures that make up different file systems and how these structures work. Carrier has written this book in such a way that the reader can use what they know about one file system to learn another. This book will be invaluable as a textbook and as a reference and needs to be on the shelf of every digital forensic practitioner and educator. It will also provide accessible reading for those who want to understand subjects such as data recovery.

When I was first approached about writing this Foreword, I was excited! I have know Brian Carrier for a number of years and I have always been impressed with his wonderful balance of incredible technical expertise and his ability to clearly explain not just what he knows but, more importantly, what you need to know. Brian's work on Autopsy and The Sleuth Kit (TSK) has demonstrated his command of this field—his name is a household name in the digital forensic community. I have been privileged to work with Brian in his current role at Purdue University, and he is helping to do for the academic community what he did for the commercial sector: He set a high standard.

So, it is without reservation that I recommend this book to you. It will provide you with a solid foundation in digital media.

Mark M. Pollitt
Former Director of the FBI's Regional Computer Forensic Laboratory Program

Publisher : Addison-Wesley Professional; 1st edition (March 17, 2005)
Language : English
Paperback : 600 pages
ISBN-10 : 0321268172
ISBN-13 : 978-0321268174
Item Weight : 2.05 pounds
Dimensions : 7 x 1.4 x 9.2 inches

Best Sellers Rank: #418,948 in Books (See Top 100 in Books)
- #101 in Bioinformatics (Books)
- #269 in Computer Networking (Books)
- #323 in Privacy & Online Safety

Customer Reviews:
153 ratings

Brief content visible, double tap to read full content.

Full content visible, double tap to read brief content.

Help others learn more about this product by uploading a video!

Upload video

Customer reviews

5 star		79%
4 star		13%
3 star		5%
2 star		1%
1 star		1%

How are ratings calculated?

Top reviews from the United States

There was a problem filtering reviews right now. Please try again later.

Rafael Cepeda

needs a new edition

Reviewed in the United States on April 5, 2020

Verified Purchase

Overall, the big picture is here: file systems, bus interfaces, device info (mostly hdds), file system structures, etc., but the file systems herein are dated, MBR is mostly dated, and SSDs are ubiquitous. The book lists a bunch of auxiliary tools in the way, but most are not practically used here. I'd like to see a new edition that narrows its scope, removes data content, focuses on modern file systems, fs encryption and compression, file formats, and focuses more on TSK usage.

4 people found this helpful

Helpful

Aaron

Essential

Reviewed in the United States on January 16, 2016

Verified Purchase

I've not completed reading this book yet but let me tell you this is absolutely the book that needed to be written on this subject. I've taken lots of courses in forensics and this re-established the knowledge from those courses. I can confirm the validity of the information provided from the courses I've taken and it's served as a good mix of new material and refresher material. Granted, I have a few hundred pages to go but the way this is going I can't recommend it enough. This is basically The Bible of file systems. It's a book you should read once simply to have the exposure to the knowledge he provides. No regrets with this purchase. Wholeheartedly recommending this to anyone who wants to go above and beyond in this field.

3 people found this helpful

Helpful

Marty

Not an easy read but good resource

Reviewed in the United States on May 28, 2016

Verified Purchase

My understanding is that this book is going to be updated and if so, would be welcome. I read a ton of reviews that praised this book and while I'm sure they are correct, it's not light reading. I also felt that some topics weren't covered too well for someone that isn't a novice but isn't an expert either. It's written very matter-of-factly, so I felt like if you are strong at this topic or have a good solid foundation, you'll be good. If you are a newer person or looking to have a clearer understanding, I feel that this let me down a bit.

7 people found this helpful

Helpful

Nicholas Redman Marshall

This is what I keep at my right hand during any forensic analysis.

Reviewed in the United States on February 3, 2013

Verified Purchase

This book is the beginning and ending point for anyone who needs to know how to forensically examine a computers hard drive. Understanding the file system layouts and forensic procedures described in this book is necessary to truly testify as an expert, otherwise you are just trusting that what ever tool you use is going to work. Carrier does a very good job of laying out all of the steps necessary to create a forensically sound disk image as well as going into all of the details of how the most commonly used file systems are structured and how to examine them at the lowest levels using a simple hex editor. While this book alone will not make you a forensic expert, it provides all of the information necessary to perform a forensic examination of the most common file systems and the procedure it lays out on how to perform the examination can be used on any file system.

6 people found this helpful

Helpful

Edmond M Richard

Good book, a bit dense, but a great keeper

Reviewed in the United States on September 25, 2017

Verified Purchase

An informative book can get a bit dense at times. This book helped me with an operating systems class. It is one book for the reference bookshelf, digital or otherwise.

3 people found this helpful

Helpful

Buck

It's a little out dated (2006) but all the basics ...

Reviewed in the United States on April 24, 2017

Verified Purchase

It's a little out dated (2006) but all the basics are there. Microsoft has rewritten some of the rules recently and you have to read up on those but this will give you a start. That is why I bought it!

3 people found this helpful

Helpful

J. Summers

Excellent Reference!

Reviewed in the United States on September 12, 2005

Verified Purchase

File System Forensic Analysis, by Brian Carter, is a great introductory text for both computer forensics and data recovery. This book focuses largely on software techniques, and is not just limited to the legal issues surrounding forensics (as some other books I have read.) I found it well-structured and very readable, with recovery and analysis techniques and tools for more than just the ever common Windows platforms. For me personally, the Sleuth Kit, as well as a few other open-source tools offered by Mr. Carter, have already proven indispensible on at least one occasion. I would strongly recommend this to anyone with even a tangential interest in the subject!

4 people found this helpful

Helpful

Micah Johnson

Great

Reviewed in the United States on September 2, 2019

Verified Purchase

Great

Helpful

Top reviews from other countries

Mr. Ashley Allen

An absolute classic - a little out of date, but still essential

Reviewed in the United Kingdom on October 2, 2020

Verified Purchase

I picked this up as a recommended text for a forensics module in my Cybersecurity Masters degree. I was a little sceptical that a 15 year old book would be of any use, but I am happy to say I was completely wrong. Carrier dives incredibly deeply into FAT, NTFS, and Ext2/3 file systems, and his knowledge is exemplary. Whilst more modern file systems such as EXT4, ZFS, and exFAT, and later additions to NTFS are not covered, the grounding you get from diving into these older file systems is so useful that it makes studying later iterations much easier. I honestly would not start anywhere else if you are looking to get a handle on file system forensics.

Hopefully someone will put together an update to this text at some point to cover the advances that have been made in the last 15 years. Were that to happen, it would be a six star book. For the moment it'll just have to settle for five!

Yay!!

Superb Forensics and Files Structures book

Reviewed in the United Kingdom on March 10, 2010

Verified Purchase

Easy to read textbook for BSc Forensics and IT Security (though not specific to the course, it's a classic text).

Advanced but easy to understand, with descriptions which are quite riveting. For instance the Intel pentium v Unix and Mac systems... the way they order bytes (the big ending order against little ending ordering is reversed. Did you know that? It's written for Forensics students, yet if you're studying general computing this level of expertise will set you apart from everyone else.

* Volume analysis (Pc, Server, Raid)
* File system analysis
* Fat concepts & data structures
* NTFS concepts
* Ext2 and ext3 concepts
* UFS1 and UFS2 data structures

Incredible depth and breadth, and very accessible in attitude.
A classsic text, that *must* be on the bookshelf of anyone studing Forensics, IT security, Encryption.
Wish I'd read it years ago.

5 people found this helpful

Karen

Very, Very Useful !!

Reviewed in the United Kingdom on December 29, 2012

Verified Purchase

My son is at University studying Forensic Computers and book was recommended by his tutor.
Obviously I do not have a clue if the book is any good or not but on asking my son his opinion was that it's priceless! Apparently there are very few books written bout the subject let alone one that is so useful. The book is not cheep to buy (but books aren't now) but if it's just what is needed and allows your study to progress more smoothly it becomes an essential and the price has to be paid, even if its parents that fork out or even family members club together.
Study is hard enough without the correct equipment.
Delivery was very prompt, was well packaged.
I would recommend the book and company to anyone.

deadlyh

This is my bible

Reviewed in the United Kingdom on April 13, 2014

Verified Purchase

OK, so it's now a little outdated as it was originally written in the earlier days of NTFS so some things have changed slightly with Windows 7, 8 and now 8.1 but as a guide to the fundamentals of the FAT and NTFS filesystems, I refer to this every time. This book has saved my bacon on numerous occasions when I just couldn't find what I was looking for online and I would strongly urge anyone working the digital forensic field to get a copy of this book, you won't regret it!

One person found this helpful

Richard

Five Stars

Reviewed in the United Kingdom on April 11, 2018

Verified Purchase

Great book for an understanding of the file system in cases where running IEF isn't enough!

See all reviews

Pages with related products. See and discover other items: data analysis, computer systems

File System Forensic Analysis 1st Edition

Customers who viewed this item also viewed

Customers who bought this item also bought

What other items do customers buy after viewing this item?

Special offers and product promotions