The Definitive Guide to File System Analysis: Key Concepts and Hands-on Techniques
Most digital evidence is stored within the computer's file system, but understanding how file systems work is one of the most technically challenging concepts for a digital investigator because there exists little documentation. Now, security expert Brian Carrier has written the definitive reference for everyone who wants to understand and be able to testify about how file system analysis is performed.
Carrier begins with an overview of investigation and computer foundations and then gives an authoritative, comprehensive, and illustrated overview of contemporary volume and file systems: Crucial information for discovering hidden evidence, recovering deleted data, and validating your tools. Along the way, he describes data structures, analyzes example disk images, provides advanced investigation scenarios, and uses today's most valuable open source file system analysis tools—including tools he personally developed. Coverage includes
- Preserving the digital crime scene and duplicating hard disks for "dead analysis"
- Identifying hidden data on a disk's Host Protected Area (HPA)
- Reading source data: Direct versus BIOS access, dead versus live acquisition, error handling, and more
- Analyzing DOS, Apple, and GPT partitions; BSD disk labels; and Sun Volume Table of Contents using key concepts, data structures, and specific techniques
- Analyzing the contents of multiple disk volumes, such as RAID and disk spanning
- Analyzing FAT, NTFS, Ext2, Ext3, UFS1, and UFS2 file systems using key concepts, data structures, and specific techniques
- Finding evidence: File metadata, recovery of deleted files, data hiding locations, and more
- Using The Sleuth Kit (TSK), Autopsy Forensic Browser, and related open source tools
When it comes to file system analysis, no other book offers this much detail or expertise. Whether you're a digital forensics specialist, incident response team member, law enforcement officer, corporate security specialist, or auditor, this book will become an indispensable resource for forensic investigations, no matter what analysis tools you use.
![]({"https://images-na.ssl-images-amazon.com/images/I/51L3IzhM3sL._SX258_BO1,204,203,200_.jpg":[260,345],"https://images-na.ssl-images-amazon.com/images/I/51L3IzhM3sL._SX374_BO1,204,203,200_.jpg":[376,499]})
