PC Hardware in a Nutshell, 3rd Edition
by Robert Bruce Thompson; Barbara Fritchman Thompson
The Definitive Guide to File System Analysis: Key Concepts and Hands-on Techniques
Most digital evidence is stored within the computer's file system, but understanding how file systems work is one of the most technically challenging concepts for a digital investigator because there exists little documentation. Now, security expert Brian Carrier has written the definitive reference for everyone who wants to understand and be able to testify about how file system analysis is performed.
Carrier begins with an overview of investigation and computer foundations and then gives an authoritative, comprehensive, and illustrated overview of contemporary volume and file systems: Crucial information for discovering hidden evidence, recovering deleted data, and validating your tools. Along the way, he describes data structures, analyzes example disk images, provides advanced investigation scenarios, and uses today's most valuable open source file system analysis tools—including tools he personally developed. Coverage includes:
Preserving the digital crime scene and duplicating hard disks for "dead analysis"
Identifying hidden data on a disk's Host Protected Area (HPA)
Reading source data: Direct versus BIOS access, dead versus live acquisition, error handling, and more
Analyzing DOS, Apple, and GPT partitions; BSD disk labels; and Sun Volume Table of Contents using key concepts, data structures, and specific techniques
Analyzing the contents of multiple disk volumes, such as RAID and disk spanning
Analyzing FAT, NTFS, Ext2, Ext3, UFS1, and UFS2 file systems using key concepts, data structures, and specific techniques
Finding evidence: File metadata, recovery of deleted files, data hiding locations, and more
Using The Sleuth Kit (TSK), Autopsy Forensic Browser, and related open source tools
When it comes to file system analysis, no other book offers this much detail or expertise. Whether you're a digital forensics specialist, incident response team member, law enforcement officer, corporate security specialist, or auditor, this book will become an indispensable resource for forensic investigations, no matter what analysis tools you use.
Brian Carrier has authored several leading computer forensic tools, including The Sleuth Kit (formerly The @stake Sleuth Kit) and the Autopsy Forensic Browser. He has authored several peer-reviewed conference and journal papers and has created publicly available testing images for forensic tools. Currently pursuing a Ph.D. in Computer Science and Digital Forensics at Purdue University, he is also a research assistant at the Center for Education and Research in Information Assurance and Security (CERIAS) there. He formerly served as a research scientist at @stake and as the lead for the @stake Response Team and Digital Forensic Labs. Carrier has taught forensics, incident response, and file systems at SANS, FIRST, the @stake Academy, and SEARCH.
Brian Carrier's http://www.digital-evidence.org contains book updates and up-to-date URLs from the book's references.
© Copyright Pearson Education. All rights reserved.
Average Amazon.com® Rating (based on 27 ratings)
Fantastic - 2008-05-28
I've been in IT for over 25 years, and in that time I've read a lot of technical books. "File System Forensic Analysis" is not only the best book I have read on computer forensics, it's probably the best technical work in ANY field I've ever read. It's thoroughly researched, clearly written, and contains virtually no fluff. The numerous rave reviews it has received are well-deserved.
My only quibble is the short, but seemingly gratuitous section on hexadecimal and decimal arithmetic. If you're ready for this book, you'll already know this stuff. But, that's only a few pages in a book that's otherwise packed with real substance.
Superb!! - 2008-05-14
I can't say enough good things about this book and author. The material is beautifully laid out and the writing style is fluid and effortless. The author has a real talent for using metaphors and figures to illustrate elusive concepts.
All but the very rarest file systems are covered, and numerous 'screenshots' show how to use the Linux command prompt and get your hands dirty exploring disks on your own.
While this book is a gold standard for digital forensic examiners, it would also be valuable to the computer enthusiast who's interested in things such as what happens to their hard drive when they format it, exactly what happens during the boot process, etc.
I've had 3 courses in digital forensics, and this book gives an in-depth discussion of disk level concepts (HPA, FAT, MFT, etc) that were merely glossed over in my formal studies.
Kindle version - 2009-04-08
I purchased the Kindle version of this book. The content of this book is great. The Kindle version content page does not work. You cannot select a chapter from the index and go directly to it. I also found at least one 2 page chart that is not useable on the Kindle. The 2 page chart should be reduced to a 1 page image that can be viewed in landscape mode (with the Kindle on its side). If the Kindle version is fixed, it would then deserve 5 stars!
Computer Forensics - 2009-02-08
I am taking two online courses in computer forensics and this is the text required for the course. I have been very happy with the book "File System Forensic Analysis" and would highly recommend it to any person of like interest. Dale
Excellent reference book - 2009-01-07
I believe that anyone that is entering the Computer Forensics field should have this book. It is THE reference book that I have found.
Some information on this page was provided using data from Amazon.com®.