0 of 0 people found the following review helpful:
Must Have Resource for Digital Forensics, May 5, 2023
Brian Carrier has written a solid book that should be on the reference shelf of anyone in the Digital Forensics field that conducts analysis of file systems. The book is well organized into three parts, each with multiple chapters.
The first part discusses the foundations necessary to understand digital evidence, computer functions and acquiring data for analysis. This part is intentionally at a higher level, yet still provides the necessary foundations for the subsequent parts. A good explanation of host protected area (HPA) and device configuration overlays (DCO) is included, as well as methods by which one can test for such areas on volumes.
The second part discusses volume analysis. Brian takes this topic and divides it into four chapters addressing basic volumes, personal computer volumes, server volumes and finally multiple disk volumes. He provides detailed information on a variety of common partition types, even including both SPARC and i386 partition information for Sun Solaris.
Finally the third part discusses file system analysis, and the last 10 chapters are dedicated to covering general information, and then detailed descriptions of concepts, analysis and data structures for FAT, NTFS, Ext2, Ext3, UFS1 and UFS2 file systems. The detailed information provided well-documented explanations and included analysis scenarios. For instance, in his discussion of NTFS analysis, an image of a damaged disk is evaluated, and he provides meaningful explanations of reconstructing the damaged tables to allow analysis of the data. He provides many such examples throughout.
An additional positive attribute to this work is the thorough bibliography placed after each chapter, which quickly provides the reader with other data sources, should they be needed.
Overall, this is an excellent reference for anyone that must conduct analysis of file systems for investigative purposes. He provides clear information that is valuable, regardless of what tools an examiner may use to conduct analysis. This is definitely worth having on your bookshelf.
0 of 0 people found the following review helpful:
Doesn't get much more complete than this..., Apr 30, 2023
If you have a need to thoroughly understand computer file systems for whatever reason, you need this book... File System Forensic Analysis by Brian Carrier. It just doesn't get any more detailed than this.
Part 1 - Foundations: Digital Investigation Foundations; Computer Foundations; Hard Disk Data Acquisition
Part 2 - Volume Analysis: Volume Analysis; PC-based Partitions; Server-based Partitions; Multiple Disk Volumes
Part 3 - File System Analysis: File System Analysis; FAT Concepts and Analysis; FAT Data Structures; NTFS Concepts; NTFS Analysis; NTFS Data Structures; Ext2 and Ext3 Concepts and Analysis; Ext2 and Ext3 Data Structures; UFS1 and UFS2 Concepts and Analysis; UFS1 and UFS2 Data Structures; The Sleuth Kit and Autopsy; Index
The working concept of the book is that the reader needs to understand file systems in order to do forensic analysis. For instance, they need to recover content that's been deleted or hidden on the drive. And while it's true that this information will definitely address that need, it's really a detailed reference work for anyone who has a need to deeply understand the disk structure of a computer. Developers working on disk utility software come to mind right away.
I was surprised that file systems such as FAT and NTFS really don't have published specifications that can be easily found. Carrier often talks about how few of the detailed parts of the system are documented, so this book is one of the few places you'll find all the information gathered in a single location. On top of that, there are copious diagrams and file dumps that help to take the information from theory to reality. Another part of the material talks about how forensic software tools are used to analyze the disk information. Carrier does primarily talk about forensic software that he helped develop, but it's not (in my opinion) a detriment to the book. I didn't get the impression I was reading a 550 page advertisement (which I've seen on occasion).
Very detailed and complete, and this is the first title you should look at if you need to understand disk structures.
4 of 4 people found the following review helpful:
Super-deep filesystem coverage, Apr 22, 2023
More and more good forensics books show up at my doorstep (some bad ones have surfaced as well...). However, Brian's "File System Forensic Analysis" is exceptional in its depth of coverage of modern computer file systems. No other book published so far (and, I suspect, ever) offers that level of detail on the internals of file systems such as ext2, ext3, NTFS, FAT and also UFS1 and 2. This is not a general purpose forensics practitioner guide, nor is it a guide to acquiring evidence (however, the book does contain a brief intro to the forensic process). The book just looks at the file systems! There was definitely a need for a source of low-level information on filesystem internals as they apply to forensics. What are the NTFS-specific acquisition issues? Ext3 vs ext2? Etc, etc - many other technical forensics questions are answered in this book.
Ok, so you are the type who runs EnCase once and thinks you are ready to go to court to testify? Have you looked at the Windows swap file? Alternate data streams? Host-protected area? No? Then get the book. The book will help law enforcement computer crime folks (those already skilled in forensics), forensics consultants and internal investigators to learn what is really going on when bits get copied, removed, acquired, etc.
Anton Chuvakin, Ph.D., GCIA, GCIH, GCFA is a Security Strategist with a major security company. He is an author of the book "Security Warrior" and a contributor to "Know Your Enemy II". In his spare time, he maintains his security portal info-secure.org.
1 of 1 people found the following review helpful:
If you want to know the depths of file systems, here is the, Apr 20, 2023
Brian has done a tremendous job of detailing file systems and forensic analysis of them from every aspect. I personally thought I knew great detail of file system analogy. This book has shed much new light for me. If you are in the forensic field, or just want to know more about file systems and how they work, this is a definite addition to your library!!
4 of 5 people found the following review helpful:
very comprehensive across operating systems, Apr 11, 2023
Carrier's book is rare in its comprehensive coverage of how computers actually store data on disks. Other books might give lesser amounts of detail. And then, a particular book usually describes only how a given operating system does its storage. Carrier goes further on both counts.
He describes how Microsoft, Apple, BSD, Linux and Sun do their disks, though Microsoft's FAT and NTFS get the most extensive coverage, due to the prevalence of disks using these formats. Hierarchies of disks are also covered, like the RAID levels, plus logical volumes of disks, which span actual sets of disks.
The cutting edge topic is forensics. It is to this end that he explains throughout the book how knowing certain details might aid you in recovering data. Consider his discussion of slack space as one example. He shows how, if an operating system does not overwrite this, then a post-mortem can reveal fragments of an earlier, supposedly deleted file. (Gosh!) This is similar to how an operating system might delete a file by erasing the pointer to the file, but not the actual contents. I'm simplifying here. But perhaps you can see the utility in knowing exactly how files are kept and removed.