File System Forensic Analysis
March 2005
Publisher:
  • Addison-Wesley Professional
ISBN:978-0-321-26817-4
Published:01 March 2005
Abstract

The Definitive Guide to File System Analysis: Key Concepts and Hands-on Techniques

Most digital evidence is stored within the computer's file system, but understanding how file systems work is one of the most technically challenging concepts for a digital investigator because there exists little documentation. Now, security expert Brian Carrier has written the definitive reference for everyone who wants to understand and be able to testify about how file system analysis is performed.

Carrier begins with an overview of investigation and computer foundations and then gives an authoritative, comprehensive, and illustrated overview of contemporary volume and file systems: crucial information for discovering hidden evidence, recovering deleted data, and validating your tools. Along the way, he describes data structures, analyzes example disk images, provides advanced investigation scenarios, and uses today's most valuable open source file system analysis tools, including tools he personally developed.

Coverage includes:
  • Preserving the digital crime scene and duplicating hard disks for "dead analysis"
  • Identifying hidden data on a disk's Host Protected Area (HPA)
  • Reading source data: direct versus BIOS access, dead versus live acquisition, error handling, and more
  • Analyzing DOS, Apple, and GPT partitions; BSD disk labels; and Sun Volume Table of Contents using key concepts, data structures, and specific techniques
  • Analyzing the contents of multiple disk volumes, such as RAID and disk spanning
  • Analyzing FAT, NTFS, Ext2, Ext3, UFS1, and UFS2 file systems using key concepts, data structures, and specific techniques
  • Finding evidence: file metadata, recovery of deleted files, data hiding locations, and more
  • Using The Sleuth Kit (TSK), Autopsy Forensic Browser, and related open source tools

When it comes to file system analysis, no other book offers this much detail or expertise. Whether you're a digital forensics specialist, incident response team member, law enforcement officer, corporate security specialist, or auditor, this book will become an indispensable resource for forensic investigations, no matter what analysis tools you use.

Brian Carrier has authored several leading computer forensic tools, including The Sleuth Kit (formerly The @stake Sleuth Kit) and the Autopsy Forensic Browser. He has authored several peer-reviewed conference and journal papers and has created publicly available testing images for forensic tools. Currently pursuing a Ph.D. in Computer Science and Digital Forensics at Purdue University, he is also a research assistant at the Center for Education and Research in Information Assurance and Security (CERIAS) there. He formerly served as a research scientist at @stake and as the lead for the @stake Response Team and Digital Forensic Labs. Carrier has taught forensics, incident response, and file systems at SANS, FIRST, the @stake Academy, and SEARCH.

Brian Carrier's http://www.digital-evidence.org contains book updates and up-to-date URLs from the book's references.

© Copyright Pearson Education. All rights reserved.
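The partition-table and data-hiding topics listed in the coverage above are the kind of low-level decoding the book walks through. As an added example that is not from the book and not code from The Sleuth Kit, the Python below parses a classic DOS (MBR) partition table from a constructed 512-byte sector, refuses a sector without the 0x55AA signature, decodes the four 16-byte entries, and reports the unallocated LBA ranges (before the first partition, between partitions, and after the last) where data can be hidden. Passing the drive's native sector count rather than the OS-visible size makes a Host Protected Area show up as the trailing gap. The sample sector, the partition layout and the 4096-sector capacity are constructed; the parser follows the standard entry layout and does not walk extended-partition (EBR) chains.

```python
import struct
from dataclasses import dataclass
from typing import Dict, List, Tuple

SECTOR = 512
MBR_SIGNATURE = b"\x55\xaa"          # bytes 510-511 of a DOS partition table
ENTRY_FMT = "<B3sB3sII"              # status, CHS start, type, CHS end, LBA start, sector count

# A few well-known type IDs; anything else is reported as "unknown".
TYPE_NAMES: Dict[int, str] = {
    0x05: "Extended", 0x07: "NTFS/exFAT/HPFS", 0x0B: "FAT32 (CHS)", 0x0C: "FAT32 (LBA)",
    0x0F: "Extended (LBA)", 0x82: "Linux swap", 0x83: "Linux", 0xEE: "GPT protective",
}


@dataclass
class Partition:
    index: int
    bootable: bool
    type_id: int
    start_lba: int
    sectors: int

    @property
    def end_lba(self) -> int:
        return self.start_lba + self.sectors - 1

    @property
    def type_name(self) -> str:
        return TYPE_NAMES.get(self.type_id, "unknown")


def parse_mbr(sector0: bytes) -> List[Partition]:
    """Decode the four 16-byte entries at offset 446 of a DOS partition table.

    Raises ValueError when the 0x55AA signature is missing, which is what a
    wiped or non-DOS sector looks like; the investigator then has to look
    elsewhere (GPT header at LBA 1, BSD disk label, carving) rather than
    trust whatever bytes happen to sit at offset 446.
    """
    if len(sector0) < SECTOR:
        raise ValueError("need at least one 512-byte sector")
    if sector0[510:512] != MBR_SIGNATURE:
        raise ValueError("missing 0x55AA signature: not a DOS partition table")
    parts: List[Partition] = []
    for i in range(4):
        status, _chs_start, ptype, _chs_end, start, count = struct.unpack_from(
            ENTRY_FMT, sector0, 446 + 16 * i)
        if ptype == 0 or count == 0:
            continue  # empty slot
        parts.append(Partition(i, status == 0x80, ptype, start, count))
    return parts


def find_gaps(parts: List[Partition], disk_sectors: int) -> List[Tuple[int, int]]:
    """Return (first, last) LBA ranges covered by no partition entry.

    Sector 0 holds the MBR itself and is not reported. Pass the drive's
    native sector count (not the OS-visible size): a Host Protected Area
    lies beyond the OS-visible end and then appears as the trailing gap.
    """
    gaps: List[Tuple[int, int]] = []
    cursor = 1
    for p in sorted(parts, key=lambda q: q.start_lba):
        if p.start_lba > cursor:
            gaps.append((cursor, p.start_lba - 1))
        cursor = max(cursor, p.end_lba + 1)
    if cursor < disk_sectors:
        gaps.append((cursor, disk_sectors - 1))
    return gaps


def build_mbr(entries: List[Tuple[bool, int, int, int]]) -> bytes:
    """Construct a test sector from (bootable, type_id, start_lba, sectors) tuples.
    CHS fields are filled with 0xFF, as tools do when LBA values are authoritative."""
    sec = bytearray(SECTOR)
    for i, (boot, ptype, start, count) in enumerate(entries):
        struct.pack_into(ENTRY_FMT, sec, 446 + 16 * i,
                         0x80 if boot else 0x00, b"\xff\xff\xff", ptype,
                         b"\xff\xff\xff", start, count)
    sec[510:512] = MBR_SIGNATURE
    return bytes(sec)


# Constructed sample (hypothetical layout): a bootable NTFS volume at LBA 63
# and a Linux volume at LBA 2048, on a drive whose native capacity is 4096 sectors.
SAMPLE_MBR = build_mbr([(True, 0x07, 63, 1000), (False, 0x83, 2048, 1024)])
SAMPLE_NATIVE_SECTORS = 4096


if __name__ == "__main__":
    for p in parse_mbr(SAMPLE_MBR):
        print(f"slot {p.index}: {p.type_name:<16} LBA {p.start_lba}-{p.end_lba}"
              f" ({p.sectors} sectors){' boot' if p.bootable else ''}")
    for first, last in find_gaps(parse_mbr(SAMPLE_MBR), SAMPLE_NATIVE_SECTORS):
        print(f"unallocated: LBA {first}-{last} ({last - first + 1} sectors)")
```

Against a real image the same decoding is what TSK's `mmls` does when it lists partitions alongside "Unallocated" ranges; this example stops at the primary table, so a type 0x05/0x0F entry points at an EBR chain that still has to be followed, and a type 0xEE entry means the real layout is in the GPT at LBA 1.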

Cited By

  1. Lien Y, Chen Y, Chang Y, Liang Y and Shih W (2023). FSIMR: File-system-aware Data Management for Interlaced Magnetic Recording, ACM Transactions on Embedded Computing Systems, 22:5s, (1-18), Online publication date: 31-Oct-2023.
  2. Göbel T, Baier H and Breitinger F (2023). Data for Digital Forensics: Why a Discussion on "How Realistic is Synthetic Data" is Dispensable, Digital Threats: Research and Practice, 4:3, (1-18), Online publication date: 30-Sep-2023.
  3. Hammer A, Ohlig M, Geus J and Freiling F (2023). A Functional Classification of Forensic Access to Storage and its Legal Implications, Digital Threats: Research and Practice, 4:3, (1-14), Online publication date: 30-Sep-2023.
  4. Kim D, Lee Y and Jeong J. NULL byte injection. Proceedings of the Twenty-Third International Symposium on Theory, Algorithmic Foundations, and Protocol Design for Mobile Networks and Mobile Computing, (265-270).
  5. Albadri N and Dekeyser S (2022). A novel file system supporting rich file classification, Computers and Electrical Engineering, 103:C, Online publication date: 1-Oct-2022.
  6. Galhuber M and Luh R. Time for Truth: Forensic Analysis of NTFS Timestamps. Proceedings of the 16th International Conference on Availability, Reliability and Security, (1-10).
  7. Lee W, Kim K, Yang H and Ko Y (2020). Automatic reconstruction of deleted AVI video files composed of scattered and corrupted fragments, Multimedia Tools and Applications, 79:37-38, (28355-28367), Online publication date: 1-Oct-2020.
  8. Harshany E, Benton R, Bourrie D, Black M and Glisson W. DFS3. Proceedings of the 15th International Conference on Availability, Reliability and Security, (1-10).
  9. Karresand M, Axelsson S and Dyrkolbotn G (2019). Disk Cluster Allocation Behavior in Windows and NTFS, Mobile Networks and Applications, 25:1, (248-258), Online publication date: 1-Feb-2020.
  10. Stepanov V. File tracing by intercepting disk requests. Proceedings of the 2019 27th ACM Joint Meeting on European Software Engineering Conference and Symposium on the Foundations of Software Engineering, (1190-1192).
  11. Lien Y, Chen Y and Huang P. Compaction and Compression Techniques for File Systems based on Persistent Memories. Proceedings of the 2019 2nd International Conference on Data Storage and Data Engineering, (9-14).
  12. Mechtly B, Helbert F, Cox D and Hastings Z (2019). The visible file system, Journal of Computing Sciences in Colleges, 34:4, (24-31), Online publication date: 1-Apr-2019.
  13. Feng X and Conrad M. Security Audit in Mobile Apps Security Design. Proceedings of the 2nd International Conference on Computer Science and Application Engineering, (1-5).
  14. Plum J and Dewald A. Forensic APFS File Recovery. Proceedings of the 13th International Conference on Availability, Reliability and Security, (1-10).
  15. Jo W, Chang H and Shon T (2018). Digital forensic science approach by file recovery research, The Journal of Supercomputing, 74:8, (3704-3725), Online publication date: 1-Aug-2018.
  16. Kim H, Kang D, Lee K and Choi J. Fragmentation-Less FAT-compatible File System for Internet of Things. Proceedings of the 12th International Conference on Ubiquitous Information Management and Communication, (1-5).
  17. (2017). Decoding the APFS file system, Digital Investigation: The International Journal of Digital Forensics & Incident Response, 22:C, (107-132), Online publication date: 1-Sep-2017.
  18. Hilgert J, Lambertz M and Plohmann D (2017). Extending The Sleuth Kit and its underlying model for pooled storage file system forensic analysis, Digital Investigation: The International Journal of Digital Forensics & Incident Response, 22:S, (S76-S85), Online publication date: 1-Aug-2017.
  19. Chen T, Chang Y, Chen S, Hsu N, Wei H and Shih W (2017). On Space Utilization Enhancement of File Systems for Embedded Storage Systems, ACM Transactions on Embedded Computing Systems, 16:3, (1-28), Online publication date: 7-Jul-2017.
  20. Kortsarts Y (2017). Teaching computer forensics course, Journal of Computing Sciences in Colleges, 32:6, (208-209), Online publication date: 1-Jun-2017.
  21. Yang Y, Xu Z, Liu L and Sun G (2017). A security carving approach for AVI video based on frame size and index, Multimedia Tools and Applications, 76:3, (3293-3312), Online publication date: 1-Feb-2017.
  22. Kim Y, Woo Y, Lee H and Seo E (2016). Design and implementation of split/merge operations for efficient multimedia file manipulation, Computer Standards & Interfaces, 48:C, (80-89), Online publication date: 1-Nov-2016.
  23. Neuner S, Schmiedecker M and Weippl E (2016). PeekaTorrent, Digital Investigation: The International Journal of Digital Forensics & Incident Response, 18:S, (S149-S156), Online publication date: 7-Aug-2016.
  24. Neuner S, Voyiatzis A, Schmiedecker M, Brunthaler S, Katzenbeisser S and Weippl E (2016). Time is on my side, Digital Investigation: The International Journal of Digital Forensics & Incident Response, 18:S, (S76-S86), Online publication date: 7-Aug-2016.
  25. Yang M, Chang Y and Tsao C (2016). Byte-Addressable Update Scheme to Minimize the Energy Consumption of PCM-Based Storage Systems, ACM Transactions on Embedded Computing Systems, 15:3, (1-20), Online publication date: 21-Jul-2016.
  26. Cho G (2016). A New Timestamp Digital Forensic Method Using a Modified Superincreasing Sequence, International Journal of Digital Crime and Forensics, 8:3, (11-33), Online publication date: 1-Jul-2016.
  27. Chen T, Chang Y, Yang M, Chen Y, Wei H and Shih W (2016). Multi-Grained Block Management to Enhance the Space Utilization of File Systems on PCM Storages, IEEE Transactions on Computers, 65:6, (1831-1845), Online publication date: 1-Jun-2016.
  28. Park J, Kim D, Park J and Lee S (2016). An enhanced security framework for reliable Android operating system, Security and Communication Networks, 9:6, (528-534), Online publication date: 1-Apr-2016.
  29. Lees C (2016). GVFS metadata, Digital Investigation: The International Journal of Digital Forensics & Incident Response, 16:C, (12-18), Online publication date: 1-Mar-2016.
  30. Lee W, Kwon H and Lee H (2015). Comments on "The Linux FAT32 allocator and file creation order reconstruction" [Digit Investig 11(4), 224-233], Digital Investigation: The International Journal of Digital Forensics & Incident Response, 15:C, (119-123), Online publication date: 1-Dec-2015.
  31. Grier J and Richard G (2015). Rapid forensic imaging of large disks with sifting collectors, Digital Investigation: The International Journal of Digital Forensics & Incident Response, 14:S1, (S34-S44), Online publication date: 1-Aug-2015.
  32. Kharraz A, Robertson W, Balzarotti D, Bilge L and Kirda E. Cutting the Gordian Knot. Proceedings of the 12th International Conference on Detection of Intrusions and Malware, and Vulnerability Assessment - Volume 9148, (3-24).
  33. Boztas A, Riethoven A and Roeloffs M (2015). Smart TV forensics, Digital Investigation: The International Journal of Digital Forensics & Incident Response, 12:S1, (S72-S80), Online publication date: 1-Mar-2015.
  34. Zonouz S, Berthier R, Khurana H, Sanders W and Yardley T (2015). Seclius: An Information Flow-Based, Consequence-Centric Security Metric, IEEE Transactions on Parallel and Distributed Systems, 26:2, (562-573), Online publication date: 1-Feb-2015.
  35. Kaart M and Laraghy S (2015). Android forensics, Digital Investigation: The International Journal of Digital Forensics & Incident Response, 11:3, (234-248), Online publication date: 1-Sep-2014.
  36. Nelson A, Steggall E and Long D (2014). Cooperative mode, Digital Investigation: The International Journal of Digital Forensics & Incident Response, 11:S2, (S46-S56), Online publication date: 1-Aug-2014.
  37. Kang S, Park K and Kim J (2014). Cost effective data wiping methods for mobile phone, Multimedia Tools and Applications, 71:2, (643-655), Online publication date: 1-Jul-2014.
  38. Casser T and Ketel M. Developing a forensics tool for social media. Proceedings of the 2014 ACM Southeast Conference, (1-4).
  39. Poisel R, Rybnicek M, Schildendorfer B and Tjoa S (2013). Classification and Recovery of Fragmented Multimedia Files using the File Carving Approach, International Journal of Mobile Computing and Multimedia Communications, 5:3, (50-67), Online publication date: 1-Jul-2013.
  40. Cho G (2013). A computer forensic method for detecting timestamp forgery in NTFS, Computers and Security, 34, (36-46), Online publication date: 1-May-2013.
  41. Khan M (2012). Performance analysis of Bayesian networks and neural networks in classification of file system activities, Computers and Security, 31:4, (391-401), Online publication date: 1-Jun-2012.
  42. Chang Y, Wu P, Kuo T and Hung S (2012). An adaptive file-system-oriented FTL mechanism for flash-memory storage systems, ACM Transactions on Embedded Computing Systems, 11:1, (1-19), Online publication date: 1-Mar-2012.
  43. Chang Y, Hsieh C, Huang P and Hsiu P (2012). A caching-oriented management design for the performance enhancement of solid-state drives, ACM Transactions on Storage, 8:1, (1-21), Online publication date: 1-Feb-2012.
  44. Kieseberg P, Schrittwieser S, Morgan L, Mulazzani M, Huber M and Weippl E. Using the structure of B+-trees for enhancing logging mechanisms of databases. Proceedings of the 13th International Conference on Information Integration and Web-based Applications and Services, (301-304).
  45. Huber M, Mulazzani M, Leithner M, Schrittwieser S, Wondracek G and Weippl E. Social snapshots. Proceedings of the 27th Annual Computer Security Applications Conference, (113-122).
  46. Zonouz S, Joshi K and Sanders W. Floguard. Proceedings of the 30th international conference on Computer safety, reliability, and security, (338-354).
  47. Shields C, Frieder O and Maloof M (2011). A system for the proactive, continuous, and efficient collection of digital forensic evidence, Digital Investigation: The International Journal of Digital Forensics & Incident Response, 8, (S3-S13), Online publication date: 1-Aug-2011.
  48. Yu M, Lin Q, Li B, Qi Z and Guan H. Vis. Proceedings of the Second Asia-Pacific Workshop on Systems, (1-5).
  49. Chang Y, Hsu P, Lu Y and Kuo T (2011). A driver-layer caching policy for removable storage devices, ACM Transactions on Storage, 7:1, (1-23), Online publication date: 1-Jun-2011.
  50. Ding X and Zou H. Time based data forensic and cross-reference analysis. Proceedings of the 2011 ACM Symposium on Applied Computing, (185-190).
  51. Hayashida S. A Study of Building a Database System based on ISSEI Data Management Method. Proceedings of the 2010 conference on New Trends in Software Methodologies, Tools and Techniques: Proceedings of the 9th SoMeT_10, (203-211).
  52. Hargreaves C and Chivers H. Detecting hidden encrypted volumes. Proceedings of the 11th IFIP TC 6/TC 11 international conference on Communications and Multimedia Security, (233-244).
  53. Fairbanks K, Lee C and Owen H. Forensic implications of Ext4. Proceedings of the Sixth Annual Workshop on Cyber Security and Information Intelligence Research, (1-4).
  54. Billard D and Hauri R. Making sense of unstructured flash-memory dumps. Proceedings of the 2010 ACM Symposium on Applied Computing, (1579-1583).
  55. Srinivasan S. Computer forensics curriculum in security education. 2009 Information Security Curriculum Development Conference, (32-36).
  56. Davidson A, Oja R and Yngstrom L (2009). A Swedish IT forensics course – expert opinions, International Journal of Electronic Security and Digital Forensics, 2:3, (322-333), Online publication date: 1-Jul-2009.
  57. Bares R. Hiding in a virtual world. Proceedings of the 2009 IEEE international conference on Intelligence and security informatics, (276-284).
  58. Chawathe S. Effective whitelisting for filesystem forensics. Proceedings of the 2009 IEEE international conference on Intelligence and security informatics, (131-136).
  59. Collins D (2009). XFT: a forensic toolkit for the original Xbox game console, International Journal of Electronic Security and Digital Forensics, 2:2, (199-205), Online publication date: 1-May-2009.
  60. Wu P, Chang Y and Kuo T. A file-system-aware FTL design for flash-memory storage systems. Proceedings of the Conference on Design, Automation and Test in Europe, (393-398).
  61. Case A, Cristina A, Marziale L, Richard G and Roussev V (2008). FACE, Digital Investigation: The International Journal of Digital Forensics & Incident Response, 5, (S65-S75), Online publication date: 1-Sep-2008.
  62. Purcell D and Lang S. Forensic Artifacts of Microsoft Windows Vista System. Proceedings of the IEEE ISI 2008 PAISI, PACCF, and SOCO international workshops on Intelligence and Security Informatics, (304-319).
  63. Peisert S, Bishop M and Marzullo K (2008). Computer forensics in forensis, ACM SIGOPS Operating Systems Review, 42:3, (112-122), Online publication date: 1-Apr-2008.
  64. Xia Y, Fairbanks K and Owen H (2008). A program behavior matching architecture for probabilistic file system forensics, ACM SIGOPS Operating Systems Review, 42:3, (4-13), Online publication date: 1-Apr-2008.
  65. Altheide C, Merloni C and Zanero S. A methodology for the repeatable forensic analysis of encrypted drives. Proceedings of the 1st European Workshop on System Security, (22-26).
  66. Parisi M. Customized file systems. Proceedings of the 46th annual ACM Southeast Conference, (13-17).
  67. Jee H, Lee J and Hong D. High speed search for large-scale digital forensic investigation. Proceedings of the 1st international conference on Forensic applications and techniques in telecommunications, information, and multimedia and workshop, (1-4).
  68. Cohen M. Advanced JPEG carving. Proceedings of the 1st international conference on Forensic applications and techniques in telecommunications, information, and multimedia and workshop, (1-6).
  69. Willassen S. Timestamp evidence correlation by model based clock hypothesis testing. Proceedings of the 1st international conference on Forensic applications and techniques in telecommunications, information, and multimedia and workshop, (1-6).
  70. Stahlberg P, Miklau G and Levine B. Threats to privacy in the forensic analysis of database systems. Proceedings of the 2007 ACM SIGMOD international conference on Management of data, (91-102).
  71. Figg W and Zhou Z (2007). A computer forensics minor curriculum proposal, Journal of Computing Sciences in Colleges, 22:4, (32-38), Online publication date: 1-Apr-2007.
  72. Adelstein F (2006). Live forensics, Communications of the ACM, 49:2, (63-66), Online publication date: 1-Feb-2006.
  73. Carrier B (2006). Risks of live digital forensic analysis, Communications of the ACM, 49:2, (56-61), Online publication date: 1-Feb-2006.
Contributors
  • Purdue University

Reviews

Panagiotis Louridas

This book is nominally about forensic data analysis, but, arguably, its real subject matter is different, and worthy of a larger audience; this might not be obvious from the book's title, or its first few chapters. The book starts with the very basics: an explanation of the forensic analysis of digital data, and an introduction to the fundamentals of computers and hard disk storage. Readers might or might not be interested to know that "the heart of a modern computer is one or more central processing units [CPUs]," but the pace is swift, so they will not tire of such trivia. The book's real subject is disk storage. Carrier follows a layered approach, describing volumes and partitions first, and then file systems. He talks effortlessly about disk operating system (DOS) partitions, Apple partitions, Berkeley software distribution (BSD) partitions, Solaris slices, globally unique identifier (GUID) partition table (GPT) partitions, and redundant array of independent disks (RAID) and disk spanning, before moving smoothly to file allocation table (FAT), new technology file system (NTFS), second extended file system (Ext2), third extended file system (Ext3), Unix file system 1 (UFS1), and Unix file system 2 (UFS2). A comparative reading of the material is a rewarding experience, especially since, these days, savvy computer professionals are more likely than not to work with a multitude of operating systems. After introducing a topic, the author illustrates it by means of open source tools (he is the author of a popular Unix-based forensic toolkit, The Sleuth Kit). This reads like "Disk Storage Illustrated," and it is, to the book's advantage. It is easy when describing such topics as file systems to remain at the level of boxes and arrows, but Carrier drills down, and shows how the overall architecture is reflected in the real data saved. It is at this point that forensic analysis kicks in. We find out what we should expect to find in our disks, and how we should find it. 
The author graces us with intriguing details on where data may remain hidden, and there are many nuggets on where to look for (or where to hide) information. This is an engaging and well-written book that manages not to be simplistic while it takes nothing for granted. Although its intended audience is security-related professionals, anybody who needs a refresher in, or an overview of, file system concepts would enjoy reading it.

Online Computing Reviews Service

Radu State

Digital forensics is a relatively new science (and art), aimed at recovering evidence from security-related incidents. Such incidents arise mostly when a vulnerable machine is compromised, and starts to host malware and unacceptable files (copyright protected software and/or offensive content). Recovering digital evidence from such a compromised machine requires from an investigator both adequate software and the necessary knowledge. Reading this book is a journey to the bits on your hard disk. The journey starts with an introduction to the foundations of digital investigation: existing toolkits, search and preservation methods, and data analysis methods. The computer science foundations required to perform digital forensics are presented in the next chapters, covering mostly hard disk technologies, disk reading, and hexadecimal and binary number representation. This section might seem to be a simple and basic overview, but several slipped-in details, like host protected area (HPA) and basic input-output system (BIOS) versus direct data access, can also be appreciated by more experienced readers. The second part of the book addresses the analysis of different types of data partitions. The four chapters making up this part cover personal computer (PC)/Apple partitions, BSD/Solaris partitions, and multiple disk volumes. I found the chapter on redundant array of independent disks (RAID) to be very interesting and informative, and wished I'd had this book a year ago, when my RAID server crashed. File system analysis is the focus of the third part of the book. The main three file systems (file allocation table/new technology file system (FAT/NTFS), second extended filesystem/third extended filesystem (Ext2/Ext3), and Unix file system 1/Unix file system 2 (UFS1/UFS2)) are described, and their digital forensic analysis is shown and illustrated with great detail. 
I liked this comprehensive approach, focusing on the all-important file systems without narrowing in on only one particular operating system. This approach is in accord with what an investigator might be confronted with, since Microsoft Windows machines use FAT/NTFS, Linux uses Ext2/Ext3, and UFS1/UFS2 is found on FreeBSD, OpenBSD, and most other Unix-derived operating systems. The author does an excellent job of addressing his topic, illustrating key concepts with practical examples, and using several open source toolkits, among which is the well-known Sleuth Kit, which he authored. The examples are well chosen, and the writing style is clear and sharp. Readers are assisted in their journey by many illustrations, tables, and chapter-based reference sections for further reading. Although several other books address digital forensics, this is the first book dedicated entirely to the analysis of file system related data. These issues are addressed in great depth, and the author goes into the innermost details of file systems and their analysis. As such, the book successfully meets the challenge, to be a complete reference for a security investigator, and to be the most comprehensive introduction to the most important file systems used. I consider this book to be highly relevant to at least four reader categories. The first two parts of the book are of immense value to readers interested in computer file systems. Graduate and undergraduate students taking an operating systems class will find in this part the essence of file systems, and their implementation. For those readers working on data rescue and recovery projects, this book contains all of the low-level details required to recover lost data due to hardware failures or accidental erasures. A third category would be security investigators: this book can serve as a very valuable reference for the analysis of digital data. 
Finally, readers willing to learn how file systems are implemented, and how to perform digital forensics on file systems, are more than encouraged to read this book. Overall, this long-awaited book on the digital forensics of file systems is very informative, relevant, and well written. Addressing a large category of technical readers, it meets all of the prerequisites to become "the" reference for the digital forensics of file systems.

Online Computing Reviews Service
