
REVIEW: "File System Forensic Analysis", Brian Carrier

  • Rob, grandpa of Ryan, Trevor, Devon & Ha
    Message 1 of 1 , Aug 8, 2005
      BKFSFRAN.RVW 20050608

      "File System Forensic Analysis", Brian Carrier, 2005, 0-321-26817-2,
      U$49.99/C$69.99
      %A Brian Carrier
      %C P.O. Box 520, 26 Prince Andrew Place, Don Mills, Ontario M3C 2T8
      %D 2005
      %G 0-321-26817-2
      %I Addison-Wesley Publishing Co.
      %O U$49.99/C$69.99 416-447-5101 800-822-6339 bkexpress@...
      %O http://www.amazon.com/exec/obidos/ASIN/0321268172/robsladesinterne
      %O http://www.amazon.ca/exec/obidos/ASIN/0321268172/robsladesin03-20
      %O Audience a- Tech 2 Writing 1 (see revfaq.htm for explanation)
      %P 569 p.
      %T "File System Forensic Analysis"

      The preface states, correctly, that there is little information for
      the forensic investigator on the topic of file system structures and
      internals that are useful for providing direction on tracing and
      tracking information on the disk. The author also notes that there
      are a number of worthwhile texts that address the general topic of
      investigation. Therefore, the author intends to address the former
      rather than the latter. At the same time, there is an implication in
      the initial section that this work is only the merest introduction to
      the subject of computer forensics.

      Part one is aimed at providing foundational concepts. Chapter one, in
      fact, does provide a quick review of the investigation process, and a
      list of forensic software toolkits. A sort of "Computers 101" is in
      chapter two, with a not-terribly-well structured collection of facts
      about data organization, drive types, and so forth, with varying
      levels of detail. Chapter three addresses different factors and
      problems in hard disk data acquisition, although the inventory is
      neither complete nor fully explained.

      Part two deals with the analysis of drive volumes or partitions, with
      chapter four outlining basic structures. DOS (FAT [File Allocation
      Table] and NTFS) and Apple partition details are discussed in chapter
      five. Chapter six reviews various UNIX partitions. Multi-disk
      systems, such as RAID (Redundant Array of Inexpensive Disks), are
      covered in chapter seven.

      Part three delves into the data structures of the file system itself.
      Chapter eight introduces concepts used in considering file systems.
      Details of the FAT system are in chapters nine and ten. A very
      detailed explanation of the disk and file structures of the NTFS
      system, as well as considerations for analysis, is provided in
      chapters eleven to thirteen. The Linux Ext2 and Ext3 structures are
      discussed in chapters fourteen and fifteen. Chapters sixteen and
      seventeen cover the UFS1 and UFS2 schemes, found primarily in BSD
      (Berkeley Systems Distribution) derived versions.

      This book does provide a wealth of detail, once it gets into the
      specifics of partitions and structures. The introductory material,
      writing, and technical level are quite uneven, which makes it
      difficult to use. Still, those seriously involved with the data
      recovery aspect of digital forensics should consider this work a
      valuable resource.

      copyright Robert M. Slade, 2005 BKFSFRAN.RVW 20050608

      ====================== (quote inserted randomly by Pegasus Mailer)
      rslade@... slade@... rslade@...
      In coming months, politicians will flail about looking for
      freedoms to eliminate to `curb the terrorist threat.' We must
      remember throughout that you cannot preserve freedom by
      eliminating it. - Metzger, post 9/11
      http://victoria.tc.ca/techrev or http://sun.soci.niu.edu/~rslade