
File System Forensic Analysis

nazarijo writes "The field of investigative forensics has seen a huge surge in interest lately, with many looking to study it because of shows like CSI or the increasing coverage of computer-related crimes. Some people see a career opportunity there, and are moving toward computer forensics, marrying both law enforcement and investigations with their interest in things digital. Central to this field is the study of data storage and recovery, which requires a deep knowledge of how filesystems work. Brian Carrier's new book File System Forensic Analysis covers this topic with clarity and an uncommon skill." Read on for the rest of Nazario's review.
File System Forensic Analysis
author: Brian Carrier
pages: 600
publisher: Addison Wesley Professional
rating: 9
reviewer: Jose Nazario
ISBN: 0321268172
summary: The standard for digital filesystem forensics


It's easy to think that computer filesystems are relatively simple things. After all, if 'dir' or 'ls' don't show what you're looking for, maybe an undelete program will work. Or will it? To be a decent, trustworthy expert in forensics (a requirement if you plan to participate in any criminal investigations), you'll have to learn how filesystems really operate, how tools like undelete and lazarus work, and how they can be defeated.

Carrier's book isn't a legal book at all, and it doesn't pretend to offer much insight into the law surrounding forensics. Instead it focuses on technical matters, and is sure to be the gold standard in its field. This is important, because it comes at you expecting you to have some knowledge, even if only informal, of what a filesystem contains. With a basic understanding of data structures, you'll get a wealth of information out of this book, and it will be a good reference long after you've first studied it.

File System Forensic Analysis is divided into three sections. These are arranged in the order that you'll want to study them to maximize the benefit you can hope to achieve, namely an understanding of how to examine filesystems for hidden or previously stored data. The first three chapters cover a fundamental series of topics: Digital Investigation Foundations, Computer Foundations, and an introduction to Hard Disk Data Acquisition. While they start at a basic level (e.g. what hexadecimal is), they quickly progress to more developed topics, such as the types of interfaces (SATA, SCSI, IDE), the relationship of the disk to the computer system as a whole, and how data is stored in a file and filesystem at a basic level. A lot of examples given use Linux, due to the raw, accessible nature of UNIX and UNIX-like systems, and the availability of tools like 'dd' to gather data.

Part 2 covers "Volume Analysis," or the organization of files into a storage system. This introduces the basics of things like partition tables (including how to read one). The next few chapters cover PC-based partitions (DOS and Apple), server-based partitions (BSD, Solaris and GPT partitions), and then multiple disk volumes like RAID and logical volumes. With this introduction, the final chapter of the section covers how to use these filesystem descriptions in practice to look for data during analysis. Filesystem layouts, organization, and things like journals and consistency checks are covered with a clarity and exactness that's refreshing for such a detailed topic.
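The Part 2 material on reading a partition table, as an added worked example (this is not code from the book or from the Sleuth Kit): a small DOS/MBR partition-table parser run over a constructed 512-byte boot sector. Beyond decoding the four entries it also lists the sectors no partition claims, which is where the book's "look for data during analysis" step sends you, and flags tables that overlap or run past the end of the disk. The sample sector, the disk size and the PART_TYPES subset are constructed for the example.

```python
import struct

SECTOR_SIZE = 512
TABLE_OFFSET = 446            # the four 16-byte partition entries start here
ENTRY_SIZE = 16
BOOT_SIGNATURE = b"\x55\xAA"  # bytes 510-511 of a valid MBR

# A small subset of DOS partition type codes, enough for the constructed sample.
PART_TYPES = {
    0x05: "extended",
    0x07: "NTFS/HPFS",
    0x0B: "FAT32 (CHS)",
    0x0C: "FAT32 (LBA)",
    0x0F: "extended (LBA)",
    0x82: "Linux swap",
    0x83: "Linux",
    0xEE: "GPT protective",
}


def parse_mbr(sector):
    """Decode the four primary partition entries of a DOS/MBR boot sector.

    Only the LBA fields are used; the legacy CHS fields are read and ignored.
    """
    if len(sector) < SECTOR_SIZE:
        raise ValueError("need at least one full 512-byte sector")
    if sector[510:512] != BOOT_SIGNATURE:
        raise ValueError("missing 0x55AA boot signature; not a DOS partition table")
    entries = []
    for slot in range(4):
        off = TABLE_OFFSET + slot * ENTRY_SIZE
        status, _chs_start, ptype, _chs_end, lba_start, count = struct.unpack_from(
            "<B3sB3sII", sector, off)
        if ptype == 0 and lba_start == 0 and count == 0:
            continue  # unused slot
        entries.append({
            "slot": slot,
            "bootable": status == 0x80,
            "type": ptype,
            "type_name": PART_TYPES.get(ptype, "unknown (0x%02X)" % ptype),
            "lba_start": lba_start,
            "sectors": count,
            "lba_end": lba_start + count - 1,  # inclusive last sector
        })
    return entries


def find_unallocated(entries, total_sectors):
    """Return (start, length) sector ranges that no partition claims.

    Gaps before the first partition, between partitions and after the last
    one are invisible at the volume layer but can still hold a previous
    partition's data or deliberately hidden data, so an examiner reads them too.
    """
    gaps = []
    cursor = 0
    for e in sorted(entries, key=lambda e: e["lba_start"]):
        if e["lba_start"] > cursor:
            gaps.append((cursor, e["lba_start"] - cursor))
        cursor = max(cursor, e["lba_start"] + e["sectors"])
    if cursor < total_sectors:
        gaps.append((cursor, total_sectors - cursor))
    return gaps


def check_table(entries, total_sectors):
    """Flag inconsistencies to note before trusting the table's description."""
    warnings = []
    ordered = sorted(entries, key=lambda e: e["lba_start"])
    for i, e in enumerate(ordered):
        if e["lba_start"] + e["sectors"] > total_sectors:
            warnings.append("slot %d extends past end of disk" % e["slot"])
        if i > 0 and e["lba_start"] <= ordered[i - 1]["lba_end"]:
            warnings.append("slot %d overlaps slot %d" % (e["slot"], ordered[i - 1]["slot"]))
    return warnings


def _entry(status, ptype, lba_start, count):
    # CHS fields are zeroed; the parser ignores them anyway.
    return struct.pack("<B3sB3sII", status, b"\0\0\0", ptype, b"\0\0\0", lba_start, count)


# Constructed sample sector: a bootable NTFS partition starting at sector 63
# (the classic DOS-era layout) and a Linux partition after a small gap.
SAMPLE_MBR = bytearray(SECTOR_SIZE)
SAMPLE_MBR[446:462] = _entry(0x80, 0x07, 63, 204800)
SAMPLE_MBR[462:478] = _entry(0x00, 0x83, 208845, 100000)
SAMPLE_MBR[510:512] = BOOT_SIGNATURE
SAMPLE_MBR = bytes(SAMPLE_MBR)
SAMPLE_DISK_SECTORS = 400000  # constructed disk size


if __name__ == "__main__":
    parts = parse_mbr(SAMPLE_MBR)
    for p in parts:
        print("slot %d %-14s start %8d sectors %8d%s" % (
            p["slot"], p["type_name"], p["lba_start"], p["sectors"],
            " (bootable)" if p["bootable"] else ""))
    print("unallocated:", find_unallocated(parts, SAMPLE_DISK_SECTORS))
    print("warnings:", check_table(parts, SAMPLE_DISK_SECTORS))
```

On a real image the first 512 bytes of the raw device are the input; the parser deliberately refuses anything without the 0x55AA signature rather than guessing, since a missing or wrong table is itself a finding.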

Having covered the basics of filesystems, Part 3 covers the bulk of the book and material. Several chapters follow that specifically show you how to analyze particular filesystems by using their data structures to direct your reads. A range of filesystems is covered, including FAT, NTFS, EXT2 and EXT3, and the BSD types UFS1 and UFS2. Each filesystem has two chapters, one devoted to concepts and analysis, another entirely about data structures. Dividing each filesystem type like this lets Carrier focus first on the theory of each filesystem and its design, and then on the practical use of its design to actually understand how to pull data off of it.

The real strength of File System Forensic Analysis lies in Carrier's direct and clear descriptions of the concepts, the completeness of his coverage, and the detail he provides. For example, a number of clear, well-ordered and simple diagrams are peppered throughout the book, explaining everything from allocation algorithms to NTFS alternative data streams. This use of simple diagrams makes the topics more easily understood, so the book's full value can be appreciated. This is the kind of thing that sets a book apart from its peers and makes it a valuable resource for a long time.

Finally, Carrier brings it all together and shows us how many aspects of filesystems can be examined using his "sleuth kit" tools, freely available and easy to use. Without appearing to hawk this tool at the expense of other valuable resources, you get to see how simple and direct filesystem manipulations can be done using a direct approach. This kind of presentation is what makes File System Forensic Analysis a great foundation.

Overall I'm pleased with File System Forensic Analysis; I think that Carrier has achieved what few technical authors do, namely a clear explanation of highly technical topics which retains a level of detail that makes it valuable for the long term. For anyone looking seriously at electronic forensics, this is a must-have. I suspect people who are working on filesystem implementations will also want to study it for its practical information about NTFS. Overall, a great technical resource.


You can purchase File System Forensic Analysis from bn.com. Slashdot welcomes readers' book reviews -- to see your own review here, read the book review guidelines, then visit the submission page.

  • by sidney ( 95068 ) on Tuesday August 30, 2005 @02:43PM (#13438335) Homepage
    For alternate opinions on the book see this review by Rob Slade [ncl.ac.uk] in RISKS Digest, and this short rebuttal of Slade's review [ncl.ac.uk] by Simson Garfinkle.
  • STEP ZERO: (Score:5, Informative)

    by abb3w ( 696381 ) on Tuesday August 30, 2005 @02:49PM (#13438376) Journal
    Make sure, by ordering the right adapter [wiebetech.com] for doing forensics work, that Your Young Apprentice (or PFY) can't screw this up. A read-only adapter means the drive can't be mounted rewritably. No, it's not cheap. But what's $500 to the assurance that your evidence chain is prevented from fuckup at the hardware level?

    And no, I don't work for these people. I just think they make some nifty geek toys.

    No, that's not why I have SCSI drives on my home server. Honest; it's for the RAID performance....

  • by Anonymous Coward on Tuesday August 30, 2005 @02:50PM (#13438388)
    I suggest getting: Incident Response (Kevin Mandia and Chris Prosize) and also Computer Forensics (Warren G. Kruse and Jay G. Heiser). Both are an excellent read, and the Mandia book has some wonderful documents to use for real-life situations.
  • by Red Flayer ( 890720 ) on Tuesday August 30, 2005 @02:50PM (#13438389) Journal
    In all, a good review of the book. However, the focus on forensics is left out of the review -- just wanted to point out that the book is more than a text on file system management, search, and data recovery.

    Although, of course, the book does a very good job of being that as well.
  • by museumpeace ( 735109 ) on Tuesday August 30, 2005 @03:05PM (#13438504) Journal
    a series of how-tos and standards docs [nist.gov]
    At the behest of the DOJ, NIST has been grinding out standards on how to forensically analyze a hard drive and other arcana for several years now.

    NIST even provides tools: http://www.cftt.nist.gov/ [nist.gov]
  • Related Links (Score:4, Informative)

    by jkitchel ( 615599 ) <jacob_kitchelNO@SPAMhotmail.com> on Tuesday August 30, 2005 @03:17PM (#13438588)
    Related links:
    Digital Forensic Tool Testing Images [sourceforge.net]
    Brian's Tools [digital-evidence.org] - Includes links to SleuthKit and Autopsy
    Forensic Tool Kit free trial [accessdata.com]

    FTK is a nice tool to play around with for Windows users, especially with the testing images. The free trial does have a limit of 5,000 files per image, so if you create or work on testing images you may have to get rid of extraneous junk and leave the good stuff. SleuthKit and Autopsy are great for the *nix environment. After you get those tools working you might give Scan of the Month challenges 24 [honeynet.org] and 26 [honeynet.org] from The Honeynet Project [honeynet.org] a shot. They're both pretty fun and challenging. Don't worry if you don't know what you're doing. Both of the challenges have writeups done on how to accomplish the tasks and what tools were used if you need guidance.
  • by davidwr ( 791652 ) on Tuesday August 30, 2005 @03:24PM (#13438644) Homepage Journal
    Crooks who are "smart" are going to encrypted systems and making darn sure there's no unencrypted writable storage lying around. This, plus tamper-evident computer including tamper-evident keyboard and keyboard-connectors and a faraday cage makes it very hard on the police.

    Can you say "boot with Suse Live CD and encrypt /dev/hda"? I knew you could.

    This only works in jurisdictions that can't force you to reveal your passphrase. In those jurisdictions, smart crooks outsource their IT to North Korea :).

    That still leaves plenty of forensics work for criminals using other people's computers such as white-collar crooks and the 99% of crooks who aren't smart.
  • by hoxford ( 94613 ) on Tuesday August 30, 2005 @03:35PM (#13438703)
    You'll want more than a water tank below the computer since water doesn't stop a thermite reaction. Try a couple of layers of firebrick or some other ceramic that won't shatter due to extreme heat.
  • Save SEVEN BUCKS (Score:0, Informative)

    by Anonymous Coward on Tuesday August 30, 2005 @03:36PM (#13438711)
    Save yourself SEVEN BUCKS by buying the book here: File System Forensic Analysis [amazon.com]
  • by bradleyland ( 798918 ) on Tuesday August 30, 2005 @03:43PM (#13438751)
    Honestly, this job is probably the coolest I've done. We get the run of any joint we enter. We get to crack people's passwords, read their stuff, and pry into the details that they're trying to hide.

    Outside of the unreal timeframe, it is a bit like television. I've been on location at 1 AM acquiring hard drives so that the debtor principals didn't know what we were doing. Walking through the data center with my mag light at that hour of the morning comes pretty close to that feeling you get when you watch CSI on TV. Most of the time, we tell the people on location we're making "backups" of the data so that we can preserve the data in the event of a crash. There's definitely a social element to forensic work (at least in bankruptcy cases).

    A typical acquisition may go something like this:

    You set up, pull your forms, start noting observations, pull the drives, hook them up to the little black box connected to your laptop's firewire port (a write-blocker), and start having a look at the data. If you've got what you're looking for, you acquire the drive and put everything back together. Boot it all up and be on your way.

    You may be doing this in the CEO's office, or in the data center looking for a mail server. The top officers are usually the most important, since they have the most important correspondence and data.

    It's a fun job. It's every bit as exciting as what you see on television (for once).
  • Re:Related Links (Score:3, Informative)

    by Stibidor ( 874526 ) on Tuesday August 30, 2005 @03:55PM (#13438819) Homepage
    Another nifty tool from AccessData that plugs nicely into the FTK is the Registry Viewer [accessdata.com]. Using the FTK you can find all the Windows registry files on the drive. The Registry Viewer (obviously) will open them and allow you to view just about any key/value including encrypted keys like the Protected Storage (Internet Explorer autofill and Outlook/Outlook Express saved passwords).

    Since I enjoy tooting my own horn from time to time, the information referenced in this article [whitecanyon.com] was obtained by me and my co-worker (I shamelessly admit to working for WhiteCanyon) using AccessData's FTK and Registry Viewer. It was quite a bit of fun to see our results hit national T.V. :)
  • by Anonymous Coward on Tuesday August 30, 2005 @03:59PM (#13438839)
    Actually, if you microwave a CD, it is still about 30% readable, which is enough to bust you. I'd expect similar performance from hard drive platters.
  • Re:CSI (Score:3, Informative)

    by That's Unpossible! ( 722232 ) * on Tuesday August 30, 2005 @04:06PM (#13438889)
    Why in the hell would you choose a dull career like forensic investigation...

    As opposed to an exciting career, like computer programming?

    Seriously, I do a lot of programming as part of my job, and perhaps the most fun I have at work is when some luser decides to fuck with us and I get assigned to track down as much information as possible about this person's activity on our network.

    If I ever had to find another job, I'd seriously consider getting into computer forensics, or the FBI computer investigation division.

    Just because you don't go make an arrest doesn't mean your discoveries won't directly lead to an arrest. And usually the best kind ... when the loser is least expecting it, because they didn't think anyone was sharp enough on the other end of the line.
  • Actually (Score:2, Informative)

    by DnemoniX ( 31461 ) on Tuesday August 30, 2005 @04:53PM (#13439209)
    You DO NOT want a water tray at the bottom. What makes you think a little bit of water will stop thermite? You need a tray full of sand. The thermite is hot enough to separate the hydrogen out of water, not a great move.
  • Re:STEP ZERO: (Score:2, Informative)

    by COMON$ ( 806135 ) on Tuesday August 30, 2005 @05:36PM (#13439579) Journal
    Why use an OS at all? There are plenty of imagemasters out there; Logicube has some nice ones that I have used personally. Sure, they are pricey, but you can do whatever you want to the cloned drive: mount it, run its OS to see what kind of setup the offender had, rip out items, delete, add, run hashes, whatever you want, and not worry about hurting the original drive sitting across the room from you in an antistatic bag.
  • Re:STEP ZERO: (Score:3, Informative)

    by Shanep ( 68243 ) on Tuesday August 30, 2005 @06:09PM (#13439873) Homepage
    Uh, most drives have a write-protect jumper on them.

    Even if the HDD you were capturing evidence from had a write-protect jumper, the point of a write-blocker is that it removes doubt. You plug it in and it will not allow writes to the drive. You don't have to worry about what jumper to short, etc. A simple and absolute solution leads to a simple and absolute statement on the stand.

    BTW, can you point me to a HDD which has a write-protect jumper? I don't recall ever seeing one.
  • Re:Me too (Score:3, Informative)

    by ari_j ( 90255 ) on Tuesday August 30, 2005 @07:49PM (#13440707)
    File access times. Word to the wise: If you want to copy all the files off of a hard drive, mount it read-only or make an image of it and work from that instead.
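The practice the last few comments converge on (write-block or image the original, work only from the copy, and run hashes so the copy's integrity is provable) as an added example; this is not code posted by any of the commenters. It hashes the source while imaging it, hashes the resulting image, and re-verifies the image later so that a stray write to the working copy (the access-time update ari_j warns about, or any other modification) is detected. The "drive" here is a constructed io.BytesIO buffer standing in for a raw block device opened read-only.

```python
import hashlib
import io

CHUNK = 1 << 20  # 1 MiB reads, the same block size you would give `dd bs=1M`


def _sha256_of(stream):
    """Hash a stream from its current position to EOF in CHUNK-sized reads."""
    h = hashlib.sha256()
    for chunk in iter(lambda: stream.read(CHUNK), b""):
        h.update(chunk)
    return h.hexdigest()


def acquire(source, image):
    """Copy every byte of `source` into `image`, hashing the source as it is read.

    Returns (source_hash, image_hash). The two must be equal before the image
    is used for analysis; a mismatch means the copy is not a faithful image.
    """
    source.seek(0)
    h = hashlib.sha256()
    for chunk in iter(lambda: source.read(CHUNK), b""):
        h.update(chunk)
        image.write(chunk)
    image.flush()
    image.seek(0)
    return h.hexdigest(), _sha256_of(image)


def verify_image(image, expected_hash):
    """Re-hash an image (before analysis, after it, before testimony) and compare."""
    image.seek(0)
    return _sha256_of(image) == expected_hash


# Constructed 'evidence drive': 4 MiB of a repeating byte pattern standing in
# for the raw device behind a write-blocker.
SAMPLE_DRIVE = bytes(range(256)) * 16384


def demo():
    """Run an acquisition, verify it, then show that a single write is caught."""
    source = io.BytesIO(SAMPLE_DRIVE)
    image = io.BytesIO()
    src_hash, img_hash = acquire(source, image)
    intact = verify_image(image, src_hash)

    # The mistake the comments warn about: one write to the working copy.
    tampered = io.BytesIO(image.getvalue())
    tampered.seek(1234)
    tampered.write(b"\xFF")  # original byte at 1234 is 0xD2, so this is a change

    return {
        "source_hash": src_hash,
        "matched": src_hash == img_hash,
        "intact": intact,
        "tampered_intact": verify_image(tampered, src_hash),
    }


if __name__ == "__main__":
    result = demo()
    print("acquisition hash:", result["source_hash"])
    print("image matches source:", result["matched"])
    print("image still intact:", result["intact"])
    print("tampered copy still intact:", result["tampered_intact"])
```

Hashing the source during the same pass that writes the image avoids a second full read of the original, which matters when the source is a large or failing drive; the image is then hashed separately so the record shows two independent computations agreeing.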
