File System Forensic Analysis
nazarijo writes "The field of investigative forensics has seen a huge surge in interest lately, with many looking to study it because of shows like CSI or the increasing coverage of computer-related crimes. Some people see a career opportunity there, and are moving toward computer forensics, marrying both law enforcement and investigations with their interest in things digital. Central to this field is the study of data storage and recovery, which requires a deep knowledge of how filesystems work. Brian Carrier's new book File System Forensic Analysis covers this topic with clarity and an uncommon skill." Read on for the rest of Nazario's review.
File System Forensic Analysis
author | Brian Carrier
pages | 600
publisher | Addison Wesley Professional
rating | 9
reviewer | Jose Nazario
ISBN | 0321268172
summary | The standard for digital filesystem forensics
It's easy to think that computer filesystems are relatively simple things. After all, if 'dir' or 'ls' don't show what you're looking for, maybe an undelete program will work. Or will it? To be a decent, trustworthy expert in forensics (a requirement if you plan to participate in any criminal investigations), you'll have to learn how filesystems really operate, how tools like undelete and lazarus work, and how they can be defeated.
Carrier's book isn't a legal book at all, and it doesn't pretend to offer much insight into the law surrounding forensics. Instead it focuses on technical matters, and is sure to be the gold standard in its field. This is important, because it comes at you expecting you to have some knowledge, even if only informal, of what a filesystem contains. With a basic understanding of data structures, you'll get a wealth of information out of this book, and it will be a good reference long after you've first studied it.
File System Forensic Analysis is divided into three sections. These are arranged in the order that you'll want to study them to maximize the benefit you can hope to achieve, namely an understanding of how to examine filesystems for hidden or previously stored data. The first three chapters cover a fundamental series of topics: Digital Investigation Foundations, Computer Foundations, and an introduction to Hard Disk Data Acquisition. While they start at a basic level (e.g. what hexadecimal is), they quickly progress to more developed topics, such as the types of interfaces (SATA, SCSI, IDE), the relationship of the disk to the computer system as a whole, and how data is stored in a file and filesystem at a basic level. Many of the examples use Linux, due to the raw, accessible nature of UNIX and UNIX-like systems, and the availability of tools like 'dd' to gather data.
Part 2 covers "Volume Analysis," or the organization of files into a storage system. This introduces the basics of things like partition tables (including how to read one). The next few chapters cover PC-based partitions (DOS and Apple), server-based partitions (BSD, Solaris and GPT partitions), and then multiple disk volumes like RAID and logical volumes. With this introduction, the final chapter of the section covers how to use these filesystem descriptions in practice to look for data during analysis. Filesystem layouts, organization, and things like journals and consistency checks are covered with a clarity and exactness that's refreshing for such a detailed topic.
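As an added example (not code from the book or the review) of what "reading a partition table" looks like in practice: the four DOS/MBR entries are decoded from a constructed sample sector, and the unallocated sector ranges that volume analysis would inspect for hidden or leftover data are listed. Offsets and type codes follow the standard MBR layout; the sample partitions are made up.

```python
import struct

SECTOR = 512
# A few common DOS partition type codes (the book's Part 2 covers the full table)
PARTITION_TYPES = {0x05: "extended (CHS)", 0x07: "NTFS/exFAT", 0x0B: "FAT32 (CHS)",
                   0x0C: "FAT32 (LBA)", 0x0F: "extended (LBA)", 0x83: "Linux",
                   0xEE: "GPT protective"}
ENTRY_FMT = "<B3sB3sII"  # status, CHS start, type, CHS end, LBA start, sector count


def parse_mbr(sector: bytes) -> list[dict]:
    """Decode the four 16-byte partition entries at offset 446 of a DOS MBR."""
    if len(sector) < SECTOR:
        raise ValueError("need a full 512-byte sector")
    if sector[510:512] != b"\x55\xaa":
        raise ValueError("missing 0x55AA boot signature")
    parts = []
    for i in range(4):
        status, _, ptype, _, lba, count = struct.unpack_from(ENTRY_FMT, sector, 446 + 16 * i)
        if ptype == 0 and lba == 0 and count == 0:
            continue  # empty slot
        parts.append({"index": i, "bootable": bool(status & 0x80), "type": ptype,
                      "type_name": PARTITION_TYPES.get(ptype, "unknown"),
                      "start_lba": lba, "end_lba": lba + count - 1, "sectors": count,
                      "start_byte": lba * SECTOR, "size_bytes": count * SECTOR})
    return parts


def find_gaps(parts: list[dict], total_sectors: int) -> list[tuple[int, int]]:
    """Sector ranges belonging to no partition (sector 0 holds the MBR itself).
    Volume analysis looks here for hidden or leftover data."""
    gaps, cursor = [], 1
    for p in sorted(parts, key=lambda p: p["start_lba"]):
        if p["start_lba"] > cursor:
            gaps.append((cursor, p["start_lba"] - 1))
        cursor = max(cursor, p["end_lba"] + 1)
    if cursor < total_sectors:
        gaps.append((cursor, total_sectors - 1))
    return gaps


def build_sample_mbr() -> bytes:
    """Constructed sample sector (not from any real disk): a bootable NTFS
    partition followed by a Linux partition, with unallocated space between."""
    sector = bytearray(SECTOR)
    chs = b"\xfe\xff\xff"  # CHS fields are ignored by LBA-aware tools
    entries = [(0x80, 0x07, 2048, 204800), (0x00, 0x83, 409600, 102400)]
    for i, (status, ptype, lba, count) in enumerate(entries):
        struct.pack_into(ENTRY_FMT, sector, 446 + 16 * i, status, chs, ptype, chs, lba, count)
    sector[510:512] = b"\x55\xaa"
    return bytes(sector)
```

Calling `find_gaps(parse_mbr(build_sample_mbr()), 1024000)` on the sample reports three gaps: the sectors before the first partition, the space between the two, and the tail of the disk.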
With the basics of filesystems covered, Part 3 makes up the bulk of the book and its material. Several chapters follow that specifically show you how to analyze particular filesystems by using their data structures to direct your reads. A range of filesystems are covered, including FAT, NTFS, EXT2 and EXT3, and the BSD types UFS1 and UFS2. Each filesystem has two chapters, one devoted to concepts and analysis, another entirely about data structures. Dividing each filesystem type like this lets Carrier focus first on the theory of each filesystem and its design, and then on the practical use of that design to actually understand how to pull data off of it.
The real strength of File System Forensic Analysis lies in Carrier's direct and clear descriptions of the concepts, the completeness of his coverage, and the detail he provides. For example, a number of clear, well-ordered and simple diagrams are peppered throughout the book, explaining everything from allocation algorithms to NTFS alternative data streams. This use of simple diagrams makes the topics more easily understood, so the book's full value can be appreciated. This is the kind of thing that sets a book apart from its peers and makes it a valuable resource for a long time.
Finally, Carrier brings it all together and shows us how many aspects of filesystems can be examined using his "sleuth kit" tools, which are freely available and easy to use. He does this without appearing to hawk the tool at the expense of other valuable resources, and you get to see how simple and direct filesystem manipulations can be done using a direct approach. This kind of presentation is what makes File System Forensic Analysis a great foundation.
Overall I'm pleased with File System Forensic Analysis. I think that Carrier has achieved what few technical authors do, namely a clear explanation of highly technical topics which retains a level of detail that makes it valuable for the long term. For anyone looking seriously at electronic forensics, this is a must-have. I suspect people who are working on filesystem implementations will also want to study it for its practical information about NTFS. Overall, a great technical resource.
I might get this (Score:5, Insightful)
As the OS has become more sophisticated, most computer users now never see things like a disk defrag. They really think that there is a file, all in one spot in their computer, that sits literally next to other files in the same folder. The idea that you can recover a file that has been "deleted" seems like deep wizardry, with no thought to the more impressive wizardry that makes "files" out of pieces of metal with a magnet.
Re:Here is an even better question (Score:3, Insightful)
That's probably one of my bigger pet peeves. People in technology jobs who are not passionate about technology. You see it all the time, unfortunately. You don't have to be passionate about your current job - but you should be passionate about tech.
I mean, you wouldn't go into teaching if you didn't care about teaching, right? (At least, initially).
Re:CSI (Score:3, Insightful)
Or engineering? After all, if ya canna change the laws of physics, where's the fun in it?
Monkey see, monkey do....
What about encryption? (Score:5, Insightful)
How do those things fit into this topic? I mean, the filesystem stuff is great and interesting but it doesn't seem to do any good if all you can recover is a PGP Disk file*.
Can someone much smarter than me tell me how data forensics deals with that?
* PGP Disk: a PGP encrypted file that can be mounted as a drive letter. It is, literally, a file just sitting there on your hard drive. You mount the file (after providing the secret passphrase) and voila! - you now have an encrypted drive to copy files in and out of.
Re:I do this sometimes... (Score:1, Insightful)
Is that what you tell yourself? How the hell can you make a bald assertion like that? On what evidence?
Bigger questions (Score:4, Insightful)
With the existence of zero-day exploits, spyware-zombies-for-sale, broadband, etc., how can anyone convince a jury beyond a reasonable doubt that someone put the bits there THEMSELVES without a confession or video of them actually putting the content there?
People are going to jail because of this shit. Digital evidence is an oxymoron.
Re:Morality of Privacy (Score:1, Insightful)
Yep... and if you go snooping yourself instead of hiring it out, also be prepared to get hurt. I had an extremely rocky marriage, suspected my newlywed wife of wrongdoing and started spooling off copies of all her email conversations.
What started as a "what can I learn that will help me save this marriage" quickly turned into a nightmare when I discovered how bad things really were... cheating, backstabbing, outright plots against me, etc. It hurt, but it also gave me the leverage I needed to get out of the situation before it got immeasurably worse.
Personally, I say "good for you" to anyone who uncovers this kind of thing for spouses. If they have reason to suspect things, they are probably valid and it can be just the push they need to get out of a really bad situation before it gets worse.
Re:The "How To Destroy Your HD" Thread (Score:2, Insightful)
Do you really think that aluminum and iron oxide are that hard to get a hold of? Anyone who has passed high school chemistry could make it.
In my experience it is harder finding a way to light the thermite than it is to actually make the stuff.
Re:STEP ZERO: (Score:5, Insightful)
I agree, gathering evidence with Windows sucks.
Why don't you use Linux and simply create a drive image straight from the raw device without mounting at all?
Because in court, things can get nasty like this...
Barrister: Did you use a (looks at freshly written note) "write blocker", Mr. Smith?
Forensics guy: No, I did not need to. I refrained from mounting the disk and copied it at a raw block-for-block level (confusing to judge).
Barrister: Yes or No Mr. Smith, did you use a "write blocker".
Forensics guy: No.
Barrister: And a "write blocker" is a forensics industry standard method for preventing contamination of captured evidence? (Judge respects witnesses who respect the court enough to make sure their captured evidence is absolutely accurate and original evidence could not have been altered).
Forensics guy: Yes, but...
Barrister: Mr. Smith, you failed to take a basic precaution to make absolutely certain that the captured evidence was not altered in any way, by using a basic device that is normally a part of the toolkit of a computer forensic professional. Do you possess a "write blocker" Mr. Smith?
Forensics guy: Yes (No).
Barrister: Then WHY did you not use it?! (You ARE a computer forensics professional are you not Mr. Smith?)
Forensics guy: gasp gasp (blush) choke...
The point is, if you are gathering evidence of this sort, then write blockers are tools you should have and always use. All the opposition needs to do is raise doubt. And then you and your client are screwed.
When you take the stand or put on an affidavit, the opposing legal team will attack:
1/ Your findings and the methods you used to get to them.
2/ Your evidence.
3/ Your credibility.
and at a worst case...
4/ Accuse you of tampering with ORIGINAL EVIDENCE which has been tendered to the court!
Not having a write-blocker says, "I am not a computer forensics professional".
Having a write-blocker and not using it says, "I am sloppy and failed to use a simple tool at my disposal to assist the court as best I could".
Whether your evidence is exactly the same as the other forensics experts' is beside the point. They have attacked your credibility and that can go against your findings (even if they are completely correct). You have nothing to gain from not using a write-blocker (which you should already have) and everything to lose. I would love to just capture evidence with FreeBSD and just copy from the raw device. But at the end of the day, the cost of a $500 write-blocker, which you get to use over and over, should be peanuts compared with what you make each day you work on cases that require its use.
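As an added illustration (my code, not the commenter's) of what a "copy from the raw device" without a write blocker has to prove afterwards: the three-hash check (source before, image, source after) run against a constructed file standing in for a device, and the same check catching a stray write to the source during the acquisition. SHA-256 stands in for the MD5 mentioned elsewhere in the thread.

```python
import hashlib
import os
import tempfile

CHUNK = 64 * 1024  # read size for streaming copies and hashes

def sha256_of(path: str) -> str:
    """Stream a file or raw device node through SHA-256; nothing is written."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(CHUNK), b""):
            h.update(block)
    return h.hexdigest()

def acquire(source: str, image: str) -> str:
    """Block-for-block copy of the read-only source into an image file,
    hashing the bytes as they stream past (the acquisition hash)."""
    h = hashlib.sha256()
    with open(source, "rb") as src, open(image, "wb") as dst:
        for block in iter(lambda: src.read(CHUNK), b""):
            h.update(block)
            dst.write(block)
    return h.hexdigest()

def verified_acquisition(source: str, image: str, during=None) -> dict:
    """Three-hash discipline: source before, image, source after. `during` is a
    hook the demo uses to simulate a stray write to the source between the first
    hash and the copy, which is exactly what a hardware write blocker prevents."""
    before = sha256_of(source)
    if during:
        during()
    acq = acquire(source, image)
    after, img = sha256_of(source), sha256_of(image)
    return {"source_before": before, "acquisition": acq, "image": img, "source_after": after,
            "image_matches_original": img == acq == before, "source_unchanged": before == after}

def demo(tamper: bool = False) -> dict:
    """Runs against a constructed 1 MiB 'device' file in a temp dir, not a real disk."""
    with tempfile.TemporaryDirectory() as d:
        src, img = os.path.join(d, "device.raw"), os.path.join(d, "evidence.dd")
        with open(src, "wb") as f:
            f.write(bytes(range(256)) * 4096)
        def stray_write():  # one byte of the evidence changed, e.g. by the OS touching the disk
            with open(src, "r+b") as f:
                f.seek(4096)
                f.write(b"\x01")  # offset 4096 holds 0x00 in the constructed data
        return verified_acquisition(src, img, during=stray_write if tamper else None)
```

In the tampered run the image still matches its own acquisition hash, so the copy itself was faithful, yet neither matches the hash taken before the examiner started; that mismatch is the doubt the cross-examination above is fishing for.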
Linux and juries - bad combination (Score:4, Insightful)
Because once you start blathering on and on under cross-examination about raw devices, MD5 hash integrity, etc., the jury, which will probably consist of morons, will slowly doze off into la la land and blow off everything you are saying.
Much better to spend $500 and tell the jury, "Jethro, Earlene, I got this here special dee-vice that physically prevents tampering."
To quote (fairly accurately IIRC) a juror in the Vioxx trial that just ended, "They started talkin' all that science talk and it was like - wah wah wah wah wah wah" (sound of the Teacher talking from the Charlie Brown videos).
Re:Bigger questions (Score:2, Insightful)
Do you have documented cases where someone was convicted solely on the evidence of files found on a computer? Show us! This would definitely have me worried. But I doubt there could ever be a case.
In order for a forensic investigator to even begin searching your computer, they have to have a good cause to seize it. They won't get a good cause without other evidence that suggests you might have something to hide there.
Even if Mr. Enemy places such evidence on your PC (using info like in this book to make it look convincing) and then goes to the police claiming you are harbouring kiddie porn and he's worried you might be a distributor, they are going to ask how he knows (he saw it / you showed him it on your computer) and if you then say "but Mr. Enemy framed me" it becomes a he-said/she-said and they are going to need more evidence to convict. They won't neglect the possibility that Mr. Enemy placed it there, especially if Mr. Enemy had the access needed (long hours alone with your PC).
It's easy to be paranoid, but I really feel forensics like this is much more helpful in leading to evidence that can convict, rather than being the basis of a conviction itself. And for that I am grateful it's there as a tool.
Re:STEP ZERO: (Score:3, Insightful)
Cause he was otherwise a very cool guy. Standard with-clue geek with other redeeming characteristics... Not everyone who works for Uncle Fed is a mindless drone. Especially this three-letter organization... (Come to think of it, he was leaving Uncle Fed to start his own practice.)
Re:STEP ZERO: (Score:3, Insightful)
I agree with a lot of what you have said. But...
Court cases are all about being most convincing to a judge and sometimes a jury. They typically don't understand the technical issues, so expert witnesses are expected to explain the findings in an accessible manner.
Write-blockers do however work and are expected to be used. There is little to go wrong with a write-blocker/expert combination and a lot more that can go wrong with a software/expert combination.
You do the best for the court and write-blockers provide the best solution for capturing evidence accurately without modifying the original. You can't accurately capture original evidence if the act itself alters it, even if ever so slightly.
What you have to understand though, is that even if you are the best computer forensics expert to have ever walked the Earth, the barristers on the opposing side NEED to find fault with you, your findings and your evidence. They do it for a living and they are really good at it. They can take a small issue and have your evidence and findings thrown out.
Because such a device is a kludge. It is a black-box that cannot be verified and as such is no better than the "black-box" of the operating system.
I would not call the forensic quality write-blockers on the market "a kludge". They perform a basic role to a level that is accepted by the highest courts and experts (the real ones). They are very simple, yet vital. They go a long way to preventing human error.
Moreover, the latter is used and effectively tested by millions whereas only a handful of people purchase such "write blockers".
The software in question is extremely complex and has to be driven by an error prone human. The write-blocker on the other hand, is a very simple device dedicated for one thing and is simply plugged into the drive to be captured.