File System Forensic Analysis 225
nazarijo writes "The field of investigative forensics has seen a huge surge in interest
lately, with many looking to study it because of shows like CSI or the
increasing coverage of computer-related crimes. Some people see a
career opportunity there, and are moving toward computer forensics, marrying
both law enforcement and investigations with their interest in things digital. Central to this field is the study of data storage and recovery, which requires a deep knowledge of how filesystems work. Brian Carrier's new book File System Forensic Analysis covers this topic
with clarity and an uncommon skill." Read on for the rest of Nazario's review.
File System Forensic Analysis | |
author | Brian Carrier |
pages | 600 |
publisher | Addison Wesley Professional |
rating | 9 |
reviewer | Jose Nazario |
ISBN | 0321268172 |
summary | The standard for digital filesystem forensics |
It's easy to think that computer filesystems are relatively simple things. After all, if 'dir' or 'ls' don't show what you're looking for, maybe an undelete program will work. Or will it? To be a decent, trustworthy expert in forensics (a requirement if you plan to participate in any criminal investigations), you'll have to learn how filesystems really operate, how tools like undelete and lazarus work, and how they can be defeated.
Carrier's book isn't a legal book at all, and it doesn't pretend to offer much insight into the law surrounding forensics. Instead it focuses on technical matters, and is sure to be the gold standard in its field. This is important, because it comes at you expecting you to have some knowledge, even if only informal, of what a filesystem contains. With a basic understanding of data structures, you'll get a wealth of information out of this book, and it will be a good reference long after you've first studied it.
File System Forensic Analysis is divided into three sections. These are arranged in the order that you'll want to study them to maximize the benefit you can hope to achieve, namely an understanding of how to examine filesystems for hidden or previously stored data. The first three chapters cover a fundamental series of topics: Digital Investigation Foundations, Computer Foundations, and an introduction to Hard Disk Data Acquisition. While they start at a basic level (e.g. what hexadecimal is), they quickly progress to more developed topics, such as the types of interfaces (SATA, SCSI, IDE), the relationship of the disk to the computer system as a whole, and how data is stored in a file and filesystem at a basic level. A lot of examples given use Linux, due to the raw, accessible nature of UNIX and UNIX-like systems, and the availability of tools like 'dd' to gather data.
Part 2 covers "Volume Analysis," or the organization of files into a storage system. This introduces the basics of things like partition tables (including how to read one). The next few chapters cover PC-based partitions (DOS and Apple), server-based partitions (BSD, Solaris and GPT partitions), and then multiple disk volumes like RAID and logical volumes. With this introduction, the final chapter of the section covers how to use these filesystem descriptions in practice to look for data during analysis. Filesystem layouts, organization, and things like journals and consistency checks are covered with a clarity and exactness that's refreshing for such a detailed topic.
Having covered the basics of filesystems, Part 3 covers the bulk of the book and material. Several chapters follow that specifically show you how to analyze particular filesystems by using their data structures to direct your reads. A range of filesystems are covered, including FAT, NTFS, EXT2 and EXT3, and the BSD types UFS1 and UFS2. Each filesystem has two chapters, one devoted to concepts and analysis, another entirely about data structures. Dividing each filesystem type like this lets Carrier focus first on the theory of each filesystem and its design, and then the practical use of its design to actually understand how to pull data off of it.
The real strength of File System Forensic Analysis lies in Carrier's direct and clear descriptions of the concepts, the completeness of his coverage, and the detail he provides. For example, a number of clear, well-ordered and simple diagrams are peppered throughout the book, explaining everything from allocation algorithms to NTFS alternative data streams. This use of simple diagrams makes the topics more easily understood, so the book's full value can be appreciated. This is the kind of thing that sets a book apart from its peers and makes it a valuable resource for a long time.
Finally, Carrier brings it all together and shows us how many aspects of filesystems can be examined using his "sleuth kit" tools, freely available and easy to use. Without appearing to hawk this tool at the expense of other valuable resources, you get to see how simple and direct filesystem manipulations can be done using a direct approach. This kind of presentation is what makes File System Forensic Analysis a great foundation.
Overall I'm pleased with File System Forensic Analysis, I think that Carrier has achieved what few technical authors do, namely a clear explanation of highly technical topics which retains a level of detail that makes it valuable for the long term. For anyone looking seriously at electronic forensics, this is a must have. I suspect people who are working on filesystem implementations will also want to study it for its practical information about NTFS. Overall, a great technical resource.
You can purchase File System Forensic Analysis from bn.com. Slashdot welcomes readers' book reviews -- to see your own review here, read the book review guidelines, then visit the submission page.
Here is an even better question (Score:2, Interesting)
I do this sometimes... (Score:5, Interesting)
Morally, it's a dark-grey zone, but it payed well and I provided the hard evidence needed to end a few broken marriages. All my former clients are better off after they found the truth.
It was odd explaining to the ladies that the VAST majority of men on the web look at porn, and that it's not anything to worry about. I was looking for personal ads, dating sites, child or extreme porn, and S&M personals sites.
It's exciting to get the call at 8am to come and clone a drive on-site. I then take it home and get what I can from it however I can, from mounting and browsing to hexdumping and grepping.
Re:STEP ZERO: (Score:5, Interesting)
Well, instead of using an OS that does what it damn well wants (like mount all drives read/write by default), why don't you use Linux and simply create a drive image straight from the raw device without mounting at all? Gen an MD5 on the fly to ensure integrity. Use DCFLDD instead of dd for that trick...
Funny story: I was in a training class and the topic turned to forensic analysis. I mentioned that the Air Force wrote a wonderful tool, the previously mentioned DCFLDD. Well, this math geek that I was certain worked for some three-letter outfit turned around and looked at me like I was spewing nuclear launch codes! After I assured him that the Air Force open sourced it (and brought up a download URL on his laptop), he seemed to get the clue...
Since he's also a likely slashdot reader, "Hi Dave!"
Re:I do this sometimes... (Score:3, Interesting)
For a princely sum I began doing 'stealth' missions for many distressed spouses.
I'm glad that I use OS X's encrypted home directory, then. I guess you won't be reading my files. You could change my pass by booting to CD (and then I'd know!) but you still couldn't get to my home dir.
Seriously, you ever run into a Mac that had more than a passing effort made at security, and if so were you able to get around the safeguards? Or did you just sub that out?
fwiw, I guess if they wanted you to testify you wouldn't have much of a leg to stand on--a subpoena is a subpoena, and you would either have to ignore it, respect it but stay silent, or 'fess. All would involve legal fees, and I think it could be construed as not legally admissible evidence. In any event, if I was the husband's divorce lawyer, I would ask you some sharp questions.
Re:The "How To Destroy Your HD" Thread (Score:3, Interesting)
If I had my way, I'd just put a small shapped charge ontop of the harddrive. Small enough to distroy the harddrive (and probably some other stuff in the machine w/ fragmentation) but not big enough to blow up the entire machine. Cases are preety well built now adays, and with some re-enforcement they could take a small shapped explosion (that was not pointed at them). But this is all under the guise that you can get your hands on all this stuff.
What can the real person do to protect themselves is a better question. What quick/distructive meathods are there for the real person.
Morality of Privacy (Score:3, Interesting)
On a more fundamental level, privacy is a conditional right. A person has to behave in order to enjoy it. It is not a shield for wrongdoing. Moreover, in a marriage it is patently obvious that both are willingly giving up privacy. I have fewer qualms with spousal snooping than that on kids or employees.
But beware, the discoveries hurt!
Me, too.. I have done some of this work.. (Score:2, Interesting)
cool stuff.
Me too (Score:3, Interesting)
In this case, I determined that the employee had mounted each partition on the drive to a separate mount point, not in the original structure (such as
It's not as glamorous as extreme porn or personal ads, but it was still interesting.
Re:I do this sometimes... (Score:3, Interesting)
Did you ever find one and have the wife respond, "If I'd known earlier he liked that, I'd have given him all the S&M he wants. No need for him to look elsewhere."
Re:Bigger questions (Score:2, Interesting)
Re:Here is an even better question (Score:3, Interesting)
One of my pet peeves is people who work in technology jobs who are passionate about technology to the point where they will convince a client to go for the latest, most bleeding-edge technologies for their most critical, sensitive, 'must never go down' applications.
I prefer a cautious approach when it involves getting woken up at 3am on a regular basis because some *geek* decided to use something that had never been properly tested, had only just been released, that noone else in the company has ever used, for some production system... thats when I get that murderous blood-rage for people who are 'passionate about technology'.
Re:Having done forensic work... (Score:2, Interesting)
The adrenaline of solving the puzzle and turning up evidence which no other team has been able to prior is pretty awesome too.
I LOVE computer forensics. Nothing on TV comes close to how cool it can be.
Collecting evidence can be boring. But finding evidence that is intentionally hidden in really creative ways is exciting. Being creative in your methods is also fun and VERY VERY cool when it is a method nobody has ever used before for that problem. Especially when others around you are telling you that you are "going about it all wrong" and then it is *your* evidence and findings which become most important to the case.
Re:CSI (Score:3, Interesting)
Computer forensics does not always have to be dull.
You can sometimes do things you ordinarily would not be allowed to do, because you are doing them to "assist the court", sometimes which explicit blessing from the court in the form of a court order. Reverse engineering, network packet analysis, log file analysis, filesystem analysis, cryptography (algorithm deduction, password cracking), statistics, data mining. Using sniffers, hacking tools, debuggers like IDA Pro, getting to use devices not available to the public, etc.
It does not have to be boring. And the more you delve beyond the superficial, the more rewarding it is to find evidence yourself and others had missed.
It can actually be very exciting.
A guide to forensic Analysis (Score:1, Interesting)