Slashdot is powered by your submissions, so send in your scoop


Forgot your password?
Data Storage Books Media Security Book Reviews

File System Forensic Analysis 225

nazarijo writes "The field of investigative forensics has seen a huge surge in interest lately, with many looking to study it because of shows like CSI or the increasing coverage of computer-related crimes. Some people see a career opportunity there, and are moving toward computer forensics, marrying both law enforcement and investigations with their interest in things digital. Central to this field is the study of data storage and recovery, which requires a deep knowledge of how filesystems work. Brian Carrier's new book File System Forensic Analysis covers this topic with clarity and an uncommon skill." Read on for the rest of Nazario's review.
File System Forensic Analysis
author Brian Carrier
pages 600
publisher Addison Wesley Professional
rating 9
reviewer Jose Nazario
ISBN 0321268172
summary The standard for digital filesystem forensics

It's easy to think that computer filesystems are relatively simple things. After all, if 'dir' or 'ls' don't show what you're looking for, maybe an undelete program will work. Or will it? To be a decent, trustworthy expert in forensics (a requirement if you plan to participate in any criminal investigations), you'll have to learn how filesystems really operate, how tools like undelete and lazarus work, and how they can be defeated.

Carrier's book isn't a legal book at all, and it doesn't pretend to offer much insight into the law surrounding forensics. Instead it focuses on technical matters, and is sure to be the gold standard in its field. This is important, because it comes at you expecting you to have some knowledge, even if only informal, of what a filesystem contains. With a basic understanding of data structures, you'll get a wealth of information out of this book, and it will be a good reference long after you've first studied it.

File System Forensic Analysis is divided into three sections. These are arranged in the order that you'll want to study them to maximize the benefit you can hope to achieve, namely an understanding of how to examine filesystems for hidden or previously stored data. The first three chapters cover a fundamental series of topics: Digital Investigation Foundations, Computer Foundations, and an introduction to Hard Disk Data Acquisition. While they start at a basic level (e.g. what hexadecimal is), they quickly progress to more developed topics, such as the types of interfaces (SATA, SCSI, IDE), the relationship of the disk to the computer system as a whole, and how data is stored in a file and filesystem at a basic level. A lot of examples given use Linux, due to the raw, accessible nature of UNIX and UNIX-like systems, and the availability of tools like 'dd' to gather data.

Part 2 covers "Volume Analysis," or the organization of files into a storage system. This introduces the basics of things like partition tables (including how to read one). The next few chapters cover PC-based partitions (DOS and Apple), server-based partitions (BSD, Solaris and GPT partitions), and then multiple disk volumes like RAID and logical volumes. With this introduction, the final chapter of the section covers how to use these filesystem descriptions in practice to look for data during analysis. Filesystem layouts, organization, and things like journals and consistency checks are covered with a clarity and exactness that's refreshing for such a detailed topic.

Having covered the basics of filesystems, Part 3 covers the bulk of the book and material. Several chapters follow that specifically show you how to analyze particular filesystems by using their data structures to direct your reads. A range of filesystems are covered, including FAT, NTFS, EXT2 and EXT3, and the BSD types UFS1 and UFS2. Each filesystem has two chapters, one devoted to concepts and analysis, another entirely about data structures. Dividing each filesystem type like this lets Carrier focus first on the theory of each filesystem and its design, and then the practical use of its design to actually understand how to pull data off of it.

The real strength of File System Forensic Analysis lies in Carrier's direct and clear descriptions of the concepts, the completeness of his coverage, and the detail he provides. For example, a number of clear, well-ordered and simple diagrams are peppered throughout the book, explaining everything from allocation algorithms to NTFS alternative data streams. This use of simple diagrams makes the topics more easily understood, so the book's full value can be appreciated. This is the kind of thing that sets a book apart from its peers and makes it a valuable resource for a long time.

Finally, Carrier brings it all together and shows us how many aspects of filesystems can be examined using his "sleuth kit" tools, freely available and easy to use. Without appearing to hawk this tool at the expense of other valuable resources, you get to see how simple and direct filesystem manipulations can be done using a direct approach. This kind of presentation is what makes File System Forensic Analysis a great foundation.

Overall I'm pleased with File System Forensic Analysis, I think that Carrier has achieved what few technical authors do, namely a clear explanation of highly technical topics which retains a level of detail that makes it valuable for the long term. For anyone looking seriously at electronic forensics, this is a must have. I suspect people who are working on filesystem implementations will also want to study it for its practical information about NTFS. Overall, a great technical resource.

You can purchase File System Forensic Analysis from Slashdot welcomes readers' book reviews -- to see your own review here, read the book review guidelines, then visit the submission page.
This discussion has been archived. No new comments can be posted.

File System Forensic Analysis

Comments Filter:
  • STEP ONE (Score:5, Funny)

    by jos3000 ( 202805 ) on Tuesday August 30, 2005 @02:29PM (#13438201) Homepage
    Don't forget to mount the drive as read only!
    • Make a bit for bit duplicate.
    • Don't forget to mount the drive (physically) first.
      • I, for one, do not want to know about your personal life. Thanks.
      • > Don't forget to mount the drive (physically) first.

        And if you can't securely delete or deniably encrypt your pictures of that step, you deserve whatever punishment the geeks in the forensic lab can nail you with. Dude, sick!

    • STEP ZERO: (Score:5, Informative)

      by abb3w ( 696381 ) on Tuesday August 30, 2005 @02:49PM (#13438376) Journal
      Make sure by ordering the right adapter [] for doing forensic's work that Your Young Apprentice (or PFY) can't screw this up. A read-only adapter means the drive can't be mounted rewritably. No, it's not cheap. But what's $500 to the assurance that your evidence chain is prevented from fuckup at the hardware level?

      And no, I don't work for these people. I just think they make some nifty geek toys.

      No, that's not why I have SCSI drives on my home server. Honest; it's for the RAID performance....

      • Re:STEP ZERO: (Score:5, Interesting)

        by pegr ( 46683 ) on Tuesday August 30, 2005 @03:28PM (#13438667) Homepage Journal
        Make sure by ordering the right adapter for doing forensic's work that Your Young Apprentice (or PFY) can't screw this up.
        Well, instead of using an OS that does what it damn well wants (like mount all drives read/write by default), why don't you use Linux and simply create a drive image straight from the raw device without mounting at all? Gen an MD5 on the fly to ensure integrity. Use DCFLDD instead of dd for that trick...
        Funny story: I was in a training class and the topic turned to forensic analysis. I mentioned that the Air Force wrote a wonderful tool, the previously mentioned DCFLDD. Well, this math geek that I was certain worked for some three-letter outfit turned around and looked at me like I was spewing nuclear launch codes! After I assured him that the Air Force open sourced it (and brought up a download URL on his laptop), he seemed to get the clue...
        Since he's also a likely slashdot reader, "Hi Dave!" ;)
        • Funny story

          You keep using that word. I do not think it means what you think it means.

          • Funny story

            You keep using that word. I do not think it means what you think it means.

            Guess you had to be there...
        • Why is it always a Dave?
        • Re:STEP ZERO: (Score:2, Informative)

          by COMON$ ( 806135 )
          Why use an OS at all, there are plenty of imagemasters out there logicube has some nice ones that I have used personally. Sure they are pricey but you can do whatever you want to the cloned drive, mount it, run its OS to see what kind of setup the offender had, rip out items, delete, add run hashes, whatever you want and not worry about hurting the original drive sitting across the room from you in an antistatic bag.
        • Yeah, and then like the parent said, the new guy confuses 'if' and 'of' and bye-bye evidence... does the AF tool have some reasonable sanity checks?
          • The tool is dd that automagically pipes the data stream through a checksummer to generate an md5/sha1/sha128/sha256 (IIRC) on a specified windowsize (from one 512b block to the entire device/file).

            There is nothing special as far as what is/is not a valid source/destination device.

        • Re:STEP ZERO: (Score:5, Insightful)

          by Shanep ( 68243 ) on Tuesday August 30, 2005 @05:58PM (#13439785) Homepage
          Well, instead of using an OS that does what it damn well wants (like mount all drives read/write by default),

          I agree, gathering evidence with Windows sucks.

          why don't you use Linux and simply create a drive image straight from the raw device without mounting at all?

          Because in court, things can get nasty like this...

          Barrister: Did you use a (looks at freshly written note) "write blocker", Mr. Smith?
          Forensics guy: No, I did not need to. I refrained from mounting the disk and copied it at a raw block-for-block level (confusing to judge).
          Barrister: Yes or No Mr. Smith, did you use a "write blocker".
          Forensics guy: No.
          Barrister: And a "write blocker" is a forensics industry standard method for preventing contamination of captured evidence? (Judge respects witnesses who respect the court enough to make sure their captured evidence is absolutely accurate and original evidence could not have been altered).
          Forensics guy: Yes, but...
          Barrister: Mr. Smith, you failed to take a basic precaution to make absolutely certain that the captured evidence was not altered in any way, by using a basic device that is normally a part of the toolkit of a computer forensic professional. Do you posess a "write blocker" Mr. Smith?
          Forensics guy: Yes (No).
          Barrister: Then WHY did you not use it?! (You ARE a computer forensics professional are you not Mr. Smith?)
          Forensics guy: gasp gasp (blush) choke...

          The point is, if you are gathering evidence of this sort, then write blockers are tools you should have and always use. All the opposition needs to do is raise doubt. And then you and your client are screwed.

          When you take the stand or put on an affidavit, the opposing legal team will attack:

          1/ Your findings and the methods you used to get to them.
          2/ Your evidence.
          3/ You credibility.

          and at a worst case...

          4/ Accuse you of tampering with ORIGNAL EVIDENCE which has been tendered to the court!

          Not having a write-blocker says, "I am not a computer forensics professional".

          Having a write-blocker and not using it says, "I am sloppy and failed to use a simple tool at my disposal to assist the court as best I could".

          Whether your evidence is exactly the same as the other forensics experts is beside the point. They have attacked your credibility and that can go against your findings (even if they are completely correct). You have nothing to gain from not using a write-blocker (which you should already have) and everything to loose. I would love to just capture evidence with FreeBSD and just copy from the raw device. But at the end of the day, the cost of a $500 write-blocker, which you get to use over and over, should be peanuts compared with what you make each day you work on cases which requires its use.
        • by wsanders ( 114993 ) on Tuesday August 30, 2005 @06:00PM (#13439801) Homepage
          > why don't you use Linux and simply create a drive image straight from the raw device without mounting at all

          Because once you start blathering on and on under cross-examination about raw devices, MD5 hash integrity, etc., the jury, which will probably consist of morons, will slowly doze off into la la land and blow off evrything you are saying.

          Much better to spend $500 and tell the jury, "Jethto, Earlene, I got this here special dee-vice that physically prevents tampering."

          To quote (fairly accurately IIRC) a juror in the Vioxx trial that just ended, "They started talkin' all that science talk and it was like - wah wah wah wah wah wah" (sound of the Teacher talking from the Charlie Brown videos).
      • No, that's not why I have SCSI drives on my home server.

        There are plenty of SCSI write blockers out there.
      • Don't a lot of drives have a Read-Only jumper these days?
  • CSI (Score:5, Insightful)

    by Seumas ( 6865 ) * on Tuesday August 30, 2005 @02:32PM (#13438234)
    Why in the hell would you choose a dull career like forensic investigation based on a TV show? That would be like becoming a cop because you want to be like Dirty Harry. How many of these gits go into college for this kind of career, because they think it's going to be exciting and they're going to discover the case-cracking evidence in a few hours, grab their gun and go make an arrest?

    • How long will it be before there are a million "IT Forensics" certification mills out there advertising on the radio to knuckle-dragging GEDs to come get certified and make $$$ in this "HOT, NEW, EXCITING INDUSTRY!!!"
      • Will they have to have wavy blonde hair and wear pink polo shirts and go to Brown College? :P

        That's probably one of my bigger pet peeves. People in technology jobs who are not passionate about technology. You see it all the time, unfortunately. You don't have to be passionate about your current job - but you should be passionate about tech.

        I mean, you wouldn't go into teaching if you didn't care about teaching, right? (At least, initially).
        • The computer industry could use an infinite number of women with wavy blonde hair, pink polo shirts, and a good education, as far as I'm concerned.
        • "That's probably one of my bigger pet peeves. People in technology jobs who are not passionate about technology."

          One of my pet peeves is people who work in technology jobs who are passionate about technology to the point where they will convince a client to go for the latest, most bleeding-edge technologies for their most critical, sensitive, 'must never go down' applications.

          I prefer a cautious approach when it involves getting woken up at 3am on a regular basis because some *geek* decided to use something
          • your passion is dead. the passionate people are more than happy to be waken up at 3am if something has gone wrong
            • "the passionate people are more than happy to be waken up at 3am if something has gone wrong"

              And they are usually the people who cause the problem in the first place.

              When you work with sensitive systems they should *not* go wrong at 3am.

              It should never be a *happy time* to get up at 3am to fix something. You should get mad as hell, fix it then make sure that it doesn't break again.

              If you are *happy* to get up at 3am to fix it, you have less incentive to make sure it doesn't happen again.

              Eager Beavers typica
              • I'm not saying you should be excited and happy to be getting waken up at 3am to fix something. You make it sound like there is a conflict of interest. Of course its frustrating and inconvenient to have to do this. However, the passionate person puts the features and functionality of modern software before his selfish desire to never be bothered.

                You sound like the sort of grump who would deploy 10 year old feature-lacking constrictive software, because you are unwilling to be bothered to learn the idiosyncra
    • Re:CSI (Score:5, Funny)

      by Brento ( 26177 ) <{brento} {at} {}> on Tuesday August 30, 2005 @02:39PM (#13438298) Homepage
      That would be like becoming a cop because you want to be like Dirty Harry.

      Or becoming a hacker because I wanted to meet Sandra Bullock. Man, what a time-waster this has turned out to be.
      • by garcia ( 6573 ) *
        Or becoming a hacker because I wanted to meet Sandra Bullock. Man, what a time-waster this has turned out to be.

        Too bad your mom wouldn't let you buy that motorcycle [] eh?
      • Re:CSI (Score:3, Funny)

        by jpostel ( 114922 )
        I wanted to meet Angelina Jolie... I should have become a cambodian orphan instead.
      • "Or becoming a hacker because I wanted to meet Sandra Bullock. Man, what a time-waster this has turned out to be."

        Which reminds me of that recent movie poster of her... I could have sworn that Sandra had cleavage. What, did they airbrush it out or was I imagining things in the first place?
    • Re:CSI (Score:3, Insightful)

      by abb3w ( 696381 )
      Why in the hell would you choose a dull career like forensic investigation based on a TV show?

      Or engineering? After all, if ya canna change the laws of physics, where's the fun in it?

      Monkey see, monkey do....

    • by bradleyland ( 798918 ) on Tuesday August 30, 2005 @03:43PM (#13438751)
      Honestly, this job is probably the coolest I've done. We get the run of any joint we enter. We get to crack people's passwords, read their stuff, and pry into the details that they're trying to hide.

      Outside of the unreal timeframe, it is a bit like television. I've been on location at 1 AM acquiring hard drives so that the debtor principles didn't know what we were doing. Walking through the data center with my mag light at that hour of the morning comes pretty close to that feeling you get when you watch CSI on TV. Most of the time, we tell the people on location we're making "backups" of the data so that we can preserve the data in the event of a crash. There's definitely a social element to forensic work (at least in bankruptcy cases).

      A typical acquisition may go something like this:

      You set up, pull your forms, start noting observations, pull the drives, hook them up to the little black box connected to your laptop's firewire port (a write-blocker), and start having a look at the data. If you've got what you're looking for, you acquire the drive and put everything back together. Boot it all up and be on your way.

      You may be doing this in the CEO's office, or in the data center looking for a mail server. The top officers are usually the most important, since they have the most important correspondence and data.

      It's a fun job. It's every bit as exciting as what you see on television (for once).
      • by Anonymous Coward
        Honestly, this job is probably the coolest I've done.

        The adrenaline of solving the puzzle and turning up evidence which no other team has been able to prior is pretty awesome too.

        I LOVE computer forensics. Nothing on TV comes close to how cool it can be.

        Collecting evidence can be boring. But finding evidence that is intentionally hidden in really creative ways is exciting. Being creative in your methods is also fun and VERY VERY cool when it is a method nobody has ever used before for that problem. Especial
    • It's almost like choosing a president based on what you see on TV...

      But seriously, imagination is an important part of human life. I've made a lot of important choices based on my perceptions and ideals that were pretty ignorant and idyllic. Of course real life is boring. I will probably stay within the same 50 mile radius for most of my life. I will eat the same things over and over again. I will only really know a handleful of people. I will pass by the same strangers everyday. And my job doesn't r
    • Re:CSI (Score:3, Informative)

      Why in the hell would you choose a dull career like forensic investigation...

      As opposed to an exciting career, like computer programming?

      Seriously, I do a lot of programming as part of my job, and perhaps the most fun I have at work is when some luser decides to fuck with us and I get assigned to track down as much information as possible about this person's activity on our network.

      If I ever had to find another job, I'd seriously consider getting into computer forensics, or the FBI computer investigation d
    • Re:CSI (Score:3, Interesting)

      by Shanep ( 68243 )
      Why in the hell would you choose a dull career like forensic investigation based on a TV show?

      Computer forensics does not always have to be dull.

      You can sometimes do things you ordinarily would not be allowed to do, because you are doing them to "assist the court", sometimes which explicit blessing from the court in the form of a court order. Reverse engineering, network packet analysis, log file analysis, filesystem analysis, cryptography (algorithm deduction, password cracking), statistics, data mining. U
  • I might get this (Score:5, Insightful)

    by L. VeGas ( 580015 ) on Tuesday August 30, 2005 @02:40PM (#13438307) Homepage Journal
    This sounds really interesting. I've been fascinated for a while with how the file / folder metaphor has become so entrenched that people have a difficult time imagining any other way of thinking about it.

    As the OS has become more sophisticated, most computer users now never see things like a disk defrag. They really think that there is a file, all in one spot in their computer, that sits literally next to other files in the same folder. The idea that you can recover a file that has been "deleted" seems like deep wizardry, with no thought to the more impressive wizardry that makes "files" out of pieces of metal with a magnet.
    • I was more interested in a story that recently appeared on CourtTV's Forensic Files. It was about the first known (at least what they claim as such) forensic analysis of computer disks that had been cut (with pinking shears).

      From their website []:

      "Shear" Luck"

      When the wife of an Air Force Sergeant is found dead on a Philippines air base, investigators are baffled. With no leads and no new suspects, they are forced to re-examine the man they suspected all along. Using a pioneering technique in computer forensi
      • Back in the 5 1/4" floppy days the media on HDDs was crude enough that you could stain the platter with a special chemical and examine the orientation (well probably the *magnetic* not physical orientation) of the magnetic particles with a microscope.

        I am sure a similar technology could exist today, deep in the skunk works of some three-letter-agency.
        • Oh, you can hire these guys [] or someone like them to use their scanning electron microscopes to map out the electrons. They can recover several layers of files, even after being deleted/overwritten/zeroed if not done thoroughly enough. Just hope you have over $100k per disk...
    • It's really profitable... I was charging $200 an hour. Spent a ton of time digging around on a bunch of CDs, a hard drive and thru a couple of email inboxes. Plus my client had a key logger.

      cool stuff.
  • by sidney ( 95068 ) on Tuesday August 30, 2005 @02:43PM (#13438335) Homepage
    For alternate opinions on the book see this review by Rob Slade [] in RISKS Digest, and this short rebuttal of Slade's review [] by Simson Garfinkle.
  • by Anonymous Coward
    I suggest getting: Incident Response (Kevin Mandia and Chris Prosize) and also Computer Forensics (Warren G. Kruse and Jay G. Heiser). Both are an excellent read, and the Mandia book has some wonderful documents to use for real-life situations.
  • by Red Flayer ( 890720 ) on Tuesday August 30, 2005 @02:50PM (#13438389) Journal
    In all, a good review of the book. However, the focus on forensics is left out of the review -- just wanted to point out that the book is more than a text on file system management, search, and data recovery.

    Although, of course, the book does a very good job of being that as well.
  • by museumpeace ( 735109 ) on Tuesday August 30, 2005 @03:05PM (#13438504) Journal
    a series of how-tos and standards docs []
    At the behest of the DOJ, NIST has been grinding out standards on how to forensically analyze a hard drive an other arcana for several years now.

    NIST even provides tools: []
  • by Bnderan ( 801928 ) on Tuesday August 30, 2005 @03:05PM (#13438508)
    I will look forward to watching SCSI-Miami.
  • by tacokill ( 531275 ) on Tuesday August 30, 2005 @03:06PM (#13438512)
    I know that encryption is a topic unto itself but it is becoming more and more common for people to create PGP Disks or DriveCrypt disks.

    How do those things fit into this topic? I mean, the filesystem stuff is great and interesting but it doesn't seem to do any good if all you can recover is a PGP Disk file*.

    Can someone much smarter than me tell me how data forensics deals with that????

    * PGP Disk: a pgp encrypted file that can be mounted as a drive letter. It is, literally, a file just sitting there on your harddrive. You mount the file (after providing the secret passphrase) and voila! - you now have an encrypted drive to copy files in and out of.
    • > tell me how data forensics deals with [a PGP Disk file]?

      First you recover the PGP Disk file, using the sorts of techniques discussed in the book this review covers. Then you apply cryptanalysis, using the sorts of techniques discussed in cryptography and cryptanalysis books.
    • Can someone much smarter than me tell me how data forensics deals with that????

      You also recover the swap file / partition and grep it for passphrases. Because even though PGP is pretty good :-) about keeping things out of swap, "grep the swap file" is probably the next thing to do after a dictionary attack fails.
      • What if I don't have a swap partition? With memory prices being so low these days, who needs swap anymore? Personally I'm happy with my 1 GB of real RAM. When I'll need more, an extra GB can be had for the price of a dinner at a fancy restaurant...
    • They'll start with a brute-force of the passphrase. Many people choose foolishly short passphrases.

      Then comes the rubber hose []. Basically, they just beat the key out of you.

      Forget the cryptanalysis stuff. That takes too long, and unless the subject is dead or it has to be covert, this is much faster.

  • by MarcQuadra ( 129430 ) * on Tuesday August 30, 2005 @03:06PM (#13438513)
    I do 'forensics' sometimes. I was freelance fixing computers for a while when one of my clients asked me to find out what her husband was doing online. For a princely sum I began doing 'stealth' missions for many distressed spouses. I uncovered a lot of dirt and presented it with the understanding that I never be named or asked to testify.

    Morally, it's a dark-grey zone, but it payed well and I provided the hard evidence needed to end a few broken marriages. All my former clients are better off after they found the truth.

    It was odd explaining to the ladies that the VAST majority of men on the web look at porn, and that it's not anything to worry about. I was looking for personal ads, dating sites, child or extreme porn, and S&M personals sites.

    It's exciting to get the call at 8am to come and clone a drive on-site. I then take it home and get what I can from it however I can, from mounting and browsing to hexdumping and grepping.
    • by Dogtanian ( 588974 ) on Tuesday August 30, 2005 @03:28PM (#13438666) Homepage
      I was looking for personal ads, dating sites, child or extreme porn

      What the heck is 'extreme porn'?!

      People f*****g on snowboards at 120MPH? Some naked chick with massive fake breasts doing skateboard stunts on a halfpipe while guys standing at the top on each side try to bukakke her while she's paused in mid-air?

      "It's not XXX rated.... it's XXXTREME rated!"
    • Don't get to uptight about explaining to the ladies that men look at porn online, they have a darker secret.

      The fact most men are blind to is that the ladies have online boyfriends they chat with all day long.
      • True. Infidelity is hardly a male-only activity. Females indulge about 2/3rds as often (odd disparity--with whom?), but are always more careful because of larger consequences.

    • For a princely sum I began doing 'stealth' missions for many distressed spouses.

      I'm glad that I use OS X's encrypted home directory, then. I guess you won't be reading my files. You could change my pass by booting to CD (and then I'd know!) but you still couldn't get to my home dir.

      Seriously, you ever run into a Mac that had more than a passing effort made at security, and if so were you able to get around the safeguards? Or did you just sub that out?

      fwiw, I guess if they wanted you to testify you wou

      • Ok, fine. Boot to CD, Modify the Kernel [] (log the first 5 minutes of keystrokes, perhaps?), and come back in a few days.

        Depending on your state's laws, there is a very good chance that if you are married, the computer is just as much hers as yours.
    • Morality of Privacy (Score:3, Interesting)

      by redelm ( 54142 )
      You may be concerned that you violated someone's privacy. I would not be. You did not get anything that wouldn't be discoverable during divorce proceedings.

      On a more fundamental level, privacy is a conditional right. A person has to behave in order to enjoy it. It is not a shield for wrongdoing. Moreover, in a marriage it is patently obvious that both are willingly giving up privacy. I have fewer qualms with spousal snooping than that on kids or employees.

      But beware, the discoveries hurt!

    • Me too (Score:3, Interesting)

      by ari_j ( 90255 )
      For a law firm, I investigated a drive that had been stolen by a former employee. The drive had been recovered, and my task was to determine what he had done with it and whether he had taken or tampered with any of the intellectual property on the drive. It paid very handsomely for the amount of work involved, and it was an intellectual challenge. That said, this book may have made it easier (I didn't read the review in-depth or the book itself, but I assume it wouldn't make the task more difficult).

    • ...and S&M personals sites.

      Did you ever find one and have the wife respond, "If I'd known earlier he liked that, I'd have given him all the S&M he wants. No need for him to look elsewhere."

      • "I'd be happy to beat the crap out of him!"
        • That wasn't exactly what I was thinking of, but it works. I was thinking more in terms of a masochistic husband never realizing that his wife has sadistic tendencies, or a submissive man who didn't know his wife had always wanted to be a dominatrix. You wouldn't think it would happen, but if both are a bit inhibited about their secret desires it could be.
  • Related Links (Score:4, Informative)

    by jkitchel ( 615599 ) <> on Tuesday August 30, 2005 @03:17PM (#13438588)
    Related links:
    Digital Forensic Tool Testing Images []
    Brian's Tools [] - Includes links to SleuthKit and Autopsy
    Forensic Tool Kit free trial []

    FTK is a nice tool to play around with for Windows users, especially with the testing images. The free trial does have a limit of 5,000 files per image so if you create or work on testing images you may have to get rid of extraneous junk and leave the good stuff. SleuthKit and Autopsy are great for the *nix environment. After you get those tools working you might give Scan of the Month challenges 24 [] and 26 [] from The Honeynet Project []a shot. They're both pretty fun and challenging. Don't worry if you don't know what you're doing. Both of the challenges have writeups done on how to accomplish the tasks and what tools were used if you need guidance.
    • Re:Related Links (Score:3, Informative)

      by Stibidor ( 874526 )
      Another nifty tool from AccessData that plugs nicely into the FTK is the Registry Viewer []. Using the FTK you can find all the Windows registry files on the drive. The Registry Viewer (obviously) will open them and allow you to view just about any key/value including encrypted keys like the Protected Storage (Internet Explorer autofill and Outlook/Outlook Express saved passwords).

      Since I enjoy tooting my own horn from time to time, the information referenced in this article [] was obtained by me and my co-w
  • by davidwr ( 791652 ) on Tuesday August 30, 2005 @03:24PM (#13438644) Homepage Journal
    Crooks who are "smart" are going to encrypted systems and making darn sure there's no unencrypted writable storage lying around. This, plus tamper-evident computer including tamper-evident keyboard and keyboard-connectors and a faraday cage makes it very hard on the police.

    Can you say "boot with Suse Live CD and encrypt /dev/hda"? I knew you could.

    This only works in jurisdictions that can't force you to reveal your passphrase. In those jurisdictions, smart crooks outsource thier IT to North Korea :).

    That still leaves plenty of forensics work for criminals using other people's computers such as white-collar crooks and the 99% of crooks who aren't smart.
  • Is anyone still in the business of data recovery for badly crashed hard drives? Like after a headcrash, or being repeatedly smashed inside a notebook during a botched mugging? I used to use a few companies in Manhattan's Financial District, but they're all gone. First they moved to Jersey, now there's no trace. I guess their Financial biz customers all decided, after years of paying $500 per recovery, several times a week, to take out the "backup insurance" their IT was always recommending. So demand dried
  • So, was the author somehow able to get more in-depth documentation on NTFS than the Linux NTFS driver developers have?

    I'd love to see reliable and fast NTFS writing capability in Linux without having to use Captive-NTFS. Maybe the developers should buy a copy of this book.

    • So, was the author somehow able to get more in-depth documentation on NTFS than the Linux NTFS driver developers have?

      Why would he need it? The current Linux NTFS driver already has was he needs -- reading.

      When you're doing any sort of analysis or data recovery of a disk, the first rule is you don't write to the disk. You copy everything somewhere else, preferably bit by bit, then disconnect the original, and then mount the copy of the original, read only and work on it, copying what you recover

      • He wouldn't; where did I say that he did?

        I was wondering if the NTFS driver developers for the Linux kernel might find this documentation useful in order to enable NTFS writing in Linux, finally. My question had nothing to do with data recovery and everything to do with the fact that apparently somebody has finally documented NTFS.

        • that apparently somebody has finally documented NTFS.

          I haven't read the book, but I doubt the author has any more information on the NTFS file formats than the Linux NTFS driver developers.

          He doesn't need to know any more than they do to recover data off the disk. In fact, it may be that the author learned everything he needed to know about the NTFS file system by reading the Linux NTFS driver source code and any associated reverse-engineered documentation.

          Actually, you can recover a lot of dat

  • Bigger questions (Score:4, Insightful)

    by cpu_fusion ( 705735 ) on Tuesday August 30, 2005 @04:21PM (#13438994)
    Rather than being so worried about what is there or not, the deeper and far more difficult question is: why is it there?

    With the existence of zero-day exploits, spyware-zombies-for-sale, broadband, etc., how can anyone convince a jury beyond a reasonable doubt that someone put the bits there THEMSELF without a confession or video of them actually putting the content there?

    People are going to jail because of this shit. Digital evidence is an oxymoron.
    • Re:Bigger questions (Score:2, Interesting)

      by BosHaus ( 629060 )
      If you just have a random file or image of kiddie porn, I don't think that you can prove anything. But if you are looking and see file histories, downloading programs, gigs of data, etc that all point to something illegal, then you can make a case. I would doubt any spyware or zombie would actually go through the trouble of creating the whole path of crime.
      • The problem with your argument is that if one file can be written to your hard drive thanks to a compromised system, any number can be written.

        What's even better is that the hacker can erase all their tracks.

        Bits are bits. You can't very well determine WHY those bits are there. Whether an individual went through the steps to download the bits themselves, over the course of weeks, or they got dumped there in one pass by someone in China over your broadband connection.

        It could happen to ANYONE READING THIS.
        • It is an interesting question, "how did it get there?". I feel confident that I could not be framed convincingly, merely by somebody placing contraband on my PC and making it look like I did it, because if the judge/jury don't ask this question, my defence lawyer would. I fail to see how I could be convicted unless there were additional evidence (such as a trail showing how I got the file, or money transfers showing my purchase, or survailance showing me collecting CD's of kiddie porn from some supplier w

User hostile.