File System Forensic Analysis
by Brian Carrier
Addison-Wesley 2005.
ISBN 0-231-26817-2. $49.99. 569 pages; Index ; EoC bibliographies
Reviewed by Robert Bruen Jan 5, 2006
When I first started in the computer business, the only books were manuals published by vendors. Well, maybe there were a few books for sale, but not very many. This made it difficult to figure out problems, especially when I had experiences such as a co-worker salesman who told me that "We are not in the documentation business." We were working for a computer vendor. I moved on expecting the company would have difficulty within a few years. It did. The point of this story is that the need for technical details has always been important in a technical world. It has been most satisfying to see the publishing industry provide good books to fill the void. There is still a problem, however. As technical books appear and new disciplines are created, new people pop into view. Many are new to the field and need to catch up because they do not know the history.
Computer forensics is one of those rediscovered fields. By and large, forensics done on a computer involves the disk [ed. disk == hard drive]. Yes, volatile memory and hardware memory are important, but the bulk of the work will be pulling out information from one or more disks. In the early days, besides being really small, disk were documented in a so-so manner. If you worked closely with them, you learned. As computers spread to the desktop and the desktop was Microsoft territory, most users did not pay attention to the disk details. Thus the structure, operation and drivers were forgotten. This all changed around 2000, when Law Enforcement realized just how much evidence was on these disks. Computer forensics has now become a important career unto itself. The forensics cases I am aware of tend to use packages, for example EnCase in the commercial space, and some great open source packages. Prosecutors tend to analyze a case quickly because they are busy and the case load only goes up. The need for real expertise has been diminished somewhat, due in part to the lack of sophistication on the criminal end.
While the good forensics books are good, they do not go into the details of disks that Carrier does. He is not focusing on forensics as much as he is focusing on file systems and disk structure. I like this book because he is sticking to the expertise end of the game. Gathering the details of the file systems to be presented was not a trivial task. Mastering them so that they could be explained so well had to have been even more difficult. Naturally Carrier spends time with disk acquisition and investigation as a preface to the real technical work. He also includes information on two packages The Sleuth Kit and Autopsy, two very nice, free packages written by him. I use them in my security class for the forensics section. Criminals are getting much more sophisticated. Today's computer forensics specialist need to be just as sophisticated.
The book completely covers FAT, NTFS, Ext2, Ext3, USF1 and USF2. I highly recommend this book for forensics specialists, but also for anyone who wants a proper look at disks. We can all benefit from Carrier's expertise.