REVIEW: "File System Forensic Analysis", Brian Carrier

Discussion in 'Computer Security' started by Rob Slade, doting grandpa of Ryan and Trevor, Aug 8, 2005.

  1. BKFSFRAN.RVW 20050608

    "File System Forensic Analysis", Brian Carrier, 2005, 0-321-26817-2,
    %A Brian Carrier
    %C P.O. Box 520, 26 Prince Andrew Place, Don Mills, Ontario M3C 2T8
    %D 2005
    %G 0-321-26817-2
    %I Addison-Wesley Publishing Co.
    %O U$49.99/C$69.99 416-447-5101 800-822-6339
    %O Audience a- Tech 2 Writing 1 (see revfaq.htm for explanation)
    %P 569 p.
    %T "File System Forensic Analysis"

    The preface states, correctly, that there is little information for
    the forensic investigator on the topic of file system structures and
    internals that are useful for providing direction on tracing and
    tracking information on the disk. The author also notes that there
    are a number of worthwhile texts that address the general topic of
    investigation. Therefore, the author intends to address the former
    rather than the latter. At the same time, there is an implication in
    the initial section that this work is only the merest introduction to
    the subject of computer forensics.

    Part one is aimed at providing foundational concepts. Chapter one, in
    fact, does provide a quick review of the investigation process, and a
    list of forensic software toolkits. A sort of "Computers 101" is in
    chapter two, with a not-terribly-well structured collection of facts
    about data organization, drive types, and so forth, with varying
    levels of detail. Chapter three addresses different factors and
    problems in hard disk data acquisition, although the inventory is
    neither complete nor fully explained.

    Part two deals with the analysis of drive volumes or partitions, with
    chapter four outlining basic structures. DOS (FAT [File Allocation
    Table] and NTFS) and Apple partition details are discussed in chapter
    five. Chapter six reviews various UNIX partitions. Multi-disk
    systems, such as RAID (Redundant Array of Inexpensive Disks) are
    covered in chapter seven.

    Part three delves into the data structures of the file system itself.
    Chapter eight introduces concepts used in considering file systems.
    Details of the FAT system are in chapters nine and ten. A very
    detailed explanation of the disk and file structures of the NTFS
    system, as well as considerations for analysis, is provided in
    chapters eleven to thirteen. The Linux Ext2 and Ext3 structures are
    discussed in chapters fourteen and fifteen. Chapters sixteen and
    seventeen cover the UFS1 and UFS2 schemes, found primarily in BSD
    (Berkeley Systems Distribution) derived versions.

    This book does provide a wealth of detail, once it gets into the
    specifics of partitions and structures. The introductory material,
    writing, and technical level are quite uneven, which makes it
    difficult to use. Still, those seriously involved with the data
    recovery aspect of digital forensics should consider this work a
    valuable resource.

    copyright Robert M. Slade, 2005 BKFSFRAN.RVW 20050608


    ============= for back issues:
    [Base URL] site
    or mirror
    CISSP refs: [Base URL]mnbksccd.htm
    Security Dict.: [Base URL]secgloss.htm
    Book reviews: [Base URL]mnbk.htm
    Review mailing list: send mail to
    Rob Slade, doting grandpa of Ryan and Trevor, Aug 8, 2005
    1. Advertisements

Want to reply to this thread or ask your own question?

It takes just 2 minutes to sign up (and it's free!). Just click the sign up button to choose a username and then you can ask your own questions on the forum.
Similar Threads
  1. darren butts

    VPN Debug - Lost Carrier

    darren butts, Jul 19, 2004, in forum: Cisco
    darren butts
    Jul 19, 2004
  2. Miles
  3. Rob Slade, doting grandpa of Ryan and Trevor

    REVIEW: "Wireless Security End to End", Brian Carter/Russell Shumway

    Rob Slade, doting grandpa of Ryan and Trevor, Nov 24, 2003, in forum: Computer Security
    Rob Slade, doting grandpa of Ryan and Trevor
    Nov 24, 2003
  4. Rob Slade, doting grandpa of Ryan and Trevor

    REVIEW: "Mac OS X Security", Bruce Potter/Preston Norvell/Brian Wotring

    Rob Slade, doting grandpa of Ryan and Trevor, Feb 6, 2004, in forum: Computer Security
    Rob Slade, doting grandpa of Ryan and Trevor
    Feb 6, 2004
  5. No_Problem
    Feb 13, 2007