book

File System Forensic Analysis

Name: File System Forensic Analysis
Author: Brian Carrier
ISBN: 0321268172

by Brian Carrier

March 2005

Beginner to intermediate

600 pages

16h 26m

English

Addison-Wesley Professional

Read now

Unlock full access

About This eBook
Title Page
Copyright Page
Dedication Page
Contents
Foreword
Preface
RoadmapScope of BookResources
Acknowledgments
Part I: Foundations
1. Digital Investigation Foundations
Digital Investigations and EvidenceDigital Crime Scene Investigation ProcessSystem Preservation PhaseEvidence Searching PhaseEvent Reconstruction PhaseGeneral GuidelinesData AnalysisAnalysis TypesEssential and Nonessential DataOverview of ToolkitsEnCase by Guidance SoftwareForensic Toolkit by AccessDataProDiscover by Technology PathwaysSMART by ASR DataThe Sleuth Kit / AutopsySummaryBibliography

2. Computer Foundations
Data OrganizationBinary, Decimal, and HexadecimalData SizesStrings and Character EncodingData StructuresFlag ValuesBooting ProcessCentral Processing Units and Machine CodeBoot Code LocationsHard Disk TechnologyHard Disk Geometry and InternalsATA / IDE InterfaceTypes of Sector AddressesBIOS versus Direct AccessSCSI DrivesSummaryBibliography
3. Hard Disk Data Acquisition
IntroductionGeneral Acquisition ProcedureData Acquisition LayersAcquisition Tool TestingReading the Source DataDirect versus BIOS AccessDead versus Live AcquisitionError HandlingHost Protected AreaDevice Configuration OverlayHardware Write BlockersSoftware Write BlockersWriting the Output DataDestination LocationImage File FormatCompressing the Image FileNetwork-based AcquisitionIntegrity HashesA Case Study Using ddInput SourcesHPAOutput DestinationsError HandlingCryptographic HashesSummaryBibliography
Part II: Volume Analysis
4. Volume Analysis
IntroductionBackgroundVolume ConceptsGeneral Theory of PartitionsUsage of Volumes in UNIXGeneral Theory of Volume AssemblySector AddressingAnalysis BasicsAnalysis TechniquesConsistency ChecksExtracting the Partition ContentsRecovering Deleted PartitionsSummary
5. PC-based Partitions
DOS PartitionsGeneral OverviewData StructuresAnalysis ConsiderationsSummaryApple PartitionsGeneral OverviewData StructuresAnalysis ConsiderationsSummaryRemovable MediaBibliography
6. Server-based Partitions
BSD PartitionsGeneral OverviewData StructuresAnalysis ConsiderationsSummarySun Solaris SlicesGeneral OverviewSparc Data Structuresi386 Data StructuresAnalysis ConsiderationsSummaryGPT PartitionsGeneral OverviewData StructuresAnalysis ConsiderationsSummaryBibliography
7. Multiple Disk Volumes
RAIDRAID LevelsHardware RAIDSoftware RAIDGeneral Analysis CommentsSummaryDisk SpanningOverviewLinux MDLinux LVMMicrosoft Windows LDMBibliography
Part III: File System Analysis
8. File System Analysis
What Is a File System?Data CategoriesEssential and Non-Essential DataAnalysis by CategoryFile System CategoryAnalysis TechniquesContent CategoryGeneral InformationAnalysis TechniquesWiping TechniquesMetadata CategoryGeneral InformationAnalysis TechniquesFile Name CategoryGeneral InformationAnalysis TechniquesWiping TechniquesApplication CategoryFile System JournalsApplication-level Search TechniquesApplication-based File Recovery (Data Carving)File Type SortingSpecific File SystemsSummaryBibliography
9. FAT Concepts and Analysis
IntroductionFile System CategoryAnalysis TechniquesAnalysis ConsiderationsAnalysis ScenarioContent CategoryAllocation AlgorithmsAnalysis TechniquesAnalysis ConsiderationsAnalysis ScenarioMetadata CategoryAllocation AlgorithmsAnalysis TechniquesAnalysis ConsiderationsAnalysis ScenariosFile Name CategoryAllocation AlgorithmsAnalysis TechniquesAnalysis ConsiderationsAnalysis ScenariosThe Big PictureFile Allocation ExampleFile Deletion ExampleOther TopicsFile RecoveryDetermining the TypeConsistency CheckSummaryBibliography
10. FAT Data Structures
Boot SectorFAT32 FSINFOFATDirectory EntriesLong File Name Directory EntriesSummaryBibliography
11. NTFS Concepts
IntroductionEverything is a FileMFT ConceptsMFT Entry ContentsMFT Entry AddressesFile System Metadata FilesMFT Entry Attribute ConceptsAttribute HeadersAttribute ContentStandard Attribute TypesOther Attribute ConceptsBase MFT EntriesSparse AttributesCompressed AttributesEncrypted AttributesIndexesB-TreesNTFS Index AttributesAnalysis ToolsSummaryBibliography
12. NTFS Analysis
File System Category$MFT File Overview$MFTMirr File Overview$Boot File Overview$Volume File Overview$AttrDef File OverviewExample ImageAnalysis TechniquesAnalysis ConsiderationsAnalysis ScenarioContent CategoryClusters$Bitmap File Overview$BadClus File OverviewAllocation AlgorithmsFile System LayoutAnalysis TechniquesAnalysis ConsiderationsAnalysis ScenarioMetadata Category$Standard_Information Attribute$FILE_NAME Attribute$DATA Attribute$ATTRIBUTE_LIST Attribute$SECURITY_DESCRIPTOR Attribute$Secure FileExample ImageAllocation AlgorithmsAnalysis TechniquesAnalysis ConsiderationsAnalysis ScenarioFile Name CategoryDirectory IndexesRoot DirectoryLinks to Files and DirectoriesObject IdentifiersAllocation AlgorithmsAnalysis TechniquesAnalysis ConsiderationsAnalysis ScenarioApplication CategoryDisk QuotasLogging—File System JournalingChange JournalThe Big PictureFile Allocation ExampleFile Deletion ExampleOther TopicsFile RecoveryConsistency CheckSummaryBibliography
13. NTFS Data Structures
Basic ConceptsFixup ValuesMFT Entries (File Records)Attribute HeaderStandard File Attributes$STANDARD_INFORMATION Attribute$FILE_NAME Attribute$DATA Attribute$ATTRIBUTE_LIST Attribute$OBJECT_ID Attribute$REPARSE_POINT AttributeIndex Attributes and Data Structures$INDEX_ROOT Attribute$INDEX_ALLOCATION Attribute$BITMAP AttributeIndex Node Header Data StructureGeneric Index Entry Data StructureDirectory Index Entry Data StructureFile System Metadata Files$MFT File$Boot File$AttrDef File$Bitmap File$Volume File$ObjId File$Quota File$LogFile File$UsrJrnl FileSummaryBibliography
14. Ext2 and Ext3 Concepts and Analysis
IntroductionFile System CategoryOverviewAnalysis TechniquesAnalysis ConsiderationsAnalysis ScenarioContent CategoryOverviewAllocation AlgorithmsAnalysis TechniquesAnalysis ConsiderationsAnalysis ScenarioMetadata CategoryOverviewAllocation AlgorithmsAnalysis TechniquesAnalysis ConsiderationsAnalysis ScenarioFile Name CategoryOverviewAllocation AlgorithmsAnalysis TechniquesAnalysis ConsiderationsAnalysis ScenariosApplication CategoryFile System JournalingAnalysis ScenarioThe Big PictureFile Allocation ExampleFile Deletion ExampleOther TopicsFile RecoveryConsistency CheckSummaryBibliography
15. Ext2 and Ext3 Data Structures
SuperblockGroup Descriptor TablesBlock BitmapInodesExtended AttributesDirectory EntrySymbolic LinkHash TreesJournal Data StructuresSummaryBibliography
16. UFS1 and UFS2 Concepts and Analysis
IntroductionFile System CategoryOverviewAnalysis TechniquesAnalysis ConsiderationsContent CategoryOverviewAllocation AlgorithmsAnalysis TechniquesAnalysis ConsiderationsMetadata CategoryOverviewAllocation AlgorithmsAnalysis TechniquesAnalysis ConsiderationsFile Name CategoryOverviewAllocation AlgorithmsAnalysis TechniquesAnalysis ConsiderationsThe Big PictureFile Allocation ExampleFile Deletion ExampleOther TopicsFile RecoveryConsistency CheckSummaryBibliography
17. UFS1 and UFS2 Data Structures
UFS1 SuperblockUFS2 SuperblockCylinder Group SummaryUFS1 Group DescriptorUFS2 Group DescriptorBlock and Fragment BitmapsUFS1 InodesUFS2 InodesUFS2 Extended AttributesDirectory EntriesSummaryBibliography
A. The Sleuth Kit and Autopsy
The Sleuth KitDisk ToolsVolume System ToolsFile System ToolsSearching ToolsAutopsyAnalysis ModesBibliography
Index
Code Snippets

Content preview from File System Forensic Analysis

10. FAT Data Structures

In the previous chapter, we examined the basic concepts of a FAT file system and how to analyze it. Now we are going to get more detailed and examine the data structures that make up FAT. This chapter will ignore the five-category model and instead focus on each individual data structure. This makes it easier to understand FAT because many of the data structures are in more than one category. I assume that you have already read Chapter 9, “FAT Concepts and Analysis,” or that you are reading it in parallel. All the hexdumps and data shown in this chapter correspond to the data that were analyzed in Chapter 9 using tools from The Sleuth Kit (TSK).

Boot Sector

The boot sector is located in the first sector of FAT file system ...

Become an O’Reilly member and get unlimited access to this title plus top books and audiobooks from O’Reilly and nearly 200 top publishers, thousands of courses curated by job role, 150+ live events each month,
and much more.

Read now

Unlock full access

More than 5,000 organizations count on O’Reilly

O’Reilly covers everything we've got, with content to help us build a world-class technology community, upgrade the capabilities and competencies of our teams, and improve overall team performance as well as their engagement.

Julian F.

Head of Cybersecurity

I wanted to learn C and C++, but it didn't click for me until I picked up an O'Reilly book. When I went on the O’Reilly platform, I was astonished to find all the books there, plus live events and sandboxes so you could play around with the technology.

Addison B.

Field Engineer

I’ve been on the O’Reilly platform for more than eight years. I use a couple of learning platforms, but I'm on O'Reilly more than anybody else. When you're there, you start learning. I'm never disappointed.

Amir M.

Data Platform Tech Lead

I'm always learning. So when I got on to O'Reilly, I was like a kid in a candy store. There are playlists. There are answers. There's on-demand training. It's worth its weight in gold, in terms of what it allows me to do.

Mark W.

Embedded Software Engineer

Windows Forensics: Understand Analysis Techniques for Your Windows

Publisher Resources

ISBN: 0321268172Purchase book

Cloud Computing

Data Engineering

Data Science

AI & ML

Programming Languages

Software Architecture

IT/Ops

Security

Design

Business

Soft Skills

File System Forensic Analysis

by Brian Carrier