A book for digital sleuths

* 'File System Forensic Analysis'

When I am dead, I hope it is said, 'His sins were scarlet, but his books were read'. -Hilaire Belloc

This week we're taking a look at books that deserve a place on your administrator's bookshelf.

As I said in the teaser at the end of the last issue, today, we're discussing a book that I think you should have but one that I hope you'll never really need.

Brian Carrier's "File System Forensic Analysis" (from publisher Addison-Wesley) is an indispensable tool for the digital investigator and trouble-shooter.

In today's enterprise, regulatory compliance is a driving force in IT budgets. The organization needs to comply with laws that require knowing who, what, where, when and why corporate assets (and personal data) are accessed. Indeed, in many cases the requirement is knowing who might have been able to access a resource, not necessarily who did access it.

When it comes time to prove who did (or didn't) access data and who did (or didn't) have the ability to access data, file system forensics is the tool you might need.

Author Carrier, a well-known writer and speaker on this topic, is a research assistant at the Center for Education and Research in Information Assurance and Security (CERIAS) at Purdue University. He introduces us to the concepts in the book by saying "Most digital evidence is stored within the computer's file system, but understanding how file systems work is one of the most technically challenging concepts for a digital investigator because there exists little documentation." This book provides it.

Carrier begins with an overview of investigation and computer foundations and then gives a comprehensive and illustrated overview of contemporary volume and file systems - the information needed to discover hidden evidence, recover deleted data, and validate your tools. Along the way, he describes data structures, analyzes example disk images, provides advanced investigation scenarios, and introduces valuable open source file system analysis tools - including ones he personally developed: The Sleuth Kit and Autopsy Forensic Browser (sounds like something the folks on TV's CSI would use!).

Among the areas covered are:

* Identifying hidden data on a disk's Host Protected Area (HPA).

* Reading source data: Direct vs. BIOS access, dead vs. live acquisition, error handling, and more.

* Analyzing DOS, Apple, and GPT partitions; BSD disk labels; and Sun Volume Table of Contents using key concepts, data structures, and specific techniques.

* Analyzing the contents of multiple disk volumes, such as RAID and disk spanning.

* Analyzing FAT, NTFS, Ext2, Ext3, UFS1, and UFS2 file systems using key concepts, data structures, and specific techniques.

* Finding evidence: File metadata, recovery of deleted files, data hiding locations, and more.
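To give a taste of the "data structures" and "recovery of deleted files" items above, here is an added example that is not from the book or from The Sleuth Kit: a small Python parser for the 32-byte FAT directory entry, walking a constructed directory sector and separating live entries from deleted ones (first name byte 0xE5). The field offsets follow the published FAT specification; the sample directory bytes, the entry names, and the contiguity assumption in the recovery helper are constructed for the example.

```python
import struct
from dataclasses import dataclass

ENTRY_SIZE = 32
ATTR_LONG_NAME = 0x0F   # VFAT long-name fragment (all four low attribute bits set)
ATTR_DIRECTORY = 0x10
DELETED_MARKER = 0xE5   # FAT overwrites only the first name byte on delete


@dataclass
class DirEntry:
    name: str            # 8.3 name; '?' stands in for the overwritten first byte
    deleted: bool
    is_dir: bool
    first_cluster: int   # FAT32 keeps the high 16 bits at offset 20, low at 26
    size: int


def parse_fat_directory(raw: bytes) -> list[DirEntry]:
    """Walk a directory region entry by entry, keeping short-name entries only."""
    entries = []
    for off in range(0, len(raw) - ENTRY_SIZE + 1, ENTRY_SIZE):
        e = raw[off:off + ENTRY_SIZE]
        first = e[0]
        if first == 0x00:
            break                      # 0x00: no entries are in use from here on
        attr = e[11]
        if attr == ATTR_LONG_NAME:
            continue                   # metadata lives in the 8.3 entry that follows
        deleted = first == DELETED_MARKER
        base = (b"?" + e[1:8]) if deleted else e[0:8]
        name = base.decode("ascii", "replace").rstrip()
        ext = e[8:11].decode("ascii", "replace").rstrip()
        hi = struct.unpack_from("<H", e, 20)[0]
        lo = struct.unpack_from("<H", e, 26)[0]
        size = struct.unpack_from("<I", e, 28)[0]
        entries.append(DirEntry(
            name=name + ("." + ext if ext else ""),
            deleted=deleted,
            is_dir=bool(attr & ATTR_DIRECTORY),
            first_cluster=(hi << 16) | lo,
            size=size,
        ))
    return entries


def recover_candidate_extent(entry: DirEntry, cluster_size: int) -> tuple[int, int]:
    """Start cluster and cluster count to carve for a deleted file.

    After deletion the FAT chain is zeroed, so only the first cluster and the
    size survive; this assumes the file was stored contiguously (an assumption
    the investigator must verify against the FAT and the carved content).
    """
    clusters = (entry.size + cluster_size - 1) // cluster_size
    return entry.first_cluster, clusters


def _entry(name8: str, ext3: str, attr: int, cluster: int, size: int) -> bytes:
    """Build one constructed 32-byte short-name entry (timestamps left zero)."""
    return (name8.ljust(8).encode() + ext3.ljust(3).encode()
            + bytes([attr])
            + bytes(8)                             # NT reserved, create/access stamps
            + struct.pack("<H", cluster >> 16)     # first cluster, high word
            + bytes(4)                             # write time and date
            + struct.pack("<H", cluster & 0xFFFF)  # first cluster, low word
            + struct.pack("<I", size))


# Constructed sample directory: a live file, a deleted file, a subdirectory,
# the end-of-directory marker, and a stale entry past the marker.
SAMPLE_DIRECTORY = (
    _entry("README", "TXT", 0x20, 0x00000003, 1200)
    + bytes([DELETED_MARKER]) + _entry("SECRET", "DOC", 0x20, 0x0001000A, 45056)[1:]
    + _entry("LOGS", "", ATTR_DIRECTORY, 0x00000040, 0)
    + bytes(ENTRY_SIZE)
    + _entry("GHOST", "BIN", 0x20, 5, 99)
)


def deleted_names(raw: bytes) -> list[str]:
    return [e.name for e in parse_fat_directory(raw) if e.deleted]


if __name__ == "__main__":
    for e in parse_fat_directory(SAMPLE_DIRECTORY):
        tag = "deleted" if e.deleted else ("dir" if e.is_dir else "file")
        print(f"{e.name:<12} {tag:<7} cluster={e.first_cluster} size={e.size}")
    for e in parse_fat_directory(SAMPLE_DIRECTORY):
        if e.deleted:
            print("carve candidate:", recover_candidate_extent(e, 4096))
```

The entry after the 0x00 marker is deliberately not reported: a parser that ignores the end marker will surface stale slack as if it were a live entry, which is exactly the kind of tool behaviour the book asks you to validate before relying on it.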

As I said, I hope you'll never actually need to use this stuff, because that most likely means a crime, a disaster, or an investigation has occurred. But it does make fascinating reading, and you will learn a tremendous amount about how file systems work.

Copyright © 2005 IDG Communications, Inc.