Computer forensics is a relatively new field, and over the years it has been called many things: "computer forensics," "digital forensics," and "media analysis" to name a few. It has only been in the past few years that we have begun to recognize that all of our digital devices leave digital breadcrumbs and that these breadcrumbs are valuable evidence in a wide range of inquiries. While criminal justice professionals were some of the first to take an interest in this digital evidence, the intelligence, information security, and civil law fields have enthusiastically adopted this new source of information.
Digital forensics has joined the mainstream. In 2003, the American Society of Crime Laboratory Directors–Laboratory Accreditation Board (ASCLD–LAB) recognized digital evidence as a full-fledged forensic discipline. Along with this acceptance came increased interest in training and education in this field. The Computer Forensic Educator's Working Group (now known as the Digital Forensic Working Group) was formed to assist educators in developing programs in this field. There are now over three-dozen colleges and universities that have, or are, developing programs in this field. More join their ranks each month.
I have had the pleasure of working with many law enforcement agencies, training organizations, colleges, and universities to develop digital forensic programs. One of the first questions that I am asked is if I can recommend a good textbook for their course or courses. There have been many books written about this field. Most take a targeted approach to a particular investigative approach, such as incident response or criminal investigation. Some tend to be how-to manuals for specific tools. It has been hard to find a book that provides a solid technical and process foundation for the field . . . That is, until now.
This book is the foundational book for file system analysis. It is thorough, complete, and well organized. Brian Carrier has done what needed to be done for this field. This book provides a solid understanding of both the structures that make up different file systems and how these structures work. Carrier has written this book in such a way that the readers can use what they know about one file system to learn another. This book will be invaluable as a textbook and as a reference and needs to be on the shelf of every digital forensic practitioner and educator. It will also provide accessible reading for those who want to understand subjects such as data recovery.
When I was first approached about writing this Foreword, I was excited! I have known Brian Carrier for a number of years and I have always been impressed with his wonderful balance of incredible technical expertise and his ability to clearly explain not just what he knows but, more importantly, what you need to know. Brian's work on Autopsy and The Sleuth Kit (TSK) has demonstrated his command of this field; his name is a household name in the digital forensic community. I have been privileged to work with Brian in his current role at Purdue University, and he is helping to do for the academic community what he did for the commercial sector: He set a high standard.
So, it is without reservation that I recommend this book to you. It will provide you with a solid foundation in digital media.
Mark M. Pollitt
President, Digital Evidence Professional Services, Inc.
Retired Director of the FBI's Regional Computer Forensic Laboratory Program
Preface
One of the biggest challenges that I have faced over the years while developing The Sleuth Kit (TSK) has been finding good file and volume system (such as partition tables, RAID, and so on) documentation. It also has been challenging to explain to users why certain files cannot be recovered or what to do when a corrupt file system is encountered because there are no good references to recommend. It is easy to find resources that describe file systems at a high level, but source code is typically needed to learn the details. My goal for this book is to fill the void and describe how data are stored on disk and describe where and how digital evidence can be found.
There are two target audiences for this book. One is the experienced investigator who has learned about digital investigations from real cases and from using analysis tools. The other is someone who is new to the field and is interested in learning about the general theory of an investigation and where digital evidence may exist but is not yet looking for a book that has a tutorial on how to use a specific tool.
The value of the material in this book is that it helps to provide an education rather than training on a specific tool. Consider some of the more formal sciences or engineering disciplines. All undergraduates are required to take a couple of semesters of physics, chemistry, or biology. These courses are not required because the students will be using all the material for the rest of their careers. In fact, software and equipment exist to perform many of the calculations students are forced to memorize. The point of the classes is to provide students with insight about how things work so that they are not constrained by their tools.
The goal of this book is to provide an investigator with an education similar to what Chemistry 101 is to a chemist in a forensics lab. The majority of digital evidence is found on a disk, and knowing how and why the evidence exists can help an investigator to better testify about it. It also will help an investigator find errors and bugs in his analysis tools because he can conduct sanity checks on the tool output.
The recent trends in digital investigations have shown that more education is needed. Forensic labs are being accredited for digital evidence, and there are debates about the required education and certification levels. Numerous universities offer courses and even Master's degrees in computer forensics. Government
Roadmap
This book is organized into three parts. Part 1 provides the basic foundations, and Parts 2 and 3 provide the technical meat of the book. The book is organized so that we move up the layers of abstraction in a computer. We start by discussing hard disks and then discuss how disks are organized into partitions. After we discuss partitions, we discuss the contents of partitions, which are typically a file system.
Part 1, "Foundations," starts with Chapter 1, "Digital Investigation Foundations," and discusses the approach I take to a digital investigation. The different phases and guidelines are presented so that you know where I use the techniques described in this book. This book does not require that you use the same approach that I do. Chapter 2, "Computer Foundations," provides the computer foundations and describes data structures, data encoding, the boot process, and hard disk technology. Chapter 3, "Hard Disk Data Acquisition," provides the theory and a case study of hard disk acquisition so that we have data to analyze in Parts 2 and 3.
Part 2, "Volume Analysis," covers the analysis of the data structures that partition and assemble storage volumes. Chapter 4, "Volume Analysis," provides a general overview of the volume analysis techniques, and Chapter 5, "PC-based Partitions," examines the common DOS and Apple partitions. Chapter 6, "Server-based Partitions," covers the partitions found in BSD, Sun Solaris, and Itanium-based systems. Chapter 7, "Multiple Disk Volumes," covers RAID and volume spanning.
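The Preface argues that an investigator who understands the on-disk structures can sanity-check tool output rather than trust it blindly. As an added illustration of that point at the volume layer (this is example code written for this page, not code from the book or from The Sleuth Kit), the following Python parses the four primary entries of a DOS/MBR partition table from a single 512-byte sector and then cross-checks them against the disk size and each other. The sector contents, the 1 GiB (2,097,152-sector) disk size, and the deliberately corrupted second table are all constructed here for the example.

```python
import struct

SECTOR_SIZE = 512
PARTITION_TABLE_OFFSET = 446   # four 16-byte entries live at bytes 446..509
ENTRY_SIZE = 16
SIGNATURE_OFFSET = 510         # bytes 510..511 must be 0x55 0xAA


def has_boot_signature(sector: bytes) -> bool:
    """True if the sector carries the 0x55AA signature every MBR must end with."""
    return len(sector) == SECTOR_SIZE and sector[SIGNATURE_OFFSET:SIGNATURE_OFFSET + 2] == b"\x55\xaa"


def parse_mbr(sector: bytes):
    """Return the four primary partition entries of a DOS/MBR boot sector.

    Each entry is a dict with the fields an examiner cares about: table index,
    bootable flag, type byte, starting LBA and sector count. CHS fields are
    skipped because every modern tool (and this check) works in LBA.
    """
    if not has_boot_signature(sector):
        raise ValueError("not a %d-byte sector with a 0x55AA boot signature" % SECTOR_SIZE)
    entries = []
    for i in range(4):
        off = PARTITION_TABLE_OFFSET + i * ENTRY_SIZE
        status, _chs_start, ptype, _chs_end, lba_start, num_sectors = struct.unpack(
            "<B3sB3sII", sector[off:off + ENTRY_SIZE])
        entries.append({"index": i, "bootable": status == 0x80, "type": ptype,
                        "start": lba_start, "sectors": num_sectors})
    return entries


def sanity_check(entries, disk_sectors: int):
    """Cross-check parsed entries: empty slots are consistent, used slots stay
    inside the disk, do not start at sector 0, and do not overlap each other.
    Returns a list of human-readable problems (empty list means all checks passed)."""
    problems = []
    used = []  # (index, start, exclusive end) of non-empty entries seen so far
    for e in entries:
        if e["type"] == 0 and e["sectors"] == 0:
            continue  # unused slot
        if e["type"] == 0 or e["sectors"] == 0:
            problems.append("entry %d: type byte and sector count are inconsistent" % e["index"])
            continue
        end = e["start"] + e["sectors"]
        if e["start"] == 0:
            problems.append("entry %d: starts at sector 0 and would cover the MBR itself" % e["index"])
        if end > disk_sectors:
            problems.append("entry %d: ends at sector %d, beyond disk size %d" % (e["index"], end, disk_sectors))
        for j, s, t in used:
            if e["start"] < t and s < end:
                problems.append("entry %d overlaps entry %d" % (e["index"], j))
        used.append((e["index"], e["start"], end))
    return problems


def build_entry(bootable: bool, ptype: int, start: int, sectors: int) -> bytes:
    """Pack one constructed 16-byte entry; CHS fields are zeroed."""
    return struct.pack("<B3sB3sII", 0x80 if bootable else 0x00, b"\0\0\0", ptype, b"\0\0\0", start, sectors)


def sample_sector() -> bytes:
    """Constructed MBR for a hypothetical 2,097,152-sector (1 GiB) disk:
    a bootable NTFS partition (type 0x07) followed by a Linux partition (0x83)."""
    table = (build_entry(True, 0x07, 2048, 1048576)
             + build_entry(False, 0x83, 1050624, 1046528)
             + build_entry(False, 0x00, 0, 0)
             + build_entry(False, 0x00, 0, 0))
    return b"\0" * PARTITION_TABLE_OFFSET + table + b"\x55\xaa"


def corrupted_sector() -> bytes:
    """Same constructed disk, but entry 1 now claims a range that runs past the
    end of the disk and overlaps entry 0, the kind of table a tool may render
    without complaint."""
    table = (build_entry(True, 0x07, 2048, 1048576)
             + build_entry(False, 0x83, 1000000, 2000000)
             + build_entry(False, 0x00, 0, 0)
             + build_entry(False, 0x00, 0, 0))
    return b"\0" * PARTITION_TABLE_OFFSET + table + b"\x55\xaa"


if __name__ == "__main__":
    disk = 2097152
    for label, sec in (("clean", sample_sector()), ("corrupted", corrupted_sector())):
        entries = parse_mbr(sec)
        print(label, [(e["index"], hex(e["type"]), e["start"], e["sectors"]) for e in entries if e["sectors"]])
        print("  problems:", sanity_check(entries, disk) or "none")
```

On a real acquisition the same check is `sanity_check(parse_mbr(image[:512]), image_size // 512)`; a non-empty result is a reason to read the raw table yourself before relying on what a tool displays. Extended partitions (types 0x05 and 0x0F) chain to further tables and are not followed here.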
Part 3, "File System Analysis," covers the analysis of the data structures in a volume that are used to store and retrieve files. Chapter 8, "File System Analysis," covers the general theory of file system analysis and defines terminology for the rest of Part 3. Each file system has at least two chapters dedicated to it: the first discusses the basic concepts and investigation techniques, and the second includes the data structures and manual analysis of example disk images. You have a choice of reading the two chapters in parallel, reading one after the other, or skipping the data structures chapter altogether.
The designs of the file systems are very different, so they are described using a general file system model. The general model organizes the data in a file system into one of five categories: file system, content, metadata, file name, and application. This general model is used to describe each of the file systems so that it is easier to compare them.
Chapters 9, "FAT Concepts and Analysis," and 10, "FAT Data Structures," detail the FAT file system, and Chapters 11, "NTFS Concepts," 12, "NTFS Analysis," and 13, "NTFS Data Structures," cover NTFS. Next, we skip to the Unix file systems with Chapters 14, "Ext2 and Ext3 Concepts and Analysis," and 15, "Ext2 and Ext3 Data Structures," on the Linux Ext2 and Ext3 file systems. Lastly, Chapters 16, "UFS1 and UFS2 Concepts and Analysis," and 17, "UFS1 and UFS2 Data Structures," examine UFS1 and UFS2, which are found in FreeBSD, NetBSD, OpenBSD, and Sun Solaris.
After Part 3 of this book, you will know where a file existed on disk and the various data structures that need to be in sync for you to view it. This book does not discuss how to analyze the file's contents.