Synopses & Reviews
Praise for
Forensic Discovery "Farmer and Venema do for digital archaeology what Indiana Jones did for historical archaeology. Forensic Discovery unearths hidden treasures in enlightening and entertaining ways, showing how a time-centric approach to computer forensics reveals even the cleverest intruder. I highly recommend reading this book."
--Richard Bejtlich, TaoSecurity
Praise for Real Digital Forensics
" Real Digital Forensics is as practical as a printed book can be. In a very methodical fashion, the authors cover live response (Unix, Windows), network-based forensics following the NSM model (Unix, Windows), forensics duplication, common forensics analysis techniques (such as file recovery and Internet history review), hostile binary analysis (Unix, Windows), creating a forensics toolkit and PDA, flash and USB drive forensics. The book is both comprehensive and in-depth; following the text and trying the investigations using the enclosed DVD definitely presents an effective way to learn forensic techniques."
--Anton Chuvakin, LogLogic
Praise for File System Forensic Analysis
"Carrier has achieved what few technical authors do, namely a clear explanation of highly technical topics that retains a level of detail making it valuable for the long term. For anyone looking seriously at electronic forensics, this is a must have. File System Forensic Analysis is a great technical resource."
--Jose Nazario, Arbor Networks
The Computer Forensics Library
With the ever-increasing number of computer-related crimes, more and more professionals find themselves needing to conduct a forensics examination. But where to start? What if you don't have the time or resources to take a lengthy training course? We've assembled the works of today's leading forensics experts to help you dive into forensics, give you perspective on the big picture of forensic investigations, and arm you to handle the nitty-gritty technicalities of the toughest cases out there.
Forensic Discovery , the definitive guide, presents a thorough introduction to the field of computer forensics. Authors Dan Farmer and Wietse Venema cover everything from file systems to memory andkernel hacks and malware. They expose many myths about forensics that can stand in the way of success. This succinct book will get you started with the realities of forensics.
Real Digital Forensics allows you to dive right in to an investigation and learn by doing. Authors Keith J. Jones, Richard Bejtlich, and Curtis W. Rose walk you through six detailed, highly realistic investigations and provide a DVD with all the data you need to follow along and practice. Once you understand the big picture of computer forensics, this book will show you what a Unix or Windows investigation really looks like.
File System Forensic Analysis completes the set and provides the information you need to investigate a computer's file system. Most digital evidence is stored within the computer's file system, so many investigations will inevitably lead there. But understanding how the file system works is one of the most technically challenging concepts for digital investigators. With this book, expert Brian Carrier closes out the set by providing details about file system analysis available nowhere else.
Synopsis
The Definitive Guide to File System Analysis: Key Concepts and Hands-on Techniques Most digital evidence is stored within the computer's file system, but understanding how file systems work is one of the most technically challenging concepts for a digital investigator because there exists little documentation. Now, security expert Brian Carrier has written the definitive reference for everyone who wants to understand and be able to testify about how file system analysis is performed.
Carrier begins with an overview of investigation and computer foundations and then gives an authoritative, comprehensive, and illustrated overview of contemporary volume and file systems: Crucial information for discovering hidden evidence, recovering deleted data, and validating your tools. Along the way, he describes data structures, analyzes example disk images, provides advanced investigation scenarios, and uses today's most valuable open source file system analysis toolsincluding tools he personally developed. Coverage includes
-
Preserving the digital crime scene and duplicating hard disks for "dead analysis"
-
Identifying hidden data on a disk's Host Protected Area (HPA)
-
Reading source data: Direct versus BIOS access, dead versus live acquisition, error handling, and more
-
Analyzing DOS, Apple, and GPT partitions; BSD disk labels; and Sun Volume Table of Contents using key concepts, data structures, and specific techniques
-
Analyzing the contents of multiple disk volumes, such as RAID and disk spanning
-
Analyzing FAT, NTFS, Ext2, Ext3, UFS1, and UFS2 file systems using key concepts, data structures, and specific techniques
-
Finding evidence: File metadata, recovery of deleted files, data hiding locations, and more
-
Using The Sleuth Kit (TSK), Autopsy Forensic Browser, and related open source tools
When it comes to file system analysis, no other book offers this much detail or expertise. Whether you're a digital forensics specialist, incident response team member, law enforcement officer, corporate security specialist, or auditor, this book will become an indispensable resource for forensic investigations, no matter what analysis tools you use.
Brian Carrier has authored several leading computer forensic tools, including The Sleuth Kit (formerly The @stake Sleuth Kit) and the Autopsy Forensic Browser. He has authored several peer-reviewed conference and journal papers and has created publicly available testing images for forensic tools. Currently pursuing a Ph.D. in Computer Science and Digital Forensics at Purdue University, he is also a research assistant at the Center for Education and Research in Information Assurance and Security (CERIAS) there. He formerly served as a research scientist at @stake and as the lead for the @stake Response Team and Digital Forensic Labs. Carrier has taught forensics, incident response, and file systems at SANS, FIRST, the @stake Academy, and SEARCH.
Brian Carrier's http://www.digital-evidence.org contains book updates and up-to-date URLs from the book's references.
© Copyright Pearson Education. All rights reserved.
Synopsis
About the Author
Keith J. Jones leads the computer forensics and electronic evidence discovery practices at Red Cliff Consulting. Formerly Foundstone's director of incident response and computer forensics, his book
The Anti-Hacker Tool Kit (McGraw-Hill Osborne, 2002) is the definitive guide to securing critical applications.
Richard Bejtlich is a former Air Force intelligence officer, and is founder of TaoSecurity, a network security monitoring consultancy. He wrote the Tao of Network Security Monitoring (Addison-Wesley, 2005) and Extrusion Detection (Addison-Wesley, 2006).
Curtis W. Rose, a former counterintelligence special agent, is an executive vice president at Red Cliff Consulting where he leads research and development efforts and special projects, and where he provides support to criminal investigations and civil litigation. He was a contributing author or technical editor for several security books, including The Anti-Hacker Tool Kit, Network Security: The Complete Reference (McGraw-Hill Osborne, 2002), and Incident Response: Investigating Computer Crime, Second Edition (McGraw-Hill Osborne, 2002).
Dan Farmer is author of a variety of security programs and papers. He is currently chief technical officer of Elemental Security, a computer security software company. Together he and Wietse Venema, have written many of the world's leading information security and forensics packages, including the SATAN network security scanner and the Coroner's Toolkit.
Wietse Venema has written some of the world's most widely used software, including TCP Wrapper and the Postfix mail system. He is currently a research staff member at IBM Research. Together, he and Dan Farmer have written many of the world's leading information security and forensics packages, including the SATAN network security scanner and the Coroner's Toolkit.
Brian Carrier has authored several leading computer forensic tools, including The Sleuth Kit (formerly The @stake Sleuth Kit) and the Autopsy Forensic Browser. He has authored several peer-reviewed conference and journal papers and has created publicly available testing images for forensic tools. Currently pursuing a Ph.D. in computer science and digital forensics at Purdue University, he is also a research assistant at the Center for Education and Research in Information Assurance and Security (CERIAS) there. He formerly served as a research scientist at @stake and as the lead for the @stake Response Team and Digital Forensic Labs. Carrier has taught forensics, incident response, and file systems at SANS, FIRST, the @stake Academy, and SEARCH.
Brian Carrier's Web site, http://www.digital-evidence.org, contains book updates and up-to-date URLs from the book's references.
Table of Contents
Foreword.
Preface.
Acknowledgments.
I. FOUNDATIONS.
1. Digital Investigation Foundations.
Digital Investigations and Evidence.
Digital Crime Scene Investigation Process.
Data Analysis.
Overview of Toolkits.
Summary.
Bibliography.
2. Computer Foundations.
Data Organization.
Booting Process.
Hard Disk Technology.
Summary.
Bibiography.
3. Hard Disk Data Acquisition.
Introduction.
Reading the Source Data.
Writing the Output Data.
A Case Study Using dd.
Summary.
Bibliography.
II. VOLUME ANALYSIS.
4. Volume Analysis.
Introduction.
Background.
Analysis Basics.
Summary.
5. PC-based Partitions.
DOS Partitions.
Analysis Considerations.
Apple Partitions.
Removable Media.
Bibliography 109
6. Server-based Partitions.
BSD Partitions.
Sun Solaris Slices.
GPT Partitions.
Summary 145
Bibliography 145
7. Multiple Disk Volumes.
RAID.
Disk Spanning.
Bibliography.
III. FILE SYSTEM ANALYSIS.
8. File System Analysis.
What Is a File System?.
File System Category.
Content Category.
Metadata Category.
File Name Category.
Application Category.
Application-level Search Techniques.
Specific File Systems.
Summary.
Bibliography.
9. FAT Concepts and Analysis.
Introduction.
File System Category.
Content Category.
Metadata Category.
File Name Category.
The Big Picture.
Other Topics.
Summary.
Bibliography.
10. FAT Data Structures.
Boot Sector.
FAT32 FSINFO.
FAT.
Directory Entries.
Long File Name Directory Entries.
Summary.
Bibliography.
11. NTFS Concepts.
Introduction.
Everything is a File.
MFT Concepts.
MFT Entry Attribute Concepts.
Other Attribute Concepts.
Indexes.
Analysis Tools.
Summary.
Bibliography.
12. NTFS Analysis.
File System Category.
Content Category.
Metadata Category.
File Name Category.
Application Category.
The Big Picture.
Other Topics.
Summary.
Bibliography.
13. NTFS Data Structures.
Basic Concepts.
Standard File Attributes.
Index Attributes and Data Structures.
File System Metadata Files.
Summary.
Bibliography.
14. Ext2 and Ext3 Concepts and Analysis.
Introduction.
File System Category.
Content Category.
Metadata Category.
File Name Category.
Application Category.
The Big Picture.
Other Topics.
Summary.
Bibliography.
15. Ext2 and Ext3 Data Structures.
Superblock.
Group Descriptor Tables.
Block Bitmap.
Inodes.
Extended Attributes.
Directory Entry.
Symbolic Link.
Hash Trees.
Journal Data Structures.
Summary.
Bibliography.
16. UFS1 and UFS2 Concepts and Analysis.
Introduction.
File System Category.
Content Category.
Metadata Category.
File Name Category.
The Big Picture.
Other Topics.
Summary.
Bibliography.
17. UFS1 and UFS2 Data Structures.
UFS1 Superblock.
UFS2 Superblock.
Cylinder Group Summary.
UFS1 Group Descriptor.
UFS2 Group Descriptor.
Block and Fragment Bitmaps.
UFS1 Inodes.
UFS2 Inodes.
UFS2 Extended Attributes.
Directory Entries.
Summary.
Bibliography.
Appendix A. The Sleuth Kit and Autopsy.
The Sleuth Kit.
Autopsy.
Bibliography.
Index.