File System Forensic Analysis by Addison-Wesley Professional

Manufacturer: Addison-Wesley Professional
List Price: $59.99
Our Price: $33.80

Customer Reviews:

Great resource

Great resource on file systems and file system data structures, although I wish it covered Apple's HFS+.

The bible for File System Forensics

Great Book. Great job Brian. A must have in your bookshelf if you are serious about computer forensics.
It only lacks two things to be perfect: ReiserFS and HFS+ sections.

Only one error: the GPT partition scheme isn't used only in big servers. New Intel Macintoshes use it by default for their boot drive.

super

Thanks a lot, we are very happy to have this book in our library!

Accept no substitutes -- THE book to read on file systems

I decided to read and review three digital forensics books in order to gauge their strengths and weaknesses: "File System Forensic Analysis" (FSFA) by Brian Carrier, "Windows Forensics" (WF) by Chad Steel, and "EnCase Computer Forensics" (ECF) by Steve Bunting and William Wei. All three books contain the word "forensics" in the title, but they are very different. If you want authoritative and deeply technical guidance on understanding file systems, read FSFA. If you want to focus on understanding Windows from an investigator's standpoint, read WF. If you want to know more about EnCase (and are willing to tolerate or ignore information about forensics itself), read ECF.

In the spirit of full disclosure I should mention I am co-author of a forensics book ("Real Digital Forensics") and Brian Carrier cites my book "The Tao of Network Security Monitoring" on p. 10. I tried not to let those facts sway my reviews.

FSFA has received lengthy and glowing reviews, so I will keep my comments brief. Of the three books I cited earlier, FSFA was the only one which really grabbed my attention. I am a network-centric security practitioner, but Brian Carrier's organization, thoughtfulness, and delivery really hooked me. I very much appreciate authors who define a framework and explain potentially complicated topics within that framework.

For example, Brian is very keen to promote the scientific method. His emphasis on hypotheses and looking for evidence to refute them made me take a second look at my own practices. Brian differentiates between "essential" and "nonessential" data, where the former must be accurate in order for a user to access data and the latter not necessarily needing to be accurate. Again, this is a great way to think about digital evidence in any form. Investigation is grouped into preservation, search, and event reconstruction phases. Finally, Brian's separation of data structures into five categories (file system, content, metadata, file name, and application) facilitates comparisons of file systems in the third part of FSFA.

Besides being well-organized, FSFA does an excellent job covering material not addressed elsewhere. Server partitions, RAID, and LVM are examples. It is important to understand what is NOT present in FSFA, however. Brian very clearly stops at the application level of data, saving that for other books. I think this is a great idea, since it lets FSFA concentrate on its core topics (file systems) and saves the data on those file systems for other books. At the risk of self-promoting, I think FSFA is a powerful companion to "Real Digital Forensics" (RDF), since we provide sample file system images in dd format suitable for analysis using FSFA techniques. RDF also cares more about content than structure, which is where FSFA stops.

Anyone who even pretends to be a host-centric forensics practitioner must read FSFA. I expect it has the power to save you on the stand should you encounter intense questioning from a defense attorney.

The best work on the topic

Carrier's book has proven invaluable to this digital forensics trainee, and I expect many of the old hands in the field will be keeping it on hand as well. If you're serious about computer forensics, you need a copy.