Monday, June 26, 2006

Book: File System Forensic Analysis

File System Forensic Analysis by Brian Carrier. ISBN: 0321268172.


To my way of thinking, this is a really good book about file systems, that just happens to use forensics as a unifying theme and framework under which to study the file systems. The book provides the most detailed coverage of file systems I've seen, short of reading the source code. I used it as a textbook in an advanced operating systems class, but it is not really a textbook, per se.

The author begins with an introduction to the concepts behind digital forensic investigations. He continues with a ground-up introduction to disk drive technology and how disks are used in computer systems. The introductory material concludes with a generic framework for discussing the components and characteristics of file systems.

With all the groundwork laid, the meat of the book consists of detailed discussions of FAT, NTFS, Ext, and UFS file systems. Each file system is presented at a high level first, followed by a detailed description of the structures on disk. The high level information is presented with pictures and via output from the author's file system toolkit (The Sleuth Kit). The details are presented with tables of structure members without resorting to C code, which makes it easier to see the trees rather than the forest, especially for non-programmers.
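As an added illustration of what those structure tables let you do (this is example code written for this post, not code from Carrier's book or from The Sleuth Kit), the following decodes a FAT boot sector from its BIOS Parameter Block and derives the layout values an examiner needs: where the FATs and root directory sit, where the data area begins, the cluster count, and from it the FAT type. Field offsets and the FAT-type rule follow the Microsoft FAT specification; the two boot sectors are constructed in memory and assumed geometries, not taken from any real image.

```python
import struct
from dataclasses import dataclass

SECTOR = 512
# Bytes 0..35 of the boot sector: jump, OEM name, then the BIOS Parameter Block.
BPB_FMT = "<3s8sHBHBHHBHHHII"
BPB_FIELDS = ("jmp", "oem", "bytes_per_sec", "sec_per_clus", "rsvd_sec_cnt",
              "num_fats", "root_ent_cnt", "tot_sec16", "media", "fat_sz16",
              "sec_per_trk", "num_heads", "hidd_sec", "tot_sec32")


@dataclass
class FatBootSector:
    bytes_per_sec: int
    sec_per_clus: int
    rsvd_sec_cnt: int
    num_fats: int
    root_ent_cnt: int
    tot_sec16: int
    fat_sz16: int
    tot_sec32: int
    fat_sz32: int  # only meaningful when fat_sz16 == 0 (FAT32)

    @property
    def fat_size(self) -> int:
        return self.fat_sz16 or self.fat_sz32

    @property
    def total_sectors(self) -> int:
        return self.tot_sec16 or self.tot_sec32

    @property
    def root_dir_sectors(self) -> int:
        # 32-byte directory entries, rounded up to whole sectors (0 on FAT32).
        return (self.root_ent_cnt * 32 + self.bytes_per_sec - 1) // self.bytes_per_sec

    @property
    def first_data_sector(self) -> int:
        return self.rsvd_sec_cnt + self.num_fats * self.fat_size + self.root_dir_sectors

    @property
    def count_of_clusters(self) -> int:
        return (self.total_sectors - self.first_data_sector) // self.sec_per_clus

    @property
    def fat_type(self) -> str:
        # Decided by cluster count alone, never by the "FAT12/16/32" label string.
        n = self.count_of_clusters
        return "FAT12" if n < 4085 else "FAT16" if n < 65525 else "FAT32"

    def cluster_to_sector(self, cluster: int) -> int:
        # Data clusters are numbered from 2; cluster 2 begins at first_data_sector.
        if cluster < 2 or cluster - 2 >= self.count_of_clusters:
            raise ValueError(f"cluster {cluster} outside data area")
        return (cluster - 2) * self.sec_per_clus + self.first_data_sector


def parse_boot_sector(sector: bytes) -> FatBootSector:
    if len(sector) < SECTOR:
        raise ValueError("boot sector must be at least 512 bytes")
    if struct.unpack_from("<H", sector, 510)[0] != 0xAA55:
        raise ValueError("missing 0x55AA boot signature")
    raw = dict(zip(BPB_FIELDS, struct.unpack_from(BPB_FMT, sector, 0)))
    fat_sz32 = struct.unpack_from("<I", sector, 36)[0]
    bs = FatBootSector(raw["bytes_per_sec"], raw["sec_per_clus"], raw["rsvd_sec_cnt"],
                       raw["num_fats"], raw["root_ent_cnt"], raw["tot_sec16"],
                       raw["fat_sz16"], raw["tot_sec32"], fat_sz32)
    # Sanity checks: a damaged or forged BPB can carry the right signature and still
    # describe an impossible geometry, so reject values the spec never allows.
    if bs.bytes_per_sec not in (512, 1024, 2048, 4096):
        raise ValueError(f"bad bytes per sector: {bs.bytes_per_sec}")
    if bs.sec_per_clus == 0 or bs.sec_per_clus & (bs.sec_per_clus - 1):
        raise ValueError(f"sectors per cluster not a power of two: {bs.sec_per_clus}")
    if bs.num_fats == 0 or bs.fat_size == 0 or bs.total_sectors <= bs.first_data_sector:
        raise ValueError("FAT count, FAT size or total sectors inconsistent")
    return bs


def is_valid_boot_sector(sector: bytes) -> bool:
    try:
        parse_boot_sector(sector)
        return True
    except ValueError:
        return False


def build_sample_boot_sector(**bpb) -> bytes:
    # Constructed boot sector for the samples below; not taken from a real disk.
    vals = {"jmp": b"\xeb\x3c\x90", "oem": b"MSWIN4.1", "sec_per_trk": 63,
            "num_heads": 255, "hidd_sec": 0, "media": 0xF8}
    vals.update(bpb)
    buf = bytearray(SECTOR)
    struct.pack_into(BPB_FMT, buf, 0, *(vals[f] for f in BPB_FIELDS))
    struct.pack_into("<H", buf, 510, 0xAA55)
    return bytes(buf)


# Constructed sample 1: 32 MiB volume, 65536 sectors (too many for tot_sec16, so it is 0).
SAMPLE_FAT16 = build_sample_boot_sector(bytes_per_sec=512, sec_per_clus=4, rsvd_sec_cnt=1,
                                        num_fats=2, root_ent_cnt=512, tot_sec16=0,
                                        fat_sz16=64, tot_sec32=65536)
# Constructed sample 2: 1.44 MB floppy geometry.
SAMPLE_FAT12 = build_sample_boot_sector(bytes_per_sec=512, sec_per_clus=1, rsvd_sec_cnt=1,
                                        num_fats=2, root_ent_cnt=224, tot_sec16=2880,
                                        fat_sz16=9, tot_sec32=0, media=0xF0)

if __name__ == "__main__":
    for name, img in (("FAT16 sample", SAMPLE_FAT16), ("FAT12 sample", SAMPLE_FAT12)):
        bs = parse_boot_sector(img)
        print(name, bs.fat_type, "first data sector", bs.first_data_sector,
              "clusters", bs.count_of_clusters, "cluster 5 at sector", bs.cluster_to_sector(5))
```

The point worth keeping in mind when reading the book's tables is the one the `fat_type` property encodes: the FAT variant is a function of the cluster count computed from the BPB, not of the human-readable label in the boot sector, and the geometry checks matter because the 0x55AA signature only says "this looks like a boot sector", not that its contents are trustworthy.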

I found the information about the Microsoft file systems (FAT and NTFS) especially useful, since there isn't much real documentation on those file systems available, and a lot of what is available seems like rumors spread at recess in a schoolyard.

In conclusion, this is a really good, perhaps even the best, book on file systems, even if you're not into forensics. If you're looking for serious details about file systems or forensic analysis of file systems, this is your book.

Enjoy,
Charles.
