File System Forensic Analysis
This book is about the low-level details of file and volume systems. There already exist digital forensic books that are breadth-based and give you a good overview of the field and its basic concepts. This book complements those books and gives you more details of file and volume systems.

I started this book because there was a large void with respect to documents and books describing file systems. While developing The Sleuth Kit, I frequently had to use source code and trial and error to determine how the data were laid out. The lack of public documents made it difficult to explain, for example, why file recovery is not the same for all file systems and why each NTFS file has at least three sets of timestamps. It also makes it difficult for an investigator to testify how her analysis tool works and where it found the evidence.

There are two target audiences for this book. One is the experienced investigator who has learned about digital investigations from real cases and from using analysis tools. The other is someone who is new to the field and is interested in learning about the general theory of an investigation and where digital evidence may exist, but who is not yet looking for a book with a tutorial on how to use a specific tool.

The approach of this book is to describe the basic concepts and theory of a volume and file system and then apply them to an investigation. For each file system, this book covers analysis techniques and special considerations that the investigator should make. Scenarios are given to reinforce how the information can be used in an actual case. In addition, the data structures associated with volume and file systems are given, and disk images are analyzed by hand so that you can see where the various data are located. If you are not interested in parsing data structures, you can skip the data structure chapters. Only non-commercial tools are used, so that you can download them for free and duplicate the results on your own systems.