This book is the foundational book for file system analysis. This book will be invaluable as a textbook and as a reference and needs to be on the shelf of every digital forensic practitioner and educator.
Part I: Foundations
Chapter 1. Digital Investigation Foundations
- Digital Investigations and Evidence
- Digital Crime Scene Investigation Process
- Data Analysis
- Overview of Toolkits
- Summary
- Bibliography
Chapter 2. Computer Foundations
- Data Organization
- Booting Process
- Hard Disk Technology
- Summary
- Bibliography
Chapter 3. Hard Disk Data Acquisition
- Introduction
- Reading the Source Data
- Writing the Output Data
- A Case Study Using dd
- Summary
- Bibliography
Part II: Volume Analysis
Chapter 4. Volume Analysis
- Introduction
- Background
- Analysis Basics
- Summary
Chapter 5. PC-based Partitions
- DOS Partitions
- Analysis Considerations
- Apple Partitions
- Removable Media
- Bibliography
Chapter 6. Server-based Partitions
- BSD Partitions
- Sun Solaris Slices
- GPT Partitions
- Summary
- Bibliography
Chapter 7. Multiple Disk Volumes
- RAID
- Disk Spanning
- Bibliography
Part III: File System Analysis
Chapter 8. File System Analysis
- What is a File System?
- File System Category
- Content Category
- Metadata Category
- File Name Category
- Application Category
- Application-level Search Techniques
- Specific File Systems
- Summary
- Bibliography
Chapter 9. FAT Concepts and Analysis
- Introduction
- File System Category
- Content Category
- Metadata Category
- File Name Category
- The Big Picture
- Other Topics
- Summary
- Bibliography
Chapter 10. FAT Data Structures
- Boot Sector
- FAT32 FSINFO
- FAT
- Directory Entries
- Long File Name Directory Entries
- Summary
- Bibliography
Chapter 11. NTFS Concepts
- Introduction
- Everything is a File
- MFT Concepts
- MFT Entry Attribute Concepts
- Other Attribute Concepts
- Indexes
- Analysis Tools
- Summary
- Bibliography
Chapter 12. NTFS Analysis
- File System Category
- Content Category
- Metadata Category
- File Name Category
- Application Category
- The Big Picture
- Other Topics
- Summary
- Bibliography
Chapter 13. NTFS Data Structures
- Basic Concepts
- Standard File Attributes
- Index Attributes and Data Structures
- File System Metadata Files
- Summary
- Bibliography
Chapter 14. Ext2 and Ext3 Concepts and Analysis
- Introduction
- File System Category
- Content Category
- Metadata Category
- File Name Category
- Application Category
- The Big Picture
- Other Topics
- Summary
- Bibliography
Chapter 15. Ext2 and Ext3 Data Structures
- Superblock
- Group Descriptor Tables
- Block Bitmap
- Inodes
- Extended Attributes
- Directory Entry
- Symbolic Link
- Hash Trees
- Journal Data Structures
- Summary
- Bibliography
Chapter 16. UFS1 and UFS2 Concepts and Analysis
- Introduction
- File System Category
- Content Category
- Metadata Category
- File Name Category
- The Big Picture
- Other Topics
- Summary
- Bibliography
Chapter 17. UFS1 and UFS2 Data Structures
- UFS1 Superblock
- UFS2 Superblock
- Cylinder Group Summary
- UFS1 Group Descriptor
- UFS2 Group Descriptor
- Block and Fragment Bitmaps
- UFS1 Inodes
- UFS2 Inodes
- UFS2 Extended Attributes
- Directory Entries
- Summary
- Bibliography
Appendix A. The Sleuth Kit and Autopsy
- The Sleuth Kit
- Autopsy
- Bibliography
This book is organized into three parts. Part 1 provides the basic foundations, and Parts 2 and 3 provide the technical meat of the book. The book is organized so that we move up the layers of abstraction in a computer. We start by discussing hard disks and then discuss how disks are organized into partitions. After we discuss partitions, we discuss the contents of partitions, which are typically a file system.
Part 1, "Foundations," starts with Chapter 1, "Digital Investigation Foundations," and discusses the approach I take to a digital investigation. The different phases and guidelines are presented so that you know where I use the techniques described in this book. This book does not require that you use the same approach that I do. Chapter 2, "Computer Foundations," provides the computer foundations and describes data structures, data encoding, the boot process, and hard disk technology. Chapter 3, "Hard Disk Data Acquisition," provides the theory and a case study of hard disk acquisition so that we have data to analyze in Parts 2 and 3.
Part 2 of the book, "Volume Analysis," is about the analysis of the data structures that partition and assemble storage volumes. Chapter 4, "Volume Analysis," provides a general overview of volume analysis techniques, and Chapter 5, "PC-based Partitions," examines the common DOS and Apple partitions. Chapter 6, "Server-based Partitions," covers the partitions found in BSD, Sun Solaris, and Itanium-based systems. Chapter 7, "Multiple Disk Volumes," covers RAID and volume spanning.
Part 3 of the book, "File System Analysis," is about the analysis of the data structures in a volume that are used to store and retrieve files. Chapter 8, "File System Analysis," covers the general theory of file system analysis and defines the terminology for the rest of Part 3. Each file system has at least two chapters dedicated to it: the first chapter discusses the basic concepts and investigation techniques, and the second chapter covers the data structures and the manual analysis of example disk images. You can read the two chapters in parallel, read one after the other, or skip the data structures chapter altogether.
The designs of the file systems are very different, so they are described using a general file system model. The general model organizes the data in a file system into one of five categories: file system, content, metadata, file name, and application. This general model is used to describe each of the file systems so that it is easier to compare them.
Chapters 9, "FAT Concepts and Analysis," and 10, "FAT Data Structures," detail the FAT file system, and Chapters 11, "NTFS Concepts," 12, "NTFS Analysis," and 13, "NTFS Data Structures," cover NTFS. Next, we skip to the Unix file systems with Chapters 14, "Ext2 and Ext3 Concepts and Analysis," and 15, "Ext2 and Ext3 Data Structures," on the Linux Ext2 and Ext3 file systems. Lastly, Chapters 16, "UFS1 and UFS2 Concepts and Analysis," and 17, "UFS1 and UFS2 Data Structures," examine UFS1 and UFS2, which are found in FreeBSD, NetBSD, OpenBSD, and Sun Solaris.
After Part 3 of this book, you will know where a file existed on disk and the various data structures that need to be in sync for you to view it. This book does not discuss how to analyze the file's contents.