Preface xvii
Acknowledgements xxi

Part I Preliminaries 1

1 Introduction 3
  1.1 What is Digital Forensics? 4
  1.2 File System Forensics 5
  1.3 Digital Forensic Principles 5
  1.4 Digital Forensic Methodology 7
    1.4.1 Preparation 8
    1.4.2 Localisation/Preservation 8
    1.4.3 Acquisition 8
    1.4.4 Processing 9
    1.4.5 Analysis 9
    1.4.6 Reporting 9
    1.4.7 Quality Assurance 10
    1.4.8 Evidence Return 10
  1.5 About This Book 10
    1.5.1 Who Should Read This Book? 11
  1.6 Book Structure 12
  1.7 Summary 13
  Exercises 13
  Bibliography 14

2 Linux as a Forensic Platform 17
  2.1 Open-Source Software 17
    2.1.1 Advantages of Open-Source Software 19
    2.1.2 Open Source ≠ Free 20
  2.2 Open-Source Software in Digital Forensics 20
  2.3 What is Linux? 21
    2.3.1 The Anatomy of the Linux OS 22
    2.3.2 Linux Distributions 27
    2.3.3 A (very) Brief History of Linux 28
  2.4 Using Linux 29
    2.4.1 User Accounts 30
    2.4.2 Basic Linux Commands 32
      2.4.2.1 Navigating the File System 32
      2.4.2.2 Getting Help 34
      2.4.2.3 Viewing/Editing Text Files 34
      2.4.2.4 Managing Directories 35
      2.4.2.5 Redirection and Pipes 35
  2.5 Linux as a Forensic Platform 36
    2.5.1 Commands for Digital Forensics 36
      2.5.1.1 Hashing 36
      2.5.1.2 Hex Viewers 38
      2.5.1.3 Archiving/Compression 39
      2.5.1.4 The file Command 40
      2.5.1.5 The strings Command 40
      2.5.1.6 Text Searching with (e)grep 41
  2.6 Summary 42
  Exercises/Discussion Topics 42
  Bibliography 43

3 Mathematical Preliminaries 45
  3.1 Bits and Bytes 45
  3.2 Number Systems 48
    3.2.1 Notational Conventions 48
    3.2.2 Decimal 48
    3.2.3 Binary 49
    3.2.4 Hexadecimal 50
    3.2.5 Number Conversions 51
    3.2.6 Number Conversion with Bash 51
    3.2.7 Negative Numbers 53
    3.2.8 Floating-Point Numbers 53
  3.3 Representing Text 56
    3.3.1 ASCII 56
    3.3.2 ISO-8859 57
    3.3.3 Unicode 59
    3.3.4 UTF-8 60
    3.3.5 UTF-16 61
  3.4 Representing Time 62
    3.4.1 Unix Time 63
    3.4.2 The Linux date Command 64
  3.5 Endianness and Raw Data 64
  3.6 Summary 66
  Exercises 67
  Bibliography 68

4 Disks, Partitions and File Systems 69
  4.1 Disk Storage 70
    4.1.1 Traditional Rotational Hard Drives 71
      4.1.1.1 Optical Media 72
    4.1.2 Flash Drives 73
    4.1.3 Solid-State Drives 73
  4.2 Partitions 74
    4.2.1 Creating Partitions/File Systems on Linux 74
      4.2.1.1 Mounting File Systems on Linux 77
    4.2.2 Master Boot Record 78
    4.2.3 GUID Partition Table 80
  4.3 File Systems 83
    4.3.1 File System Concepts 83
    4.3.2 Comparison of File Systems 86
  4.4 Acquisition of File System Data 88
    4.4.1 Logical vs Physical Acquisition 88
    4.4.2 Acquisition Under Linux 88
      4.4.2.1 The dd Family 89
      4.4.2.2 Expert Witness Format (EWF) 90
      4.4.2.3 guymager 91
  4.5 Analysis of File Systems 92
    4.5.1 The Sleuth Kit 92
      4.5.1.1 Determine the Partition Layout 93
      4.5.1.2 Determine the File System Type 93
      4.5.1.3 List the Files 94
      4.5.1.4 Recover File Metadata 95
      4.5.1.5 Recover File Content 95
      4.5.1.6 Other TSK Commands 95
    4.5.2 Data Carving 96
  4.6 Summary 97
  Exercises 97
  Bibliography 98

Part II Windows File Systems 99

5 The FAT File System 101
  5.1 On-Disk Structures 101
    5.1.1 Layout 102
    5.1.2 Volume Boot Record 102
    5.1.3 File System Information (FSINFO) 102
    5.1.4 File Allocation Table 104
    5.1.5 Directory Entries 105
    5.1.6 FAT Date and Time 108
    5.1.7 Mapping Clusters to Sectors 109
  5.2 Analysis of FAT32 109
    5.2.1 Creating FAT32 File Systems 109
    5.2.2 Supplied FAT32 Image Files 110
    5.2.3 FAT32 Manual Analysis 110
      5.2.3.1 Process the VBR 111
      5.2.3.2 Process the Root Directory 112
      5.2.3.3 Process Sub-directories 113
      5.2.3.4 Recover Metadata/Content 113
  5.3 FAT32 Advanced Analysis 115
    5.3.1 Deleted Files 116
    5.3.2 The Volume Label 117
  5.4 Summary 117
  Exercises 118
  Bibliography 118

6 The ExFAT File System 121
  6.1 On-Disk Structures 121
    6.1.1 Volume Boot Record 122
    6.1.2 File Allocation Table 123
    6.1.3 Directory Entries 125
      6.1.3.1 Allocation Bitmap (Type: 0x81) 127
      6.1.3.2 Up-Case Table (Type: 0x82) 128
      6.1.3.3 Volume Label (Type: 0x83) 128
      6.1.3.4 File (Type: 0x85) 129
      6.1.3.5 Volume GUID (Type: 0xA0) 130
      6.1.3.6 Stream Extension (Type: 0xC0) 130
      6.1.3.7 Filename Extension 131
      6.1.3.8 Other Directory Entries 132
  6.2 Analysis of ExFAT 132
    6.2.1 Creating ExFAT File Systems 132
    6.2.2 Supplied ExFAT Image Files 132
    6.2.3 ExFAT Manual Analysis 132
      6.2.3.1 Step 1: Process the VBR 133
      6.2.3.2 Step 2: Process the Root Directory 133
      6.2.3.3 Step 3: Process Subdirectories 136
      6.2.3.4 Step 4: Recover Metadata 137
      6.2.3.5 Step 5: Recover Content 137
  6.3 ExFAT Advanced Analysis 139
    6.3.1 Long File Names 139
    6.3.2 Deleted Files 140
    6.3.3 Fragmented Files and Large Directories 141
  6.4 Summary 142
  Exercises 143
  Bibliography 143

7 The NTFS File System 145
  7.1 On-Disk Structures 146
    7.1.1 $Boot 146
    7.1.2 Indexes 147
    7.1.3 Fixup Arrays 149
    7.1.4 Time in NTFS 150
    7.1.5 Master File Table 151
    7.1.6 MFT Record Structure 152
      7.1.6.1 MFT Record Header 152
      7.1.6.2 Browsing Attributes 155
      7.1.6.3 $STANDARD_INFORMATION (0x10) 155
      7.1.6.4 $ATTRIBUTE_LIST (0x20) 156
      7.1.6.5 $FILENAME (0x30) 156
      7.1.6.6 $OBJECT_ID (0x40) 157
      7.1.6.7 $SECURITY_DESCRIPTOR (0x50) 159
      7.1.6.8 $VOLUME_NAME (0x60) 162
      7.1.6.9 $VOLUME_INFORMATION (0x70) 162
      7.1.6.10 $DATA (0x80) 163
      7.1.6.11 $INDEX_ROOT (0x90) 163
      7.1.6.12 $INDEX_ALLOCATION (0xA0) 165
      7.1.6.13 $BITMAP (0xB0) 165
      7.1.6.14 $REPARSE_POINT (0xC0) 166
      7.1.6.15 $EA_INFORMATION (0xD0) and $EA (0xE0) 167
  7.2 Analysis of NTFS 167
    7.2.1 Creating NTFS File Systems 168
    7.2.2 Supplied NTFS Image Files 168
    7.2.3 NTFS Manual Analysis 168
      7.2.3.1 Process $Boot 169
      7.2.3.2 Recover $MFT 171
      7.2.3.3 Process Directories 173
      7.2.3.4 Recover File Metadata 177
      7.2.3.5 Recover File Content 182
  7.3 NTFS Advanced Analysis 185
    7.3.1 Further File System Information 185
    7.3.2 Deleted Files 186
    7.3.3 Fragmented Files 187
    7.3.4 Alternate Data Streams 190
    7.3.5 Large MFT Records 191
  7.4 Summary 194
  Exercises 194
  Bibliography 195

Part III Linux File Systems 197

8 The EXT2 File System 199
  8.1 On-Disk Structures 200
    8.1.1 The Superblock 201
    8.1.2 The Block Group Descriptor Table 204
    8.1.3 The Inode Table 205
      8.1.3.1 Mode/Permissions 207
      8.1.3.2 Inode Flags 208
      8.1.3.3 Block Pointers 208
    8.1.4 The Data and Inode Bitmaps 209
    8.1.5 Locating an Inode 209
  8.2 Analysis of ext2 210
    8.2.1 Creating ext2 File Systems 210
    8.2.2 Supplied ext2 Image Files 210
    8.2.3 Ext2 Manual Analysis 211
      8.2.3.1 Process the Superblock 211
      8.2.3.2 Map the Block Groups 213
      8.2.3.3 Process Root Directory Inode 216
      8.2.3.4 Process the Root Directory 217
      8.2.3.5 Process Directories 219
      8.2.3.6 Process Files 219
  8.3 Ext2 Advanced Analysis 222
    8.3.1 Fragmented Files 222
    8.3.2 Links 223
    8.3.3 Deleted Files 225
  8.4 Summary 226
  Exercises 226
  Bibliography 227

9 The EXT3/EXT4 File Systems 229
  9.1 Supplied Image Files 229
  9.2 The ext3 File System 229
    9.2.1 The Ext Journal 230
    9.2.2 HTree Directory Indexing 237
  9.3 The Ext4 File System 241
    9.3.1 Large Inodes 241
      9.3.1.1 Timestamps 241
    9.3.2 Ext4 Data Storage 244
      9.3.2.1 Extent-Base.