Roadmap
This book is organized into three parts. Part 1 provides the basic foundations, and Parts 2 and 3 provide the technical meat of the book. The book is organized so that we move up the layers of abstraction in a computer. We start by discussing hard disks and then discuss how disks are organized into partitions. After we discuss partitions, we discuss the contents of partitions, which are typically a file system.
Part 1, “Foundations,” starts with Chapter 1, “Digital Investigation Foundations,” which discusses the approach I take to a digital investigation. The different phases and guidelines are presented so that you know where I use the techniques described in this book; the book does not require that you use the same approach that I do. Chapter 2, “Computer Foundations,” provides the computer foundations and describes data structures, data encoding, the boot process, and hard disk technology. Chapter 3, “Hard Disk Data Acquisition,” provides the theory and a case study of hard disk acquisition so that we have data to analyze in Parts 2 and 3.

Part 2, “Volume Analysis,” is about the analysis of data structures that partition and assemble storage volumes. Chapter 4, “Volume Analysis,” provides a general overview of the volume analysis techniques, and Chapter 5, “PC-based Partitions,” examines the common DOS and Apple partitions. Chapter 6, “Server-based Partitions,” covers the partitions found in BSD, Sun Solaris, and Itanium-based systems. Chapter 7, “Multiple Disk Volumes,” covers RAID and volume spanning.

Part 3, “File System Analysis,” is about the analysis of data structures in a volume that are used to store and retrieve files. Chapter 8, “File System Analysis,” covers the general theory of file system analysis and defines terminology for the rest of Part 3. Each file system has at least two chapters dedicated to it: the first chapter discusses the basic concepts and investigation techniques, and the second chapter includes the data structures and manual analysis of example disk images. You can read the two chapters in parallel, read one after the other, or skip the data structures chapter altogether.
The designs of the file systems are very different, so they are described using a general file system model. The general model organizes the data in a file system into one of five categories: file system, content, metadata, file name, and application. This general model is used to describe each of the file systems so that it is easier to compare them. Chapters 9, “FAT Concepts and Analysis,” and 10, “FAT Data Structures,” detail the FAT file system, and Chapters 11, “NTFS Concepts,” 12, “NTFS Analysis,” and 13, “NTFS Data Structures,” cover NTFS. Next, we move to the Unix file systems with Chapters 14, “Ext2 and Ext3 Concepts and Analysis,” and 15, “Ext2 and Ext3 Data Structures,” on the Linux Ext2 and Ext3 file systems. Lastly, Chapters 16, “UFS1 and UFS2 Concepts and Analysis,” and 17, “UFS1 and UFS2 Data Structures,” examine UFS1 and UFS2, which are found in FreeBSD, NetBSD, OpenBSD, and Sun Solaris. After Part 3 of this book, you will know where a file existed on disk and the various data structures that need to be in sync for you to view it. This book does not discuss how to analyze the file’s contents.
Scope of Book
Now that you know what is included in this book, I will tell you what is not in this book. This book stops at the file system level and does not look at the application level. Therefore, we do not look at how to analyze various file formats, and we do not look at what files a specific OS or application creates. If you are interested in a step-by-step guide to investigating a Windows 98 computer that has been used to download suspect files, then you will be disappointed with this book. If you want a guide to investigating a compromised Linux server, then you may learn a few tricks in this book, but it is not what you are looking for. Those topics fall into the application analysis realm and require another book to do them justice. If you are interested in having more than just a step-by-step guide, then this book is probably for you.