{"product_id":"file-system-forensics-isbn-9781394289790","title":"File System Forensics","description":"\u003cp\u003e\u003cb\u003eComprehensive forensic reference explaining how file systems function and how forensic tools might work on particular file systems\u003c\/b\u003e \u003c\/p\u003e\u003cp\u003e\u003ci\u003eFile System Forensics\u003c\/i\u003e delivers comprehensive knowledge of how file systems function and, more importantly, how digital forensic tools might function in relation to specific file systems. It provides a step-by-step approach for file content and metadata recovery to allow the reader to manually recreate and validate results from file system forensic tools. \u003c\/p\u003e\u003cp\u003eThe book includes a supporting website that shares all of the data (i.e. sample file systems) used for demonstration in the text and provides teaching resources such as instructor guides, extra material, and more. \u003c\/p\u003e\u003cp\u003eWritten by a highly qualified associate professor and consultant in the field, \u003ci\u003eFile System Forensics\u003c\/i\u003e includes information on: \u003c\/p\u003e\u003cul\u003e\n\u003cli\u003eThe necessary concepts required to understand file system forensics for anyone with basic computing experience\u003c\/li\u003e\n\u003cli\u003eFile systems specific to Windows, Linux, and macOS, with coverage of FAT, ExFAT, and NTFS\u003c\/li\u003e\n\u003cli\u003eAdvanced topics such as deleted file recovery, fragmented file recovery, searching for particular files, links, checkpoints, snapshots, and RAID\u003c\/li\u003e\n\u003cli\u003eIssues facing file system forensics today and various issues that might evolve in the field in the coming years\u003c\/li\u003e\n\u003c\/ul\u003e \u003cp\u003e\u003ci\u003eFile System Forensics\u003c\/i\u003e is an essential, up-to-date reference on the subject for graduate and senior undergraduate students in digital forensics, as well as digital forensic analysts and other law enforcement 
professionals. \u003c\/p\u003e\u003cp\u003ePreface xvii \u003c\/p\u003e \u003cp\u003eAcknowledgements xxi \u003c\/p\u003e \u003cp\u003e\u003cb\u003ePart I Preliminaries 1\u003c\/b\u003e \u003c\/p\u003e \u003cp\u003e\u003cb\u003e1 Introduction 3\u003c\/b\u003e \u003c\/p\u003e \u003cp\u003e1.1 What is Digital Forensics? 4 \u003c\/p\u003e \u003cp\u003e1.2 File System Forensics 5 \u003c\/p\u003e \u003cp\u003e1.3 Digital Forensic Principles 5 \u003c\/p\u003e \u003cp\u003e1.4 Digital Forensic Methodology 7 \u003c\/p\u003e \u003cp\u003e1.4.1 Preparation 8 \u003c\/p\u003e \u003cp\u003e1.4.2 Localisation\/Preservation 8 \u003c\/p\u003e \u003cp\u003e1.4.3 Acquisition 8 \u003c\/p\u003e \u003cp\u003e1.4.4 Processing 9 \u003c\/p\u003e \u003cp\u003e1.4.5 Analysis 9 \u003c\/p\u003e \u003cp\u003e1.4.6 Reporting 9 \u003c\/p\u003e \u003cp\u003e1.4.7 Quality Assurance 10 \u003c\/p\u003e \u003cp\u003e1.4.8 Evidence Return 10 \u003c\/p\u003e \u003cp\u003e1.5 About This Book 10 \u003c\/p\u003e \u003cp\u003e1.5.1 Who Should Read This Book? 11 \u003c\/p\u003e \u003cp\u003e1.6 Book Structure 12 \u003c\/p\u003e \u003cp\u003e1.7 Summary 13 \u003c\/p\u003e \u003cp\u003eExercises 13 \u003c\/p\u003e \u003cp\u003eBibliography 14 \u003c\/p\u003e \u003cp\u003e\u003cb\u003e2 Linux as a Forensic Platform 17\u003c\/b\u003e \u003c\/p\u003e \u003cp\u003e2.1 Open-Source Software 17 \u003c\/p\u003e \u003cp\u003e2.1.1 Advantages of Open-Source Software 19 \u003c\/p\u003e \u003cp\u003e2.1.2 Open Source ≠ Free 20 \u003c\/p\u003e \u003cp\u003e2.2 Open-Source Software in Digital Forensics 20 \u003c\/p\u003e \u003cp\u003e2.3 What is Linux? 
21 \u003c\/p\u003e \u003cp\u003e2.3.1 The Anatomy of the Linux OS 22 \u003c\/p\u003e \u003cp\u003e2.3.2 Linux Distributions 27 \u003c\/p\u003e \u003cp\u003e2.3.3 A (very) Brief History of Linux 28 \u003c\/p\u003e \u003cp\u003e2.4 Using Linux 29 \u003c\/p\u003e \u003cp\u003e2.4.1 User Accounts 30 \u003c\/p\u003e \u003cp\u003e2.4.2 Basic Linux Commands 32 \u003c\/p\u003e \u003cp\u003e2.4.2.1 Navigating the File System 32 \u003c\/p\u003e \u003cp\u003e2.4.2.2 Getting Help 34 \u003c\/p\u003e \u003cp\u003e2.4.2.3 Viewing\/Editing Text Files 34 \u003c\/p\u003e \u003cp\u003e2.4.2.4 Managing Directories 35 \u003c\/p\u003e \u003cp\u003e2.4.2.5 Redirection and Pipes 35 \u003c\/p\u003e \u003cp\u003e2.5 Linux as a Forensic Platform 36 \u003c\/p\u003e \u003cp\u003e2.5.1 Commands for Digital Forensics 36 \u003c\/p\u003e \u003cp\u003e2.5.1.1 Hashing 36 \u003c\/p\u003e \u003cp\u003e2.5.1.2 Hex Viewers 38 \u003c\/p\u003e \u003cp\u003e2.5.1.3 Archiving\/Compression 39 \u003c\/p\u003e \u003cp\u003e2.5.1.4 The file Command 40 \u003c\/p\u003e \u003cp\u003e2.5.1.5 The strings Command 40 \u003c\/p\u003e \u003cp\u003e2.5.1.6 Text Searching with (e)grep 41 \u003c\/p\u003e \u003cp\u003e2.6 Summary 42 \u003c\/p\u003e \u003cp\u003eExercises\/Discussion Topics 42 \u003c\/p\u003e \u003cp\u003eBibliography 43 \u003c\/p\u003e \u003cp\u003e\u003cb\u003e3 Mathematical Preliminaries 45\u003c\/b\u003e \u003c\/p\u003e \u003cp\u003e3.1 Bits and Bytes 45 \u003c\/p\u003e \u003cp\u003e3.2 Number Systems 48 \u003c\/p\u003e \u003cp\u003e3.2.1 Notational Conventions 48 \u003c\/p\u003e \u003cp\u003e3.2.2 Decimal 48 \u003c\/p\u003e \u003cp\u003e3.2.3 Binary 49 \u003c\/p\u003e \u003cp\u003e3.2.4 Hexadecimal 50 \u003c\/p\u003e \u003cp\u003e3.2.5 Number Conversions 51 \u003c\/p\u003e \u003cp\u003e3.2.6 Number Conversion with Bash 51 \u003c\/p\u003e \u003cp\u003e3.2.7 Negative Numbers 53 \u003c\/p\u003e \u003cp\u003e3.2.8 Floating-Point Numbers 53 \u003c\/p\u003e \u003cp\u003e3.3 Representing Text 56 
\u003c\/p\u003e \u003cp\u003e3.3.1 ASCII 56 \u003c\/p\u003e \u003cp\u003e3.3.2 ISO-8859 57 \u003c\/p\u003e \u003cp\u003e3.3.3 Unicode 59 \u003c\/p\u003e \u003cp\u003e3.3.4 UTF-8 60 \u003c\/p\u003e \u003cp\u003e3.3.5 UTF-16 61 \u003c\/p\u003e \u003cp\u003e3.4 Representing Time 62 \u003c\/p\u003e \u003cp\u003e3.4.1 Unix Time 63 \u003c\/p\u003e \u003cp\u003e3.4.2 The Linux date Command 64 \u003c\/p\u003e \u003cp\u003e3.5 Endianness and Raw Data 64 \u003c\/p\u003e \u003cp\u003e3.6 Summary 66 \u003c\/p\u003e \u003cp\u003eExercises 67 \u003c\/p\u003e \u003cp\u003eBibliography 68 \u003c\/p\u003e \u003cp\u003e\u003cb\u003e4 Disks, Partitions and File Systems 69\u003c\/b\u003e \u003c\/p\u003e \u003cp\u003e4.1 Disk Storage 70 \u003c\/p\u003e \u003cp\u003e4.1.1 Traditional Rotational Hard Drives 71 \u003c\/p\u003e \u003cp\u003e4.1.1.1 Optical Media 72 \u003c\/p\u003e \u003cp\u003e4.1.2 Flash Drives 73 \u003c\/p\u003e \u003cp\u003e4.1.3 Solid-State Drives 73 \u003c\/p\u003e \u003cp\u003e4.2 Partitions 74 \u003c\/p\u003e \u003cp\u003e4.2.1 Creating Partitions\/File Systems on Linux 74 \u003c\/p\u003e \u003cp\u003e4.2.1.1 Mounting File Systems on Linux 77 \u003c\/p\u003e \u003cp\u003e4.2.2 Master Boot Record 78 \u003c\/p\u003e \u003cp\u003e4.2.3 GUID Partition Table 80 \u003c\/p\u003e \u003cp\u003e4.3 File Systems 83 \u003c\/p\u003e \u003cp\u003e4.3.1 File System Concepts 83 \u003c\/p\u003e \u003cp\u003e4.3.2 Comparison of File Systems 86 \u003c\/p\u003e \u003cp\u003e4.4 Acquisition of File System Data 88 \u003c\/p\u003e \u003cp\u003e4.4.1 Logical vs Physical Acquisition 88 \u003c\/p\u003e \u003cp\u003e4.4.2 Acquisition Under Linux 88 \u003c\/p\u003e \u003cp\u003e4.4.2.1 The dd Family 89 \u003c\/p\u003e \u003cp\u003e4.4.2.2 Expert Witness Format (EWF) 90 \u003c\/p\u003e \u003cp\u003e4.4.2.3 guymager 91 \u003c\/p\u003e \u003cp\u003e4.5 Analysis of File Systems 92 \u003c\/p\u003e \u003cp\u003e4.5.1 The Sleuth Kit 92 \u003c\/p\u003e \u003cp\u003e4.5.1.1 Determine the Partition 
Layout 93 \u003c\/p\u003e \u003cp\u003e4.5.1.2 Determine the File System Type 93 \u003c\/p\u003e \u003cp\u003e4.5.1.3 List the Files 94 \u003c\/p\u003e \u003cp\u003e4.5.1.4 Recover File Metadata 95 \u003c\/p\u003e \u003cp\u003e4.5.1.5 Recover File Content 95 \u003c\/p\u003e \u003cp\u003e4.5.1.6 Other TSK Commands 95 \u003c\/p\u003e \u003cp\u003e4.5.2 Data Carving 96 \u003c\/p\u003e \u003cp\u003e4.6 Summary 97 \u003c\/p\u003e \u003cp\u003eExercises 97 \u003c\/p\u003e \u003cp\u003eBibliography 98 \u003c\/p\u003e \u003cp\u003e\u003cb\u003ePart II Windows File Systems 99\u003c\/b\u003e \u003c\/p\u003e \u003cp\u003e\u003cb\u003e5 The FAT File System 101\u003c\/b\u003e \u003c\/p\u003e \u003cp\u003e5.1 On-Disk Structures 101 \u003c\/p\u003e \u003cp\u003e5.1.1 Layout 102 \u003c\/p\u003e \u003cp\u003e5.1.2 Volume Boot Record 102 \u003c\/p\u003e \u003cp\u003e5.1.3 File System Information (FSINFO) 102 \u003c\/p\u003e \u003cp\u003e5.1.4 File Allocation Table 104 \u003c\/p\u003e \u003cp\u003e5.1.5 Directory Entries 105 \u003c\/p\u003e \u003cp\u003e5.1.6 FAT Date and Time 108 \u003c\/p\u003e \u003cp\u003e5.1.7 Mapping Clusters to Sectors 109 \u003c\/p\u003e \u003cp\u003e5.2 Analysis of FAT32 109 \u003c\/p\u003e \u003cp\u003e5.2.1 Creating FAT32 File Systems 109 \u003c\/p\u003e \u003cp\u003e5.2.2 Supplied FAT32 Image Files 110 \u003c\/p\u003e \u003cp\u003e5.2.3 FAT32 Manual Analysis 110 \u003c\/p\u003e \u003cp\u003e5.2.3.1 Process the VBR 111 \u003c\/p\u003e \u003cp\u003e5.2.3.2 Process the Root Directory 112 \u003c\/p\u003e \u003cp\u003e5.2.3.3 Process Sub-directories 113 \u003c\/p\u003e \u003cp\u003e5.2.3.4 Recover Metadata\/Content 113 \u003c\/p\u003e \u003cp\u003e5.3 FAT32 Advanced Analysis 115 \u003c\/p\u003e \u003cp\u003e5.3.1 Deleted Files 116 \u003c\/p\u003e \u003cp\u003e5.3.2 The Volume Label 117 \u003c\/p\u003e \u003cp\u003e5.4 Summary 117 \u003c\/p\u003e \u003cp\u003eExercises 118 \u003c\/p\u003e \u003cp\u003eBibliography 118 \u003c\/p\u003e 
\u003cp\u003e\u003cb\u003e6 The ExFAT File System 121\u003c\/b\u003e \u003c\/p\u003e \u003cp\u003e6.1 On-Disk Structures 121 \u003c\/p\u003e \u003cp\u003e6.1.1 Volume Boot Record 122 \u003c\/p\u003e \u003cp\u003e6.1.2 File Allocation Table 123 \u003c\/p\u003e \u003cp\u003e6.1.3 Directory Entries 125 \u003c\/p\u003e \u003cp\u003e6.1.3.1 Allocation Bitmap (Type: 0x81) 127 \u003c\/p\u003e \u003cp\u003e6.1.3.2 Up-Case Table (Type: 0x82) 128 \u003c\/p\u003e \u003cp\u003e6.1.3.3 Volume Label (Type: 0x83) 128 \u003c\/p\u003e \u003cp\u003e6.1.3.4 File (Type: 0x85) 129 \u003c\/p\u003e \u003cp\u003e6.1.3.5 Volume GUID (Type: 0xA0) 130 \u003c\/p\u003e \u003cp\u003e6.1.3.6 Stream Extension (Type: 0xC0) 130 \u003c\/p\u003e \u003cp\u003e6.1.3.7 Filename Extension 131 \u003c\/p\u003e \u003cp\u003e6.1.3.8 Other Directory Entries 132 \u003c\/p\u003e \u003cp\u003e6.2 Analysis of ExFAT 132 \u003c\/p\u003e \u003cp\u003e6.2.1 Creating ExFAT File Systems 132 \u003c\/p\u003e \u003cp\u003e6.2.2 Supplied ExFAT Image Files 132 \u003c\/p\u003e \u003cp\u003e6.2.3 ExFAT Manual Analysis 132 \u003c\/p\u003e \u003cp\u003e6.2.3.1 Step 1: Process the VBR 133 \u003c\/p\u003e \u003cp\u003e6.2.3.2 Step 2: Process the Root Directory 133 \u003c\/p\u003e \u003cp\u003e6.2.3.3 Step 3: Process Subdirectories 136 \u003c\/p\u003e \u003cp\u003e6.2.3.4 Step 4: Recover Metadata 137 \u003c\/p\u003e \u003cp\u003e6.2.3.5 Step 5: Recover Content 137 \u003c\/p\u003e \u003cp\u003e6.3 ExFAT Advanced Analysis 139 \u003c\/p\u003e \u003cp\u003e6.3.1 Long File Names 139 \u003c\/p\u003e \u003cp\u003e6.3.2 Deleted Files 140 \u003c\/p\u003e \u003cp\u003e6.3.3 Fragmented Files and Large Directories 141 \u003c\/p\u003e \u003cp\u003e6.4 Summary 142 \u003c\/p\u003e \u003cp\u003eExercises 143 \u003c\/p\u003e \u003cp\u003eBibliography 143 \u003c\/p\u003e \u003cp\u003e\u003cb\u003e7 The NTFS File System 145\u003c\/b\u003e \u003c\/p\u003e \u003cp\u003e7.1 On-Disk Structures 146 \u003c\/p\u003e \u003cp\u003e7.1.1 $Boot 146 
\u003c\/p\u003e \u003cp\u003e7.1.2 Indexes 147 \u003c\/p\u003e \u003cp\u003e7.1.3 Fixup Arrays 149 \u003c\/p\u003e \u003cp\u003e7.1.4 Time in NTFS 150 \u003c\/p\u003e \u003cp\u003e7.1.5 Master File Table 151 \u003c\/p\u003e \u003cp\u003e7.1.6 MFT Record Structure 152 \u003c\/p\u003e \u003cp\u003e7.1.6.1 MFT Record Header 152 \u003c\/p\u003e \u003cp\u003e7.1.6.2 Browsing Attributes 155 \u003c\/p\u003e \u003cp\u003e7.1.6.3 $STANDARD_INFORMATION (0x10) 155 \u003c\/p\u003e \u003cp\u003e7.1.6.4 $ATTRIBUTE_LIST (0x20) 156 \u003c\/p\u003e \u003cp\u003e7.1.6.5 $FILENAME (0x30) 156 \u003c\/p\u003e \u003cp\u003e7.1.6.6 $OBJECT_ID (0x40) 157 \u003c\/p\u003e \u003cp\u003e7.1.6.7 $SECURITY_DESCRIPTOR (0x50) 159 \u003c\/p\u003e \u003cp\u003e7.1.6.8 $VOLUME_NAME (0x60) 162 \u003c\/p\u003e \u003cp\u003e7.1.6.9 $VOLUME_INFORMATION (0x70) 162 \u003c\/p\u003e \u003cp\u003e7.1.6.10 $DATA (0x80) 163 \u003c\/p\u003e \u003cp\u003e7.1.6.11 $INDEX_ROOT (0x90) 163 \u003c\/p\u003e \u003cp\u003e7.1.6.12 $INDEX_ALLOCATION (0xA0) 165 \u003c\/p\u003e \u003cp\u003e7.1.6.13 $BITMAP (0xB0) 165 \u003c\/p\u003e \u003cp\u003e7.1.6.14 $REPARSE_POINT (0xC0) 166 \u003c\/p\u003e \u003cp\u003e7.1.6.15 $EA_INFORMATION (0xD0) and $EA (0xE0) 167 \u003c\/p\u003e \u003cp\u003e7.2 Analysis of NTFS 167 \u003c\/p\u003e \u003cp\u003e7.2.1 Creating NTFS File Systems 168 \u003c\/p\u003e \u003cp\u003e7.2.2 Supplied NTFS Image Files 168 \u003c\/p\u003e \u003cp\u003e7.2.3 NTFS Manual Analysis 168 \u003c\/p\u003e \u003cp\u003e7.2.3.1 Process $Boot 169 \u003c\/p\u003e \u003cp\u003e7.2.3.2 Recover $MFT 171 \u003c\/p\u003e \u003cp\u003e7.2.3.3 Process Directories 173 \u003c\/p\u003e \u003cp\u003e7.2.3.4 Recover File Metadata 177 \u003c\/p\u003e \u003cp\u003e7.2.3.5 Recover File Content 182 \u003c\/p\u003e \u003cp\u003e7.3 NTFS Advanced Analysis 185 \u003c\/p\u003e \u003cp\u003e7.3.1 Further File System Information 185 \u003c\/p\u003e \u003cp\u003e7.3.2 Deleted Files 186 \u003c\/p\u003e \u003cp\u003e7.3.3 Fragmented Files 
187 \u003c\/p\u003e \u003cp\u003e7.3.4 Alternate Data Streams 190 \u003c\/p\u003e \u003cp\u003e7.3.5 Large MFT Records 191 \u003c\/p\u003e \u003cp\u003e7.4 Summary 194 \u003c\/p\u003e \u003cp\u003eExercises 194 \u003c\/p\u003e \u003cp\u003eBibliography 195 \u003c\/p\u003e \u003cp\u003e\u003cb\u003ePart III Linux File Systems 197\u003c\/b\u003e \u003c\/p\u003e \u003cp\u003e\u003cb\u003e8 The EXT2 File System 199\u003c\/b\u003e \u003c\/p\u003e \u003cp\u003e8.1 On-Disk Structures 200 \u003c\/p\u003e \u003cp\u003e8.1.1 The Superblock 201 \u003c\/p\u003e \u003cp\u003e8.1.2 The Block Group Descriptor Table 204 \u003c\/p\u003e \u003cp\u003e8.1.3 The Inode Table 205 \u003c\/p\u003e \u003cp\u003e8.1.3.1 Mode\/Permissions 207 \u003c\/p\u003e \u003cp\u003e8.1.3.2 Inode Flags 208 \u003c\/p\u003e \u003cp\u003e8.1.3.3 Block Pointers 208 \u003c\/p\u003e \u003cp\u003e8.1.4 The Data and Inode Bitmaps 209 \u003c\/p\u003e \u003cp\u003e8.1.5 Locating an Inode 209 \u003c\/p\u003e \u003cp\u003e8.2 Analysis of ext2 210 \u003c\/p\u003e \u003cp\u003e8.2.1 Creating ext2 File Systems 210 \u003c\/p\u003e \u003cp\u003e8.2.2 Supplied ext2 Image Files 210 \u003c\/p\u003e \u003cp\u003e8.2.3 Ext2 Manual Analysis 211 \u003c\/p\u003e \u003cp\u003e8.2.3.1 Process the Superblock 211 \u003c\/p\u003e \u003cp\u003e8.2.3.2 Map the Block Groups 213 \u003c\/p\u003e \u003cp\u003e8.2.3.3 Process Root Directory Inode 216 \u003c\/p\u003e \u003cp\u003e8.2.3.4 Process the Root Directory 217 \u003c\/p\u003e \u003cp\u003e8.2.3.5 Process Directories 219 \u003c\/p\u003e \u003cp\u003e8.2.3.6 Process Files 219 \u003c\/p\u003e \u003cp\u003e8.3 Ext2 Advanced Analysis 222 \u003c\/p\u003e \u003cp\u003e8.3.1 Fragmented Files 222 \u003c\/p\u003e \u003cp\u003e8.3.2 Links 223 \u003c\/p\u003e \u003cp\u003e8.3.3 Deleted Files 225 \u003c\/p\u003e \u003cp\u003e8.4 Summary 226 \u003c\/p\u003e \u003cp\u003eExercises 226 \u003c\/p\u003e \u003cp\u003eBibliography 227 \u003c\/p\u003e \u003cp\u003e\u003cb\u003e9 The EXT3\/EXT4 File 
Systems 229\u003c\/b\u003e \u003c\/p\u003e \u003cp\u003e9.1 Supplied Image Files 229 \u003c\/p\u003e \u003cp\u003e9.2 The ext3 File System 229 \u003c\/p\u003e \u003cp\u003e9.2.1 The Ext Journal 230 \u003c\/p\u003e \u003cp\u003e9.2.2 HTree Directory Indexing 237 \u003c\/p\u003e \u003cp\u003e9.3 The Ext4 File System 241 \u003c\/p\u003e \u003cp\u003e9.3.1 Large Inodes 241 \u003c\/p\u003e \u003cp\u003e9.3.1.1 Timestamps 241 \u003c\/p\u003e \u003cp\u003e9.3.2 Ext4 Data Storage 244 \u003c\/p\u003e \u003cp\u003e9.3.2.1 Extent-Based Storage 244 \u003c\/p\u003e \u003cp\u003e9.3.2.2 Inline Storage 248 \u003c\/p\u003e \u003cp\u003e9.3.2.3 Symbolic Links 248 \u003c\/p\u003e \u003cp\u003e9.3.3 File Deletion in Ext4 249 \u003c\/p\u003e \u003cp\u003e9.3.4 Extended Attributes 252 \u003c\/p\u003e \u003cp\u003e9.3.5 Ext4 Block Group Descriptors 255 \u003c\/p\u003e \u003cp\u003e9.3.6 Flexible Block Groups 255 \u003c\/p\u003e \u003cp\u003e9.4 Summary 258 \u003c\/p\u003e \u003cp\u003eExercises 259 \u003c\/p\u003e \u003cp\u003eBibliography 260 \u003c\/p\u003e \u003cp\u003e\u003cb\u003e10 The XFS File System 263\u003c\/b\u003e \u003c\/p\u003e \u003cp\u003e10.1 On-Disk Structures 264 \u003c\/p\u003e \u003cp\u003e10.1.1 Allocation Groups 264 \u003c\/p\u003e \u003cp\u003e10.1.2 Addressing 266 \u003c\/p\u003e \u003cp\u003e10.1.2.1 Inode Addressing 266 \u003c\/p\u003e \u003cp\u003e10.1.3 XFS B+ Trees 267 \u003c\/p\u003e \u003cp\u003e10.1.4 The Superblock 268 \u003c\/p\u003e \u003cp\u003e10.1.4.1 Locating Superblocks 268 \u003c\/p\u003e \u003cp\u003e10.1.5 XFS Signatures 271 \u003c\/p\u003e \u003cp\u003e10.1.6 XFS Inodes 271 \u003c\/p\u003e \u003cp\u003e10.1.7 Directories 273 \u003c\/p\u003e \u003cp\u003e10.1.8 Extents 274 \u003c\/p\u003e \u003cp\u003e10.1.9 Time in XFS 275 \u003c\/p\u003e \u003cp\u003e10.2 Analysis of XFS 275 \u003c\/p\u003e \u003cp\u003e10.2.1 Creating XFS File Systems 275 \u003c\/p\u003e \u003cp\u003e10.2.2 Supplied XFS Image Files 275 \u003c\/p\u003e \u003cp\u003e10.2.3 
XFS Manual Analysis 276 \u003c\/p\u003e \u003cp\u003e10.2.3.1 Process the Superblock 276 \u003c\/p\u003e \u003cp\u003e10.2.3.2 Locate the Root Directory 277 \u003c\/p\u003e \u003cp\u003e10.2.3.3 Process the Root Directory 279 \u003c\/p\u003e \u003cp\u003e10.2.3.4 Process the Subdirectories 281 \u003c\/p\u003e \u003cp\u003e10.2.3.5 Recover File Content\/Metadata 281 \u003c\/p\u003e \u003cp\u003e10.3 XFS Advanced Analysis 282 \u003c\/p\u003e \u003cp\u003e10.3.1 AG Free Space Management 283 \u003c\/p\u003e \u003cp\u003e10.3.1.1 AG Free List 285 \u003c\/p\u003e \u003cp\u003e10.3.2 AG Inode Management 286 \u003c\/p\u003e \u003cp\u003e10.3.3 Deleted Files 289 \u003c\/p\u003e \u003cp\u003e10.3.4 Extended Attributes 290 \u003c\/p\u003e \u003cp\u003e10.3.5 Links 291 \u003c\/p\u003e \u003cp\u003e10.3.6 The XFS Journal 292 \u003c\/p\u003e \u003cp\u003e10.4 Summary 300 \u003c\/p\u003e \u003cp\u003eExercises 301 \u003c\/p\u003e \u003cp\u003eBibliography 301 \u003c\/p\u003e \u003cp\u003e\u003cb\u003e11 The Btrfs File System 303\u003c\/b\u003e \u003c\/p\u003e \u003cp\u003e11.1 On-Disk Structures 304 \u003c\/p\u003e \u003cp\u003e11.1.1 The Superblock 305 \u003c\/p\u003e \u003cp\u003e11.1.2 Btrfs Trees 305 \u003c\/p\u003e \u003cp\u003e11.1.3 Btrfs Tree Structure 307 \u003c\/p\u003e \u003cp\u003e11.1.3.1 Node Header Structure 307 \u003c\/p\u003e \u003cp\u003e11.1.3.2 Internal Node Structure 309 \u003c\/p\u003e \u003cp\u003e11.1.4 Btrfs Keys 309 \u003c\/p\u003e \u003cp\u003e11.1.5 Btrfs Items 310 \u003c\/p\u003e \u003cp\u003e11.1.6 Time in Btrfs 315 \u003c\/p\u003e \u003cp\u003e11.1.7 Logical and Physical Addressing 315 \u003c\/p\u003e \u003cp\u003e11.2 Analysis of Btrfs 317 \u003c\/p\u003e \u003cp\u003e11.2.1 Creating Btrfs File Systems 317 \u003c\/p\u003e \u003cp\u003e11.2.2 Supplied Btrfs Image Files 318 \u003c\/p\u003e \u003cp\u003e11.2.3 Btrfs Analysis Methodology 318 \u003c\/p\u003e \u003cp\u003e11.2.4 Manual Analysis of a Single Device File System 320 \u003c\/p\u003e 
\u003cp\u003e11.2.4.1 Process the Superblock 320 \u003c\/p\u003e \u003cp\u003e11.2.4.2 Process the CHUNK_ARRAY 321 \u003c\/p\u003e \u003cp\u003e11.2.4.3 Locate the CHUNK_TREE 322 \u003c\/p\u003e \u003cp\u003e11.2.4.4 Process the CHUNK_TREE 323 \u003c\/p\u003e \u003cp\u003e11.2.4.5 Locate the Root Tree 326 \u003c\/p\u003e \u003cp\u003e11.2.4.6 Locate the FS_TREE 327 \u003c\/p\u003e \u003cp\u003e11.2.4.7 Processing the FS_TREE 328 \u003c\/p\u003e \u003cp\u003e11.2.4.8 Process Directories 329 \u003c\/p\u003e \u003cp\u003e11.2.4.9 Recovering Metadata 335 \u003c\/p\u003e \u003cp\u003e11.2.4.10 Recovering File Contents 336 \u003c\/p\u003e \u003cp\u003e11.3 Btrfs Advanced Analysis 338 \u003c\/p\u003e \u003cp\u003e11.3.1 File Deletion 338 \u003c\/p\u003e \u003cp\u003e11.3.2 Analysis of Internal Nodes 342 \u003c\/p\u003e \u003cp\u003e11.3.3 Multiple Device Configuration 343 \u003c\/p\u003e \u003cp\u003e11.3.4 Subvolumes and Snapshots 346 \u003c\/p\u003e \u003cp\u003e11.4 Summary 350 \u003c\/p\u003e \u003cp\u003eExercises 350 \u003c\/p\u003e \u003cp\u003eBibliography 351 \u003c\/p\u003e \u003cp\u003e\u003cb\u003ePart IV Apple File Systems 353\u003c\/b\u003e \u003c\/p\u003e \u003cp\u003e\u003cb\u003e12 The HFS+ File System 355\u003c\/b\u003e \u003c\/p\u003e \u003cp\u003e12.1 On-Disk Structures 355 \u003c\/p\u003e \u003cp\u003e12.1.1 Forks 357 \u003c\/p\u003e \u003cp\u003e12.1.2 Time in HFS+ 357 \u003c\/p\u003e \u003cp\u003e12.1.3 Volume Header 358 \u003c\/p\u003e \u003cp\u003e12.1.4 B-Trees 358 \u003c\/p\u003e \u003cp\u003e12.1.5 Catalog File 362 \u003c\/p\u003e \u003cp\u003e12.1.6 HFS+ Permissions 363 \u003c\/p\u003e \u003cp\u003e12.1.7 Text Encoding 365 \u003c\/p\u003e \u003cp\u003e12.1.8 Extents Overflow File 365 \u003c\/p\u003e \u003cp\u003e12.1.9 Allocation File 366 \u003c\/p\u003e \u003cp\u003e12.1.10 HFS+ Journal 367 \u003c\/p\u003e \u003cp\u003e12.2 Analysis of HFS+ 369 \u003c\/p\u003e \u003cp\u003e12.2.1 Creating HFS+ File Systems 369 \u003c\/p\u003e 
\u003cp\u003e12.2.2 Supplied HFS+ Image Files 370 \u003c\/p\u003e \u003cp\u003e12.2.3 HFS+ Manual Analysis 370 \u003c\/p\u003e \u003cp\u003e12.2.3.1 Process the Volume Header 370 \u003c\/p\u003e \u003cp\u003e12.2.3.2 Locate the Catalog File 371 \u003c\/p\u003e \u003cp\u003e12.2.3.3 Process the Catalog B-Tree 373 \u003c\/p\u003e \u003cp\u003e12.2.3.4 Gather Metadata 377 \u003c\/p\u003e \u003cp\u003e12.2.3.5 Recover File Content 377 \u003c\/p\u003e \u003cp\u003e12.3 HFS+ Advanced Analysis 380 \u003c\/p\u003e \u003cp\u003e12.3.1 Deleted Files 380 \u003c\/p\u003e \u003cp\u003e12.3.2 Index Nodes 381 \u003c\/p\u003e \u003cp\u003e12.3.3 Fragmented Files 383 \u003c\/p\u003e \u003cp\u003e12.3.4 Links 387 \u003c\/p\u003e \u003cp\u003e12.4 Summary 390 \u003c\/p\u003e \u003cp\u003eExercises 391 \u003c\/p\u003e \u003cp\u003eBibliography 391 \u003c\/p\u003e \u003cp\u003e\u003cb\u003e13 The APFS File System 393\u003c\/b\u003e \u003c\/p\u003e \u003cp\u003e13.1 On-Disk Structures 394 \u003c\/p\u003e \u003cp\u003e13.1.1 Time in APFS 394 \u003c\/p\u003e \u003cp\u003e13.1.2 Objects 394 \u003c\/p\u003e \u003cp\u003e13.1.3 B-Trees 396 \u003c\/p\u003e \u003cp\u003e13.1.4 Containers and Volumes 399 \u003c\/p\u003e \u003cp\u003e13.1.5 Container Superblock 400 \u003c\/p\u003e \u003cp\u003e13.1.6 Volume Superblock 402 \u003c\/p\u003e \u003cp\u003e13.1.7 Object Maps 404 \u003c\/p\u003e \u003cp\u003e13.1.8 File-Related Structures 405 \u003c\/p\u003e \u003cp\u003e13.1.8.1 File System Keys 406 \u003c\/p\u003e \u003cp\u003e13.1.8.2 Inode 407 \u003c\/p\u003e \u003cp\u003e13.1.8.3 Directory Record 408 \u003c\/p\u003e \u003cp\u003e13.1.8.4 Extent 410 \u003c\/p\u003e \u003cp\u003e13.1.9 Checkpoints 410 \u003c\/p\u003e \u003cp\u003e13.1.10 Other APFS Structures 412 \u003c\/p\u003e \u003cp\u003e13.2 Analysis of APFS 412 \u003c\/p\u003e \u003cp\u003e13.2.1 Creating APFS File Systems 412 \u003c\/p\u003e \u003cp\u003e13.2.2 Supplied APFS Image Files 413 \u003c\/p\u003e \u003cp\u003e13.2.3 APFS Manual 
Analysis 413 \u003c\/p\u003e \u003cp\u003e13.2.3.1 Process the Container Superblock 414 \u003c\/p\u003e \u003cp\u003e13.2.3.2 Process the Container Object Map 415 \u003c\/p\u003e \u003cp\u003e13.2.3.3 Process the Volume Superblock 418 \u003c\/p\u003e \u003cp\u003e13.2.3.4 Process the Volume Object Map 418 \u003c\/p\u003e \u003cp\u003e13.2.3.5 Process the File System Tree 419 \u003c\/p\u003e \u003cp\u003e13.3 APFS Advanced Analysis 425 \u003c\/p\u003e \u003cp\u003e13.3.1 Deleted Files 425 \u003c\/p\u003e \u003cp\u003e13.3.2 Checkpoint Recovery 426 \u003c\/p\u003e \u003cp\u003e13.3.3 Multi-Level B-Trees 427 \u003c\/p\u003e \u003cp\u003e13.3.4 Multiple Volumes 429 \u003c\/p\u003e \u003cp\u003e13.3.5 Extended Attributes 430 \u003c\/p\u003e \u003cp\u003e13.3.6 Links 431 \u003c\/p\u003e \u003cp\u003e13.4 Summary 433 \u003c\/p\u003e \u003cp\u003eExercises 433 \u003c\/p\u003e \u003cp\u003eBibliography 434 \u003c\/p\u003e \u003cp\u003e\u003cb\u003ePart V The Future 435\u003c\/b\u003e \u003c\/p\u003e \u003cp\u003e\u003cb\u003e14 Future Challenges in Digital Forensics 437\u003c\/b\u003e \u003c\/p\u003e \u003cp\u003e14.1 Challenges in Digital Forensics 437 \u003c\/p\u003e \u003cp\u003e14.1.1 Data Volume 438 \u003c\/p\u003e \u003cp\u003e14.1.2 Multi-Source Correlation 439 \u003c\/p\u003e \u003cp\u003e14.1.3 New File Systems 440 \u003c\/p\u003e \u003cp\u003e14.1.4 Encryption 440 \u003c\/p\u003e \u003cp\u003e14.1.5 Cloud Storage 441 \u003c\/p\u003e \u003cp\u003e14.1.6 Lack of Resources 441 \u003c\/p\u003e \u003cp\u003e14.1.6.1 Human Resources 441 \u003c\/p\u003e \u003cp\u003e14.1.6.2 Software Resources 442 \u003c\/p\u003e \u003cp\u003e14.1.6.3 Hardware Resources 442 \u003c\/p\u003e \u003cp\u003e14.1.7 Tool Validation\/Datasets 443 \u003c\/p\u003e \u003cp\u003e14.1.8 Lack of Standardisation 444 \u003c\/p\u003e \u003cp\u003e14.1.9 Legal\/Scientific Challenges 444 \u003c\/p\u003e \u003cp\u003e14.1.10 Presentation of Evidence 445 \u003c\/p\u003e \u003cp\u003e14.1.11 Human Error\/Bias 
446 \u003c\/p\u003e \u003cp\u003e14.2 Where Do We Go from Here? 447 \u003c\/p\u003e \u003cp\u003e14.2.1 Training\/Education 448 \u003c\/p\u003e \u003cp\u003e14.2.2 Free Open-Source Software (FOSS) 448 \u003c\/p\u003e \u003cp\u003e14.2.3 Triage 449 \u003c\/p\u003e \u003cp\u003e14.2.4 Artificial Intelligence (AI) 449 \u003c\/p\u003e \u003cp\u003e14.2.5 Live Data Forensics 450 \u003c\/p\u003e \u003cp\u003e14.2.6 Legal Solutions 451 \u003c\/p\u003e \u003cp\u003e14.2.7 Data Set Development\/Tool Testing 452 \u003c\/p\u003e \u003cp\u003e14.2.8 Standardisation 452 \u003c\/p\u003e \u003cp\u003e14.2.9 Information Sharing 453 \u003c\/p\u003e \u003cp\u003e14.2.10 Virtualisation 453 \u003c\/p\u003e \u003cp\u003e14.3 Summary 454 \u003c\/p\u003e \u003cp\u003eBibliography 454 \u003c\/p\u003e \u003cp\u003eIndex 457\u003c\/p\u003e  \u003cp\u003e\u003cb\u003eFergus Toolan, PhD,\u003c\/b\u003e is an Associate Professor in the Norwegian Police University College. He has published over 30 peer-reviewed papers and supervised a number of master’s and PhD students throughout his career. Additionally, Dr. Toolan has provided consultancy services to a number of police services and other governmental organizations. He has taught a range of courses from introductory programming to advanced databases, and from computer hardware to discrete mathematics.   \u003c\/p\u003e","brand":"Wiley","offers":[{"title":"Default Title","offer_id":47989207433445,"sku":"NP9781394289790","price":140.0,"currency_code":"USD","in_stock":false}],"thumbnail_url":"\/\/cdn.shopify.com\/s\/files\/1\/1842\/7735\/files\/9781394289790.jpg?v=1761783210","url":"https:\/\/k12savings.com\/products\/file-system-forensics-isbn-9781394289790","provider":"K12savings","version":"1.0","type":"link"}