Home
 
Conferences
Dig Inv Basics
History Model Basics
 
Dig Inv Papers
Dig Inv Tools
File Systems Book
Forensics Tool Testing
Open Source Forensics

FSFA Online Bibliography

One of the problems with referencing the work of others using URLs is that the work may move and the link becomes dead. The purpose of this page is to maintain the references that are used in the book. If you find that any of these become dead, please let me know (fsfa at digital-evidence dot org).

Part 1
Foundations

 Part 2
Volume Analysis		 Part 3
File System Analysis
Ch 0: Preface Ch 4: Volume Analysis Ch 8: File System Analysis
Ch 1: Investigation Ch 5: PC Partitions Ch 9 & 10: FAT
Ch 2: Computer Ch 6: Server Partitions Ch 11, 12, & 13: NTFS
Ch 3: Acquisition Ch 7: Multiple Disk Ch 14 & 15: ExtX
    Ch 16 & 17: UFS

back

Preface

Casey, Eoghan. Digital Evidence and Computer Crime. 2nd ed. London: Academic Press, 2004. Available at: http://www.corpus-delicti.com/fs_bookstore/decc/.

Kruse,Warren and Jay Heiser. Computer Forensics. Boston: Addison Wesley, 2002. Available at: http://www.aw-bc.com/catalog/academic/product/0,1144,0201707195,00.html.

Mandia, Kevin, Chris Prosise, and Matt Pepe. Incident Response and Computer Forensics. Emeryville: McGraw Hill/Osborne, 2003. Available at: http://www.incidentresponsebook.com/index.html.

Chapter 1 - Investigation Foundations

AccessData. The Forensic Toolkit (FTK). Available at: http://www.accessdata.com

ASR Data. SMART. Available at: http://www.asrdata.com.

Brenner, Susan, Brian Carrier, and Jef Henninger. "The Trojan Defense in Cybercrime Cases," Santa Clara Computer and High Technology Law Journal, 21(1), (2004).

Bejtlich, Richard. The Tao of Network Security Monitoring: Beyond Intrusion Detection. Boston: Addison Wesley, 2005. Available at: http://www.taosecurity.com/books.html

Carrier, Brian. "Defining Digital Forensic Examination and Analysis Tools Using Abstraction Layers." International Journal of Digital Evidence, (Winter 2003), www.ijde.org.

Carrier, Brian. Open Source Digital Forensics Site. Available at: http://www.opensourceforensics.org.

Carrier, Brian. Open Source Digital Forensic Tools: The Legal Argument, (Fall 2003). http://www.digital-evidence.org

Carrier, Brian. The Sleuth Kit (TSK) & Autopsy. Available at: http://www.sleuthkit.org.

Carrier, Brian, and Eugene H. Spafford. "Getting Physical with the Digital Investigation Process" International Journal of Digital Evidence, (Fall 2003), http://www.ijde.org.

Casey, Eoghan. Digital Evidence and Computer Crime. 2nd ed. London: Academic Press, 2004. www.corpus-delicti.com

Clifford, Ralph, ed. Cybercrime: The Investigation, Prosecution, and Defense of a Computer-Related Crime. Durham: Carolina Academic Press, 2001.

George, Esther. "UK Computer Misuse Act-The Trojan Virus Defense," Journal of Digital Investigation, 1(2).

Guidance Software. EnCase. Available at: http://www.encase.com

The Honeynet Project. Know Your Enemy. 2nd ed. Boston: Addison-Wesley. 2004. http://www.honeynet.org

Houghton Mifflin Company. The American Heritage Dictionary. 4th ed. Boston: Houghton Mifflin, 2000.

Mandia, Kevin, Chris Prosise, and Matt Pepe. Incident Response and Computer Forensics. 2nd ed. Emeryville: Osborne, 2003.

NIST. National Software Reference Library (NSRL). Available at: http://www.nsrl.nist.gov.

Schneier, Bruce. Applied Cryptography. 2nd ed. New York:Wiley Publishing, 1995.

Siedsma, Christine. Electronic Evidence Information Site. Available at: http://www.e-evidence.info.

Technology Pathways. ProDiscover. Available at: http://www.techpathways.com

Tunnissen, Jacco. Computer Forensics, Cybercrime and Steganography Site. Available at: http://www.forensics.nl.

VMWare. VMWare Tool. Available at: http://www.vmware.com.

Chapter 2 - Computer Foundations

ASCII Table. http://www.asciitable.com/.

PC Guide. Hard Disk Drives. http://www.pcguide.com/.

Sammes, Tony, and Brian Jenkinson. Forensic Computing: A Practitioner's Guide. New York: Springer-Verlag, 2000.

T13. "Information Technology-AT Attachment Interface for Disk Drives," X3T10, 791D Revision 4c, (1994), http://www.t13.org/project/d0791r4c-ATA-1.pdf.

T13. "Information Technology-AT Attachment with Packet Interface-6 (ATA/ ATAPI-6)," 1410D Revision 3b, (February 26, 2002), http://www.t13.org/docs2002/d1410r3b.pdf.

T13. "Information Technology-AT Attachment with Packet Interface Extension (ATA/ATAPI-4)," 1153D Revision 18, (August 19, 1998), http://www.t13.org/project/d1153r18-ATA-ATAPI-4.pdf.

T13. "Information Technology-AT Attachment-3 Interface (ATA-3)," X3T13, 2008D Revision 7b, (January 27, 1997), http://www.t13.org/project/d2008r7b-ATA-3.pdf.

Unicode. www.unicode.org.

Chapter 3 - Hard Disk Data Acquisition

Carrier, Brian. diskstat. www.sleuthkit.org.

cryptcat. http://sf.net/projects/cryptcat.

Expert Witness Image Format. http://www.asrdata.com/SMART/whitepaper.html

Garloff, Kurt. dd_rescue. http://www.garloff.de/kurt/linux/ddrescue.

Garner, George. dd. http://users.erols.com/gmgarner/forensics/.

Hobbit. netcat. http://www.securityfocus.com/tools/137

ICS. The Image MASSter Solo 2. http://www.icsforensic.com

Mares, Dan. hpa. http://www.dmares.com/maresware/gk.htm#HPA.

MyKey Technology. DRIVEID. http://www.mykeytech.com.

MyKey Technology, Inc. "Technical White Paper: No Write Design Notes," (2003), http://mykeytech.com/nowritepaper1.html.

NIST. Computer Forensic Tool Testing. http://www.cftt.nist.gov.

Sanderson, Paul. BXDR. http://www.sandersonforensics.co.uk/BXDR.htm.

Skoudis, Ed, and Lenny Zeltser.Malware: Fighting Malicous Code. Upper Saddle River: Prentice Hall, 2004.

Syring, Karl. UnxUtils. http://unxutils.sourceforge.net.

Technology Pathways, Inc. "ProDiscover Image File Format," (2003), http://www.techpathways.com/uploads/ProDiscoverImageFileFormatv4.pdf.

U.S. DCCI. dccidd. http://www.dc3.mil. Also available by sending email to dcci at dc3 dot mil.

U.S. DCFL. dcfldd. http://dcfldd.sourceforge.net/.

U.S. Department of Justice. "Test Results for Disc Imaging Tools: SafeBack 2.18," NCJ 200032, (June 2003), https://www.ncjrs.org/pdffiles1/nij/20032.pdf.

Chapter 4 - Volume Analysis

Brzitwa, Michail. gpart. http://www.stud.uni-hannover.de/user/76201/gpart/.

Grenier, Christophe. TestDisk. http://www.cgsecurity.org/testdisk.html.

Chapter 5 - PC-Based Partitions

Agile Risk Management. "Linux Forensics-Week 1 (Multiple Session CDRs)," (March 19, 2004), http://www.agilerm.net/linux1.html.

Apple. "File Manager Reference," (March 1, 2004), http://developer.apple.com/...

Apple. "Inside Macintosh: Devices," (July 3, 1996), http://developer.apple.com/....

Brouwer, Andries."Minimal Partition Table Specification," (September 16, 1999), http://www.win.tue.nl/~aeb/partitions/partition_tables.html

Brouwer, Andries. "Partition Types," (December 12, 2004), http://www.win.tue.nl/~aeb/partitions/partition_types.html.

Carrier, Brian. "Extended Partition Test,"Digital Forensic Tool Testing Images, (July 2003), http://dftt.sourceforge.net/test1/index.html.

CDRoller. Reading Data CD, http://www.cdroller.com/htm/readdata.html.

ECMA."Volume and File Structure of CDROM for Information Interchange," ISO Spec, (September 1998), http://www.ecma-international.org/publications/files/ECMA-ST/Ecma-119.pdf.

Landis, Hale."How it Works:Master Boot Record," (May 6, 2002), http://www.ata-atapi.com/hiwmbr.htm.

Landis, Hale."How it Works: Partition Types," (December 12, 2004), http://www.ata-atapi.com/hiwtab.htm.

Microsoft. "Basic Disks and Volumes Technical Reference," Windows Server 2003 Technical Reference, (n.d.), http://www.microsoft.com.

Microsoft."Managing GPT Disks in Itanium-based Computers," Windows XP Professional Resource Kit Documentation, (2004), http://www.microsoft.com.

Microsoft."MS-DOS Partitioning Summary," Microsoft Knowledge Base Article 69912, (December 20, 2004), http://support.microsoft.com/kb/69912/EN-US/.

Stevens, Curtis, and Stan Merkin. "El Torito: Bootable CD-ROM Format Specification 1.0," (January 25, 1999), http://www.phoenix.com/resources/specs-cdrom.pdf.

Chapter 6 - Server-Based Partitions

FreeBSD Documentation Project. "FreeBSD Handbook," (2005), http://www.freebsd.org

Holland, Nick, ed. "OpenBSD Installation Guide," (January 2005), http://www.openbsd.org/faq/faq4.html.

Intel. Extensible Firmware Interface.Version 1.10, (December 1, 2002), http://developer.intel.com/technology/efi/.

Marshall Kirk McKusick, Keith Bostic,Michael Karels, John Quaterman. The Design and Implementation of the 4.4 BSD Operating System, Boston: Addison Wesley, 1996.

Marshall Kirk McKusick, George V. Neville-Neil. The Design and Implementation of the FreeBSD Operating System, Boston: Addison Wesley, 2005.

Mauro, Jim, and Richard McDougall. Solaris Internals: Core Kernel Architecture. Upper Saddle River: Sun Microsystems Press, 2001.

Microsoft. "Disk Sectors on GPT Disks,"Windows XP Professional Resource Kit Documentation, (2004), www.microsoft.com/....

Sun. "Solaris 9 System Administration Guide: Basic Administration. Chapter 31," (May 2002), http://docs.sun.com/app/docs/doc/806-4073/6jd67r9fn?a=view.

Sun. "System Administration Guide: Basic Administration. Chapter 32:Managing Disks," (April 2003), http://docsun.cites.uiuc.edu/sun_docs/C/solaris_9/SUNWaadm/ SYSADV1/p117.html.

Winsor, Janice. Solaris System Administrator's Guide. 3rd edition. Palo Alto: Sun Microsystems Press, 2000.

Chapter 7 - Multiple Disk Volumes

Lewis, A.J. "The LVM HOWTO," The Linux Documentation Project, (2002-2004), http://tldp.org/HOWTO/LVM-HOWTO/.

Linux-NTFS LDM Documentation.http://linux-ntfs.sourceforge.net/ldm/index.html.

Linux-NTFS. ldminfo tool. http://linux-ntfs.sourceforge.net/status.html#ldmtools.

Microsoft. dmdiag.exe tool. http://www.microsoft.com/....

Microsoft. "Description of Disk Groups in Windows Disk Management,"Microsoft Knowledge Base Article 222189, (November 21, 2003),http://support.microsoft.com/kb/222189.

Microsoft.Microsoft Windows XP Professional Resource Kit Documentation, (2004), http://www.microsoft.com/....

Ostergaard, Jakob. "The Software-RAID HOWTO," The Linux Documentation Project," (June 3, 2004), http://www.tldp.org/HOWTO/Software-RAID-HOWTO.html.

Patterson, David A., Garth Gibson, and Randy H. Katz. "A Case for Redundant Arrays of Inexpensive Disks (RAID)," ACM SIGMOD International Conference on Management of Data, (June 1988).

PC Guide. "Redundant Arrays of Inexpensive Disks," (April 17, 2001), http://www.pcguide.com/ref/hdd/perf/raid/index.htm.

Solomon, David, and Mark Russinovich. Inside Microsoft Windows 2000. 3rd ed. Redmond:Microsoft Press, 2000.

Sourceforge.net. "LDM Documentation," Linux NTFS Project, (2002), http://linux-ntfs.sourceforge.net/ldm/index.html.

Chapter 8 - File System Analysis

Apple. "Technical Note TN1150-HFS Plus Volume Format," (March 2004), http://developer.apple.com/technotes/tn/tn1150.html.

Buchholz, Florian. "The Structure of the Reiser File System," (August 17, 2003), http://www.cerias.purdue.edu/homes/florian/reiser/reiserfs.php.

Carrier, Brian. "Digital Forensic Tool Testing Images," (2004), http://dftt.sourceforge.net.

Casey, Eoghan. "Practical Approaches to Recovering Encrypted Digital Evidence," International Journal of Digital Evidence, vol. 1, issue 3,(2002), http://www.ijde.org.

Farmer, Dan and Wietse Venema. The Coroner's Toolkit. Available at: http://www.porcupine.org/forensics/tct.html.

file. Available at: ftp://ftp.astron.com/pub/file/

IBM. "Journaled File System Technology for Linux," (2004), http://www.ibm.com/developerworks/oss/jfs/.

Kornblum, Jesse. foremost. Available at: http://foremost.sourceforge.net.

Kruse,Warren. "Computer Forensics Primer," CSI 30th Annual Computer Security Conference, (November 3, 2003), http://i.cmpnet.com/csiannual/classes/j1.pdf.

Kurz, Gerson. "ReiserFS Docs," (2003), http://p-nand-q.com/download/rfstool/reiserfs_docs.html.

NTI Dictionary. "File Slack Defined," (January 6 2004), http://www.forensics-intl.com/def6.html.

Reiser, Hans. "Reiser4," (2003), http://www.namesys.com.

Wolfe, Hank. "Penetrating Encrypted Evidence," (2004). Journal of Digital Investigation, vol. 1, issue 2.

Chapters 9 & 10 - FAT

Bates, Jim. "File Deletion in MS FAT Systems," (September 23, 2002), http://www.computer-investigations.com/arts/tech02.html.

Brouwer, Andries. "The FAT File System," (September 20, 2002), http://www.win.tue.nl/~aeb/linux/fs/fat/fat.html.

Carrier, Brian. "FAT Undelete Test #1,"Digital Forensic Tool Testing, (February 2004), http://dftt.sourceforge.net/test6/.

Carrier, Brian. "FAT Volume Label Test #1,"Digital Forensic Tool Testing, (August 2004), http://dftt.sourceforge.net/test9/.

Casey, Eoghan. Tool Review-WinHex. Journal of Digital Investigation, vol. 1, issue 2, 2004.

Landis, Hale,"How It Works: DOS Floppy Disk Boot Sector," (May 6, 2002), http://www.ata-atapi.com/hiwdos.htm.

Microsoft. "FAT: General Overview of On-Disk Format," FAT32 File System Specification,Version 1.03, (December 6, 2000), http://www.microsoft.com/whdc/system/platform/firmware/fatgen.mspx.

Microsoft."How to Cause ScanDisk for Windows to Retest Bad Clusters,"Microsoft Knowledge Base Article-127055, (December 16, 2004), http://support.microsoft.com/default.aspx?scid=kb;en-us;127055.

Microsoft."How to Fix Cross-linked Files,"Microsoft Knowledge Base Article-83140, (May 10, 2003), http://support.microsoft.com/default.aspx?scid=kb;en-us;83140.

Microsoft."MS-DOS FORMAT Does Not Preserve Clusters Marked Bad," Knowledge Base Article-103548, (May 6, 2003), http://support.microsoft.com/default.aspx?scid=kb;en-us;103548.

Microsoft. "Description of NTFS Date and Time Stamps for Files and Folders,"Microsoft Knowledge Base Article 299648, (July 3, 2003), http://support.microsoft.com/default.aspx?scid=kb;en-us;299648.

Microsoft. "Detailed Explanation of FAT Boot Sector,"Microsoft Knowledge Base Article Q140418, (December 6, 2003), http://support.microsoft.com/kb/q140418/.

Microsoft. "Encodings and Code Pages,"Global Development and Computing Portal, http://www.microsoft.com/globaldev/getWR/steps/wrg_codepage.mspx.

Microsoft. "Windows 2000 Server Operations Guide (Part 1)," http://www.microsoft.com/....

Microsoft. "ScanDisk May Not Fix the Media Descriptor Byte," Knowledge Base Article- 158869, (July 28, 2001), http://support.microsoft.com/default.aspx?scid=kb;en-us;158869.

MSDN Library. "Last Access Date," http://msdn.microsoft.com/library/en-us/win9x/lfn_5mg5.asp?frame=true.

Wilson, Craig. "Volume Serial Numbers " Format Verification Date/Time,"Digital Detective White Paper, (October 2003), http://www.digital-detective.co.uk/documents/Volume%20Serial%20Numbers.pdf

Chapters 11, 12, & 13 - NTFS

Carrier, Brian. "NTFS Keyword Search Test #1," Digital Forensic Tool Testing, (October 2003), http://dftt.sourceforge.net/test3.

Carrier, Brian. "NTFS Undelete (and leap year) Test #1,"Digital Forensic Tool Testing, (February 2004), http://dftt.sourceforge.net/test7/.

Cooperstein, Jeffrey, and Richter, Jeffrey. "Keeping an Eye on Your NTFS Drives: The Windows 2000 Change Journal Explained,"Microsoft Systems Journal, (September 1999), http://www.microsoft.com/msj/0999/journal/journal.aspx.

Cooperstein, Jeffrey, and Richter, Jeffrey. "Keeping an Eye on Your NTFS Drives, Part II: Building a Change Journal Application,"Microsoft Systems Journal, (October 1999), http://www.microsoft.com/msj/1099/journal2/journal2.aspx.

Digital Detective. Decode. http://www.digital-detective.co.uk.

Linux NTFS Project. NTFS Documentation, (1996-2004), http://linux-ntfs.sourceforge.net/ntfs/index.html.

Microsoft. "Analysis of Reported Vulnerability in the Windows 2000 Encrypting File System (EFS)," (1999), http://www.microsoft.com/technet/security/news/analefs.mspx.

Microsoft. "Description of NTFS Date and Time Stamps for Files and Folders,"Microsoft Knowledge Base Article 299648, (2003), http://support.microsoft.com/default.aspx?scid=kb;en-us;299648.

Microsoft. "INFO: Understanding Encrypted Directories," Knowledge Base Article 248723, (2003), http://support.microsoft.com/default.aspx?scid=kb;en-us;248723&sd=tech.

Microsoft. "Overview of FAT, HPFS, and NTFS File Systems," Knowledge Base Article 100108, (2003), http://support.microsoft.com/default.aspx?scid=kb;EN-US;100108.

Microsoft. "Recovering NTFS Boot Sector on NTFS Partitions," Knowledge Base Article 153973, (2003), http://support.microsoft.com/default.aspx?scid=kb;EN-US;q153973.

Microsoft. "Windows NT 4.0 and Windows 2000 OEM Support Tools," (February 2, 2000), http://www.microsoft.com/....

Microsoft. "Windows Server 2003 Technical Reference," Storage Technologies Collection Section, www.microsoft.com/....

Microsoft. "Windows XP Professional Resource Kit Documentation," Chapter 13-File Systems, www.microsoft.com/....

Microsoft MSDN Library. "Change Journals," (2004), www.microsoft.com/....

Microsoft MSDN Library. "FILETIME," (2004), http://msdn.microsoft.com/library/en-us/sysinfo/base/filetime_str.asp.

Microsoft TechNet. "Encrypting File System in Windows XP and Windows Server 2003," (2002), www.microsoft.com/....

Russinovich,Mark. "Inside Encrypting File System," Part 1,Windows and .Net Magazine Network, (June 1999), http://www.windowsitpro.com/Articles/Print.cfm?ArticleID=5387.

Russinovich,Mark. "Inside Encrypting File System," Part 2,Windows and .Net Magazine Network, (July 1999), http://www.windowsitpro.com/Articles/Print.cfm?ArticleID=5592.

Russinovich,Mark. "Inside Win2K NTFS," Part 1,Windows and .Net Magazine Network, (November 2000), http://www.windowsitpro.com/Articles/Print.cfm?ArticleID=15719.

Russinovich,Mark. "Inside Win2K NTFS," Part 2,Windows and .Net Magazine Network, (Winter 2000), http://www.windowsitpro.com/Articles/Print.cfm?ArticleID=15900.

Russinovich,Mark. "NTFSInfo," (1997), http://www.sysinternals.com/ntw2k/source/ntfsinfo.shtml

Solomon, David, and Mark Russinovich. Inside Windows 2000. 3rd ed. Redmond: Microsoft Press, 2000.

Chapters 14 & 15 - ExtX

Card, Remy, Theodore Ts'o, and Stephen Tweedie. "Design and Implementation of the Second Extended Filesystem." In Proceedings of the First Dutch International Symposium on Linux, ed. Frank B. Brokken et al, Amsterdam, (December 1994), http://web.mit.edu/tytso/www/linux/ext2intro.html.

Carrier, Brian. "EXT3FS Keyword Search Test #1,"Digital (November 2003), http://dftt.sourceforge.net/test4/.

Crane, Aaron. "Linux Ext2fs Undeletion mini-HOWTO." Project, (February 1999), http://en.tldp.org/HOWTO/

Dubeau, Louis-Dominique. "Analysis of the Ext2fs Structure." Resource Center, (1994), http://www.nondot.org/sabre/

Red Hat, Inc. Ext3 Users Mailing List, https://listman.listinfo/ext3-users/.

Heavner, Scott D. Linux Disk Editor, http://lde.sourceforge.

Garfinkel, Simson, Gene Spafford, and Alan Schwartz. Security. 3rd ed. Sebastopol: O'Reilly, 2003.

Gleditsch, Arne Georg, and Per Kristian Gjermshus. Linux http://lxr.linux.no/source/.

grugq. "Defeating Forensic Analysis on Unix," Phrack, http://www.phrack.org/show.php?p=59"a=6.

Honeynet Project. "The Forensic Challenge," (January 2001), http://www.honeynet.org/challenge/index.html.

McKusick,Marshall, Keith Bostic,Michael Karels, and John Quarterman. The Design and Implementation of the 4.4 BSD Operating System. Boston: Addison-Wesley, 1996.

Phillips, Daniel. "A Directory Index for Ext2." 2001. Proceedings of the Usenix Fifth Annual Linux Showcase and Conference.

Poirier, Dave. "Second Extended File System: Internal Layout," (2002), http://www.nongnu.org/ext2-doc/.

Ts'o, Theodore. "E2fsprogs," Sourceforge, http://e2fsprogs.sourceforge.net/.

Ts'o, Theodore, and Stephen Tweedie. "Planned Extensions to the Linux Ext2/Ext3 Filesystem." 2002. Proceedings of the 2002 Usenix Technical Conference FREENIX Track.

Tweedie, Stephen. "EXT3, Journaling Filesystem," Sourceforge, (July 20, 2000), http://olstrans.sourceforge.net/release/OLS2000-ext3/OLS2000-ext3.html.

Chapters 16 & 17 - UFS

FreeBSD Source Code, (2004), http://fxr.watson.org/fxr/source/.

Garfinkel, Simson, Gene Spafford, and Alan Schwartz. Practical Unix and Internet Security. 3rd ed. Sebastopol: O'Reilly, 2003.

Mauro, Jim, and Richard McDougall. Solaris Internals: Core Kernel Architecture. Upper Saddle River: Sun Microsystems Press, 2001.

McKusick,Marshall K. September 2003. "Enhancements to the Fast File System to

Support Multi-Terabyte Storage Systems." Proceedings of USENIX BSDCON '03 Conference.

McKusick,Marshall, Keith Bostic,Michael Karels, and John Quarterman. The Design and Implementation of the 4.4 BSD Operating System. Boston: Addison-Wesley, 1996.

McKusick,Marshall K.,William N. Joy, Samuel J. Leffler, and Robert S. Fabry. August 1984. "A Fast File System for Unix."ACM Transactions on Computer Systems 2(3): 181-197.

McKusick,Marshall, and George Neville-Neil. The Design and Implementation of the FreeBSD Operating System. Boston: Addison-Wesley, 2004.

OpenBSD Source Code, (2004), http://fxr.watson.org/fxr/source/?v=OPENBSD.

Smith, Keith A. and Margo Seltzer. 1996. "A Comparison of FFS Disk Allocation Algorithms." Proceedings of the 1996 Usenix Annual Technical Conference.

back

Copyright © 2005-2009 by Brian Carrier