Difference between pages "Bibliography" and "File Systems"

From ForensicsWiki

Page: Bibliography

=Disk Disposal and Data Recovery=
* [http://www.deepspar.com/pdf/DeepSparDiskImagingWhitepaper3.pdf Disk Imaging: A Vital Step in Data Recovery], DeepSpar Data Recovery Systems, November 2006. An in-depth look at the many issues that cause data loss or irretrievable data in the data recovery imaging process and how to overcome them.
* [http://www.actionfront.com/ts_whitepaper.asp Drive-Independent Data Recovery: The Current State-of-the-Art], ActionFront Data Recovery Labs, August 2005.
* [[Recovering Overwritten Data#The Gutmann Paper|Secure Deletion of Data from Magnetic and Solid-State Memory]], Peter Gutmann, Proceedings of the Sixth Usenix Security Symposium, 1996. [http://www.cs.auckland.ac.nz/~pgut001/pubs/secure_del.html]
* [http://www-03.ibm.com/financing/pdf/us/recovery/igf4-a032.pdf Hard Drive Disposal: The Overlooked Confidentiality Exposure], Financial Perspectives, IBM White Paper, November 2003.

<bibtex>
@Article{garfinkel:remembrance,
  author    = "Simson Garfinkel and Abhi Shelat",
  author_a  = "Simson L. Garfinkel and Abhi Shelat",
  title     = "Remembrance of Data Passed",
  journal   = "{IEEE} Security and Privacy Magazine",
  publisher = "IEEE",
  year      = "2002",
  month     = jan,
  url       = "http://www.simson.net/clips/academic/2003.IEEE.DiskDriveForensics.pdf"
}
</bibtex>

=Evidence Gathering=

* [http://utdallas.edu/~sxs018540/index/docs/byteprints_itcc05.pdf Byteprints: A Tool to Gather Digital Evidence], Sriranjani Sitaraman, Srinivasan Krishnamurthy and S. Venkatesan, Proceedings of the International Conference on Information Technology (ITCC 2005), Las Vegas, Nevada, USA, April 4-6, 2005.

=Fake Information=

* [https://analysis.mitre.org/proceedings/Final_Papers_Files/84_Camera_Ready_Paper.pdf Automatic Detection of Fake File Systems], Neil C. Rowe, International Conference on Intelligence Analysis Methods and Tools, McLean, Virginia, May 2005.

=Feature Extraction and Data Fusion=

'''Computer Location Determination Through Geoparsing and Geocoding of Extracted Features''' http://www2.chadsteel.com:8080/Publications/drive_location2.doc

<bibtex>
@inproceedings{garfinkel:cda,
  title     = "Forensic feature extraction and cross-drive analysis",
  author    = "Simson Garfinkel",
  booktitle = "Proceedings of the 6th Annual Digital Forensic Research Workshop (DFRWS)",
  address   = "Lafayette, Indiana",
  journal   = "Digital Investigation",
  year      = 2006,
  month     = aug,
  url       = "http://www.dfrws.org/2006/proceedings/10-Garfinkel.pdf",
  location  = "Lafayette, Indiana"
}
</bibtex>

=File Carving=

* [http://citeseer.ist.psu.edu/shanmugasundaram03automatic.html Automatic Reassembly of Document Fragments via Context Based Statistical Models], Kulesh Shanmugasundaram and Nasir Memon.

=Text Mining=

'''Computer Forensic Text Analysis with Open Source Software,''' Christian Johansson, Masters Thesis, Blekinge Tekniska Hogskola, June 2003. http://www.fukt.bth.se/~uncle/papers/master/thesis.pdf

=Signed Evidence=

<bibtex>
@article{duerr-2004,
  title   = "Information Assurance Applied to Authentication of Digital Evidence",
  author  = "Thomas E. Duerr and Nicholas D. Beser and Gregory P. Staisiunas",
  year    = 2004,
  journal = "Forensic Science Communications",
  volume  = 6,
  number  = 4,
  url     = "http://www.fbi.gov/hq/lab/fsc/backissu/oct2004/research/2004_10_research01.htm"
}
</bibtex>

<bibtex>
@article{OppligerR03,
  author   = {Rolf Oppliger and Ruedi Rytz},
  title    = {Digital Evidence: Dream and Reality},
  journal  = {IEEE Security {\&} Privacy},
  volume   = {1},
  number   = {5},
  year     = {2003},
  pages    = {44--48},
  url      = {http://doi.ieeecomputersociety.org/10.1109/MSECP.2003.1236234},
  abstract = {Digital evidence is inherently weak. New evidence-gathering technologies, digital black boxes, must be developed and deployed to support investigations of irreproducible events such as digitally signing a document.}
}
</bibtex>

=Theory=

'''A Hypothesis-Based Approach to Digital Forensic Investigations,''' Brian D. Carrier, Ph.D. Dissertation, Purdue University, May 2006. https://www.cerias.purdue.edu/tools_and_resources/bibtex_archive/archive/2006-06.pdf

=Other Papers=

* [http://papers.ssrn.com/sol3/papers.cfm?abstract_id=531782 A Model for When Disclosure Helps Security: What is Different About Computer and Network Security?], Peter P. Swire, Moritz College of Law of the Ohio State University, Journal on Telecommunications and High Technology Law, Vol. 2, 2004.

Page: File Systems

= Conventional File Systems =

; [[Ext2]], [[Ext3]]
: Ext2 was introduced with [[Linux]]. Ext3 is a journaled version of Ext2 which allows for speedy disk recovery after a crash.

; [[FAT]]
: Originally used by [[MS-DOS]]. Includes [[FAT12]] (for floppy disks), [[FAT16]] and [[FAT32]].

; [[Ffs|FFS]]
: The '''Fast File System''' used by some BSD versions of [[UNIX]], from which [[UFS]] was derived. FFS supports faster disk access and [[symbolic link]]s.

; [[HFS]]
: Used by [[Apple]] systems; it has been succeeded by [[HFS+]].

; [[JFS]]
: IBM's Journaled File System, introduced with their flavor of UNIX (AIX).

; [[NTFS]]
: The '''New Technology File System''', introduced by [[Microsoft]] with [[Windows NT]] 4.0. Now used on [[Windows XP]].

; [[reiserfs]]
: A journaling filesystem for Linux.

; [[Ufs|UFS]]
: The '''Unix File System''', introduced with [[UNIX]].

; [[XFS]]
: [[SGI]]'s high-performance journaling filesystem that originated on their [[IRIX]] (flavor of [[UNIX]]) platform. XFS supports variable block sizes, is extent based, and makes extensive use of [[Btree]]s for both performance and scalability. Support is also provided for real-time environments.

= Cryptographic File Systems =

'''Cryptographic file systems,''' also known as encrypted file systems, encrypt information before it is stored on the media. Some of these file systems store encrypted files directly. Others are better thought of as device drivers, which are then used to store one of the file systems discussed above.

; [[File Vault]]
: A clever user interface to [[Apple]]'s encrypted disk images. Uses the ".sparseimage" extension on disk files.

; [[CFS]]
: Matt Blaze's '''Cryptographic File System''' for [[Unix]].
: [http://www.crypto.com/papers/cfskey.pdf Key Management in an Encrypting File System], Matt Blaze, USENIX Summer 1994 Technical Conference, Boston, MA, June 1994.
: [http://www.crypto.com/papers/cfs.pdf A Cryptographic File System for Unix], Matt Blaze, Proceedings of the First ACM Conference on Computer and Communications Security, Fairfax, VA, November 1993.

; [[Windows Encrypted File System |EFS]]
: EFS is the Encrypted File System built into versions of Microsoft Windows.

; [[NCryptfs]]
: [http://www.fsl.cs.sunysb.edu/docs/ncryptfs/ncryptfs.pdf NCryptfs: A Secure and Convenient Cryptographic File System], Charles P. Wright, Michael C. Martino, and Erez Zadok, Stony Brook University, USENIX 2003 Annual Technical Conference.

; [[TCFS]]
: '''Transparent Cryptographic File System'''.
: http://www.tcfs.it/
: http://www.tcfs.it/docs/tcfs.ps

; [[SFS]]
: '''Secure File System'''.
: http://atrey.karlin.mff.cuni.cz/~rebel/sfs/

See also [[Full Disk Encryption]], which covers disk- or appliance-based cryptographic file systems.

== CD and DVD File Systems ==

Optical media use different file systems than hard disks or flash media, primarily because of the write-once nature of most optical discs. Even rewritable discs use different file systems because of the way that rewritable media is managed. So while you will never find NTFS or FAT32 on an optical disc, you will find the systems listed below.

; [[HFS]] and [[HFS+]]
: These file systems are defined by Apple and only limited support is available for them outside of the Macintosh world. They are the same implementations used for hard disk file systems on MacOS operating systems.

; [[ISO 9660]]
: This is the most basic file system and the foundation for a number of extensions which have been made to it. It was originally defined in 1989 and was an outgrowth of the previous HSG (High Sierra Group) definition of a file system for CDs.

; [[Joliet]]
: This is a Microsoft-defined extension to ISO 9660 to support Unicode and 64-character file names. It was introduced with Windows 95. It has gained some support on Linux and MacOS but remains something that is used primarily in the Windows environment.

; [[Red Book]]
: The original definition of audio CDs was distributed with a red cover, hence the term "Red Book". This is not properly a file system as it does not define files, file names or any metadata. It is the definition by which music discs are created.

; [[Rock Ridge]]
: Rock Ridge is a set of extensions based on the System Use Sharing Protocol (SUSP) definition. It is a method by which POSIX file attributes, including very long file names, can be applied to optical media. Today it is only really supported by Linux and other Unix-derived operating systems.

; [[UDF]]
: UDF is the acronym for Universal Disk Format, which was defined by the Optical Storage Technology Association as an implementable subset of ISO 13346. It is part of the definition for DVD Video and DVD Audio discs as well as being used by a number of drag-and-drop disc writing programs. It is supported for reading by Windows 98 and later versions and is supported beginning with OS 9 on the Macintosh. Both Windows Vista and Windows 7 can write discs using this as either a "mastered" format with a static, read-only file system or as a "live" file system which can be updated on both write-once and rewritable media.

= Distributed File Systems =

'''Distributed file systems,''' also known as network file systems, allow any number of remote clients to access one or more servers which store the files. The client nodes do not have direct access to the underlying block storage on the server(s); that storage is transparent to the clients and may include facilities for replication or fault tolerance.

; [[Hadoop Distributed File System|HDFS]]
: The GoogleFS clone, built from a cluster of data nodes.

; [[Network File System|NFS]]
: Originally from Sun, it is the standard in UNIX-based networks.

= External Links =

* http://en.wikipedia.org/wiki/File_system
* http://en.wikipedia.org/wiki/List_of_file_systems
* http://en.wikipedia.org/wiki/Comparison_of_file_systems

[[Category:Disk encryption]]

Revision as of 18:58, 29 December 2010
