This page contains a list of reading material in the fields of DFIR, Malware Analysis and Networking that provides a helpful avenue for learning more about these professions at varying levels.
It is very important to keep up to date with the latest information in the field of DFIR, and the many books available on the market are a great way to expand your knowledge. This list includes books I consider to be essential reading material; they are provided in alphabetical order, categorised by topic as follows:
DIGITAL FORENSICS AND INCIDENT RESPONSE
Android Forensics: Investigation, Analysis and Mobile Security for Google Android
A digital forensic book focused primarily on the Android operating system. ‘Android Forensics’ gives readers a good insight into Android development and how the hardware operates at a low level. In addition, this book covers the file system structures used by Android, along with how data is stored and how it can be recovered using forensic techniques. A fantastic resource for anyone wanting to learn more about the fundamentals of Android forensics.
(The) Art of Memory Forensics: Detecting Malware and Threats in Windows, Linux, and Mac Memory
Andrew Case, Jamie Levy, Michael Hale Ligh and Aaron Walters
The definitive resource for any digital forensic practitioner wanting to learn more about the fascinating area of memory forensics. ‘The Art of Memory Forensics’ provides an in-depth look at volatile data acquisition and threat hunting in Windows, Linux and Mac system memory. Also included is a very useful reference demonstrating the use of the Volatility memory analysis tool.
(The) Basics of Digital Forensics: The Primer for Getting Started in Digital Forensics
A digital forensic book aimed primarily at beginners, ‘The Basics of Digital Forensics’ provides readers with a very helpful explanation of the key concepts and tools associated with forensic analysis. Highly recommended for those who are new to the field of DFIR.
Digital Forensics with Open Source Tools
Cory Altheide and Harlan Carvey
This book offers a fantastic look into the field of digital forensic analysis through the use of open-source tools. The book covers how to set up an examination system using Linux, as well as how to perform many of the typical forensic functions using open-source tools rather than commercial ones. I highly recommend this book to any practitioner desiring to learn more about digital forensics on the command line.
File System Forensic Analysis
Considered to be the ‘holy grail’ of digital forensics books by many experts in the industry, ‘File System Forensic Analysis’ is a must-have for every examiner, beginner and experienced alike. This book provides a very in-depth look into the data structures and concepts of the file systems present across different systems, as well as exploring the forensic tools known as The Sleuth Kit and Autopsy.
iPhone and iOS Forensics: Investigation, Analysis and Mobile Security for Apple iPhone, iPad and iOS Devices
Andrew Hoog and Katie Strzempka
A digital forensic book primarily focused on the iPhone and the associated iOS operating system. Similarly to the Android Forensics book, ‘iPhone and iOS Forensics’ explains the underlying file system and how a user's data is stored on an iPhone. In addition, the book explores the challenges associated with the acquisition of these devices and the tools and methods used to analyse the extracted data. A great resource for practitioners wanting to learn more about the fundamentals of iOS forensics.
Placing the Suspect Behind the Keyboard: Using Digital Forensics and Investigative Techniques to Identify Cybercrime Suspects
A fascinating book focusing on the investigative element behind the casework involved in the field of digital forensics. ‘Placing the Suspect Behind the Keyboard’ offers a unique insight into the best practices for conducting an investigation and how to use forensic techniques to build a strong case. In addition, this book provides a great list of case studies that will prove invaluable to any digital forensic investigator.
Practical Forensic Imaging: Securing Digital Evidence with Linux Tools
An excellent book written for digital forensic practitioners who prefer to utilise Linux tools to get the job done. ‘Practical Forensic Imaging’ provides a great overview of Linux as a forensic acquisition platform and explores the many forensic tools and techniques available on the command line. I highly recommend this book to every digital forensic practitioner, as it offers a great insight into the capabilities of Linux in the forensic setting while also explaining some of the lesser-known aspects and challenges associated with forensic acquisition.
Practical Mobile Forensics – Second Edition
Satish Bommisetty, Heather Mahalik and Rohit Tamma
Another great book covering the wide topic of mobile forensic investigation. ‘Practical Mobile Forensics’ provides a detailed, hands-on guide to iOS, Android and Windows Phone forensics. The book walks through the mobile evidence acquisition process across the three aforementioned device types, as well as breaking down the file system structures associated with each one. Highly recommended for practitioners looking for an up-to-date, comprehensive overview of mobile forensics.
Python Digital Forensics Cookbook: Effective Python recipes for digital investigations
Chapin Bryce and Preston Miller
This unique book explores the use of the Python scripting language in digital forensic investigations. The book covers the basic usage of Python and explores the forensic libraries used to interact with and process a variety of information from Windows-based artifacts, mobile devices and networks. Very useful for any practitioner looking to learn how to utilise Python in a forensic environment.
Real Digital Forensics: Computer Security and Incident Response
Richard Bejtlich, Keith J. Jones and Curtis W. Rose
Real Digital Forensics is focused mainly on the Incident Response side of forensic investigation. This book includes a DVD containing detailed scenarios for the reader to work through consisting of binary memory dumps and log files. This is a highly useful resource for practitioners wishing to learn more about Incident Response and the effective methods used to respond to such incidents and interpret the data gathered from both Windows and Unix environments.
Seeking the Truth from Mobile Evidence: Basic Fundamentals, Intermediate and Advanced Overview of Current Mobile Forensic Investigations
This book is focused on all aspects of mobile forensic investigation and provides a great framework for both beginners and experienced practitioners to learn more about the field. The book covers the legal process involved with mobile evidence and SIM card forensics, as well as acquiring, triaging and analysing information from a wide variety of mobile devices. In addition, the book explores more advanced techniques such as JTAG and chip-off forensics using the various hardware available on the market.
SQLite Forensics
Paul Sanderson, Richard Hipp, Heather Mahalik, Brett Shavers and Eric Zimmerman
An excellent book covering the in-depth forensic analysis of evidentiary data stored in an SQLite database. Understanding how this database works is very important and something every forensic examiner should be familiar with, as SQLite is used across many mobile devices and applications. The book covers the basics of the SQLite format, record recovery, SQLite journals, SQLite commands and functions, and much more.
Windows Forensic Analysis Toolkit: Advanced Analysis Techniques for Windows 8
A fantastic book covering the in-depth forensic analysis of the Windows operating system. It is vital to understand Windows from a forensic perspective, and this book provides an excellent walkthrough of the key concepts of Windows forensics, including registry analysis, timeline analysis and common artifacts.
Windows Registry Forensics: Advanced Digital Forensic Analysis of the Windows Registry
Another great book written by Harlan Carvey covering the forensic analysis of the Windows operating system, this time focusing on investigations involving the Windows Registry. As a large source of evidentiary information, it is vital that an examiner understand the forensic value of the Registry. This book covers the structure of the hives and keys that comprise the Registry, as well as the tools used to extract and analyse the information they store.
MALWARE ANALYSIS AND REVERSE ENGINEERING
Malware Analyst’s Cookbook and DVD: Tools and Techniques for Fighting Malicious Code
Steven Adair, Blake Hartstein, Michael Hale Ligh and Matthew Richard
A fantastic book offering a large collection of tutorials designed to aid professionals in learning more about the area of malware analysis, whether as part of a forensic investigation, incident response or general reverse engineering. The book explores the varying classifications of malware, sandbox techniques and disassembly, as well as static and dynamic analysis. ‘Malware Analyst’s Cookbook’ even touches on the topic of memory forensics and how these tools and techniques can be used to combat malicious software. I highly recommend this book and DVD to anyone wanting a practical, hands-on approach to learning malware analysis.
Practical Malware Analysis: The Hands-On Guide to Dissecting Malicious Software
Andrew Honig and Michael Sikorski
The definitive book for learning about the field of malware analysis. This book explores the in-depth functionality behind malware and provides readers with an excellent overview of the basic and more advanced techniques used to analyse it. The book also features specialised labs in each chapter to help readers put their knowledge into practice as they progress. Highly recommended for practitioners wanting to learn more about disassembly and the tools commonly used for analysis.
Practical Reverse Engineering: x86, x64, ARM, Windows Kernel, Reversing Tools and Obfuscation
Elias Bachaalany, Bruce Dang and Alexandre Gazet
This book is primarily focused on reverse engineering and provides a great framework for understanding more about computer architecture and assembly language. Practical Reverse Engineering explores the features and registers associated with the common architecture types, as well as providing practical exercises to aid in understanding how they work.
NETWORKING
TCP/IP Illustrated, Volume 1: The Protocols
W. Richard Stevens
A great book for anyone looking to start learning about networking and the TCP/IP suite of protocols. Although some of the concepts talked about in this book are outdated by today’s standards, it provides very clear, concise and easy-to-understand information about networking protocols still in use today, which form a good framework to build on.
Practical Packet Analysis: Using Wireshark to Solve Real-World Problems
This book is primarily focused on network packet analysis, which can prove very useful for those in an Incident Response role or wanting to branch into network forensics. The book demonstrates the many features of Wireshark in the capture and analysis of network packets, in addition to explaining the low-level and high-level protocols used in networking today.