Further Reading: Digital Forensics for Defenders

Curated resources for going deeper into DFIR. Each entry has a tier tag (Tier 1 = verified canonical standards/primary docs; Tier 2 = attributed, widely used works), a 1–2-sentence annotation, the learning path it best serves, and a [path] tag. Forensics rewards hands-on practice more than almost any other security topic — the talks and labs at the end are where the skill is actually built.


Standards & primary documents (start here)

  • NIST Special Publication 800-86, Guide to Integrating Forensic Techniques into Incident Response. (Tier 1.) The chapter's foundational standard: the forensic process, acquisition, and how forensics fits the incident-response lifecycle. Free from NIST. Read this first; it is the spine of the chapter. [soc] [grc]

  • IETF RFC 3227, Guidelines for Evidence Collection and Archiving. (Tier 1.) The original, concise statement of the order of volatility and basic evidence-handling principles. Short and durable; the source every "collect memory first" rule traces back to. [soc]

  • NIST Special Publication 800-61, Computer Security Incident Handling Guide. (Tier 1.) The incident-response lifecycle (the subject of this book's Chapter 24) within which forensics operates; essential context for deciding when in an incident you preserve evidence and when you investigate. [soc] [grc]

  • NIST Special Publication 800-101 Rev. 1, Guidelines on Mobile Device Forensics. (Tier 1.) Extends the acquisition and analysis principles to mobile devices, whose volatility and encryption make them their own discipline. [soc]

  • CISA Advisories and the MITRE ATT&CK Indicator Removal (T1070) technique. (Tier 1.) ATT&CK catalogs the anti-forensic techniques (log clearing, timestomping) defenders detect; CISA advisories often include forensic indicators and artifacts for specific campaigns. [soc]


Books

  • Brian Carrier, File System Forensic Analysis (Addison-Wesley). (Tier 1/2.) The definitive deep treatment of how filesystems store data and where evidence (including deleted files, slack, and the $MFT) actually lives. The reference for understanding why bit-for-bit imaging matters and how to read NTFS internals. Dense but authoritative. [soc] [engineer]

  • Cory Altheide & Harlan Carvey, Digital Forensics with Open Source Tools (Syngress). (Tier 2.) A practical bridge from theory to doing, using freely available tools — a good companion to Carrier for readers who want to practice acquisition and analysis without commercial suites. [soc]

  • Harlan Carvey, Windows Forensic Analysis / Windows Registry Forensics (Syngress). (Tier 2.) The go-to references for Windows artifacts — registry, event logs, and the rich trail Windows leaves. Directly deepens §25.4. [soc]

  • Sherri Davidoff & Jonathan Ham, Network Forensics: Tracking Hackers through Cyberspace (Prentice Hall). (Tier 2.) Extends forensics to the network layer — flow data, packet captures, and the off-host evidence that defeats anti-forensics. Pairs naturally with Chapter 10. [soc] [engineer]

  • Jason T. Luttgens, Matthew Pepe & Kevin Mandia, Incident Response & Computer Forensics (McGraw-Hill). (Tier 2.) A widely used practitioner text integrating IR and forensics end-to-end, with strong coverage of scoping and investigation methodology that mirrors this chapter's case studies. [soc] [grc]


Free online resources

  • SANS Digital Forensics & Incident Response (DFIR) blog, posters, and cheat sheets. (Tier 1/2.) The SANS "Windows Forensic Analysis" and "Hunt Evil" posters are excellent one-page artifact references (event IDs, registry keys, $MFT fields) — print them and keep them at your desk. Free. [soc]

  • Eric Zimmerman's forensic tools and documentation. (Tier 2.) A widely respected free toolset for Windows artifact parsing (MFTECmd for the $MFT, Registry Explorer for hives, PECmd for Prefetch, EvtxECmd for event logs, among others). The accompanying write-ups teach what each artifact means, which is the real lesson. [soc]

  • The Volatility Foundation documentation (memory forensics). (Tier 2.) The reference framework for analyzing the RAM captures that the order of volatility tells you to collect first. Its documentation is a practical education in what lives in memory (processes, network connections, injected code, credentials) and why it matters. [soc]

  • NIST Computer Forensics Tool Testing (CFTT) project. (Tier 1.) NIST's program validating forensic tools (including write blockers) — the evidence behind "use validated tools," and useful when you must defend your tooling choices. [grc] [soc]


Talks & hands-on labs (build the skill)

  • DFIR-focused conference talks (SANS DFIR Summit, BSides, DEF CON forensics villages). (Tier 2.) Recorded talks walk through real (sanitized) investigations end-to-end — the closest thing to apprenticeship available online. Search for "super timeline," "anti-forensics," and "intrusion analysis." [soc]

  • Capture-the-flag forensics challenges and purpose-built practice images. (Tier 2.) Practice acquisition, artifact analysis, and timeline-building on disk and memory images designed for learning. Doing one full investigation teaches more than reading three chapters. (Authorization rule: only on images/systems provided for practice or that you own.) [soc]

  • Building a home lab (a write-blocked acquisition + a memory capture of a VM you own). (Tier 2.) The single best exercise: image a virtual disk you control, hash it, capture its memory, and build a small timeline from its event logs. You will internalize the order of volatility and the hashing check far better than any reading. [soc] [engineer]
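A runnable version of that lab's disk-imaging and timeline steps, added here as an example; it is not from the page or from any of the works listed above. It assumes bash with GNU coreutils (dd, sha256sum, sort, date) and a source you are authorised to image. The stand-in "VM disk" is a constructed 1 MiB random file, the artifact exports are constructed TSV lines, and the hypervisor-specific memory capture is not scripted.

```bash
#!/usr/bin/env bash
# Added lab example (not the page's or any listed author's code).
# Assumes bash + GNU coreutils and a source you own. The sample disk
# and the artifact exports below are constructed, not real evidence.
set -eu

# Print only the SHA-256 digest of a file.
sha256_of() { sha256sum "$1" | cut -d' ' -f1; }

# acquire_and_verify SRC IMAGE LOG
# Hash the source, image it bit-for-bit, hash the image and the source
# again, append a custody record. Returns 0 only if all three hashes match.
acquire_and_verify() {
  local src="$1" img="$2" log="$3"
  local before imghash after result

  before=$(sha256_of "$src")   # hash the evidence before acquisition

  # bs=512 matches the sector size, so conv=sync never pads a full
  # sector-aligned source. A larger bs would pad the final partial block
  # and the image hash would legitimately differ from the source hash.
  # noerror,sync zero-fills unreadable sectors instead of aborting, so a
  # differing image hash means read errors or a changed source; the
  # before/after hashes in the log show which.
  dd if="$src" of="$img" bs=512 conv=noerror,sync status=none

  imghash=$(sha256_of "$img")
  after=$(sha256_of "$src")    # re-hash the source: did acquisition alter it?

  if [ "$before" = "$imghash" ] && [ "$before" = "$after" ]; then
    result=VERIFIED
  else
    result=MISMATCH
  fi

  # Custody record: every field here is one you may later have to defend.
  printf '%s\tsrc=%s\timg=%s\tsha256_before=%s\tsha256_image=%s\tsha256_after=%s\t%s\n' \
    "$(date -u +%Y-%m-%dT%H:%M:%SZ)" "$src" "$img" "$before" "$imghash" "$after" "$result" \
    >> "$log"

  [ "$result" = VERIFIED ]
}

# build_timeline OUT FILE...
# Inputs are TSV lines "UTC-ISO-8601<TAB>source<TAB>description", the shape
# you would export from an event-log or $MFT parser. Because the timestamps
# are normalised to UTC ISO-8601, a byte-wise sort on field 1 is a
# chronological merge; -s keeps input order for equal timestamps.
build_timeline() {
  local out="$1"; shift
  LC_ALL=C sort -t "$(printf '\t')" -k1,1 -s "$@" > "$out"
}

# lab_run WORKDIR: end-to-end run on constructed sample data.
lab_run() {
  local work="$1"
  # Constructed stand-in for a VM disk: 2048 sectors (1 MiB) of random bytes.
  head -c $((2048 * 512)) /dev/urandom > "$work/vm-disk.raw"
  acquire_and_verify "$work/vm-disk.raw" "$work/vm-disk.dd" "$work/custody.log"

  # Constructed artifact exports (event IDs are real Windows Security IDs).
  printf '%s\tevtx\t%s\n' \
    2024-03-02T14:05:11Z 'Security 4624: logon type 10, user lab, from 10.0.0.5' \
    2024-03-02T14:07:30Z 'Security 1102: audit log cleared' > "$work/evtx.tsv"
  printf '%s\tmft\t%s\n' \
    2024-03-02T14:06:02Z '$SI created C:\Users\lab\Downloads\tool.exe' \
    2024-03-02T14:06:02Z '$FN created C:\Users\lab\Downloads\tool.exe' > "$work/mft.tsv"
  build_timeline "$work/timeline.tsv" "$work/evtx.tsv" "$work/mft.tsv"

  cat "$work/custody.log" "$work/timeline.tsv"
}

if [ "${1:-}" = "--run" ]; then
  lab_run "$(mktemp -d)"
fi
```

Run it with `bash lab.sh --run`. On real hardware the source sits behind a write blocker (see the CFTT item above), and the "after" hash is your evidence that the blocker worked. Note the padding caveat in the comments: imaging a loose file whose size is not a multiple of 512 will report MISMATCH because conv=sync pads the last block; for a raw device that is never the case.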


Suggested reading order

  1. NIST SP 800-86 and RFC 3227 — the process and the order of volatility (the non-negotiable foundations).
  2. Carrier, File System Forensic Analysis (selected chapters) — why imaging and $MFT analysis work.
  3. Carvey, Windows Forensic Analysis + the SANS posters — the artifacts of §25.4, in depth.
  4. Luttgens/Pepe/Mandia, Incident Response & Computer Forensics — scoping and methodology tying it together.
  5. A hands-on lab or CTF — do one full investigation; this is where it becomes a skill, not a topic.

Path note: SOC/IR analysts should treat this entire list as core. Engineers focus on Carrier (filesystem internals) and the network-forensics and lab items — your job is to build the logging, retention, and host-visibility that make all of this possible. GRC readers should read SP 800-86, SP 800-61, and the CFTT/admissibility material — the parts that govern legal soundness and the notification decisions forensics feeds.