Affiliate disclosure

Book titles on this page link to Amazon. As an Amazon Associate, DataField.Dev earns from qualifying purchases — at no additional cost to you.

Bibliography

Purpose. The annotated reading list, standards catalog, documentation index, and tool registry behind this book — every entry tagged with what it gives you and which chapters it supports, so you can go from "I need to defend this finding" to the right source in seconds.

This appendix is a reading-and-citing reference. Its operational siblings are Appendix C — Tool Reference (how to run the tools), Appendix H — Command-Line Reference (exact syntax), and Appendix E — Legal Frameworks Reference (the law in depth). When you need a term, see the Glossary.

How to use this appendix

  • Learning-path tags mark who each source serves most: 💾 Data Recovery · 🔍 Forensic Examiner · 🛡️ Incident Response · 📜 Legal/eDiscovery.
  • "Supports" names the primary chapter(s) an entry backs, linked by relative path; extra chapters are listed by number.
  • Editions and versions matter in forensics. A citation without an edition/version is not defensible. Record the exact edition you read and the exact tool version you ran (see Citing sources and tool versions in a report below, and Chapter 26 — The Forensic Report).
  • Links rot; standards supersede. Where a URL is given, treat it as a starting point and record your accessed date. Confirm a standard is the current revision before you cite it in court.

Legal Note. Under Daubert, the literature and published standards you cite are part of what makes your method "generally accepted" and "reliably applied." A report that grounds its method in Carrier, Casey, NIST SP 800-86, ISO/IEC 27037, and SWGDE is far harder to impeach than one that grounds it in "what I usually do." See Chapter 27 — Expert Testimony.

The core shelf (start here)

Source Why it is foundational Supports
Carrier, File System Forensic Analysis (2005) The byte-level account of volumes and file systems — the "why" under every recovery and timestamp claim Ch. 4, 6, 7, 16, 17; App. G
Casey, Digital Evidence and Computer Crime (3rd ed., 2011) The scientific-method, integrity, and admissibility principles of the whole discipline Ch. 5, 25–28
Nelson, Phillips & Steuart, Guide to Computer Forensics and Investigations (Cengage) The classroom-standard walk through the end-to-end process Ch. 5, 14, 26, 36
Ligh, Case, Levy & Walters, The Art of Memory Forensics (2014) The definitive treatment of RAM analysis with Volatility Ch. 22, 32
NIST SP 800-86 (2006) The free, standards-level statement of collection → examination → analysis → reporting Ch. 5, 15, 22, 23
ISO/IEC 27037:2012 The international standard for identification, collection, acquisition, preservation Ch. 5, 14

Books

Grouped by where they earn their place on your shelf. One line each: what it offers, then the chapter it most supports.

Foundations and the forensic process

Windows, macOS, and Linux artifacts

Memory, malware, and incident response

Network and cloud

Mobile

Media, documents, and synthetic media

Cryptocurrency

Tools, certification, and career

Recovery vs. Forensics. Notice the asymmetry on this shelf: the forensics literature is deep and academic; the data-recovery craft (head swaps, RAID rebuilds, controller-level NAND work) is taught largely through vendor docs, training, and community forums (see Online resources and communities). Carrier and Nikkel still anchor the recovery side, because the principle — image first, work on the copy — is identical.


Papers and standards

The published method behind your method. Cite the revision and the year; verify it is current before relying on it.

Standards-to-phase quick map

Standard / document Scope it governs Supports (chapters)
NIST SP 800-86 (2006) Integrating forensics into IR: collection → examination → analysis → reporting 5, 15, 22, 23
ISO/IEC 27037:2012 Identification, collection, acquisition, preservation of digital evidence 5, 14
ISO/IEC 27041:2015 Assurance/suitability of the investigation method 5, 26
ISO/IEC 27042:2015 Analysis and interpretation of digital evidence 21, 26
ISO/IEC 27043:2015 Incident-investigation principles and processes 5, 15
ISO/IEC 17025:2017 General competence of testing/calibration labs (accreditation) 27, 37
SWGDE Best Practices (series) Computer/mobile/imaging/memory examination practice 5, 14, 26, 28
NIST SP 800-101 Rev. 1 (2014) Mobile device forensics 11, 24
NIST SP 800-88 Rev. 1 (2014) Media sanitization (the inverse of recovery; wiping detection) 9, 30
RFC 3227 (2002) Evidence collection and archiving; order of volatility 5, 15
ACPO Good Practice Guide (v5) The four UK principles of digital evidence handling 5, 14

Standards and best practices (annotated)

Research papers and whitepapers (annotated)

  • 🔍 G. Palmer, "A Road Map for Digital Forensic Research" (DFRWS, 2001). The paper that named the field's process model — historically the source of the "examination vs. analysis" distinction. Supports Ch. 1 — Two Disciplines.
  • 🔍 B. Carrier & E. Spafford, "Getting Physical with the Digital Investigation Process" (2003) and "An Event-Based Digital Forensic Investigation Framework" (2004). The conceptual backbone of timeline reasoning and event reconstruction. Supports Ch. 21 — Timeline Analysis.
  • 🔍 S. Garfinkel et al., "Bringing science to digital forensics with standardized forensic corpora" (DFRWS, Digital Investigation 6:S2–S11, 2009). The rationale and design of shareable test data — the origin story of Digital Corpora. Supports Appendix J — Practice Images and Lab Setup (and every lab).
  • 🔍 S. Garfinkel, "Digital forensics research: The next 10 years" (Digital Investigation 7:S64–S73, 2010). The "coming crisis" paper on scale, encryption, and cloud — still the best framing for Ch. 35 and Ch. 40. Supports Ch. 40 — The Career.
  • 🔍🛡️ A. Davis (Mandiant), "Leveraging the Application Compatibility Cache in Forensic Investigations" (2012). The whitepaper that put ShimCache on the map — and the source of the warning that its timestamp is a file's modified time, not an execution time. Supports Ch. 16 — Windows Forensics.
  • 📜 Daubert v. Merrell Dow Pharmaceuticals, 509 U.S. 579 (1993); Frye v. United States, 293 F. 1013 (D.C. Cir. 1923); Kumho Tire v. Carmichael, 526 U.S. 137 (1999). The admissibility trilogy for expert/technical evidence; read with Federal Rules of Evidence 702, 901, 902(13)–(14), 1001–1003 (FRE 902(14) self-authenticates copies by hash). Supports Ch. 25 — The Legal Framework (also Ch. 27; Appendix E).

Tool Tip. The single most useful habit from this section: before any acquisition, bookmark the CFReDS "Hacking Case" and the CFTT page for your write-blocker. The first gives you a free image to keep your skills sharp; the second is the citation you will paste into a report a year from now.


Documentation

Primary, format- and tool-level references — the place to look when you must explain why a parser produced a value down to the byte.

  • 🔍 The Sleuth Kit (TSK) documentation (sleuthkit.org/sleuthkit/docs.php).** Authoritative reference for fls, icat, istat, mmls, blkls, and the TSK body-file format. Supports Ch. 6 — Logical Recovery (also Ch. 7, 16; Appendix H).
  • 🔍 Autopsy user documentation (sleuthkit.org/autopsy/docs).** Module-by-module guide to the GUI most readers start with. Supports Ch. 36 — The Forensic Toolkit.
  • 🔍🛡️ Volatility 3 documentation (volatility3.readthedocs.io) and the Volatility command/plugin reference.** The current API and plugin docs for memory analysis. Supports Ch. 22 — Memory Forensics (also Ch. 32).
  • 🔍 Joachim Metz's libyal documentation (github.com/libyal — libregf, libevtx, libscca, liblnk, libfwsi, libfwps, libfsntfs, libfsapfs, libewf, libvshadow, libbde, libfvde, libluksde).** Free, exhaustive, byte-level specs for the registry, .evtx, Prefetch, LNK, shell items, NTFS/APFS, E01, shadow copies, and full-disk encryption containers. Supports Ch. 16 — Windows Forensics (also Ch. 17, 29; Appendix G).
  • 🔍 Plaso / log2timeline documentation (plaso.readthedocs.io).** The reference for super-timeline parsers, filters, and output formats. Supports Ch. 21 — Timeline Analysis.
  • 🔍 ExifTool documentation (Phil Harvey, exiftool.org).** The encyclopedic reference for image/video/document metadata tags, including maker notes and GPS. Supports Ch. 20 — Photo, Video, and Document Forensics (also Appendix H).
  • 🛡️ Wireshark User's Guide and Display Filter Reference (wireshark.org/docs).** The authority for capture/display filters and protocol dissectors. Supports Ch. 23 — Network Forensics.
  • 🔍🛡️ Eric Zimmerman tools + KAPE documentation (ericzimmerman.github.io; KAPE via Kroll).** Per-tool guides for the EZ suite (RECmd, PECmd, AmcacheParser, LECmd, SBECmd, EvtxECmd, Timeline Explorer) and KAPE Targets/Modules. Supports Ch. 15 — Live Response and Triage (also Ch. 16, 21).
  • 🔍 SQLite file format documentation (sqlite.org/fileformat2.html) and the WAL doc.** Why browser, chat, and mobile-app data lives in .db/-wal/-shm files — and where deleted rows hide. Supports Ch. 18 — Browser and Internet Forensics (also Ch. 19, 24).
  • 🔍 Microsoft Learn — Windows security audit events, NTFS, and BitLocker reference. The authoritative source for what each event ID/logon type means and how BitLocker keys are protected. Supports Ch. 16 — Windows Forensics (also Ch. 29).
  • 🔍 Apple Platform Security Guide and APFS reference. The vendor account of FileVault, the Secure Enclave, and APFS snapshots/containers. Supports Ch. 17 — macOS and Linux Forensics (also Ch. 29).
  • 💾🔍 GNU coreutils, ddrescue, and CGSecurity (TestDisk/PhotoRec) manuals. The reference for imaging, gentle recovery of failing media, and partition/file repair. Supports Ch. 8 — Hard Drive Recovery (also Ch. 5, 6, 7, 14; Appendix H).
  • 🛡️ YARA documentation (virustotal.github.io/yara).** The rule-syntax reference for pattern-matching malware and indicators across files and memory. Supports Ch. 32 — Malware Forensics.
  • 🔍 Vendor user guides — Magnet AXIOM, FTK, EnCase, X-Ways, Cellebrite Physical Analyzer. Product-specific procedure and validation notes; keep the manual for the version you licensed. Supports Ch. 36 — The Forensic Toolkit (also Ch. 24; Appendix C).

Tools

Where to get and cite the software in this book; how to operate it is in Appendix C and Appendix H. "License" is summarized — verify terms before use in paid casework.

Open-source and free

Tool What it is Home / author License Supports
The Sleuth Kit + Autopsy File-system analysis, deleted-file recovery, GUI case mgmt sleuthkit.org (Carrier / Basis Tech) Open source Ch. 6, 7, 16, 36
Volatility 2 / 3 Memory analysis framework volatilityfoundation.org Open source Ch. 22, 32
Plaso / log2timeline Super-timeline generation github.com/log2timeline/plaso Apache 2.0 Ch. 21
Eric Zimmerman tools (EZ) Windows artifact parsers + Timeline Explorer ericzimmerman.github.io Free Ch. 16, 21
KAPE Targeted live collection + module runner Kroll (kroll.com) Free for any use Ch. 15
RegRipper Registry triage via plugins github.com/keydet89 (Carvey) Open source Ch. 16
ExifTool Metadata read/write for media + docs exiftool.org (Harvey) Perl Artistic/GPL Ch. 20
Wireshark / tshark / tcpdump Packet capture and analysis wireshark.org; tcpdump.org GPLv2 / BSD Ch. 23
GNU ddrescue Gentle, resumable imaging of failing media gnu.org/software/ddrescue GPLv3 Ch. 8, 14
dc3dd / dcfldd Forensic dd with hashing + logging sourceforge (DC3) GPL Ch. 5, 14
Guymager Fast GUI imager (E01/AFF/raw) guymager.sourceforge.io GPL Ch. 14
ewftools (libewf) Create/verify Expert Witness (E01) images github.com/libyal/libewf LGPL Ch. 14
TestDisk / PhotoRec Partition repair / signature carving cgsecurity.org GPLv2 Ch. 6, 7
foremost / scalpel Header-footer file carvers AFOSI / G. Richard Public domain / GPL Ch. 7
bulk_extractor Stream-scan for emails, URLs, CCNs, etc. github.com/simsong (Garfinkel) Open source Ch. 7, 18, 33
hashdeep / md5deep Recursive, auditable hashing github.com/jessek/hashdeep Public domain Ch. 5, 14
YARA Pattern-matching rules engine virustotal.github.io/yara BSD-3 Ch. 32
CyberChef Browser-based data transforms/decoding gchq.github.io/CyberChef (GCHQ) Apache 2.0 Ch. 18, 32, 33
Velociraptor Endpoint hunting/collection at scale github.com/Velocidex (Rapid7) AGPL Ch. 15, 23
Hayabusa / Chainsaw Fast EVTX threat triage Yamato-Security / WithSecure AGPL / GPL Ch. 16
FTK Imager Free imaging + preview (raw/E01) Exterro (exterro.com) Free (proprietary) Ch. 14, 36
SIFT Workstation Free Ubuntu DFIR distribution sans.org/tools/sift-workstation Free Ch. 37
CAINE / Tsurugi / Paladin Bootable forensic Linux distros caine-live.net; tsurugi-linux.org; sumuri.com Free Ch. 37

Commercial (cite vendor + version + license seat)

Tool What it is Vendor Supports
Magnet AXIOM / AXIOM Cyber All-in-one acquisition + analysis Magnet Forensics Ch. 31, 36
FTK Examination suite + distributed processing Exterro Ch. 36
EnCase Forensic Examination suite; EnScript automation OpenText Ch. 36
X-Ways Forensics Lightweight, deep low-level examiner X-Ways Software Ch. 16, 36
Cellebrite UFED / Physical Analyzer / Inspector Mobile + computer acquisition/parsing Cellebrite Ch. 24
Oxygen Forensic Detective / Belkasoft X Mobile + cloud + app artifacts Oxygen; Belkasoft Ch. 24, 31
R-Studio / UFS Explorer / DMDE RAID-aware data recovery r-tt.com; ufsexplorer.com; dmde.com Ch. 6, 10
PC-3000 Controller-level/firmware drive recovery ACE Lab Ch. 8, 9
Chainalysis Reactor / TRM / Elliptic Blockchain analytics + attribution Chainalysis; TRM Labs; Elliptic Ch. 33

Limitation. A tool's output is only as defensible as your record of which build produced it. Volatility 2 vs. 3, two Autopsy point releases, or a firmware bump in a write-blocker can change results. Pin and log versions — see below.

Citing sources and tool versions in a report

Capture the exact versions you ran. Paste these into your report's "Standards & References" section (Ch. 26).

# Linux/macOS: record OS + tool versions (flags vary by tool — see Appendix H).
uname -a
tsk_version                          # The Sleuth Kit
fls -V ; icat -V
ewfacquire -V 2>&1 | head -1         # libewf
ddrescue --version | head -1
dc3dd --version 2>&1 | head -1
foremost -V ; scalpel -V
exiftool -ver
tshark -v | head -1 ; tcpdump --version
bulk_extractor -V ; hashdeep -V
yara --version
vol.py --info 2>/dev/null | head -1  # Volatility 2
vol -h 2>/dev/null | head -1         # Volatility 3
log2timeline.py --version
# Windows: version + binary hash for EZ Tools, FTK Imager, etc.
Get-CimInstance Win32_OperatingSystem | Select-Object Caption, Version, BuildNumber
Get-ChildItem .\*.exe | ForEach-Object {
    [PSCustomObject]@{
        Tool    = $_.Name
        Version = $_.VersionInfo.ProductVersion
        SHA256  = (Get-FileHash $_.FullName -Algorithm SHA256).Hash
    }
} | Format-Table -AutoSize
vol -h | Select-Object -First 1       # Volatility 3, if installed

A small helper to fold a citation (and, for a tool, its real version + binary hash) into your case file's references manifest — pairs with Appendix B:

# refs_manifest.py — build a defensible "Standards & References" manifest.
# Illustrative (never executed here); the version flag varies per tool.
import json, subprocess, hashlib, datetime
from pathlib import Path

def sha256(path: Path) -> str:
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()

def add_reference(manifest, *, kind, citation, supports="",
                  tool_path=None, version_arg="--version"):
    entry = {
        "kind": kind,                # book | standard | paper | tool | url | case_law
        "citation": citation,        # full, edition-specific reference text
        "supports": supports,        # case task / chapter(s) it backs
        "recorded": datetime.datetime.now().astimezone().isoformat(),
    }
    if tool_path:                    # capture the binary you ACTUALLY ran
        p = Path(tool_path)
        try:
            entry["tool_version"] = subprocess.run(
                [str(p), version_arg], capture_output=True, text=True
            ).stdout.strip()
        except Exception as e:       # noqa: BLE001 — record the failure, don't crash
            entry["tool_version"] = f"<unavailable: {e}>"
        entry["tool_sha256"] = sha256(p) if p.is_file() else "<not a file>"
    manifest.append(entry)
    return entry

if __name__ == "__main__":
    refs = []
    add_reference(refs, kind="standard",
                  citation="NIST SP 800-86 (2006), Guide to Integrating "
                           "Forensic Techniques into Incident Response.",
                  supports="Acquisition + analysis methodology (Ch. 5)")
    add_reference(refs, kind="tool",
                  citation="ExifTool by Phil Harvey, exiftool.org",
                  supports="EXIF/GPS analysis (Ch. 20)",
                  tool_path="/usr/bin/exiftool", version_arg="-ver")
    Path("references.json").write_text(json.dumps(refs, indent=2))

Report-section and citation-format templates to keep your references consistent:

STANDARDS & REFERENCES   (Forensic Report §; see Ch. 26)
---------------------------------------------------------
Methodology conforms to:
  - NIST SP 800-86 (2006) — collection, examination, analysis, reporting.
  - ISO/IEC 27037:2012 — identification, collection, acquisition, preservation.
  - SWGDE Best Practices for Computer Forensic Examination (cite version/date).

Tools used (name | version | SHA-256 of binary):
  - The Sleuth Kit / icat | 4.12.x | <hash>
  - Autopsy               | 4.21.x | <hash>
  - Volatility 3          | 2.x.x  | <hash>

Validation:
  - Write blocker (make/model, firmware) validated per NIST CFTT, <date>.

Cited literature:
  - Carrier, B. (2005). File System Forensic Analysis. Addison-Wesley.
  - Casey, E. (2011). Digital Evidence and Computer Crime (3rd ed.). Academic Press.
CITATION FORMAT (use consistently throughout the case file)
-----------------------------------------------------------
Book      : Author(s) (Year). Title (edition). Publisher. [ISBN]
Chapter   : Author (Year). "Chapter." In Editor (ed.), Book. Publisher, pp. x-y.
Paper     : Author(s) (Year). "Title." Venue vol(no), pages. DOI/URL.
Standard  : Body Number:Year, Title.            e.g. ISO/IEC 27037:2012
NIST SP   : Authors (Year). Title (SP 800-NN[ rNN]). NIST. URL.
Tool      : Project (Version). Author/Vendor. URL. Accessed YYYY-MM-DD.
Web/URL   : Author/Org (Year). "Title." Site. URL. Accessed YYYY-MM-DD.
Case law  : Party v. Party, Vol Reporter Page (Court Year).

Online resources and communities

The living edge of the field — where new artifacts get documented and questions get answered. Treat blog posts as leads to verify against primary docs and standards, not as citable authority on their own.

The DFIR community

  • 🔍🛡️ SANS DFIR (sans.org/digital-forensics-incident-response). Blog, the indispensable one-page artifact posters**, webcasts, and the annual DFIR Summit. Supports Ch. 16 — Windows Forensics (and broadly).
  • 🔍 This Week in 4n6 (thisweekin4n6.com, Phill Moore).** The weekly roundup of new posts, tool releases, and research — the single best way to stay current. Supports Ch. 40 — The Career.
  • 🔍🛡️ AboutDFIR (aboutdfir.com) and Forensic Focus (forensicfocus.com).** Curated resources, tool/cert directories, articles, jobs, and a long-running practitioner forum. Supports Ch. 39 — Certifications (also Ch. 40).
  • 🔍 DFIR Review (dfir.pubpub.org).** Peer-reviewed DFIR research — when you need something more citable than a blog. Supports Ch. 27 — Expert Testimony.
  • 🔍 13cubed (Richard Davis), YouTube + training. Short, rigorous, free walk-throughs of Amcache, ShimCache, memory, and more. Supports Ch. 16 (also Ch. 22).
  • 🔍 ForensicArtifacts (github.com/ForensicArtifacts/artifacts).** Machine-readable artifact definitions consumed by Plaso, KAPE, and Velociraptor. Supports Ch. 17 — macOS and Linux Forensics (also Ch. 16).
  • 🔍🛡️ Reddit r/computerforensics; the DFIR Discord/Slack communities. Active Q&A and tooling chatter for when you are stuck at the bench. Supports Ch. 36 — The Forensic Toolkit.

Datasets, practice images, and tool testing

  • 🔍 Digital Corpora (digitalcorpora.org). Garfinkel's freely usable corpora — govdocs1, the M57-Patents scenario, and NPS test disk images — the backbone of realistic, legal practice. Supports Appendix J — Practice Images and Lab Setup (and every lab).
  • 🔍 NIST CFReDS — Computer Forensic Reference Data Sets (cfreds.nist.gov).** Reference images including the classic "Hacking Case," built to exercise tools against a known ground truth. Supports Appendix J — Practice Images and Lab Setup.
  • 🔍📜 NIST CFTT — Computer Forensic Tool Testing (cftt.nist.gov).** Independent, citable test reports for write-blockers, imagers, and mobile tools. Supports Ch. 14 — Forensic Acquisition (also Ch. 5, 27, 36).
  • 🔍 NIST NSRL — National Software Reference Library (nsrl.nist.gov).** The Reference Data Set (RDS) of known-file hashes — used to filter out OS/application files (known-good) and flag known-bad. Supports Ch. 7 — File Carving (also Ch. 16, 20).
  • 🔍 DFRWS (dfrws.org).** The research conference plus its annual forensic/carving challenges and released datasets. Supports Ch. 21 — Timeline Analysis (also Ch. 7).
  • 🔍 DFIR.training (dfir.training, Brett Shavers) and Magnet Weekly / Belkasoft CTFs. Aggregated tools, test images, jobs, and recurring capture-the-flag exercises to sharpen on. Supports Ch. 38 — The Capstone Investigation.
  • 🔍 DCode (Digital Detective) and CyberChef "From/To" recipes. Quick, reliable timestamp and encoding conversion when you are decoding an artifact by hand. Supports Ch. 21 — Timeline Analysis.

Standards bodies and portals

  • 📜 NIST (nist.gov / csrc.nist.gov), ISO (iso.org), SWGDE (swgde.org), and IETF RFC Editor (rfc-editor.org).** The primary homes of the standards cited above — always confirm the current revision here. Supports Appendix E — Legal Frameworks Reference (and Ch. 5).

Data-recovery community

  • 💾 r/datarecovery and the HDDGuru forums (hddguru.com).** Where bench recovery is actually taught — donor-drive matching, head swaps, firmware, and "is this DIY-safe or send-it-out?" judgment. Supports Ch. 8 — Hard Drive Recovery (also Ch. 13).
  • 💾 Vendor knowledge bases — ACE Lab (PC-3000), R-Studio, UFS Explorer, DMDE. Drive-family notes, RAID-parameter guidance, and case write-ups from the recovery tool makers. Supports Ch. 10 — RAID Recovery (also Ch. 8, 9).

Ethics Note. Community generosity is real, but so is your duty of confidentiality. When you post a question, scrub it — no client names, no case identifiers, no original evidence. Ask about the technique, never about the case. See Chapter 28 — Ethics.


Citing this book

The DataField Project (2026). Data Recovery and Digital Forensics:
Finding What's Lost, Proving What Happened. Licensed CC-BY-SA-4.0.

When you reuse a figure, table, or passage, the CC-BY-SA-4.0 license requires attribution and share-alike. See LICENSE.md.

Keeping this list alive

This is a snapshot, and DFIR moves fast. Tool versions change weekly; standards are revised; URLs rot. The durable layer is the named authors and standards bodies — Carrier, Casey, Ligh, NIST, ISO, SWGDE — who will still anchor the field after this edition. Build your own running bibliography as you work (the refs_manifest.py pattern above), and let This Week in 4n6 and the SANS DFIR posters keep the moving parts current.


See also: Appendix C — Tool Reference · Appendix E — Legal Frameworks Reference · Appendix H — Command-Line Reference · Appendix J — Practice Images and Lab Setup · Glossary · Appendices index.