Affiliate disclosure
Book titles on this page link to Amazon. As an Amazon Associate, DataField.Dev earns from qualifying purchases — at no additional cost to you.
Bibliography
Purpose. The annotated reading list, standards catalog, documentation index, and tool registry behind this book — every entry tagged with what it gives you and which chapters it supports, so you can go from "I need to defend this finding" to the right source in seconds.
This appendix is a reading-and-citing reference. Its operational siblings are Appendix C — Tool Reference (how to run the tools), Appendix H — Command-Line Reference (exact syntax), and Appendix E — Legal Frameworks Reference (the law in depth). When you need a term, see the Glossary.
How to use this appendix
- Learning-path tags mark who each source serves most: 💾 Data Recovery · 🔍 Forensic Examiner · 🛡️ Incident Response · 📜 Legal/eDiscovery.
- "Supports" names the primary chapter(s) an entry backs, linked by relative path; extra chapters are listed by number.
- Editions and versions matter in forensics. A citation without an edition/version is not defensible. Record the exact edition you read and the exact tool version you ran (see Citing sources and tool versions in a report below, and Chapter 26 — The Forensic Report).
- Links rot; standards supersede. Where a URL is given, treat it as a starting point and record your accessed date. Confirm a standard is the current revision before you cite it in court.
Legal Note. Under Daubert, the literature and published standards you cite are part of what makes your method "generally accepted" and "reliably applied." A report that grounds its method in Carrier, Casey, NIST SP 800-86, ISO/IEC 27037, and SWGDE is far harder to impeach than one that grounds it in "what I usually do." See Chapter 27 — Expert Testimony.
The core shelf (start here)
| Source | Why it is foundational | Supports |
|---|---|---|
| Carrier, File System Forensic Analysis (2005) | The byte-level account of volumes and file systems — the "why" under every recovery and timestamp claim | Ch. 4, 6, 7, 16, 17; App. G |
| Casey, Digital Evidence and Computer Crime (3rd ed., 2011) | The scientific-method, integrity, and admissibility principles of the whole discipline | Ch. 5, 25–28 |
| Nelson, Phillips & Steuart, Guide to Computer Forensics and Investigations (Cengage) | The classroom-standard walk through the end-to-end process | Ch. 5, 14, 26, 36 |
| Ligh, Case, Levy & Walters, The Art of Memory Forensics (2014) | The definitive treatment of RAM analysis with Volatility | Ch. 22, 32 |
| NIST SP 800-86 (2006) | The free, standards-level statement of collection → examination → analysis → reporting | Ch. 5, 15, 22, 23 |
| ISO/IEC 27037:2012 | The international standard for identification, collection, acquisition, preservation | Ch. 5, 14 |
Books
Grouped by where they earn their place on your shelf. One line each: what it offers, then the chapter it most supports.
Foundations and the forensic process
- 🔍📜 Brian Carrier, File System Forensic Analysis (Addison-Wesley, 2005, ISBN 978-0321268174). The canonical, byte-level treatment of volume systems and FAT/NTFS/ext/UFS — the reference behind deleted-file recovery and
$STANDARD_INFORMATION` vs. `$FILE_NAMEanalysis. Supports Ch. 4 — File Systems (also Ch. 2, 6, 7, 16, 17; Appendix G). - 🔍📜 Eoghan Casey, Digital Evidence and Computer Crime: Forensic Science, Computers, and the Internet (3rd ed., Academic Press, 2011, ISBN 978-0123742681). The authoritative statement of evidentiary integrity, the scientific method in casework, and chain of custody. Supports Ch. 5 — The Forensic Process (also Ch. 25–28).
- 🔍 Eoghan Casey (ed.), Handbook of Digital Forensics and Investigation (Academic Press, 2009). A multi-author survey spanning systems, networks, and embedded devices — a fast map of the whole field. Supports Ch. 1 — Two Disciplines.
- 🔍📜 Bill Nelson, Amelia Phillips & Christopher Steuart, Guide to Computer Forensics and Investigations (Cengage, 6th ed., 2019 and later printings). The most classroom-friendly end-to-end process text, with screenshots of the very tools used here. A gentle on-ramp if Carrier feels steep. Supports Ch. 5 — The Forensic Process (also Ch. 14, 26, 36, 39).
- 💾🔍 Bruce Nikkel, Practical Forensic Imaging: Securing Digital Evidence with Linux Tools (No Starch Press, 2016, ISBN 978-1593277932). The best modern, hands-on guide to acquisition — write-blocking,
dc3dd/ewfacquire, hashing, and verifying images on Linux/BSD. Supports Ch. 14 — Forensic Acquisition (also Ch. 5, 8).
Windows, macOS, and Linux artifacts
- 🔍🛡️ Harlan Carvey, Windows Registry Forensics (2nd ed., Syngress, 2016) and Windows Forensic Analysis Toolkit (4th ed., Syngress, 2014). Practitioner-deep, case-driven coverage of registry, Prefetch, and Windows artifacts. Supports Ch. 16 — Windows Forensics (also Ch. 21, 30).
- 🔍 Cory Altheide & Harlan Carvey, Digital Forensics with Open Source Tools (Syngress, 2011). A vendor-neutral tour of doing real work with TSK, RegRipper, and friends. Supports Ch. 36 — The Forensic Toolkit (also Ch. 16, 17).
- 🔍 Philip Polstra, Linux Forensics (Pentester Academy, 2015). Focused coverage of ext4 internals, Linux logs, and scripting an exam. Supports Ch. 17 — macOS and Linux Forensics.
Memory, malware, and incident response
- 🔍🛡️ Michael Hale Ligh, Andrew Case, Jamie Levy & AAron Walters, The Art of Memory Forensics (Wiley, 2014, ISBN 978-1118825099). The definitive book on RAM analysis across Windows, Linux, and Mac, written by the Volatility authors. Supports Ch. 22 — Memory Forensics (also Ch. 32).
- 🛡️🔍 Jason Luttgens, Matthew Pepe & Kevin Mandia, Incident Response & Computer Forensics (3rd ed., McGraw-Hill, 2014). The IR playbook — scoping, triage, and turning artifacts into a timeline under time pressure. Supports Ch. 15 — Live Response and Triage.
- 🛡️🔍 Michael Sikorski & Andrew Honig, Practical Malware Analysis (No Starch Press, 2012). The standard introduction to static and dynamic analysis — read it for the post-incident, "analyze the weapon" mindset, not for weaponization. Supports Ch. 32 — Malware Forensics.
Network and cloud
- 🛡️📜 Sherri Davidoff & Jonathan Ham, Network Forensics: Tracking Hackers through Cyberspace (Prentice Hall, 2012). The book on packet captures, flow records, and tracing activity across the wire. Supports Ch. 23 — Network Forensics.
- 📜🔍 Darren Quick, Ben Martini & Kim-Kwang Raymond Choo, Cloud Storage Forensics (Syngress, 2014). Early, methodical treatment of acquiring and validating evidence from third-party servers. Supports Ch. 31 — Cloud Forensics.
Mobile
- 🔍 Rohit Tamma, Oleg Skulkin, Heather Mahalik & Satish Bommisetty, Practical Mobile Forensics (4th ed., Packt, 2020). The current, hands-on guide to iOS/Android acquisition and app-data parsing. Supports Ch. 24 — Mobile Device Forensics (also Ch. 11).
- 🔍 Andrew Hoog, Android Forensics (Syngress, 2011) and Hoog & Strzempka, iPhone and iOS Forensics (Syngress, 2011). Foundational platform-internals references; dated on tooling but durable on partition layout and data stores. Supports Ch. 24 — Mobile Device Forensics.
Media, documents, and synthetic media
- 🔍 Hany Farid, Photo Forensics (MIT Press, 2016). The rigorous, math-light science of detecting image manipulation — error-level, lighting, and sensor analysis. Supports Ch. 20 — Photo, Video, and Document Forensics (also Ch. 35).
Cryptocurrency
- 🔍📜 Nick Furneaux, Investigating Cryptocurrencies (Wiley, 2018). How blockchains work for investigators — addresses, clustering, mixers, and following the money. Supports Ch. 33 — Cryptocurrency Investigation.
Tools, certification, and career
- 🔍 Steve Bunting, EnCE: The Official EnCE Certified Examiner Study Guide (3rd ed., Sybex, 2012). Certification-focused but a solid grounding in EnCase methodology and evidence handling. Supports Ch. 39 — Certifications (also Ch. 36; Appendix I).
Recovery vs. Forensics. Notice the asymmetry on this shelf: the forensics literature is deep and academic; the data-recovery craft (head swaps, RAID rebuilds, controller-level NAND work) is taught largely through vendor docs, training, and community forums (see Online resources and communities). Carrier and Nikkel still anchor the recovery side, because the principle — image first, work on the copy — is identical.
Papers and standards
The published method behind your method. Cite the revision and the year; verify it is current before relying on it.
Standards-to-phase quick map
| Standard / document | Scope it governs | Supports (chapters) |
|---|---|---|
| NIST SP 800-86 (2006) | Integrating forensics into IR: collection → examination → analysis → reporting | 5, 15, 22, 23 |
| ISO/IEC 27037:2012 | Identification, collection, acquisition, preservation of digital evidence | 5, 14 |
| ISO/IEC 27041:2015 | Assurance/suitability of the investigation method | 5, 26 |
| ISO/IEC 27042:2015 | Analysis and interpretation of digital evidence | 21, 26 |
| ISO/IEC 27043:2015 | Incident-investigation principles and processes | 5, 15 |
| ISO/IEC 17025:2017 | General competence of testing/calibration labs (accreditation) | 27, 37 |
| SWGDE Best Practices (series) | Computer/mobile/imaging/memory examination practice | 5, 14, 26, 28 |
| NIST SP 800-101 Rev. 1 (2014) | Mobile device forensics | 11, 24 |
| NIST SP 800-88 Rev. 1 (2014) | Media sanitization (the inverse of recovery; wiping detection) | 9, 30 |
| RFC 3227 (2002) | Evidence collection and archiving; order of volatility | 5, 15 |
| ACPO Good Practice Guide (v5) | The four UK principles of digital evidence handling | 5, 14 |
Standards and best practices (annotated)
- 📜🔍 NIST SP 800-86, Guide to Integrating Forensic Techniques into Incident Response (Kent, Chevalier, Grance & Dang, 2006). The free, citable statement of the four-phase process this book is built on. Supports Ch. 5 — The Forensic Process (also Ch. 15, 22, 23).
- 📜🔍 ISO/IEC 27037:2012, Identification, collection, acquisition and preservation of digital evidence. The international standard your acquisition should match, so the defense argues against the standard, not just against you. Supports Ch. 14 — Forensic Acquisition.
- 📜 ISO/IEC 27041 / 27042 / 27043 (2015). The companion trio covering method assurance, analysis/interpretation, and investigation principles — cite alongside 27037 to cover the full lifecycle. Supports Ch. 26 — The Forensic Report (also Ch. 5, 21).
- 🔍📜 SWGDE (Scientific Working Group on Digital Evidence) Best Practices (swgde.org).** Consensus U.S. practice documents for computer, mobile, imaging, and memory examination — short, current, and widely accepted. Supports Ch. 5 — The Forensic Process (also Ch. 14, 26, 28).
- 🔍📜 NIST Computer Forensic Tool Testing (CFTT) reports (cftt.nist.gov). Independent test results for the specific write-blocker and imaging-tool models you use — the citation that turns "my tool works" into a Daubert-grade claim. Supports Ch. 14 — Forensic Acquisition (also Ch. 5, 27, 36).
- 📜 NIST SP 800-101 Rev. 1, Guidelines on Mobile Device Forensics (Ayers, Brothers & Jansen, 2014). The standards anchor for phone/tablet acquisition levels and validation. Supports Ch. 24 — Mobile Device Forensics (also Ch. 11).
- 💾📜 NIST SP 800-88 Rev. 1, Guidelines for Media Sanitization (2014). The authority on Clear/Purge/Destroy — read it to understand exactly why securely-wiped or cryptographically-erased media is unrecoverable. Supports Ch. 9 — SSD and Flash Recovery (also Ch. 30).
- 🛡️📜 RFC 3227, Guidelines for Evidence Collection and Archiving (Brezinski & Killalea, 2002). The classic statement of the order of volatility — what to capture first on a live machine. Supports Ch. 15 — Live Response and Triage.
- 🔍📜 ASTM E30.12 digital and multimedia evidence standards (e.g., E3016, Establishing Confidence in DME Results by Error Mitigation Analysis).** Process and terminology standards useful for accredited labs and error-rate testimony. Supports Ch. 28 — Ethics (also Ch. 5, 27).
Research papers and whitepapers (annotated)
- 🔍 G. Palmer, "A Road Map for Digital Forensic Research" (DFRWS, 2001). The paper that named the field's process model — historically the source of the "examination vs. analysis" distinction. Supports Ch. 1 — Two Disciplines.
- 🔍 B. Carrier & E. Spafford, "Getting Physical with the Digital Investigation Process" (2003) and "An Event-Based Digital Forensic Investigation Framework" (2004). The conceptual backbone of timeline reasoning and event reconstruction. Supports Ch. 21 — Timeline Analysis.
- 🔍 S. Garfinkel et al., "Bringing science to digital forensics with standardized forensic corpora" (DFRWS, Digital Investigation 6:S2–S11, 2009). The rationale and design of shareable test data — the origin story of Digital Corpora. Supports Appendix J — Practice Images and Lab Setup (and every lab).
- 🔍 S. Garfinkel, "Digital forensics research: The next 10 years" (Digital Investigation 7:S64–S73, 2010). The "coming crisis" paper on scale, encryption, and cloud — still the best framing for Ch. 35 and Ch. 40. Supports Ch. 40 — The Career.
- 🔍🛡️ A. Davis (Mandiant), "Leveraging the Application Compatibility Cache in Forensic Investigations" (2012). The whitepaper that put ShimCache on the map — and the source of the warning that its timestamp is a file's modified time, not an execution time. Supports Ch. 16 — Windows Forensics.
- 📜 Daubert v. Merrell Dow Pharmaceuticals, 509 U.S. 579 (1993); Frye v. United States, 293 F. 1013 (D.C. Cir. 1923); Kumho Tire v. Carmichael, 526 U.S. 137 (1999). The admissibility trilogy for expert/technical evidence; read with Federal Rules of Evidence 702, 901, 902(13)–(14), 1001–1003 (FRE 902(14) self-authenticates copies by hash). Supports Ch. 25 — The Legal Framework (also Ch. 27; Appendix E).
Tool Tip. The single most useful habit from this section: before any acquisition, bookmark the CFReDS "Hacking Case" and the CFTT page for your write-blocker. The first gives you a free image to keep your skills sharp; the second is the citation you will paste into a report a year from now.
Documentation
Primary, format- and tool-level references — the place to look when you must explain why a parser produced a value down to the byte.
- 🔍 The Sleuth Kit (TSK) documentation (sleuthkit.org/sleuthkit/docs.php).** Authoritative reference for
fls,icat,istat,mmls,blkls, and the TSK body-file format. Supports Ch. 6 — Logical Recovery (also Ch. 7, 16; Appendix H). - 🔍 Autopsy user documentation (sleuthkit.org/autopsy/docs).** Module-by-module guide to the GUI most readers start with. Supports Ch. 36 — The Forensic Toolkit.
- 🔍🛡️ Volatility 3 documentation (volatility3.readthedocs.io) and the Volatility command/plugin reference.** The current API and plugin docs for memory analysis. Supports Ch. 22 — Memory Forensics (also Ch. 32).
- 🔍 Joachim Metz's libyal documentation (github.com/libyal —
libregf,libevtx,libscca,liblnk,libfwsi,libfwps,libfsntfs,libfsapfs,libewf,libvshadow,libbde,libfvde,libluksde).** Free, exhaustive, byte-level specs for the registry,.evtx, Prefetch, LNK, shell items, NTFS/APFS, E01, shadow copies, and full-disk encryption containers. Supports Ch. 16 — Windows Forensics (also Ch. 17, 29; Appendix G). - 🔍 Plaso / log2timeline documentation (plaso.readthedocs.io).** The reference for super-timeline parsers, filters, and output formats. Supports Ch. 21 — Timeline Analysis.
- 🔍 ExifTool documentation (Phil Harvey, exiftool.org).** The encyclopedic reference for image/video/document metadata tags, including maker notes and GPS. Supports Ch. 20 — Photo, Video, and Document Forensics (also Appendix H).
- 🛡️ Wireshark User's Guide and Display Filter Reference (wireshark.org/docs).** The authority for capture/display filters and protocol dissectors. Supports Ch. 23 — Network Forensics.
- 🔍🛡️ Eric Zimmerman tools + KAPE documentation (ericzimmerman.github.io; KAPE via Kroll).** Per-tool guides for the EZ suite (
RECmd,PECmd,AmcacheParser,LECmd,SBECmd,EvtxECmd, Timeline Explorer) and KAPE Targets/Modules. Supports Ch. 15 — Live Response and Triage (also Ch. 16, 21). - 🔍 SQLite file format documentation (sqlite.org/fileformat2.html) and the WAL doc.** Why browser, chat, and mobile-app data lives in
.db/-wal/-shmfiles — and where deleted rows hide. Supports Ch. 18 — Browser and Internet Forensics (also Ch. 19, 24). - 🔍 Microsoft Learn — Windows security audit events, NTFS, and BitLocker reference. The authoritative source for what each event ID/logon type means and how BitLocker keys are protected. Supports Ch. 16 — Windows Forensics (also Ch. 29).
- 🔍 Apple Platform Security Guide and APFS reference. The vendor account of FileVault, the Secure Enclave, and APFS snapshots/containers. Supports Ch. 17 — macOS and Linux Forensics (also Ch. 29).
- 💾🔍 GNU
coreutils,ddrescue, and CGSecurity (TestDisk/PhotoRec) manuals. The reference for imaging, gentle recovery of failing media, and partition/file repair. Supports Ch. 8 — Hard Drive Recovery (also Ch. 5, 6, 7, 14; Appendix H). - 🛡️ YARA documentation (virustotal.github.io/yara).** The rule-syntax reference for pattern-matching malware and indicators across files and memory. Supports Ch. 32 — Malware Forensics.
- 🔍 Vendor user guides — Magnet AXIOM, FTK, EnCase, X-Ways, Cellebrite Physical Analyzer. Product-specific procedure and validation notes; keep the manual for the version you licensed. Supports Ch. 36 — The Forensic Toolkit (also Ch. 24; Appendix C).
Tools
Where to get and cite the software in this book; how to operate it is in Appendix C and Appendix H. "License" is summarized — verify terms before use in paid casework.
Open-source and free
| Tool | What it is | Home / author | License | Supports |
|---|---|---|---|---|
| The Sleuth Kit + Autopsy | File-system analysis, deleted-file recovery, GUI case mgmt | sleuthkit.org (Carrier / Basis Tech) | Open source | Ch. 6, 7, 16, 36 |
| Volatility 2 / 3 | Memory analysis framework | volatilityfoundation.org | Open source | Ch. 22, 32 |
| Plaso / log2timeline | Super-timeline generation | github.com/log2timeline/plaso | Apache 2.0 | Ch. 21 |
| Eric Zimmerman tools (EZ) | Windows artifact parsers + Timeline Explorer | ericzimmerman.github.io | Free | Ch. 16, 21 |
| KAPE | Targeted live collection + module runner | Kroll (kroll.com) | Free for any use | Ch. 15 |
| RegRipper | Registry triage via plugins | github.com/keydet89 (Carvey) | Open source | Ch. 16 |
| ExifTool | Metadata read/write for media + docs | exiftool.org (Harvey) | Perl Artistic/GPL | Ch. 20 |
| Wireshark / tshark / tcpdump | Packet capture and analysis | wireshark.org; tcpdump.org | GPLv2 / BSD | Ch. 23 |
| GNU ddrescue | Gentle, resumable imaging of failing media | gnu.org/software/ddrescue | GPLv3 | Ch. 8, 14 |
| dc3dd / dcfldd | Forensic dd with hashing + logging |
sourceforge (DC3) | GPL | Ch. 5, 14 |
| Guymager | Fast GUI imager (E01/AFF/raw) | guymager.sourceforge.io | GPL | Ch. 14 |
| ewftools (libewf) | Create/verify Expert Witness (E01) images | github.com/libyal/libewf | LGPL | Ch. 14 |
| TestDisk / PhotoRec | Partition repair / signature carving | cgsecurity.org | GPLv2 | Ch. 6, 7 |
| foremost / scalpel | Header-footer file carvers | AFOSI / G. Richard | Public domain / GPL | Ch. 7 |
| bulk_extractor | Stream-scan for emails, URLs, CCNs, etc. | github.com/simsong (Garfinkel) | Open source | Ch. 7, 18, 33 |
| hashdeep / md5deep | Recursive, auditable hashing | github.com/jessek/hashdeep | Public domain | Ch. 5, 14 |
| YARA | Pattern-matching rules engine | virustotal.github.io/yara | BSD-3 | Ch. 32 |
| CyberChef | Browser-based data transforms/decoding | gchq.github.io/CyberChef (GCHQ) | Apache 2.0 | Ch. 18, 32, 33 |
| Velociraptor | Endpoint hunting/collection at scale | github.com/Velocidex (Rapid7) | AGPL | Ch. 15, 23 |
| Hayabusa / Chainsaw | Fast EVTX threat triage | Yamato-Security / WithSecure | AGPL / GPL | Ch. 16 |
| FTK Imager | Free imaging + preview (raw/E01) | Exterro (exterro.com) | Free (proprietary) | Ch. 14, 36 |
| SIFT Workstation | Free Ubuntu DFIR distribution | sans.org/tools/sift-workstation | Free | Ch. 37 |
| CAINE / Tsurugi / Paladin | Bootable forensic Linux distros | caine-live.net; tsurugi-linux.org; sumuri.com | Free | Ch. 37 |
Commercial (cite vendor + version + license seat)
| Tool | What it is | Vendor | Supports |
|---|---|---|---|
| Magnet AXIOM / AXIOM Cyber | All-in-one acquisition + analysis | Magnet Forensics | Ch. 31, 36 |
| FTK | Examination suite + distributed processing | Exterro | Ch. 36 |
| EnCase Forensic | Examination suite; EnScript automation | OpenText | Ch. 36 |
| X-Ways Forensics | Lightweight, deep low-level examiner | X-Ways Software | Ch. 16, 36 |
| Cellebrite UFED / Physical Analyzer / Inspector | Mobile + computer acquisition/parsing | Cellebrite | Ch. 24 |
| Oxygen Forensic Detective / Belkasoft X | Mobile + cloud + app artifacts | Oxygen; Belkasoft | Ch. 24, 31 |
| R-Studio / UFS Explorer / DMDE | RAID-aware data recovery | r-tt.com; ufsexplorer.com; dmde.com | Ch. 6, 10 |
| PC-3000 | Controller-level/firmware drive recovery | ACE Lab | Ch. 8, 9 |
| Chainalysis Reactor / TRM / Elliptic | Blockchain analytics + attribution | Chainalysis; TRM Labs; Elliptic | Ch. 33 |
Limitation. A tool's output is only as defensible as your record of which build produced it. Volatility 2 vs. 3, two Autopsy point releases, or a firmware bump in a write-blocker can change results. Pin and log versions — see below.
Citing sources and tool versions in a report
Capture the exact versions you ran. Paste these into your report's "Standards & References" section (Ch. 26).
# Linux/macOS: record OS + tool versions (flags vary by tool — see Appendix H).
uname -a
tsk_version # The Sleuth Kit
fls -V ; icat -V
ewfacquire -V 2>&1 | head -1 # libewf
ddrescue --version | head -1
dc3dd --version 2>&1 | head -1
foremost -V ; scalpel -V
exiftool -ver
tshark -v | head -1 ; tcpdump --version
bulk_extractor -V ; hashdeep -V
yara --version
vol.py --info 2>/dev/null | head -1 # Volatility 2
vol -h 2>/dev/null | head -1 # Volatility 3
log2timeline.py --version
# Windows: version + binary hash for EZ Tools, FTK Imager, etc.
Get-CimInstance Win32_OperatingSystem | Select-Object Caption, Version, BuildNumber
Get-ChildItem .\*.exe | ForEach-Object {
[PSCustomObject]@{
Tool = $_.Name
Version = $_.VersionInfo.ProductVersion
SHA256 = (Get-FileHash $_.FullName -Algorithm SHA256).Hash
}
} | Format-Table -AutoSize
vol -h | Select-Object -First 1 # Volatility 3, if installed
A small helper to fold a citation (and, for a tool, its real version + binary hash) into your case file's references manifest — pairs with Appendix B:
# refs_manifest.py — build a defensible "Standards & References" manifest.
# Illustrative (never executed here); the version flag varies per tool.
import json, subprocess, hashlib, datetime
from pathlib import Path
def sha256(path: Path) -> str:
h = hashlib.sha256()
with open(path, "rb") as f:
for chunk in iter(lambda: f.read(1 << 20), b""):
h.update(chunk)
return h.hexdigest()
def add_reference(manifest, *, kind, citation, supports="",
tool_path=None, version_arg="--version"):
entry = {
"kind": kind, # book | standard | paper | tool | url | case_law
"citation": citation, # full, edition-specific reference text
"supports": supports, # case task / chapter(s) it backs
"recorded": datetime.datetime.now().astimezone().isoformat(),
}
if tool_path: # capture the binary you ACTUALLY ran
p = Path(tool_path)
try:
entry["tool_version"] = subprocess.run(
[str(p), version_arg], capture_output=True, text=True
).stdout.strip()
except Exception as e: # noqa: BLE001 — record the failure, don't crash
entry["tool_version"] = f"<unavailable: {e}>"
entry["tool_sha256"] = sha256(p) if p.is_file() else "<not a file>"
manifest.append(entry)
return entry
if __name__ == "__main__":
refs = []
add_reference(refs, kind="standard",
citation="NIST SP 800-86 (2006), Guide to Integrating "
"Forensic Techniques into Incident Response.",
supports="Acquisition + analysis methodology (Ch. 5)")
add_reference(refs, kind="tool",
citation="ExifTool by Phil Harvey, exiftool.org",
supports="EXIF/GPS analysis (Ch. 20)",
tool_path="/usr/bin/exiftool", version_arg="-ver")
Path("references.json").write_text(json.dumps(refs, indent=2))
Report-section and citation-format templates to keep your references consistent:
STANDARDS & REFERENCES (Forensic Report §; see Ch. 26)
---------------------------------------------------------
Methodology conforms to:
- NIST SP 800-86 (2006) — collection, examination, analysis, reporting.
- ISO/IEC 27037:2012 — identification, collection, acquisition, preservation.
- SWGDE Best Practices for Computer Forensic Examination (cite version/date).
Tools used (name | version | SHA-256 of binary):
- The Sleuth Kit / icat | 4.12.x | <hash>
- Autopsy | 4.21.x | <hash>
- Volatility 3 | 2.x.x | <hash>
Validation:
- Write blocker (make/model, firmware) validated per NIST CFTT, <date>.
Cited literature:
- Carrier, B. (2005). File System Forensic Analysis. Addison-Wesley.
- Casey, E. (2011). Digital Evidence and Computer Crime (3rd ed.). Academic Press.
CITATION FORMAT (use consistently throughout the case file)
-----------------------------------------------------------
Book : Author(s) (Year). Title (edition). Publisher. [ISBN]
Chapter : Author (Year). "Chapter." In Editor (ed.), Book. Publisher, pp. x-y.
Paper : Author(s) (Year). "Title." Venue vol(no), pages. DOI/URL.
Standard : Body Number:Year, Title. e.g. ISO/IEC 27037:2012
NIST SP : Authors (Year). Title (SP 800-NN[ rNN]). NIST. URL.
Tool : Project (Version). Author/Vendor. URL. Accessed YYYY-MM-DD.
Web/URL : Author/Org (Year). "Title." Site. URL. Accessed YYYY-MM-DD.
Case law : Party v. Party, Vol Reporter Page (Court Year).
Online resources and communities
The living edge of the field — where new artifacts get documented and questions get answered. Treat blog posts as leads to verify against primary docs and standards, not as citable authority on their own.
The DFIR community
- 🔍🛡️ SANS DFIR (sans.org/digital-forensics-incident-response). Blog, the indispensable one-page artifact posters**, webcasts, and the annual DFIR Summit. Supports Ch. 16 — Windows Forensics (and broadly).
- 🔍 This Week in 4n6 (thisweekin4n6.com, Phill Moore).** The weekly roundup of new posts, tool releases, and research — the single best way to stay current. Supports Ch. 40 — The Career.
- 🔍🛡️ AboutDFIR (aboutdfir.com) and Forensic Focus (forensicfocus.com).** Curated resources, tool/cert directories, articles, jobs, and a long-running practitioner forum. Supports Ch. 39 — Certifications (also Ch. 40).
- 🔍 DFIR Review (dfir.pubpub.org).** Peer-reviewed DFIR research — when you need something more citable than a blog. Supports Ch. 27 — Expert Testimony.
- 🔍 13cubed (Richard Davis), YouTube + training. Short, rigorous, free walk-throughs of Amcache, ShimCache, memory, and more. Supports Ch. 16 (also Ch. 22).
- 🔍 ForensicArtifacts (github.com/ForensicArtifacts/artifacts).** Machine-readable artifact definitions consumed by Plaso, KAPE, and Velociraptor. Supports Ch. 17 — macOS and Linux Forensics (also Ch. 16).
- 🔍🛡️ Reddit r/computerforensics; the DFIR Discord/Slack communities. Active Q&A and tooling chatter for when you are stuck at the bench. Supports Ch. 36 — The Forensic Toolkit.
Datasets, practice images, and tool testing
- 🔍 Digital Corpora (digitalcorpora.org). Garfinkel's freely usable corpora — govdocs1, the M57-Patents scenario, and NPS test disk images — the backbone of realistic, legal practice. Supports Appendix J — Practice Images and Lab Setup (and every lab).
- 🔍 NIST CFReDS — Computer Forensic Reference Data Sets (cfreds.nist.gov).** Reference images including the classic "Hacking Case," built to exercise tools against a known ground truth. Supports Appendix J — Practice Images and Lab Setup.
- 🔍📜 NIST CFTT — Computer Forensic Tool Testing (cftt.nist.gov).** Independent, citable test reports for write-blockers, imagers, and mobile tools. Supports Ch. 14 — Forensic Acquisition (also Ch. 5, 27, 36).
- 🔍 NIST NSRL — National Software Reference Library (nsrl.nist.gov).** The Reference Data Set (RDS) of known-file hashes — used to filter out OS/application files (known-good) and flag known-bad. Supports Ch. 7 — File Carving (also Ch. 16, 20).
- 🔍 DFRWS (dfrws.org).** The research conference plus its annual forensic/carving challenges and released datasets. Supports Ch. 21 — Timeline Analysis (also Ch. 7).
- 🔍 DFIR.training (dfir.training, Brett Shavers) and Magnet Weekly / Belkasoft CTFs. Aggregated tools, test images, jobs, and recurring capture-the-flag exercises to sharpen on. Supports Ch. 38 — The Capstone Investigation.
- 🔍 DCode (Digital Detective) and CyberChef "From/To" recipes. Quick, reliable timestamp and encoding conversion when you are decoding an artifact by hand. Supports Ch. 21 — Timeline Analysis.
Standards bodies and portals
- 📜 NIST (nist.gov / csrc.nist.gov), ISO (iso.org), SWGDE (swgde.org), and IETF RFC Editor (rfc-editor.org).** The primary homes of the standards cited above — always confirm the current revision here. Supports Appendix E — Legal Frameworks Reference (and Ch. 5).
Data-recovery community
- 💾 r/datarecovery and the HDDGuru forums (hddguru.com).** Where bench recovery is actually taught — donor-drive matching, head swaps, firmware, and "is this DIY-safe or send-it-out?" judgment. Supports Ch. 8 — Hard Drive Recovery (also Ch. 13).
- 💾 Vendor knowledge bases — ACE Lab (PC-3000), R-Studio, UFS Explorer, DMDE. Drive-family notes, RAID-parameter guidance, and case write-ups from the recovery tool makers. Supports Ch. 10 — RAID Recovery (also Ch. 8, 9).
Ethics Note. Community generosity is real, but so is your duty of confidentiality. When you post a question, scrub it — no client names, no case identifiers, no original evidence. Ask about the technique, never about the case. See Chapter 28 — Ethics.
Citing this book
The DataField Project (2026). Data Recovery and Digital Forensics:
Finding What's Lost, Proving What Happened. Licensed CC-BY-SA-4.0.
When you reuse a figure, table, or passage, the CC-BY-SA-4.0 license requires attribution and share-alike. See LICENSE.md.
Keeping this list alive
This is a snapshot, and DFIR moves fast. Tool versions change weekly; standards are revised; URLs rot. The durable layer is the named authors and standards bodies — Carrier, Casey, Ligh, NIST, ISO, SWGDE — who will still anchor the field after this edition. Build your own running bibliography as you work (the refs_manifest.py pattern above), and let This Week in 4n6 and the SANS DFIR posters keep the moving parts current.
See also: Appendix C — Tool Reference · Appendix E — Legal Frameworks Reference · Appendix H — Command-Line Reference · Appendix J — Practice Images and Lab Setup · Glossary · Appendices index.