Affiliate disclosure

Book titles on this page link to Amazon. As an Amazon Associate, DataField.Dev earns from qualifying purchases — at no additional cost to you.

Chapter 5 — Further Reading

Foundations (🔬 deeper)

Approachable explanations (everyone)

  • Bill Nelson, Amelia Phillips & Christopher Steuart, Guide to Computer Forensics and Investigations (Cengage). A classroom-friendly walk through the whole process — identification, write-blocking, imaging, hashing, reporting — with screenshots of the very tools in this chapter. A gentle on-ramp if Carrier feels steep.
  • Forensic Focus and the SANS DFIR blog. Practitioner articles and case walk-throughs; search for "chain of custody," "write blocker validation," and "order of volatility."
  • 🔍 NIST Computer Forensics Tool Testing (CFTT) reports (cftt.nist.gov). Look up the specific write-blocker and imaging-tool models you use — these are the independent test results you cite for Daubert.
  • 🔍📜 SWGDE Best Practices for Computer Forensics and ISO/IEC 27037 (identification, collection, acquisition, and preservation of digital evidence). The published standards your method should match, so the defense argues against the standard, not just against you.
  • 📜 Daubert v. Merrell Dow (1993) and Federal Rules of Evidence 901–902 and 1001–1003. The case and the rules that turn "I imaged and hashed it" into "the court accepts it" — especially FRE 902(14), self-authentication by hash.
  • 🛡️ RFC 3227, Guidelines for Evidence Collection and Archiving. The classic statement of the order of volatility — what to capture first when a machine is still running.
  • 💾 GNU ddrescue manual. Why recovery images a failing source first and gently — map files, retry passes, resumable captures (Case Study 2 of Chapter 14, and Chapter 8).

Reference (this book)

Do, don't just read

  • Validate a write-blocker the lab way. Hash a scratch disk, attempt a write through the blocker, re-hash, and confirm the hashes are identical — then log the blocker's make, model, and firmware.
  • Image and verify a practice drive. Populate a disposable USB stick, image it with dual hashes, and read the verification report until "verified" beside both hashes means something to you.
  • Build a chain of custody and an investigation plan. Start the Appendix F chain log and write the one-page plan for the MHA progressive-project case — scope on paper before you touch the data.

Next: Chapter 6 — Logical Recovery: take the verified image you now know how to make and go hunting inside it — recovering deleted files from MFT and inode remnants, and proving that deleted does not mean destroyed.