Affiliate disclosure
Book titles on this page link to Amazon. As an Amazon Associate, DataField.Dev earns from qualifying purchases โ at no additional cost to you.
Chapter 14 โ Further Reading
Foundations (๐ฌ deeper)
- Brian Carrier, File System Forensic Analysis (Addison-Wesley). The canonical text on what is actually on a disk โ sectors, partitions, slack, unallocated space, and the structures an image preserves. Read it to understand why you copy the whole device, not just files.
- Eoghan Casey, Digital Evidence and Computer Crime (Academic Press) and the edited Handbook of Digital Forensics and Investigation. Authoritative on the integrity and chain-of-custody principles that make an acquisition admissible.
- NIST SP 800-86, Guide to Integrating Forensic Techniques into Incident Response. Free from NIST. The standards-level statement of acquisition, preservation, and the order they happen in.
Approachable explanations (everyone)
- Bill Nelson, Amelia Phillips & Christopher Steuart, Guide to Computer Forensics and Investigations (Cengage). A classroom-friendly walk through imaging, write-blocking, and hashing with screenshots of the very tools in this chapter โ a gentle on-ramp if Carrier feels steep.
- Forensic Focus and the SANS DFIR blog. Practitioner articles and tool walk-throughs; search for "write blocker validation," "E01 vs raw," and "imaging a failing drive."
In practice (๐พ Recovery ยท ๐ Examiner ยท ๐ก๏ธ IR ยท ๐ Legal)
- ๐ NIST Computer Forensics Tool Testing (CFTT) reports (cftt.nist.gov). Look up the specific write-blocker and imaging-tool models you use; these are the independent test results you cite for Daubert.
- ๐๐ SWGDE Best Practices for Computer Forensic Acquisitions and ISO/IEC 27037; the UK ACPO Good Practice Guide for Digital Evidence. The published standards your method should match so the defense argues against the standard, not just against you.
- ๐พ GNU
ddrescuemanual. The tool for failing-drive acquisition โ map files, retry passes, and resumable captures (Case Study 2, and Chapter 8). - ๐ libewf documentation (Joachim Metz):
ewfacquire,ewfverify,ewfinfo,ewfmount. The open toolchain for creating, verifying, inspecting, and mounting E01 images. - ๐ก๏ธ The AFF4 specification and
pyaff4/aff4imager(Cohen, Schatz, Garfinkel). For sparse, partial, and cloud-scale acquisition when full bit-imaging is impossible. - ๐ NSRL (National Software Reference Library) hash sets. Why MD5 still earns its keep: matching known-file hashes to filter the noise.
Reference (this book)
- Appendix C โ Tool Reference: FTK Imager, Guymager, libewf, and the full acquisition tool landscape side by side.
- Appendix H โ Command-Line Reference:
dd,dcfldd,ddrescue,hashdeep,hdparm, and friends, with flags. - Appendix F โ Chain-of-Custody and Report Templates: ready-to-use CoC forms, evidence labels, and verification-report skeletons.
- Appendix J โ Practice Images and Lab Setup: where to get images you may legally practice on.
- Chapter 5 โ The Forensic Process: the end-to-end arc this chapter deepens. Chapter 25 โ The Legal Framework: warrants, scope, and Daubert.
Do, don't just read
- Acquire something today. Populate a disposable USB drive, image it to a compressed E01 with Guymager or FTK Imager entering full case metadata, and read the verification report until the word "verified" beside both hashes means something to you.
- Validate a write-blocker the lab way: hash a scratch disk, attempt a write through the blocker, re-hash, confirm the hashes are identical โ then log it.
- Break a hash on purpose. Hash a file, flip one byte in a hex editor on a copy, re-hash, and watch every digit change. That avalanche is the whole reason the technique works.
Next: Chapter 15 โ Live Response and Triage Forensics: when you cannot pull the plug โ capturing RAM and running state before they vanish, and triaging at speed.