Affiliate disclosure
Book titles on this page link to Amazon. As an Amazon Associate, DataField.Dev earns from qualifying purchases — at no additional cost to you.
Chapter 15 — Further Reading
Foundations (🔬 / deeper)
- RFC 3227, "Guidelines for Evidence Collection and Archiving" — Brezinski & Killalea (IETF, Feb. 2002). Short, free, and still the citation for the order of volatility (§2.1). Read it once so you can name the standard, not just the idea, on the stand.
- NIST SP 800-86, "Guide to Integrating Forensic Techniques into Incident Response" — Kent, Chevalier, Grance, Dang (2006). The government reference that ties volatile-data collection to the IR lifecycle. Pairs with NIST SP 800-61 Rev. 2 ("Computer Security Incident Handling Guide") for the containment-vs-preservation framing.
- "The Art of Memory Forensics" — Ligh, Case, Levy & Walters (Wiley). The definitive memory book. You only capture RAM in this chapter; this is where it gets analyzed (and it is the backbone of Chapter 22).
Approachable explanations (everyone)
- "Incident Response & Computer Forensics," 3rd ed. — Luttgens, Pepe & Mandia (McGraw-Hill). The most readable end-to-end IR book; its live-data and triage chapters are this chapter at greater length, full of real-engagement judgment.
- 13Cubed (Richard Davis), YouTube. Free, superbly clear DFIR walk-throughs — memory capture, KAPE, and "Investigating Windows" episodes that show the tools in motion.
- AboutDFIR.com. A curated hub of DFIR tools, blogs, practice images, and learning paths — the fastest way to find the next resource on any sub-topic here.
In practice (💾 Recovery · 🔍 Examiner · 🛡️ IR · 📜 Legal)
- 🛡️ KAPE documentation — Eric Zimmerman / Kroll (
ericzimmerman.github.io, the KapeFiles repo). Learn Targets vs. Modules, theKapeTriagecompound target, and VHDX output. Eric's whole tool suite (MFTECmd, PECmd, RECmd) is the parsing half you run later. - 🛡️ CyLR (GitHub:
orlikoski/CyLR) and Velociraptor (docs.velociraptor.app). Cross-platform collection to a single container, and fleet-scale collection via agent and VQL. Stand up Velociraptor in a lab to feel triage at scale. - 🔍 WinPmem, AVML (Microsoft), and LiME (504ensicsLabs) — GitHub. The free memory imagers named in the chapter. Read each README; note how each describes its own footprint.
- 🛡️ The DFIR Report (
thedfirreport.com). Detailed, free write-ups of real intrusions — beaconing, fileless malware, lateral movement — that show why command line, PPID, and network state are the artifacts that matter. - 📜 SANS DFIR posters ("Hunt Evil," "Windows Forensic Analysis") — free PDFs. One-page maps of where the evidence lives; tape one to the wall of your collection kit.
Reference (this book)
- Appendix B — Python Forensics Toolkit: the full, reusable
triage_logger.py. - Appendix C — Tool Reference and Appendix H — Command-Line Reference: every capture command, by OS.
- Appendix F — Chain-of-Custody and Report Templates: the live-response log and decision-memo templates.
- Appendix J — Practice Images and Lab Setup: where to get memory images and live-response practice VMs.
Do, don't just read
- Capture your own RAM, twice, and diff the hashes. Five minutes with WinPmem or AVML makes the smear real in your hands — you will never be rattled by it under cross-examination.
- Run a KAPE
KapeTriagecollection on a spare VM to a USB drive, then mount the VHDX. Time it; feel how a host's evidentiary heart fits in minutes and megabytes. - Stage a deleted-but-open recovery. Open a file in a process,
rmit, then recover it from/proc/<pid>/fd/— theme one, deleted ≠ destroyed, proven on a live box. - Write one live-response log for a mock engagement, including the two-clock line and a hash on every artifact. The habit is the skill.
Next: Chapter 16 — Windows Forensics: now read what you collected — registry hives, event logs, Prefetch, Amcache, LNK files, and $Recycle.Bin — and watch the employee who "covered their tracks" give themselves away.