Affiliate disclosure

Book titles on this page link to Amazon. As an Amazon Associate, DataField.Dev earns from qualifying purchases โ€” at no additional cost to you.

Chapter 36 โ€” Further Reading

The toolkit changes every year; the way you choose and defend tools does not. Read one author who built a tool you rely on, one validation body whose reports you will cite, and then go straight to a practice image โ€” because you do not understand a tool until you have validated it against data whose answer you already know.

Foundations (๐Ÿ”ฌ deeper / source-level)

  • Brian Carrier, File System Forensic Analysis. Written by the author of The Sleuth Kit and Autopsy. Understand this book and you understand what every disk tool โ€” open-source or commercial โ€” is doing under the hood. It is the reason TSK's layered mmls/fsstat/fls/istat/icat design feels inevitable.
  • Michael Hale Ligh, Andrew Case, Jamie Levy, AAron Walters, The Art of Memory Forensics. The definitive Volatility text from the people who built it; the companion to memory analysis the way Carrier is to disks.
  • NIST CFTT and CFReDS program documentation (nist.gov / cfreds.nist.gov). The tool-category specifications, product test reports, and reference images with documented ground truth. This is what "validated" means in writing, and what you cite to speak the language of Daubert.
  • SWGDE, "Recommended Guidelines for Validation Testing." A free, practical blueprint for how a lab proves a tool does what it claims โ€” the document behind every credible validation log.

Approachable explanations (everyone)

  • The Sleuth Kit & Autopsy documentation (sleuthkit.org) and the Autopsy training videos. The fastest on-ramp to a complete, free, court-defensible disk workflow.
  • Eric Zimmerman's tools (ericzimmerman.github.io) and the SANS DFIR posters/cheat sheets. The Windows-artifact field standard, with a one-page map of which parser eats which artifact.
  • 13cubed (Richard Davis), YouTube. Short, rigorous, free walk-throughs of TSK, the EZ suite, memory, and the artifact subtleties (including dirty hives and transaction logs) that drive Case Study 1.
  • ๐Ÿ’พ CGSecurity (PhotoRec/TestDisk) docs, and the R-Studio / UFS Explorer / DMDE manuals. The recovery shelf โ€” chosen for speed of restoration; pair with the discipline of working from an image (the lesson of Case Study 2).
  • ๐Ÿ” Vendor learning portals: OpenText EnCase, Exterro FTK, Magnet AXIOM, Cellebrite, X-Ways. Learn the commercial platforms you will be tested on in court โ€” but learn the open-source fundamentals first so you can defend them.
  • ๐Ÿ›ก๏ธ Volatility Foundation, the KAPE/Velociraptor docs, and Wireshark University (Laura Chappell). The incident-response stack, where scale and speed decide whether you contain tonight or next week.
  • ๐Ÿ“œ Federal Rules of Evidence 702 and the Daubert line of cases; SWGDE/NIST validation references. For the legal reader: why "a validated, court-accepted tool, confirmed by a second" is the sentence that survives cross-examination.

Reference (this book)

Do, don't just read

  • Run the triple-tool verification yourself. Recover one deleted file with TSK icat, Autopsy, and a third tool; hash all three. Watching three independent codebases produce one identical SHA-256 teaches "defensible" better than any definition.
  • Validate a tool against known data. Download a CFReDS image, recover its documented deleted files, and confirm your tool finds what is provably there and invents nothing โ€” then write the log row. A validation you never wrote down did not happen.

Next: Chapter 37 โ€” Building a Forensic Lab: the toolkit gets a defensible home โ€” workstation, write-blockers, tiered and immutable storage, network isolation, accreditation, and the procedures that make every later finding hold up.