Affiliate disclosure
Book titles on this page link to Amazon. As an Amazon Associate, DataField.Dev earns from qualifying purchases โ at no additional cost to you.
Chapter 36 โ Further Reading
The toolkit changes every year; the way you choose and defend tools does not. Read one author who built a tool you rely on, one validation body whose reports you will cite, and then go straight to a practice image โ because you do not understand a tool until you have validated it against data whose answer you already know.
Foundations (๐ฌ deeper / source-level)
- Brian Carrier, File System Forensic Analysis. Written by the author of The Sleuth Kit and Autopsy. Understand this book and you understand what every disk tool โ open-source or commercial โ is doing under the hood. It is the reason TSK's layered
mmls/fsstat/fls/istat/icatdesign feels inevitable. - Michael Hale Ligh, Andrew Case, Jamie Levy, AAron Walters, The Art of Memory Forensics. The definitive Volatility text from the people who built it; the companion to memory analysis the way Carrier is to disks.
- NIST CFTT and CFReDS program documentation (nist.gov / cfreds.nist.gov). The tool-category specifications, product test reports, and reference images with documented ground truth. This is what "validated" means in writing, and what you cite to speak the language of Daubert.
- SWGDE, "Recommended Guidelines for Validation Testing." A free, practical blueprint for how a lab proves a tool does what it claims โ the document behind every credible validation log.
Approachable explanations (everyone)
- The Sleuth Kit & Autopsy documentation (sleuthkit.org) and the Autopsy training videos. The fastest on-ramp to a complete, free, court-defensible disk workflow.
- Eric Zimmerman's tools (ericzimmerman.github.io) and the SANS DFIR posters/cheat sheets. The Windows-artifact field standard, with a one-page map of which parser eats which artifact.
- 13cubed (Richard Davis), YouTube. Short, rigorous, free walk-throughs of TSK, the EZ suite, memory, and the artifact subtleties (including dirty hives and transaction logs) that drive Case Study 1.
In practice (๐พ Recovery ยท ๐ Examiner ยท ๐ก๏ธ IR ยท ๐ Legal)
- ๐พ CGSecurity (PhotoRec/TestDisk) docs, and the R-Studio / UFS Explorer / DMDE manuals. The recovery shelf โ chosen for speed of restoration; pair with the discipline of working from an image (the lesson of Case Study 2).
- ๐ Vendor learning portals: OpenText EnCase, Exterro FTK, Magnet AXIOM, Cellebrite, X-Ways. Learn the commercial platforms you will be tested on in court โ but learn the open-source fundamentals first so you can defend them.
- ๐ก๏ธ Volatility Foundation, the KAPE/Velociraptor docs, and Wireshark University (Laura Chappell). The incident-response stack, where scale and speed decide whether you contain tonight or next week.
- ๐ Federal Rules of Evidence 702 and the Daubert line of cases; SWGDE/NIST validation references. For the legal reader: why "a validated, court-accepted tool, confirmed by a second" is the sentence that survives cross-examination.
Reference (this book)
- Appendix C โ Tool Reference: the maintained catalog โ versions, formats, and use notes for every tool named in this chapter.
- Appendix J โ Practice Images and Lab Setup: where to get CFReDS and other ground-truth images to validate against.
- Appendix H โ Command-Line Reference and Appendix A โ File Signatures: the TSK syntax and the magic numbers that validate a recovered file.
- Chapter 25 โ The Legal Framework and Chapter 27 โ Expert Testimony: where tool choice becomes admissibility.
Do, don't just read
- Run the triple-tool verification yourself. Recover one deleted file with TSK
icat, Autopsy, and a third tool; hash all three. Watching three independent codebases produce one identical SHA-256 teaches "defensible" better than any definition. - Validate a tool against known data. Download a CFReDS image, recover its documented deleted files, and confirm your tool finds what is provably there and invents nothing โ then write the log row. A validation you never wrote down did not happen.
Next: Chapter 37 โ Building a Forensic Lab: the toolkit gets a defensible home โ workstation, write-blockers, tiered and immutable storage, network isolation, accreditation, and the procedures that make every later finding hold up.