Affiliate disclosure

Book titles on this page link to Amazon. As an Amazon Associate, DataField.Dev earns from qualifying purchases β€” at no additional cost to you.

Chapter 38 β€” Further Reading

This chapter integrates the whole book, so the best reading is whole-case reading β€” sources that show the lifecycle end to end and full scenario images you can work yourself.

Foundations (πŸ”¬ deeper)

  • Brian Carrier, File System Forensic Analysis (Addison-Wesley). The bedrock under phases 4–5 and your timeline: NTFS $MFT` (`$SI vs $FN), partitions, unallocated space, and what "deleted" means structurally. When a cross-examiner presses on why the kernel's clock is more trustworthy than the user's, this is where the answer lives.
  • NIST SP 800-86, Guide to Integrating Forensic Techniques into Incident Response. The investigative lifecycle as a federal standard β€” collection, examination, analysis, reporting. Free PDF; read it as the official skeleton your twelve phases flesh out.
  • Eoghan Casey, Digital Evidence and Computer Crime (Academic Press). Authoritative on integrity, interpretation, correlation, and the proportionality that separates "I found this" from "I can prove it and I will not overstate it" β€” the spine of phases 10–12.

Approachable explanations (everyone)

  • Bill Nelson, Amelia Phillips & Christopher Steuart, Guide to Computer Forensics and Investigations (Cengage). A classroom-friendly walk through a complete case, assignment to testimony, pitched at exactly the newcomer's level β€” the closest single book to this chapter's arc.
  • SANS DFIR posters and cheat sheets (free). The Windows Forensic Analysis poster, the Hunt Evil poster, and the SIFT/KAPE cheat sheets are one-page maps of the artifacts each phase touches; pin one beside the lifecycle map and work outward.
  • πŸ” SANS FOR508, Advanced Incident Response, Threat Hunting, and Digital Forensics. The course runs a full intrusion case end to end; its scenario discipline is the professional version of this capstone.
  • πŸ›‘οΈ NIST SP 800-61, Computer Security Incident Handling Guide. The compressed IR lifecycle β€” preparation, detection, containment, eradication, recovery, lessons learned β€” and where the responder's first ten minutes must already be evidence collection.
  • πŸ“œ SWGDE best-practice documents and The Sedona Conference eDiscovery commentaries. Process and admissibility from the standards bodies and the legal side; the language counsel and the court expect your report to honor.
  • πŸ’ΎπŸ” Full scenario images with ground truth: Digital Corpora's M57-Patents and Lone Wolf cases, the NIST CFReDS images, and DFIR CTFs (Magnet Weekly, DFRWS, Ali Hadi's challenges). These are complete disks built to be worked end to end β€” the only way to practice integration rather than technique.

Reference (this book)

Do, don't just read

  • Work one full scenario image end to end. Take M57-Patents or Lone Wolf from assignment to a complete case file, then score it on the chapter's rubric and fix every row below 2. One integrated case teaches more than ten isolated labs.
  • Run the morning-of-trial re-verification. Re-hash your working image against the acquisition value, log the result and tool versions, and write the single sentence you could say under oath about current integrity.
  • Hold a mock trial. Have a partner cross-examine you on your finished report using the seven classic attacks; every question you cannot answer cleanly is a finding to strengthen, a limitation to state, or a corroboration to add.

Next: Chapter 39 β€” Certifications and Professional Development: turning the case file you just assembled into a credential employers and courts recognize β€” EnCE, GCFE, GCFA, GNFA, CCE, CFCE, CHFI β€” and how to choose a path and stay current.