Chapter 37 Further Reading: Incident Response and Digital Forensics

Essential Reading

"Incident Response and Computer Forensics" by Jason T. Luttgens, Matthew Pepe, and Kevin Mandia (3rd Edition, 2014). Written by Mandiant practitioners, this book provides comprehensive coverage of incident response methodology, evidence acquisition, and forensic analysis. The case study approach connects theory to real-world investigations.

"The Art of Memory Forensics" by Michael Hale Ligh, Andrew Case, Jamie Levy, and AAron Walters (2014). The definitive guide to memory forensics from the creators of Volatility. Despite its age, the fundamental techniques and analysis approaches remain essential. Covers Windows, Linux, and Mac OS X memory analysis.

"Digital Forensics with Kali Linux" by Shiva V.N. Parasram (3rd Edition, 2023). Practical guide to conducting digital forensics using open-source tools available in Kali Linux. Covers disk forensics, network forensics, and memory analysis.

NIST SP 800-61 Rev. 2: Computer Security Incident Handling Guide. The foundational document for incident response. Free from NIST. Read the complete document, paying particular attention to the preparation phase and the incident handling checklist in Appendix A.

Memory Forensics

Volatility 3 Documentation (volatility3.readthedocs.io). Official documentation for the current version of Volatility. Covers installation, plugin usage, and analysis methodology. Start with the getting started guide, then explore individual plugin documentation.

MemLabs (github.com/stuxnet999/MemLabs). Practice memory forensics challenges designed for learning Volatility. Seven progressively difficult challenges with hints and solutions. The best hands-on resource for building memory forensics skills.

"Practical Memory Forensics" by Svetlana Ostrovskaya and Oleg Skulkin (2022). Modern guide to memory forensics covering Volatility 3, Windows 10/11 artifacts, and cloud forensics. More current than "The Art of Memory Forensics."

13Cubed YouTube Channel. Richard Davis produces high-quality video tutorials on memory forensics, disk forensics, and Volatility usage. Excellent visual learning resource.

Disk and Windows Forensics

"Windows Forensic Analysis Toolkit" by Harlan Carvey (4th Edition, 2014). Comprehensive coverage of Windows forensic artifacts including Registry, Event Logs, and file system analysis. Carvey's RegRipper tool documentation is included.

Eric Zimmerman's Tools Documentation (ericzimmerman.github.io). Documentation for the definitive suite of Windows forensic artifact parsers: PECmd, AmcacheParser, SBECmd, MFTECmd, Timeline Explorer, ShellBags Explorer, and more. Each tool page includes usage examples and output descriptions.

"SANS Windows Forensic Analysis Poster" (free from SANS). Quick reference for Windows forensic artifacts including Registry keys, Event Log IDs, and artifact locations. Essential wall reference for any forensic analyst.

KAPE Documentation (github.com/EricZimmerman/KapeFiles). Documentation for Kroll Artifact Parser and Extractor. The KapeFiles repository contains all target and module definitions, showing exactly what artifacts each configuration collects.

Network Forensics

"The Practice of Network Security Monitoring" by Richard Bejtlich (2013). Foundational text on network security monitoring covering data collection, detection, and analysis. Covers Zeek (formerly Bro), Snort, and Sguil.

"Network Forensics: Tracking Hackers through Cyberspace" by Sherri Davidoff and Jonathan Ham (2012). Comprehensive coverage of network forensic techniques including packet analysis, flow analysis, and log correlation.

Malware-Traffic-Analysis.net. Free practice PCAP files containing real malware traffic for analysis. Exercises include answers showing the complete analysis process. The best resource for practicing network forensic skills.

Zeek Documentation (docs.zeek.org). Official documentation for the Zeek network analysis framework. Understanding Zeek's log output format is essential for network forensics.

Malware Analysis

"Practical Malware Analysis" by Michael Sikorski and Andrew Honig (2012). The most widely recommended malware analysis textbook. Covers static analysis, dynamic analysis, debugging, and advanced techniques. Labs reinforce each chapter's concepts.

"Malware Analysis and Detection Engineering" by Abhijit Mohanta and Anoop Saldanha (2020). More recent coverage of malware analysis techniques including modern evasion methods, .NET analysis, and automated analysis platforms.

ANY.RUN (any.run). Interactive online sandbox for malware analysis. The free tier provides access to a virtual machine for running suspicious files in a controlled environment. Past analysis results from other users provide examples of malware behavior.

MalwareBazaar (bazaar.abuse.ch). Malware sample repository for research purposes. Provides hash-verified samples tagged with malware family names. Use only in isolated analysis environments.

YARA Documentation (virustotal.github.io/yara/). Official documentation for the YARA pattern matching tool. Covers rule syntax, conditions, modules, and performance optimization.

Incident Response Frameworks and Standards

SANS Incident Handler's Handbook. Practical guide covering the PICERL methodology with checklists for each phase. Free from SANS. Essential quick reference for incident handlers.

CISA Incident Response Playbooks (cisa.gov). Standardized response procedures for common incident types including phishing, ransomware, and vulnerability exploitation. Developed by the U.S. government but broadly applicable.

FIRST (Forum of Incident Response and Security Teams) Resources. FIRST provides frameworks for CSIRT operations, including the CSIRT Services Framework and the Traffic Light Protocol (TLP) for information sharing.

MITRE D3FEND (d3fend.mitre.org). A knowledge graph of cybersecurity countermeasures. Complements ATT&CK by mapping defensive techniques to adversary behaviors. Useful for developing detection and response strategies.

Case Studies and Reports

Mandiant APT1 Report (2013). The landmark report attributing Chinese cyber espionage to PLA Unit 61398. A masterclass in forensic attribution methodology. Free to download.

CrowdStrike Cyber Intrusion Services Casebook. Published annually, featuring anonymized case studies from CrowdStrike's incident response practice. Provides insight into real-world IR methodology and findings.

Verizon Data Breach Investigations Report (DBIR). Published annually with statistics on incident types, threat actors, and attack vectors. Essential context for understanding the incident landscape.

DFIR Report (thedfirreport.com). Detailed, anonymized write-ups of real incident investigations. Each report covers the complete attack chain from initial access through impact, with forensic evidence and IOCs. One of the best resources for learning practical IR skills.

Training and Practice

SANS FOR508: Advanced Incident Response, Threat Hunting, and Digital Forensics. Premier professional training course for incident response and forensics. Covers memory forensics, timeline analysis, and threat hunting methodology.

SANS FOR500: Windows Forensic Analysis. Focused training on Windows forensic artifacts. Provides the depth needed for professional Windows forensic analysis.

CyberDefenders (cyberdefenders.org). Free blue team training platform with forensic challenges covering memory analysis, disk forensics, network analysis, and malware analysis. Challenges range from beginner to advanced.

Blue Team Labs Online (blueteamlabs.online). Practice challenges for incident response, forensics, and threat hunting. Provides realistic scenarios in a browser-based environment.

Digital Corpora (digitalcorpora.org). Repository of disk images, memory images, and network captures for forensic education. Includes both realistic scenarios and challenge sets.

NIST CFReDS (cfreds.nist.gov). Computer Forensic Reference Data Sets from NIST. Practice forensic images with documented evidence for training and tool validation.