Computer Forensic Bookshelf: Top 11 Books on Digital Forensics, Incident Response and Malware Analysis



Want to understand computer or mobile forensics? Learn to respond to incidents? Reverse-engineer malware? Get into threat hunting or cyber threat intelligence? Prepare for an interview? In this article Igor Mikhailov, a specialist at the Group-IB Laboratory of Computer Forensics, has compiled the top 11 books on computer forensics, incident investigation and malware reverse engineering, which will help you learn from the experience of professionals, sharpen your skills, and get a higher position or a new, better-paid job.

When I came into computer forensic examination, and that was in 2000, the methodological literature available to specialists amounted to just 71 pages: “General Provisions for the Appointment and Conduct of Computer-Technical Expertise: Methodological Recommendations”, issued by the Russian Ministry of Internal Affairs, plus a handful of publications in various periodicals. And even these few materials were available only to a limited circle. I had to search for, photocopy and translate foreign books on forensics; there was no decent literature on the topic in Russian.

Now the situation is a little different. There is a lot of literature, though, as before, it is mainly in English. To help navigate this sea of information, and to avoid re-reading entry-level material for the 101st time, I have prepared this collection, which will be useful to both beginners and professionals.

1. File Systems Forensic Analysis

author: Brian Carrier

How does almost any examination of a digital object begin? With identifying the operating system and file system of the device under examination. The author of this book did a great job of summarizing information about the various file systems. The reader will learn many details about how information is stored on hard drives and RAID arrays, and gets a deep dive into the architecture and subtleties of the file systems used by computers running Linux / BSD and Windows.

In the book the author uses the well-known forensic tool The Sleuth Kit (TSK), which he developed on the basis of The Coroner's Toolkit. Anyone can repeat the author's steps with this tool, or conduct their own research. Autopsy, the graphical front end to The Sleuth Kit, is widely used for forensic analysis of digital evidence and incident investigation.
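The first thing TSK's `mmls` does on a disk image is walk the volume system: it reads the 512-byte MBR, decodes the four 16-byte partition entries and reports each volume's start sector, so that the file-system tools can be pointed at the right offset (`fls -o <sector> image.dd`). The following Python re-implements that step for a DOS partition table. It is an added example, not code from the book or from The Sleuth Kit; the 512-byte MBR and its two partitions are constructed here for illustration, and the type-code table is a small assumed subset.

```python
"""Walk a DOS (MBR) partition table the way TSK's `mmls` does.

Added example, not code from the book or from The Sleuth Kit. SAMPLE_MBR is a
constructed 512-byte sector; the partition layout in it is arbitrary.
"""
import struct
from dataclasses import dataclass

SECTOR = 512
PARTITION_TABLE_OFFSET = 446      # 4 entries x 16 bytes live at 446..509
ENTRY_SIZE = 16
MBR_SIGNATURE = b"\x55\xaa"       # bytes 510..511

# Assumed subset of the partition type codes; real tables are much longer.
TYPE_NAMES = {
    0x05: "Extended", 0x07: "NTFS / exFAT", 0x0B: "FAT32",
    0x0C: "FAT32 (LBA)", 0x0F: "Extended (LBA)", 0x83: "Linux",
}


@dataclass
class Partition:
    index: int
    bootable: bool
    type_code: int
    start_lba: int
    sector_count: int

    @property
    def end_lba(self) -> int:
        return self.start_lba + self.sector_count - 1

    @property
    def byte_offset(self) -> int:
        return self.start_lba * SECTOR


def parse_mbr(data: bytes) -> list:
    """Decode the four partition entries of an MBR sector."""
    if len(data) < SECTOR:
        raise ValueError("need at least one 512-byte sector")
    if data[510:512] != MBR_SIGNATURE:
        raise ValueError("missing 0x55AA boot signature")
    parts = []
    for i in range(4):
        off = PARTITION_TABLE_OFFSET + i * ENTRY_SIZE
        # status(1) CHS-start(3, skipped) type(1) CHS-end(3, skipped) LBA(4) count(4)
        status, type_code, start_lba, count = struct.unpack(
            "<B3xB3xII", data[off:off + ENTRY_SIZE])
        if type_code == 0 and count == 0:
            continue  # unused slot
        parts.append(Partition(i, status == 0x80, type_code, start_lba, count))
    return parts


def layout(parts: list, total_sectors: int) -> list:
    """Return (label, first_sector, last_sector) rows including the gaps, which
    is where hidden data usually lives. Overlapping entries are flagged."""
    rows = [("Primary Table (#0)", 0, 0)]
    cursor = 1
    for p in sorted(parts, key=lambda p: p.start_lba):
        label = TYPE_NAMES.get(p.type_code, f"0x{p.type_code:02X}")
        if p.start_lba > cursor:
            rows.append(("Unallocated", cursor, p.start_lba - 1))
        elif p.start_lba < cursor:
            label += " (overlaps previous entry)"
        rows.append((label, p.start_lba, p.end_lba))
        cursor = max(cursor, p.end_lba + 1)
    if cursor < total_sectors:
        rows.append(("Unallocated", cursor, total_sectors - 1))
    return rows


def _entry(bootable: bool, type_code: int, start_lba: int, count: int) -> bytes:
    return struct.pack("<B3xB3xII", 0x80 if bootable else 0, type_code, start_lba, count)


# Constructed sample: a bootable NTFS volume at sector 2048 and a Linux volume after it.
SAMPLE_MBR = (bytes(PARTITION_TABLE_OFFSET)
              + _entry(True, 0x07, 2048, 204800)
              + _entry(False, 0x83, 206848, 102400)
              + bytes(2 * ENTRY_SIZE)
              + MBR_SIGNATURE)
SAMPLE_TOTAL_SECTORS = 409600   # assumed size of the imaginary image


if __name__ == "__main__":
    parts = parse_mbr(SAMPLE_MBR)
    for label, first, last in layout(parts, SAMPLE_TOTAL_SECTORS):
        print(f"{first:010d}  {last:010d}  {last - first + 1:010d}  {label}")
    for p in parts:
        print(f"partition {p.index}: fls -o {p.start_lba} image.dd  (byte offset {p.byte_offset})")
```

The unallocated rows are worth as much as the partitions themselves: the gap between the table and the first volume, and any space after the last one, is where bootkits and hidden data end up, and the overlap flag catches tables edited by hand to hide a volume.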

This book has been translated into Russian under the title “Forensic Analysis of File Systems”. But be careful with the translated edition: it contains inaccuracies which in some places seriously distort the meaning.

2. Incident Response & Computer Forensics (Third Edition)

authors: Jason T. Luttgens, Matthew Pepe, Kevin Mandia

The book is a practical guide to investigating incidents. It describes every stage of an investigation in detail: from preparing for incident response, through forensic imaging of digital evidence and searching for incident artifacts on various operating systems (Windows, Linux, macOS), to writing the incident report.

The book turned out so well that it was included in the training package for the SANS course “FOR508: Advanced Incident Response, Threat Hunting, and Digital Forensics”, a top-tier incident investigation course.

There is a translated edition of this book: “Protection against Intrusions. Computer Crime Investigation.” The translation was published in Russia in two printings. But since it is a translation of the first edition, the information in it is outdated.

3. Investigating Windows Systems

author: Harlan Carvey

A standout book from the author of many bestselling computer forensics titles. In it the author talks not only about the technical details of examining Windows artifacts and investigating incidents, but also about his methodological approach. The philosophy of Harlan Carvey, a specialist with extensive incident response experience, is priceless.


4. Digital Forensics and Incident Response (Second Edition)

author: Gerard Johansen

Incident investigation, RAM analysis, network forensics and some classical forensics, all collected in one book and described in easy, accessible language.

In addition, the reader gets a basic understanding of system log analysis, learns the principles of malware reverse engineering, the basics of proactive threat hunting and threat intelligence, and becomes acquainted with the rules for writing reports.



5. Windows Forensics Cookbook

authors: Oleg Skulkin, Scar de Courcier

This book, co-written by my Group-IB colleague Oleg Skulkin, is a collection of tips ("recipes") on how to act in a particular situation when examining artifacts of the Windows 10 operating system. The material follows one principle: here is a problem, and here is the authors' step-by-step guide to solving it (which tool solves the problem and where to get it, how to set it up, and how to apply it correctly). Priority is given to free utilities, so the reader does not need to buy expensive specialized forensic software. The book contains 61 recipes, covering all the typical tasks an examiner usually encounters when analyzing Windows. Besides the classic forensic artifacts, the book discusses the analysis of artifacts specific to Windows 10.


6. The Art of Memory Forensics: Detecting Malware and Threats in Windows, Linux, and Mac Memory

authors: Michael Hale Ligh, Andrew Case, Jamie Levy, AAron Walters

A huge (over 900 pages), almost academic work devoted to the study of computer RAM. The book is divided into four main parts. The first introduces the reader to how a computer's RAM is organized and how to capture its contents in a forensically sound way. The next three parts detail the approaches to extracting artifacts from memory dumps of computers running Windows, macOS and Linux.
It is recommended for those who want to understand in as much detail as possible which forensic artifacts can be found in RAM.


7. Network Forensics

author: Ric Messier

This book is for those who want to dive into network forensics. The reader is first introduced to the architecture of network protocols. Then methods for capturing and analyzing network traffic are described, followed by how to detect attacks from network traffic and from the logs of operating systems, routers and switches.
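Detecting an attack from captured traffic, as the book describes, comes down to decoding the protocol headers and then aggregating: the example below parses Ethernet/IPv4/TCP frames and flags a source that sends bare SYN packets to many distinct ports, the signature of a port scan. This is an added example, not code from the book; the frames are constructed inline with zeroed checksums (a real capture would come from tcpdump or Wireshark as pcap), and the threshold of five targets is an arbitrary choice.

```python
"""Spot a TCP SYN scan in a set of captured frames.

Added example, not code from the book. The frames are constructed inline with
zeroed IP/TCP checksums; `socket` is used only for address formatting, no
network access happens.
"""
import socket
import struct
from collections import defaultdict

ETHERTYPE_IPV4 = 0x0800
PROTO_TCP = 6
SYN, ACK = 0x02, 0x10


def make_tcp_frame(src_ip: str, dst_ip: str, sport: int, dport: int, flags: int) -> bytes:
    """Build an Ethernet/IPv4/TCP frame (constructed test data, checksums left zero)."""
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, flags, 65535, 0, 0)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0, 0x4000, 64,
                     PROTO_TCP, 0, socket.inet_aton(src_ip), socket.inet_aton(dst_ip))
    eth = bytes.fromhex("aabbccddeeff") + bytes.fromhex("112233445566") \
        + struct.pack("!H", ETHERTYPE_IPV4)
    return eth + ip + tcp


def parse_tcp(frame: bytes):
    """Return (src, dst, sport, dport, flags) for an IPv4/TCP frame, else None."""
    if len(frame) < 14 or struct.unpack("!H", frame[12:14])[0] != ETHERTYPE_IPV4:
        return None
    ip = frame[14:]
    if len(ip) < 20 or ip[0] >> 4 != 4:
        return None
    ihl = (ip[0] & 0x0F) * 4                 # header length honours IP options
    if ip[9] != PROTO_TCP or len(ip) < ihl + 20:
        return None
    src, dst = socket.inet_ntoa(ip[12:16]), socket.inet_ntoa(ip[16:20])
    tcp = ip[ihl:ihl + 20]
    sport, dport = struct.unpack("!HH", tcp[:4])
    return src, dst, sport, dport, tcp[13]   # byte 13 holds the TCP flags


def find_syn_scanners(frames, threshold: int = 5) -> dict:
    """Map each source IP to the number of distinct (dst, port) pairs it sent a
    bare SYN (SYN set, ACK clear) to; keep only sources at or above threshold."""
    targets = defaultdict(set)
    for frame in frames:
        parsed = parse_tcp(frame)
        if parsed is None:
            continue
        src, dst, _, dport, flags = parsed
        if flags & SYN and not flags & ACK:
            targets[src].add((dst, dport))
    return {src: len(t) for src, t in targets.items() if len(t) >= threshold}


# Constructed capture: one host probing eight ports, one normal three-way handshake,
# and a junk non-IP frame that the parser must ignore.
SCAN_PORTS = [21, 22, 23, 80, 443, 445, 3389, 8080]
SAMPLE_FRAMES = (
    [make_tcp_frame("10.0.0.5", "192.168.1.10", 40000 + i, p, SYN)
     for i, p in enumerate(SCAN_PORTS)]
    + [make_tcp_frame("10.0.0.7", "192.168.1.10", 51000, 80, SYN),
       make_tcp_frame("192.168.1.10", "10.0.0.7", 80, 51000, SYN | ACK),
       make_tcp_frame("10.0.0.7", "192.168.1.10", 51000, 80, ACK),
       b"\x00" * 60]
)


if __name__ == "__main__":
    for src, count in find_syn_scanners(SAMPLE_FRAMES).items():
        print(f"possible SYN scan from {src}: {count} distinct targets")
```

A SYN/ACK reply has the ACK bit set and so is never counted, which keeps the scanned server itself out of the result; the per-source set of (destination, port) pairs also means a legitimate client reconnecting to the same service many times does not trip the threshold.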



8. Practical Mobile Forensics: Forensically investigate and analyze iOS, Android, and Windows 10 devices (fourth edition)

authors: Rohit Tamma, Oleg Skulkin, Heather Mahalik, Satish Bommisetty

The world has changed a lot over the past ten years. Personal data (photos, videos, messenger conversations and so on) has migrated from desktops and laptops to smartphones. Practical Mobile Forensics is a Packt Publishing bestseller, now in its fourth edition. The book describes in detail how to extract data from smartphones running iOS, Android and Windows 10, how to recover and analyze the extracted data, and how to analyze the data of the applications installed on them. It also introduces the reader to how mobile operating systems work.


9. Learning Android Forensics: Analyze Android devices with the latest forensic tools and techniques (second edition)

authors: Oleg Skulkin, Donnie Tindall, Rohit Tamma

Examining devices running the Android operating system is getting harder every day. We wrote about this in the article “Forensic analysis of HiSuite backups”. This book is designed to help the reader dive deep into the analysis of such mobile devices. Besides the traditional practical advice on extracting and analyzing data from Android smartphones, the reader will learn how to capture a smartphone's RAM, analyze application data, reverse-engineer Android malware and write a YARA rule to detect such programs in the memory of mobile devices.


10. Learning Malware Analysis: Explore the concepts, tools, and techniques to analyze and investigate Windows malware

author: Monnappa KA

The expert community waited more than a year for this book, and the author did not disappoint his readers. The result is a very good manual for those who want to start their journey in malware reverse engineering. The information is presented clearly and intelligibly.

The reader will learn how to set up a malware analysis lab, get acquainted with static and dynamic analysis methods for such programs, receive lessons on working with the IDA Pro interactive disassembler, and learn how to get past obfuscation, the set of techniques that make a program's code harder to study.

This book is available in translation in Russian: “Analysis of malware.”

11. Rootkits and Bootkits: Reversing Modern Malware and Next Generation Threats

authors: Alex Matrosov, Eugene Rodionov, Sergey Bratus

This book takes on a complex topic: the study of rootkits and bootkits. It is written by three professionals and covers both the basic principles of malware reverse engineering and the sophisticated techniques intended for professional researchers of such programs, the virus analysts.

The reader becomes familiar with the boot process of 32-bit and 64-bit Windows, works through worked analyses of specific rootkits and bootkits, learns about attack vectors against BIOS and UEFI and approaches to detecting such attacks, and learns how virtualization is used to analyze bootkit behavior.


Enjoy reading!

