05.07.2020

Digital forensics specialist's bookshelf

Top 11 books on digital forensics, incident response, and malware analysis
Igor Mikhailov
specialist at Group-IB's Digital Forensics Lab
Are you thinking of getting a good grasp of computer and mobile forensics; learning how to do incident response, malware reverse engineering, threat hunting, and threat intelligence; or preparing for an interview? This article by Igor Mikhailov, a specialist at Group-IB's Digital Forensics Lab, offers a selection of top 11 books on digital forensics, incident response, and malware reverse engineering that will help you learn from professionals' experience, upgrade your skills, get promoted, or land a new high-paying job.

I got into computer forensics in 2000. There were not enough specialized books to help understand how to do digital forensic investigations, how to do mobile forensics, how to do malware analysis, etc.

The situation has slightly changed now. Literature abounds, but — as before — it is predominantly in English. I compiled the list below to help people navigate through this sea of information so that they do not end up reading a beginner-level book for a hundredth time. It will be useful for both beginners and professionals.
1. File System Forensic Analysis
by Brian Carrier
Virtually any analysis of digital devices starts with determining what operating and file systems they run. The author put a great deal of effort into summing up information about various file systems. Readers will find a lot of details on how information is stored on hard disk drives and RAIDs and are in for a deep dive into the architecture and nuances of file systems on Linux/BSD and Windows computers.

In his work, the author used Sleuth Kit (TSK), a very well-known forensic tool that he developed based on the Coroner's Toolkit. Anyone can follow the author's steps in using this tool, or carry out their own analysis. Sleuth Kit's graphical shell is Autopsy, a program that is widely used for incident investigations and forensic analysis of digital evidence.
2. Incident Response & Computer Forensics, Third Edition
by Jason T. Luttgens, Matthew Pepe, Kevin Mandia
This book is a practical guide to incident investigation. It details all investigation stages from preparation to incident response, forensic cloning of digital evidence, and search for incident artefacts in various operating systems (Windows, Linux, macOS) to preparing reports on incidents.

The book is so well-written that it has been included in the training materials for SANS's top-notch incident investigation course FOR508: Advanced Incident Response, Threat Hunting, and Digital Forensics.
3. Investigating Windows Systems
by Harlan Carvey
A special book by the author of many computer forensics bestsellers. In this book, he focuses not only on the technical details of analyzing Windows artefacts, but also on his own methods and approaches. The philosophy of Harlan Carvey, who has enormous incident response experience, is priceless.
4. Digital Forensics and Incident Response, Second Edition
by Gerard Johansen
Incident investigation, memory analysis, network forensics, and a little bit of classic forensics — all in one easy-to-read book.

Readers will additionally gain a basic understanding of system log analysis and learn about the principles of malware reverse engineering and the essentials of threat hunting and threat intelligence; they will also find information on how to prepare reports.
5. Windows Forensics Cookbook
by Oleg Skulkin and Scar de Courcier
This book was co-authored by my colleague at Group-IB Oleg Skulkin. It compiles recipes for analyzing artefacts in Windows 10. The information is organized in such a way that a problem is presented first and then followed by a step-by-step guide on how to solve it (from what tools can be used and where they can be found to how to configure and properly apply them). The book prioritizes free utilities, so the reader will not need to buy expensive specialized forensic programs. There are 61 recipes, which cover all typical tasks researchers face in Windows. In addition to classic forensic artefacts, the book gives examples of analyzing Windows 10–specific artefacts.
6. The Art of Memory Forensics: Detecting Malware and Threats in Windows, Linux, and Mac Memory
by Michael Hale Ligh
An enormous (over 900 pages) scholarly body of work on analyzing computer RAM. The book is divided into four parts. The first one introduces how RAM works and how to properly capture data in it from a forensic perspective. The other three parts detail approaches to extracting artifacts from memory dumps acquired on Windows, macOS and Linux computers. Recommended for those who want to go into extreme detail about what forensic artifacts can be found in memory.
7. Network Forensics
by Ric Messier
This book is for those who want to dive into network forensics. It describes the architecture of network protocols and the methods of capturing and analyzing network traffic. The book then focuses on how to detect attacks based on data from network traffic and system logs of operating systems, routers, and switches.
8. Practical Mobile Forensics: Forensically investigate and analyze iOS, Android, and Windows 10 devices, Fourth Edition
by Rohit Tamma, Oleg Skulkin, Heather Mahalik, Satish Bommisetty
The world has drastically changed in the past decade. All personal data (photos, videos, correspondence in messaging apps, etc.) has migrated from personal computers and laptops to smartphones. Practical Mobile Forensics, published by Packt Publishing, is a bestseller, now in its fourth edition. The book details how to extract data from iOS, Android and Windows 10 smartphones; how to recover and analyze extracted data; and how to analyze data from installed applications. Readers will also learn about the principles of how mobile operating systems function.
9. Learning Android Forensics: Analyze Android devices with the latest forensic tools and techniques, Second Edition
by Oleg Skulkin, Donnie Tindall, Rohit Tamma
Analysis of Android devices is becoming increasingly challenging by the day. We mentioned this in our article about HiSuite. This book aims to help readers dive deep into the analysis of Android mobile devices. In addition to giving traditional practical tips on extracting and analyzing data in Android smartphones, the authors explain how to make a copy of smartphone RAM, analyze application data, reverse engineer Android malware, and write YARA rules to detect such malware in mobile device memory.
10. Learning Malware Analysis: Explore the concepts, tools, and techniques to analyze and investigate Windows malware
by Monnappa K. A.
The expert community waited for this book to be released for over a year. The author did not let his audience down. He managed to create a good guide for those who want to start their journey in malware reverse engineering. The information is presented in a very clear and easy-to-understand way.

Readers will learn how to set up their own malware analysis lab, find out about static and dynamic analysis methods, have lessons on the interactive disassembler IDA Pro, and discover how to bypass obfuscation (technology that hinders source code analysis).
11. Rootkits and Bootkits: Reversing Modern Malware and Next Generation Threats
by Alex Matrosov, Eugene Rodionov, Sergey Bratus
This book focuses on the complex topic of analyzing rootkits and bootkits. It was authored by three professionals and describes both basic malware reverse engineering principles and complex techniques geared toward professional researchers in this field, i.e. malware analysts.

Readers will be introduced to topics such as booting 32- and 64-bit Windows systems; together with the authors, they will go through the methods of analyzing particular rootkits and bootkits, with examples provided; and they will learn about attack vectors against BIOS and UEFI, the development of detection methods for these types of attacks, and how virtualization is used for bootkit behavior analysis.

Enjoy!