As an additional recommendation - do check the download section of the forum for the PDFs. When I first started with CF I bought a few reams of three-hole paper and duplex-printed all the guides, put them in binders with note paper and kept them at arm's reach.
And as far as WFA 2nd - Harlan did a great job with the research and writing of the book. Harlan has always shared here and in other areas of the Internet with almost too much humility - buy his book - it is a PDR for Windows Forensics.
File System Forensic Analysis is SO thorough - invaluable reference.
Craig,
Keydet89, I don't think you needed to remove your post. I would have actually found it beneficial knowing the author; it would be easy to PM you a 'Thank you' if I enjoy your book.
When I posted, I provided the author's name, as well.
From my experience and from talking to other authors, we all appreciate a "thank you", but when it's done as a PM or email, it's not nearly as beneficial as when it's posted someplace publicly…doing it that way lets others know that you found the resource useful and provides credibility.
Think about it…how do you decide which resources to invest your time, money and effort into? Many will go to a book store and browse through a book, but many times folks like to get recommendations from others. PMs and emails directly to the author don't provide those recommendations to others.
Thanks.
Craig,
If you want to extend your knowledge of MAC/timestamp issues into the UNIX side of things, try "Forensic Discovery" by Farmer and Venema. There's a good amount of detail but also a nice discussion of broader issues (e.g. volatility).
Jamie
I was looking into something recently regarding the NTFS MFT, and found that Brian's book did a great job of describing not only the various attributes, but he also mentioned three times that I saw how the MAC times in the $FILE_NAME attribute can be used in differential analysis with those in the $STANDARD_INFORMATION attribute to detect tampering.
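The $FILE_NAME versus $STANDARD_INFORMATION comparison mentioned above, as an added example that is not part of the original post or of Brian Carrier's book: it decodes the four FILETIME fields from constructed attribute bodies and flags the two classic inconsistencies, $SI predating $FN and $SI truncated to whole seconds. The record contents and the 2005/2010 dates are constructed sample data.

```python
import struct
from datetime import datetime, timedelta, timezone

# FILETIME: 100-nanosecond ticks since 1601-01-01 UTC, stored little-endian.
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)
TICKS_PER_SECOND = 10_000_000
FIELDS = ("created", "modified", "mft_modified", "accessed")

def filetime_to_dt(ft: int) -> datetime:
    return FILETIME_EPOCH + timedelta(microseconds=ft // 10)

def dt_to_filetime(dt: datetime) -> int:
    return ((dt - FILETIME_EPOCH) // timedelta(microseconds=1)) * 10

def parse_si_times(body: bytes) -> dict:
    # $STANDARD_INFORMATION (0x10) body opens with the four FILETIMEs.
    return dict(zip(FIELDS, struct.unpack_from("<4Q", body, 0)))

def parse_fn_times(body: bytes) -> dict:
    # $FILE_NAME (0x30) body: 8-byte parent directory reference, then the same four FILETIMEs.
    return dict(zip(FIELDS, struct.unpack_from("<4Q", body, 8)))

def timestamp_anomalies(si: dict, fn: dict) -> list:
    """Flag $SI/$FN inconsistencies that user-mode timestamp changes leave behind:
    $SI predating $FN (only $SI is reachable through SetFileTime) and $SI values
    truncated to whole seconds while $FN keeps the kernel-written precision."""
    findings = []
    for k in FIELDS:
        if si[k] < fn[k]:
            findings.append(f"{k}: $SI {filetime_to_dt(si[k])} predates $FN {filetime_to_dt(fn[k])}")
        if si[k] % TICKS_PER_SECOND == 0 and fn[k] % TICKS_PER_SECOND != 0:
            findings.append(f"{k}: $SI has zeroed sub-second ticks, $FN does not")
    return findings

def build_sample_record() -> tuple:
    """Constructed sample: a file created 2010-03-15 whose $SI creation time was
    later set back to 2005-01-01 00:00:00 with whole-second precision."""
    real = dt_to_filetime(datetime(2010, 3, 15, 10, 22, 31, tzinfo=timezone.utc)) + 1234567
    fake = dt_to_filetime(datetime(2005, 1, 1, tzinfo=timezone.utc))
    fn_body = struct.pack("<Q4Q", 5, real, real, real, real)  # parent ref 5: root directory entry
    si_body = struct.pack("<4Q", fake, real, real, real)
    return si_body, fn_body

if __name__ == "__main__":
    si_body, fn_body = build_sample_record()
    for line in timestamp_anomalies(parse_si_times(si_body), parse_fn_times(fn_body)):
        print(line)
```

On a real image the attribute bodies would come from the MFT record of the file under review; $FN timestamps normally lag behind $SI, so only the reverse ordering is reported.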
I have quite a few digital forensic books that I like, but the three that I feel strongly enough to recommend to people on a forum like this are
Harlan's Windows Forensic Analysis 2nd Edition
Brian Carrier's File System Forensic Analysis
Eoghan Casey's Handbook of Digital Forensics and Investigation
You can find my Amazon reviews at
I don't know if it's necessary to disclose this, but in regards to Eoghan's book, I'm on a board with some of the authors as I explain in my review.
If I ever break down and purchase some sort of Kindle type device, I'll likely pay the money all over again to buy them in the electronic format. That's right. They're so good that I'd buy them twice.
Getting to Harlan's point, one of the reasons why I post reviews and recommendations in public is to spread the word to the digital forensic community about these books and to provide some form of thanks to the authors for the effort they put into them. It's not like these people are making Tom Clancy money by writing these sort of technical books.
I am currently trying to get some of the books recommended, so I hopefully will get a few read while I am off.
Thanks again for the recommendations and I will post back when I have finished reading them.
Craig