Leanpub Header

Skip to main content

Digital Forensics: A Practical Guide to Modern Investigations

From Evidence Acquisition to Advanced Analysis

This book is 100% completeLast updated on 2026-07-12

Discover how to uncover, preserve, and analyze digital evidence with confidence. From fundamental forensic principles to advanced investigative techniques, this practical guide combines hands-on exercises, real-world case studies, and industry-standard tools to help you conduct modern digital investigations with accuracy and credibility.

Minimum price

$19.00

$29.00

You pay

Author earns

$

Also available for 1 book credit with a Reader Membership

PDF
EPUB
WEB
APP
About

About

About the Book

This is a comprehensive, hands-on guide to digital forensics that takes you from the foundational principles of evidence handling through advanced investigative methodologies used by professional investigators. Every chapter provides actionable techniques, real-world case studies, step-by-step walkthroughs, and command-line examples using industry-standard tools. Whether you are a student entering the field, a security professional expanding your skill set, or an experienced investigator looking for current best practices, this book delivers practical knowledge you can apply immediately in the lab, in incident response, and in court.

Author

About the Author

Steve T. Publications

Steve T. is a cybersecurity leader, researcher, and engineer with more than 20 years of experience across application security, infrastructure security, vulnerability management, software development, and secure engineering practices. Having built his career alongside the growth of the modern internet, he has worked through multiple generations of technology, evolving security threats, and changing development methodologies.

He is currently part of the advanced research organization at a leading cybersecurity company, where he focuses on emerging threats, security innovation, and the practical application of research. His work involves investigating new attack techniques, evaluating emerging technologies, conducting deep technical analysis, and helping organizations better understand and manage complex security risks.

In addition to his research responsibilities, Steve leads a team of senior engineers and subject matter experts who create technical books, training programs, and educational resources for security professionals. Through this work, he helps engineers, developers, architects, and security practitioners strengthen their skills and build more secure systems.

Steve's technical expertise spans software development, reverse engineering, web application security, penetration testing, security architecture, incident response, vulnerability research, operating system internals, and secure software development. His ability to analyze systems at both the source code and binary levels enables him to bridge the worlds of software engineering, security research, and practical defense.

Over the course of his career, Steve has worked with organizations across a wide range of industries, helping them identify, assess, and remediate security weaknesses in critical applications and infrastructure. He is recognized for combining deep technical expertise with a pragmatic approach to security, focusing on solutions that are effective, sustainable, and aligned with business goals.

Through his work in research, engineering, leadership, and education, Steve continues to contribute to the advancement of cybersecurity and the development of secure, resilient technology systems.

Contents

Table of Contents

From Evidence Acquisition to Advanced Analysis

Introduction: The Digital Crime Scene

  1. Why This Book Exists
  2. How to Use This Book
  3. What You Will Need
  4. Tool Version Matrix
  5. Managing Tool Version Drift
  6. A Note on Ethics and Legality
  7. The Road Ahead
  8. Running Case Studies

Chapter 1: Foundations of Digital Forensics

  1. What Is Digital Forensics (and What It Is Not)
  2. The Four Pillars: Identification, Preservation, Analysis, Presentation
  3. A Brief History: From Enron to Modern Cybercrime
  4. The Investigator’s Mindset: Scientific Method Meets Detective Work
  5. Legal Foundations and Admissibility Standards
  6. Summary

Chapter 2: Evidence Handling and Chain of Custody

  1. Identifying Digital Evidence: Sources, Types, and Prioritization
  2. The Chain of Custody Framework
  3. The Evidence Acquisition Workflow
  4. Write Blockers: Hardware and Software Solutions
  5. Forensic Imaging: Bit-by-Bit Copies and Image Formats
  6. Hashing and Integrity Verification (MD5, SHA-1, SHA-256, BKA)
  7. Troubleshooting and Performance: Imaging Challenges
  8. Chain of Custody Field Checklist
  9. Summary

Chapter 3: File Systems and Operating System Artifacts

  1. NTFS Internals: MFT, USN Journal, $LogFile, and Alternate Data Streams
  2. ext4 Forensics: Inodes, Journals, and Extents
  3. APFS and HFS+: macOS File System Artifacts
  4. Deleted Files, Slack Space, and Unallocated Space Recovery
  5. Sleuth Kit and Autopsy: Command-Line File System Analysis
  6. Cross-Platform Artifact Comparison Matrix
  7. Summary

Chapter 4: Windows Forensic Artifacts

  1. Registry Hive Analysis: SAM, SOFTWARE, SYSTEM, and NTUSER.DAT
  2. Prefetch, ShimCache, Amcache, and ShellBags
  3. Event Log Forensics: EVTX Parsing and Key Event IDs
  4. LNK Files, Jump Lists, and Recent File Artifacts
  5. Windows Memory Artifacts and Dump Analysis Preparation
  6. Summary

Chapter 5: Linux and macOS Forensic Artifacts

  1. Shell History, Bash RC Files, and Cron Artifacts
  2. Package Manager Logs: APT, YUM, DNF, and Homebrew
  3. System Logs: syslog, journalctl, and auth.log Analysis
  4. macOS-Specific Artifacts: LaunchDaemons, Spotlight, and Time Machine
  5. Container and VM Forensics Considerations
  6. Summary

Chapter 6: Memory Forensics

  1. The Volatility Framework: Installation and Profile Management
  2. Process Tree Analysis and Hollowing Detection
  3. Network Connection Extraction from Memory
  4. Malware Artifact Discovery: Strings, DLLs, and Code Injection
  5. Rekall, MemProcFS, and Commercial Alternatives
  6. Troubleshooting and Performance: Volatility 3 Common Issues
  7. Summary
  8. Memory Acquisition Field Checklist

Chapter 7: Mobile Device Forensics

  1. Acquisition Methods: Physical, Logical, File System, and Cloud
  2. Open-Source iOS Extraction: libimobiledevice Sequential Workflow
  3. iOS Forensics: SQLite Databases, Keychain, and Backup Parsing
  4. Android Forensics: ADB, DDMS, and App Data Extraction
  5. Cellebrite UFED and Commercial Tool Ecosystems
  6. WhatsApp, Signal, and Encrypted Messaging Analysis
  7. Mobile Forensics Field Checklist
  8. Summary

Chapter 8: Network Forensics

  1. Packet Capture Fundamentals: tcpdump, Wireshark, and tshark
  2. Zeek (Bro) for Network Forensic Analysis
  3. Reconstructing Sessions: HTTP, DNS, SMTP, and TLS
  4. Network Timeline Reconstruction
  5. KAPE and Velociraptor for Remote Collection
  6. Summary

Chapter 9: Cloud and Email Forensics

  1. Cloud Forensics Challenges: Ephemeral Infrastructure and Shared Responsibility
  2. AWS, Azure, and GCP Artifact Collection
  3. Automated Cloud Log Ingestion and Analysis
  4. Email Header Analysis and Message Reconstruction
  5. Exchange, Gmail, and IMAP/POP3 Forensic Techniques
  6. Cloud Logging and SIEM Integration
  7. Summary

Chapter 10: Browser Artifacts and Application Forensics

  1. Chrome, Firefox, and Edge Artifact Analysis
  2. Browser History, Cookies, Cache, and IndexedDB
  3. Flash, Java, and Plugin Artifacts
  4. Office Document Metadata and Hidden Content
  5. Application-Specific Forensics: Discord, Slack, Teams
  6. Summary

Chapter 11: Malware Investigation and Incident Response

  1. Incident Response Frameworks: NIST, SANS, and ISO 27035
  2. Static Analysis: YARA Rules, Strings, and PE Header Examination
  3. Dynamic Analysis: Sandboxing and Network Monitoring
  4. Memory-Based Malware Detection Techniques
  5. Threat Hunting with Sigma Rules and Velociraptor
  6. Summary
  7. Incident Response Triage Checklist

Chapter 12: Timeline Reconstruction and Log Analysis

  1. Plaso (log2timeline) and SuperTimeline Construction
  2. MACB Times and File System Timestamps
  3. Multi-Source Correlation Techniques
  4. Bulk Extractor for Keyword and Pattern Extraction
  5. Automated Timeline Generation and Visualization
  6. Troubleshooting and Performance: Plaso at Scale
  7. Summary

Chapter 13: Anti-Forensics and Countermeasures

  1. Data Hiding Techniques: Steganography, Hidden Partitions, and Timestomping
  2. Wiping and Destruction Tools: DBAN, shred, and sdelete
  3. Anti-Forensics Detection Strategies
  4. Rootkits, Bootkits, and Firmware-Level Attacks
  5. Living-off-the-Land Binary (LOTL) Investigations
  6. Summary

Chapter 14: Forensic Reporting, Legal Issues, and Emerging Trends

  1. Writing Defensible Forensic Reports
  2. Annotated Sample Forensic Report
  3. Expert Testimony and Cross-Examination Preparation
  4. Privacy Laws, GDPR, and International Jurisdiction
  5. AI-Assisted Investigations: Machine Learning in Forensics
  6. AI Admissibility: Current Legal Standards and Validation Requirements
  7. The Future: Quantum Computing, IoT, and Next-Generation Challenges
  8. Summary

Conclusion: The Investigator’s Path Forward

References

Get the free sample chapters

Click the buttons to get the free sample in PDF or EPUB, or read the sample online here

The Leanpub 60 Day 100% Happiness Guarantee

Within 60 days of purchase you can get a 100% refund on any Leanpub purchase, in two clicks.

See full terms...

Earn $8 on a $10 Purchase, and $16 on a $20 Purchase

We pay 80% royalties on purchases of $7.99 or more, and 80% royalties minus a 50 cent flat fee on purchases between $0.99 and $7.98. You earn $8 on a $10 sale, and $16 on a $20 sale. So, if we sell 5000 non-refunded copies of your book for $20, you'll earn $80,000.

(Yes, some authors have already earned much more than that on Leanpub.)

In fact, authors have earned over $15 million writing, publishing and selling on Leanpub.

Learn more about writing on Leanpub

Free Updates. DRM Free.

If you buy a Leanpub book, you get free updates for as long as the author updates the book! Many authors use Leanpub to publish their books in-progress, while they are writing them. All readers get free updates, regardless of when they bought the book or how much they paid (including free).

Most Leanpub books are available in PDF (for computers) and EPUB (for phones, tablets and Kindle). The formats that a book includes are shown at the top right corner of this page.

Finally, Leanpub books don't have any DRM copy-protection nonsense, so you can easily read them on any supported device.

Learn more about Leanpub's ebook formats and where to read them

Write and Publish on Leanpub

You can use Leanpub to easily write, publish and sell in-progress and completed ebooks and online courses!

Leanpub is a powerful platform for serious authors, combining a simple, elegant writing and publishing workflow with a store focused on selling in-progress ebooks.

Leanpub is a magical typewriter for authors: just write in plain text, and to publish your ebook, just click a button. (Or, if you are producing your ebook your own way, you can even upload your own PDF and/or EPUB files and then publish with one click!) It really is that easy.

Learn more about writing on Leanpub