Comp.Forensic Books?

topic posted Sun, December 14, 2003 - 7:49 PM by blank
Can anyone offer up a suggestion or three for any of their favorite Computer Forensics books? Lookin' for some new reading material :)

J.
posted by:
blank
Seattle
  • Unsu...

    Re: Comp.Forensic Books?

    Mon, December 15, 2003 - 11:13 AM
    The following are books I've read on the subject (I've read others, but don't know their titles):

    "Computer Forensics: Incident Response Essentials" by Kruse & Heiser ( www.amazon.com/exec/obido...=1071514668 )
    It's one of the more fun reads in this category of books, and is well suited for a beginner, but also delves into some more advanced topics. I got the feeling the authors had been in the business of forensics for a while; however, they also touch on new points (this book is where I first heard about Alternate Data Streams).

    "Incident Response & Computer Forensics: Second Edition" by Kevin Mandia, Chris Prosise and Matt Pepe. ( www.amazon.com/exec/obido...1071514980/ )
    This book was written by some guys from Foundstone, and thus in their examples, they tend to promote their own tools more (which are all free though, so I don't mind). This book was actually used as a "text-book" (even though it definitely is not a textbook) for a course in computer forensics I just finished taking (no, like I _JUST_ finished it, I handed in the final 4 hours ago). This book leans more towards the legal issues involved with forensics, and how an investigator should carry out their job to ensure their work will hold up in court. Hence, it's not as much fun to read as the previous book. As far as forensics info goes, this book tends to span a broader range of topics, but still doesn't go in depth a whole lot on anything (as is common for all of the books I've read from authors at Foundstone).

    If you didn't know already, "Computer Forensics" is the act of getting down and dirty figuring stuff out, whereas "Incident Response" is basically doing the same but in preparation for legal action. Thus, if you want to learn the technical stuff, find a book that emphasizes "Computer Forensics", and if you want a book on legalities, find one that stresses "Incident Response".

    Both books are just broad overviews/introductions of the topic, and as such, you will need to read other books, or articles, in order to put some skills behind you.
  • Re: Comp.Forensic Books?

    Mon, December 15, 2003 - 1:40 PM
    I'd recommend "Guide to Computer Forensics and Investigations", (ISBN 0-619-13120-9) by Bill Nelson, Amelia Phillips, Frank Enfinger, and Chris Steuart. This is the textbook we're using for my Computer Forensics class at Lake Washington Technical College.

    It's not cheap (about $65), but the list of authors is pretty impressive, and is a good cross-section of the Seattle forensics community: Bill Nelson (who wrote about half the book) is one of the founding members of CTIN (Computer Technology Investigators Northwest), and has been the head of computer security and forensics at Boeing for about a decade. He came and gave a presentation to my class, and seems like a very personable guy. Frank Enfinger teaches the Forensics class at North Seattle Community College, and works for a local police department. Chris Steuart is a practicing attorney, and runs itforensics.com, and Amelia Phillips is an MIT grad that used to work for JPL, and now designs computer forensics programs for technical colleges.

    The book contains a trial (I think 45-day) version of DriveSpy, and uses the tool for tutorials throughout the book.

    It's not what I'd consider "easy reading", but gives a good overview of both the technical and legal aspects of the field. It gives overviews of various industry-standard tools, the architecture of hard drives, how to gather evidence, forensic analysis, writing reports, etc.

    I'll review other books as I work my way through the program...
  • Re: Comp.Forensic Books?

    Thu, March 11, 2004 - 1:01 PM
    Personally, I thought that "Incident Response & Computer Forensics: Second Edition" is the best introduction into incident response and computer forensics. The examples are clear enough to help you understand the process, but they don't provide a clear-cut methodology (not that any authors really have) or method for conducting an entire investigation.

    I really like a new book called "Security Warrior," which discusses forensics and incident response in a new light. Instead of starting from the discovery of the incident, the authors discuss how hackers act, typical anti-forensics techniques, and some hacker profiling; from there they then discuss conducting an investigation.

    Of course, virtually all forensics books are little more than introductions and/or toilet reading. You'll learn a lot more doing investigations. Buy a cheap box, install an old unpatched RedHat image, put it on a cable modem overnight without a firewall, and then try to piece together what happened to it. A cheaper way to learn is to do the Scan-of-the-Month challenges over at honeynet.org. This month's is the analysis of a month's worth of network traffic. Good times.
