As part of the training I took this year, GCFA ( https://www.sans.org/course/advanced-incident-response-threat-hunting-training) I was given this book together with the course. Thumbs up for the people at SANS again.

I came across this book, a lot before I attended my GCFA training however I never bought it, I believe I did not see benefits in it at the time. Today, I can say that this is a must have book  in IR and Forensics. It goes from defining the IR process and the common pitfalls and how to avoid them, to deep technical chapters covering threat hunting from the perspective of DFIR. The book is indeed very well built, covering hunting in the 3 different spheres we can hunt today which are network, endpoint and application.

 

The book is solid in the topics that it covers and the chapters that I believe are more interesting are:  ‘Investigating Windows Systems’, ‘Investigating Applications’ and ‘Malware Triage’.

These 3 chapters set this book apart from many other incident response books, all of them very solid in topics around incident response and tools but they fail to explain what the artefacts are to investigate in windows systems. This book contains an exhaustive list of artefacts plus memory forensics and file system.

As a bonus it also packs a full chapter on how to investigate Mac OS X systems. To sum up I only see benefits in paying the price for reading this book if you are into DFIR and threat hunting.

https://www.amazon.co.uk/gp/product/0071798684/ref=s9_simh_gw_g14_i1_r?ie=UTF8&fpl=fresh&pf_rd_m=A3P5ROKL5A1OLE&pf_rd_s=&pf_rd_r=4ETCVFESTV4857FWYACV&pf_rd_t=36701&pf_rd_p=16f14aeb-bd11-4e9e-8c26-9ca0139074ee&pf_rd_i=desktop