Incident Response and Computer Forensics
3rd Edition
Luttgens, Pepe, and Mandia's working playbook for running an enterprise IR engagement: pre-engagement readiness, evidence acquisition, network and host forensics, and the project-management discipline that separates a controlled response from a panic.
- Published: 2014
- Publisher: McGraw Hill
- Pages: 624
- Edition: 3rd Edition
- Language: English
Read this if
Junior-to-senior incident responders, SOC leads, and CISOs who need the canonical cross-discipline reference for what a real IR program looks like end to end. Strongest as a structural primer — the maturity model implicit in the book is still the field's de facto baseline.
Skip this if
Readers wanting current tradecraft on identity-attack response (Azure AD / Entra ID, OAuth abuse, Golden SAML), cloud-specific IR, or modern EDR-driven hunting; the book is largely on-prem and reflects 2014 tooling. Pair it with cloud-IR-specific resources (the Mandiant blog, the AWS and Azure incident-response runbooks) for the missing layer.
Key takeaways
- Readiness is the engagement: most of what determines the outcome of an IR is decided before the call comes in.
- The acquire-then-analyze discipline still holds; cutting that corner is what produces the bad-headline retrospectives.
- The book's project-management chapters are the underrated half — most failed responses are management failures, not technical ones.
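The acquire-then-analyze discipline in the takeaways above, shown as an added example (this is not code from the book or its authors): the acquisition step copies the source, records a SHA-256 and an acquisition manifest, and makes the copy read-only; every analysis pass re-verifies the hash against the manifest before it touches the image, so a modified or corrupted copy is refused rather than silently analysed. The manifest layout, the hypothetical `examiner-1` identity, and the constructed on-disk sample are assumptions for illustration.

```python
"""Acquire-then-analyze: hash at acquisition, re-verify before every analysis pass."""
import hashlib
import json
import os
import tempfile
from datetime import datetime, timezone

CHUNK = 1 << 20  # 1 MiB read size; real images are far too large to read whole


def sha256_file(path):
    """Stream a file through SHA-256 so the hash is independent of file size."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(CHUNK), b""):
            h.update(block)
    return h.hexdigest()


def acquire(source_path, evidence_dir, examiner):
    """Copy the source into the evidence directory, hash the copy, write a manifest.

    The copy is chmod'ed read-only so a careless tool cannot modify it in place.
    Manifest fields (item, sha256, acquired_utc, examiner, source) are an assumed
    layout for this example, not a standard format.
    """
    dest = os.path.join(evidence_dir, os.path.basename(source_path) + ".img")
    with open(source_path, "rb") as src, open(dest, "wb") as dst:
        for block in iter(lambda: src.read(CHUNK), b""):
            dst.write(block)
    os.chmod(dest, 0o444)
    manifest = {
        "item": os.path.basename(dest),
        "sha256": sha256_file(dest),
        "acquired_utc": datetime.now(timezone.utc).isoformat(),
        "examiner": examiner,
        "source": source_path,
    }
    with open(dest + ".manifest.json", "w") as f:
        json.dump(manifest, f, indent=2)
    return dest, manifest


def verify(image_path):
    """True only if the image still hashes to the value recorded at acquisition."""
    with open(image_path + ".manifest.json") as f:
        manifest = json.load(f)
    return sha256_file(image_path) == manifest["sha256"]


def analyze(image_path, needle):
    """Stand-in for an analysis pass: count a byte pattern, but only on intact evidence."""
    if not verify(image_path):
        raise RuntimeError(f"{image_path}: hash mismatch, evidence is not intact")
    with open(image_path, "rb") as f:
        return f.read().count(needle)


def demo():
    """Run the workflow on a constructed sample, then tamper with the copy and retry."""
    with tempfile.TemporaryDirectory() as tmp:
        src = os.path.join(tmp, "disk0")
        with open(src, "wb") as f:
            f.write(b"header" + b"MZ" * 3 + b"\x00" * 64)  # constructed sample, not a real image
        evidence_dir = os.path.join(tmp, "evidence")
        os.mkdir(evidence_dir)

        img, manifest = acquire(src, evidence_dir, "examiner-1")  # hypothetical examiner id
        ok_before = verify(img)
        hits = analyze(img, b"MZ")

        # Simulate an analyst (or a tool) modifying the working copy in place.
        os.chmod(img, 0o644)
        with open(img, "r+b") as f:
            f.seek(0)
            f.write(b"X")
        ok_after = verify(img)
        try:
            analyze(img, b"MZ")
            refused = False
        except RuntimeError:
            refused = True

        return {
            "ok_before": ok_before,
            "hits": hits,
            "ok_after": ok_after,
            "refused": refused,
            "sha256_len": len(manifest["sha256"]),
        }


if __name__ == "__main__":
    print(demo())
```

The point the code makes is that verification is a gate in front of analysis, not a one-time step after acquisition; a hash written into a manifest that nobody re-checks protects nothing.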
Notes
Pair with The Art of Memory Forensics (Ligh et al.) for the analysis depth and with The Practice of Network Security Monitoring (Bejtlich) for the detection-side mindset. Mandiant's M-Trends report each year is the live update on how the field has moved since 2014. The book's sustained influence is why a fourth edition would be the most-anticipated DFIR title in the field.
What to read before
Beginner · 2019
Foundations of Information Security
Jason Andress' compact tour of the field: confidentiality / integrity / availability, identification and authentication, network and OS controls, written for newcomers and adjacent disciplines.
Beginner · 2021
How Cybersecurity Really Works
Sam Grubb's gentle, exercise-driven introduction for non-specialists who need a working mental model of attacker behaviour and basic defence.
Intermediate · 2021
Practical Linux Forensics
Bruce Nikkel's reference for forensic analysts working post-mortem on Linux images: filesystems, journaling, logs, persistence locations, and the chain of custody discipline around them.
What to read next
Advanced · 2014
The Art of Memory Forensics
Ligh, Case, Levy, and Walters' canonical reference on memory analysis with Volatility — the technique, the tooling, and the operating-system internals it depends on, across Windows, Linux, and macOS.
Intermediate · 2021
Practical Linux Forensics
Bruce Nikkel's reference for forensic analysts working post-mortem on Linux images: filesystems, journaling, logs, persistence locations, and the chain of custody discipline around them.
Advanced · 2020
Building Secure and Reliable Systems
Google's site-reliability and security teams jointly write down what it actually takes to build systems that are both safe and dependable, from threat models and design reviews to rollback culture and crisis response.
Explore similar books
Intermediate · 2021
Practical Linux Forensics
Bruce Nikkel's reference for forensic analysts working post-mortem on Linux images: filesystems, journaling, logs, persistence locations, and the chain of custody discipline around them.
Advanced · 2014
The Art of Memory Forensics
Ligh, Case, Levy, and Walters' canonical reference on memory analysis with Volatility — the technique, the tooling, and the operating-system internals it depends on, across Windows, Linux, and macOS.
Intermediate · 2021
Designing Secure Software
Loren Kohnfelder, the original PKI author, on how to weave security thinking through requirements, design, implementation and operations rather than bolt it on at the end.