// Comparison

Practical Linux Forensics vs The Practice of Network Security Monitoring: Which Should You Read?

Two cybersecurity books on Defensive, compared honestly: who each is for, what each does best, and which to read first.

Intermediate

4/52021

A Guide for Digital Investigators

Bruce Nikkel

Bruce Nikkel's reference for forensic analysts working post-mortem on Linux images: filesystems, journaling, logs, persistence locations, and the chain of custody discipline around them.

Intermediate

5/52013

The Practice of Network Security Monitoring

Understanding Incident Detection and Response

Richard Bejtlich

Richard Bejtlich's NSM playbook: how to deploy collection sensors, validate that you actually see what you think you see, and build detection workflows around open-source tools.

Read this if

Incident responders and forensic analysts working modern Linux systems. Nikkel covers ext4 / XFS / Btrfs internals, systemd journaling, persistence locations, and the chain-of-custody discipline that distinguishes evidence from notes. The post-systemd reference the field needed.

Every SOC analyst and detection engineer. Bejtlich's foundational text on NSM: collect-everything, alert-on-narrow, investigate-broadly. Defines the vocabulary the modern detection field still uses.

Skip this if

Windows-only forensic analysts, or beginners without IR experience. The book assumes filesystem fluency and command-line forensics comfort.

Readers wanting current SIEM tooling specifics. The book pre-dates EDR-as-default and modern cloud-native telemetry; the principles transfer, the tooling specifics don't.

Key takeaways

Modern Linux forensics is not just "parse syslog"; systemd, journald, and the move to overlay-based containers each created new artifact classes.
The book's chapter on persistence enumeration is the cleanest in print; cron, systemd timers, init.d, profile files, all named.
Most cloud workloads are Linux, which means most cloud-incident forensics is Linux forensics; the book is the right starting reference.

Detection without prevention is a strategic choice, not a fallback; Bejtlich was years ahead in arguing the case and the book remains the clearest argument.
The four data types (full content, session, transactional, statistical) are still the right framework for thinking about detection coverage.
Most SOC failures are organizational and procedural, not tooling; the book's chapters on workflows, runbooks, and analyst growth are still the best in print.

How they compare

We rate The Practice of Network Security Monitoring higher (5/5 against 4/5 for Practical Linux Forensics). For most readers, that means The Practice of Network Security Monitoring is the primary pick and Practical Linux Forensics is a useful follow-up.

Both books target intermediate-level readers, so the choice is about topic, not difficulty.

Practical Linux Forensics and The Practice of Network Security Monitoring both cover Defensive, so reading them in sequence reinforces the same material from different angles.

Keep reading

Practical Linux Forensics

→ Alternatives to Practical Linux Forensics → What to read after Practical Linux Forensics