Book Review: "How to Investigate like a Rockstar"
"How to Investigate Like a Rockstar: Live a real crisis to master the secrets of forensic analysis" by Sparc Flow is an excellent take on incident response and forensics. This is the 5th Sparc book I've read, and each one has been well worth my time, providing new infosec techniques in a fun, story-like text. Like most other full Sparc texts, it was easily digestible and short while providing top-notch information pulled directly from practice. Whereas most of his books promote offensive security or penetration testing, this one promotes incident response and forensics, which serves both as a counterbalance to Sparc's teachings and as a way to create more well-rounded security professionals. I read the book for ~$7 on Amazon, in about two sittings on the Kindle, at ~120 pages. I give the book 6 out of 10 stars for being a highly educational, intriguing, and fun book on incident response. I recommend it to those into incident response or forensics, as well as those looking to get into IR or those with a general interest in computer security. The following are the chapters of the book, in my typical fashion, before we dive into the critical analysis:
Chapter 1: The first call
1.1: Action plan
1.2: Preliminary Diagnosis
1.3: Further probing
Chapter 2: The culprit
2.1: Collecting artifacts
2.2: Analyzing data
2.3: Memory analysis
Chapter 3: Bigger picture
3.1: Round two
3.2: Disk analysis
3.3: IP analysis
3.4: Linux analysis
Chapter 3: Kill or cure
Ultimately, I really enjoyed this book. I like the story aspect of it, and when coupled with uncovering the forensic details it made the book feel like a hacker mystery novel at times. I'm glad so much time was spent covering how the attacker moved laterally, especially how this was graphed out over time, showing their expansion around the network. I really enjoyed the mainframe forensics at the beginning of the book, as that was pretty unique to me and got me hooked right away. I also enjoyed all of the memory forensics; I thought that was a great compromise between the live response techniques Sparc would use and the traditional disk forensic techniques. The book was also interesting because the attacker used fairly advanced techniques, such as process injection, to further obfuscate where their malicious code was running. I do wish a bigger importance had been placed on centralized logging and detection systems; for example, the ability to write signatures for the attackers and detect if / when they return could be a vital recovery step. As always, I like the numerous links and references, as I've mentioned before. Finally, don't forget to check out the companion site and code on GitHub.
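To make the point about centralized logging and signatures concrete, here is an added example (mine, not code from the book, its companion site, or Sparc Flow): a small matcher that turns indicators recovered during an investigation into signatures and runs them over centralized log lines, flagging any hit that lands after a containment date as a possible return. The log format, the indicator values (IPs from documentation ranges, a made-up hash, a placeholder encoded string) and the log lines are all constructed for the example.

```python
"""Minimal signature matching over centralized logs (added example).

Everything here is constructed: the key=value log format, the indicator values
and the sample events. Nothing is taken from the book or a real incident.
"""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set, Tuple

# key=value tokenizer; quoted values may contain spaces.
KV_RE = re.compile(r'(\w+)=("([^"]*)"|(\S+))')


def parse_event(line: str) -> Dict[str, str]:
    """Parse one constructed line: '<ISO timestamp> key=value key="value with spaces"'."""
    ts, _, rest = line.partition(" ")
    event = {"ts": ts}
    for m in KV_RE.finditer(rest):
        event[m.group(1)] = m.group(3) if m.group(3) is not None else m.group(4)
    return event


@dataclass
class Signature:
    """A signature fires if any listed field holds a known indicator,
    or if the command line matches the optional regex."""
    name: str
    field_values: Dict[str, Set[str]] = field(default_factory=dict)
    cmd_regex: Optional[str] = None

    def matches(self, event: Dict[str, str]) -> bool:
        for fld, values in self.field_values.items():
            if event.get(fld) in values:
                return True
        if self.cmd_regex and re.search(self.cmd_regex, event.get("cmd", ""), re.IGNORECASE):
            return True
        return False


# Indicators "recovered during the investigation" (constructed placeholders).
SIGNATURES = [
    Signature("incident-c2-infra", {"dst": {"203.0.113.45", "198.51.100.7"}}),
    Signature("incident-tooling-hash", {"sha256": {"0123456789abcdef" * 4}}),
    # Long base64-looking argument after -enc / -EncodedCommand.
    Signature("encoded-powershell", cmd_regex=r"powershell.*\s-enc(odedcommand)?\s+[A-Za-z0-9+/=]{20,}"),
]

# Constructed sample of centralized log lines; the last two are two weeks later.
LOG_LINES = [
    '2024-03-01T10:02:11Z host=ws-07 proc=chrome.exe dst=192.0.2.10 cmd="chrome.exe --profile"',
    '2024-03-01T10:05:40Z host=ws-07 proc=powershell.exe dst=203.0.113.45 '
    'cmd="powershell.exe -nop -w hidden -enc QUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFB"',  # placeholder, not a payload
    '2024-03-01T11:17:03Z host=srv-db-02 proc=svc.exe sha256=' + "0123456789abcdef" * 4 + ' dst=10.0.0.5 cmd="svc.exe -run"',
    '2024-03-15T02:44:19Z host=ws-11 proc=updater.exe dst=198.51.100.7 cmd="updater.exe /check"',
    '2024-03-15T02:50:00Z host=ws-11 proc=outlook.exe dst=192.0.2.10 cmd="outlook.exe"',
]

Hit = Tuple[str, Optional[str], str]  # (timestamp, host, signature name)


def scan(lines: List[str], signatures: List[Signature] = SIGNATURES) -> List[Hit]:
    """Run every signature over every event; return one hit per (event, signature) match."""
    hits: List[Hit] = []
    for line in lines:
        ev = parse_event(line)
        for sig in signatures:
            if sig.matches(ev):
                hits.append((ev["ts"], ev.get("host"), sig.name))
    return hits


def returns_after(hits: List[Hit], containment_ts: str) -> List[Hit]:
    """Hits after the containment timestamp are candidate re-entries by the same attacker.
    ISO 8601 UTC timestamps compare correctly as strings."""
    return [h for h in hits if h[0] > containment_ts]


if __name__ == "__main__":
    all_hits = scan(LOG_LINES)
    for h in all_hits:
        print("HIT", *h)
    for h in returns_after(all_hits, "2024-03-02T00:00:00Z"):
        print("POSSIBLE RETURN", *h)
```

The design choice worth noting is that the signature set is built from the incident's own artifacts (the infrastructure, tooling hashes and command-line shape seen during the investigation), so it keeps paying off after recovery: the same rules that confirm the scope of the first intrusion are what alert on a later re-entry, which is exactly the recovery step the review wishes the book had emphasized.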
