2023/04/18

Book review ‘Practical Linux Forensics’

Rating: ★★★★★ (5 of 5 stars)

The book ‘Practical Linux Forensics’ is at the moment the only up-to-date post mortem Linux forensics book on the market that I am aware of. I mainly bought and read this book to complement the SANS FOR-500, which deals only with Windows post mortem forensics.

Even if you are familiar with Linux, I am very sure that this book holds something new for you. Don't expect to find every exotic distribution out there in this book, but the most popular distributions are covered. This was also one of the most interesting parts for me, as I mainly use Debian or Arch; Fedora and SUSE were largely unknown to me.

The book does a great job explaining how things work under the hood, which is sometimes necessary to properly understand the created artifacts. For questions about the functionality or the created artifacts, the manuals and documentation are also covered in detail, which I highly appreciate, as understanding and consulting the documentation is a highly underestimated skill. Additionally, a lot of links to the official documentation or source code are included, in case you want to dig deeper, which is normally required in forensics.

Anecdote: we just had a small practical workshop on pentesting for our dual students and trainees with some prepared VMs. When some of them had specific questions about the arguments of an executable, they consulted Google first instead of using the integrated help and manual of that tool. There was great amazement when the online suggestion didn't work, because the online content referred to a different version of the executable.

It is amazing to have a well-written book on such a niche topic. I highly recommend reading the book if you are interested in the topic!