
Products reviewed in this group test:
EnCase Forensic
Forensic Field Kit
Inforenz Forager
NetWitness Appliance
ProDiscover Incident Response
Stellar Phoenix FAT & NTFS
Total Event Log Management Suite


Forensic tools (2005)
We all know the value of lightning-fast incident response. But as Jon Tullett reports, security teams must now not only detect and block attacks, but carefully gather and analyze potential prosecution evidence.
We have awarded a joint first place in this group test. EnCase Forensic is still head and shoulders above the crowd when it comes to file system analysis, and fully deserves another forensics Best Buy. Version 5 has addressed a number of small shortcomings in the previous version. However, we were equally impressed with NetWitness from Mantech, which offers a superb set of features for capturing and processing network traffic, and we consider it also well worthy of a Best Buy award.
The term "forensics" has become diluted with use. Its true meaning is simply the process of preparing evidence for presentation in a court of law.
But in common use, the term has come to mean the investigation process itself, including gathering evidence, analyzing it for traces and clues, and drawing conclusions.
This shift in meaning occurred because of the tremendous need for incident response in modern IT security. Teams are expected to detect and react almost instantly, but are increasingly expected to do so in a forensically sound manner that can lead to later prosecution or disciplinary proceedings.
So in this forensics group test we focus mainly on incident response, reviewing products which will help security managers investigate an incident and collect evidence, but with a focus on the more strict forensic requirements, too. We check whether a product that is collecting evidence is doing so in a forensically sound manner, in accordance with best practice guidelines, which include ensuring that the original evidence is not tampered with in any way, that the actions of the investigator are properly audited, and that data integrity checks are available.
As a starting point for best practice, the U.K. Association of Chief Police Officers' (ACPO) Good Practice Guide for Computer-Based Electronic Evidence is widely held as the keystone of IT forensic practice. There are plenty of white papers and guidelines around that deal with IT forensics, and it is worth building up a library of those particularly relevant to your organization, but start with this one.
And best practice is absolutely vital: commercial forensic experts warn that a vast number of cases are brought down by over-eager internal administrators "just taking a quick look" and unwittingly damaging evidence. With more and more cases (both criminal and civil) coming to court, the expertise of judges and defense attorneys is now at the point where any small flaw in the chain of evidence or the procedures followed might result in a summary dismissal, even if the evidence is overwhelming in your favor. Any member of staff working in incident response or investigating possible abuse should be trained in basic forensics, and be familiar with the process.
Ideally, incident response would start with suspect systems taken offline immediately, their drives mirrored and investigations starting from there. But mission-critical systems cannot just be summarily disconnected, and data on live systems, such as the memory state and network activity, can be just as important as what is on the hard drive. We looked at products that could cover the range of tasks, acquiring and investigating evidence in hard drives, memory, system logs and on the wire.
What we found was that no one product really covers every base. Some go further than others, but there will always be cases where a special-purpose tool accomplishes a specific task more quickly or effectively. But again, be wary of tools that might not maintain the chain of evidence.
There are many open source tools for specific forensic tasks, such as acquiring data, creating and comparing hash sets and investigating files for specific patterns. Opensourceforensics.org offers an extensive list of these, although some are no longer supported. Probably the best-regarded tools are the Sleuth Kit, and its separately maintained web front-end, Autopsy.
There are promising "live CDs" available: software collections that are booted off a CD to conduct data analysis and collection or other security tasks. But be aware that many will mount the local systems automatically, and might touch local data, leaving it forensically unsound. Live CDs are great for incident response or analysis of previously imaged data, but may be risky for live forensic investigations.
Finally, a valuable tool in tracing illicit behavior on a compromised system is a set of hashes – file signatures – of files known to be valid (like default OS files) or bad (like rootkits). The National Institute of Standards and Technology (NIST) has a collection of hash sets, the National Software Reference Library. Sets can be downloaded as a set of ISO images and converted into various formats using tools also provided by NIST, and many forensics tools will make use of these or other hash sets.
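As an added illustration of how a hash set is put to work (this is example code written for this page, not part of the original review and not any vendor's or NIST's code): a constructed hash set in a simplified NSRL-style text layout is loaded, every file in a constructed evidence tree is hashed read-only, and each file is sorted into known-good, known-bad or unknown. The column layout and all file contents are assumptions.

```python
import csv
import hashlib
import io
import tempfile
from pathlib import Path

# Constructed stand-ins for a clean OS binary and a known rootkit driver.
GOOD = b"MZ\x90\x00 constructed clean notepad.exe image"
BAD = b"MZ\x90\x00 constructed rootkit.sys image"

# Constructed hash set in a simplified NSRL-RDS-like text layout (an
# assumption: real RDS files also carry MD5, CRC32 and product columns).
SAMPLE_HASH_SET = (
    '"SHA-1","FileName","Category"\n'
    f'"{hashlib.sha1(GOOD).hexdigest()}","notepad.exe","known-good"\n'
    f'"{hashlib.sha1(BAD).hexdigest()}","rootkit.sys","known-bad"\n'
)

def load_hash_set(text):
    """Map lower-case SHA-1 -> (catalogued name, category)."""
    return {row["SHA-1"].lower(): (row["FileName"], row["Category"])
            for row in csv.DictReader(io.StringIO(text))}

def sha1_file(path, chunk=1 << 20):
    """Hash a file in chunks, opened read-only so the evidence is untouched."""
    h = hashlib.sha1()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()

def triage(root, hash_set):
    """Sort files under root into known-good / known-bad / unknown by content,
    so a renamed rootkit is still caught and known-good noise can be hidden."""
    result = {"known-good": [], "known-bad": [], "unknown": []}
    for p in sorted(Path(root).rglob("*")):
        if p.is_file():
            digest = sha1_file(p)
            _, category = hash_set.get(digest, (None, "unknown"))
            result[category].append((p.relative_to(root).as_posix(), digest))
    return result

def demo():
    """Build a constructed evidence tree in a temp dir and triage it."""
    with tempfile.TemporaryDirectory() as d:
        Path(d, "notepad.exe").write_bytes(GOOD)
        Path(d, "drivers").mkdir()
        Path(d, "drivers", "svc.sys").write_bytes(BAD)  # renamed rootkit
        Path(d, "drivers", "custom.dll").write_bytes(b"not in any set")
        return triage(d, load_hash_set(SAMPLE_HASH_SET))
```

Each entry carries the recorded digest, so the same listing doubles as an integrity record of what was examined.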

