
Products reviewed:

AccessData Ultimate Toolkit
EnCase Forensic Edition
Freeware and open-source tools
NetWitness Professional Edition
ProDiscover Incident Response
Vogon Investigation Software
Wiebetech Forensic ComboDock


EnCase from Guidance Software gets our Best Buy, because we felt that its depth of third-party support and active user forums still give it an edge over the competition. Vogon gets the Recommended award for its combination of hardware and software, which stood out for speed and modularity, and for its ability to retrieve data from a wide range of hardware.

Forensic tools (2004)

Catching the culprits of cybercrime is a complex issue, which is why Ian Parsons believes that forensic testing should be a key part of your security package

Computer security is generally focused on preventing intruders from misusing or subverting your systems. But it is just as important to prevent the misuse of systems by those on the inside.

The earliest known computer crimes were committed on mainframe systems, but there were no direct legal precedents available at the time, so it was very difficult to use evidence taken from the IT systems to prosecute criminals.

While a paper document can be examined to see if it has been altered, there were no similar procedures for computer data. This changed as more cases came to light, and legal systems developed rules for the collection and admissibility of evidence from IT systems, but the need to demonstrate that the evidence has not been altered in any way still remains.

The problem has become more complex with the spread of networking, and forensic investigation now extends into obtaining evidence of computer misuse as it happens. The range of forensic products has grown to keep pace with the problem, providing network monitoring, analysis tools and disk drive investigation software.

Some form of forensic software should be part of the security toolkit, and since a system crash may be the result of an attempt to destroy evidence, the business continuity plan should allow for the possibility of forensic investigation as part of the recovery process.

No forensic investigation should be carried out without being aware of the legal requirements. The legal issues are complex and vary from country to country. Most law enforcement agencies have published guidelines on the procedures and considerations involved. Being able to show that the accepted procedures were followed during the examination will add weight to the evidence, while failing to do so could easily render it inadmissible. Even if company policy is to hand the case over to an external agency, the initial internal investigations should still be conducted under the appropriate guidelines.

It is crucial to demonstrate that the evidence has not been altered, so some form of write-blocking hardware is generally used when investigating hard drives. Even if the drives are imaged copies of the originals, and the forensic software never writes to the drive, the OS may do so for its own reasons. Whatever imaging process is used, it must produce forensically sound identical copies. Using a program to "wipe" the destination drive beforehand, so that no alien data "shows through" in the new image, can also help to reinforce the evidence.
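Showing that an image is a forensically sound identical copy normally comes down to hashing: the acquisition tool hashes the source as it reads it, the image is hashed independently, and the two digests must match. As an added illustration (not code from any product reviewed here), this Python script images a constructed stand-in "drive", zero-fills the destination first, and shows that a single stray write to the image is caught on re-verification; the file names and sample contents are assumptions.

```python
import hashlib
import os
import tempfile

CHUNK = 1 << 16  # 64 KiB read/write block size
EVIDENCE = b"constructed sample 'drive' contents for the imaging demo\n" * 4000  # stand-in, not real evidence

def wipe(path: str, size: int) -> None:
    """Zero-fill the destination so nothing from an earlier job 'shows through'."""
    with open(path, "wb") as f:
        remaining = size
        while remaining > 0:
            n = min(CHUNK, remaining)
            f.write(b"\x00" * n)
            remaining -= n

def digest(path: str) -> str:
    """SHA-256 of a file, read in blocks so large images fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(CHUNK), b""):
            h.update(chunk)
    return h.hexdigest()

def image(src: str, dst: str) -> str:
    """Copy src to dst block by block; return the hash of the bytes actually read."""
    h = hashlib.sha256()
    with open(src, "rb") as fin, open(dst, "wb") as fout:
        for chunk in iter(lambda: fin.read(CHUNK), b""):
            h.update(chunk)
            fout.write(chunk)
    return h.hexdigest()

def demo() -> dict:
    """Image the constructed drive, verify the copy, then detect one stray write."""
    with tempfile.TemporaryDirectory() as tmp:
        src = os.path.join(tmp, "suspect.bin")
        img = os.path.join(tmp, "suspect.img")
        with open(src, "wb") as f:
            f.write(EVIDENCE)
        wipe(img, len(EVIDENCE))
        acquisition = image(src, img)
        source = digest(src)  # hash the original independently of the copy
        verified = digest(img) == acquisition == source
        with open(img, "r+b") as f:  # simulate an unblocked OS write to the image
            f.seek(10)
            f.write(b"X")
        still_verified = digest(img) == acquisition
    return {"verified": verified, "after_write": still_verified, "acquisition": acquisition, "source": source}
```

Recording the acquisition digest alongside who imaged the drive and when is what lets the copy stand in for the original later.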

For this test, we created a fresh Windows XP Professional system, using NTFS for its security features, and then created some examples of hidden and encrypted files, emails and web pages. We included some password-protected archives and Word documents, hid programs in various ways, and created alternate data streams in text files (see panel). We tested the network monitoring tools by using Microsoft's WAS to generate a lot of network traffic, and we intermixed other network activities, such as logon attempts and port scans, at random.

Some of the tools, such as file viewers and keyword search programs, have equivalent programs available either as part of the OS or from the internet. However, these are not necessarily suitable for forensic examinations.

Any analysis system can produce "false positives," so the results need to be examined and interpreted in context and not taken at face value. For example, when we ran a keyword search using word lists provided by law enforcement agencies, the results indicated drug-related content in our system page file, which in fact contained a copy of the word list itself. The rest of the hits were traced to a number of files in the Java SDK that happened to include words such as "hash" and "hash table", all completely legitimate programming terms.

All the products tested proved to be useful and informative. They often approached the same issues from different directions, and where one product would content itself with a simple hex or text display, another would format the same information into a highly detailed list. The final choices will be influenced by the intended use.

Where this tends towards a support role, the freeware tools will more than repay the time and effort needed to discover their capabilities. But if the primary use is to be in forensic investigation, then the commercial tools, with their technical support resources, would be the obvious choice.
