While a tool may implicitly provide very useful forensic functions, it may not provide case management features. If this is the case, the investigator will have to take specific care in maintaining all requirements if they’re using the tool in that manner.
Gone are the days in which conducting a forensic analysis meant pulling the plug and imaging the hard drive. We now know that valuable investigative data resides in a large variety of locations throughout the digital continuum. A successful investigation may rely on the ability to find and interpret a variety of data from these multiple locations.
As a result, the number of tools being designed and marketed with forensic capabilities is growing. The traditional media analysis tools definitely still have a firm place in the investigative process, but they now often include the ability to carry out all the traditional tasks over the network. Adding to those traditional tasks, some of these tools also include the ability to complete a live analysis of a target system over the network as well. Once you've moved past the more traditional products, they become more specialized, and in some cases, less obvious.
On the media front, one category of specialized tools we tested is mobile device forensics. The most obvious application for these tools is to analyze cell phones and PDAs, but devices such as GPS units and digital cameras are also gaining support. These tools can acquire data, such as deleted SMS messages, call logs, stored media, contacts, etc.
Additionally, we tested some tools with specialized memory forensics applications. This type of functionality could be useful in analyzing instances of malware or network intrusions.
We also tested products that provide a wide range of network-based forensics capabilities. Many of these are focused on log aggregation, correlation and analysis, with other features spread throughout. The ability to actively monitor and receive alerts based on criteria, such as link analysis and system status, could also be considered a defensive mechanism. While ironing out the normal event levels, system states and statistics can be an intensive task, the final result can be extremely beneficial.
What to look for
In order to determine what you must look for, you need to examine what you already have. Your answer will help determine which type of forensic tools you should consider purchasing next.
Acquiring different tools over time will help you build a comprehensive forensics solution. Not only will this help ensure that you resolve your investigations, but you will be able to do so more quickly and efficiently with a large toolset at your disposal.
Knowing how you plan on using your new tool is one of the most important aspects of making a decision. If you have special analysis tasks that will need to be performed, then you may move in the direction of a specialized tool. On the other hand, more general purpose tools will provide a wider range of features. Deciding on one product may be difficult, but your decision should be based on whether or not the tool meets all of your data analysis requirements within its respective genre.
While many of the media forensics tools often have a clear purpose and selection criteria, this isn't always the case with the network tools. It's even more important to know how you plan on using the product in this category. Depending on your needs, you'll have to choose between an over-the-network forensic tool, a network forensic tool, and the more specialized log aggregators.
One important thing to think about with the network forensics category is whether or not the primary function of that tool is forensics. While a tool may implicitly provide very useful forensic functions, it may not provide case management features. If this is the case, the investigator will have to take specific care in maintaining all requirements if they're using the tool in that manner.
How we tested
Our testing this month varied considerably because each category of tool required a different method of testing. The network log-based tools were attached to a test network and fed a standard set of logs that we use to test similar equipment. The mobile device forensics software was tested using either a BlackBerry smart phone or Garmin nüvi GPS device. The software packages that focused on over-the-network forensic analysis were tested on a target machine within our test bed.
It is important to keep in mind the variety of tools that we tested. Our ratings were not based on how each product performed within our group, but rather how well that product performed against our product criteria.