The world of digital forensics has become increasingly complicated. This, of course, is owing to several reasons. The fact that the FBI has declared cyber crime as the nation's number one threat - even ahead of terrorism - is one important reason. The rise of cyber crime has been both astronomical and rapid. This is coupled with terrorism on many levels, so solving one may lead inevitably to solving the other. The problem is that because there is a lot of money to be made in cyber crime and the risks are very low it has attracted an entire underground industry.
Recently, a report by McAfee suggested that there was an underground economy developing based on crimeware development. Crimeware is software that can be used by criminals who do not have significant computing skills. However, the developers are creating products that are every bit as sophisticated as many legitimate commercial products and, in many cases, even include technical support and help-desk services. The cost of these products is rather high, but considering the plunder that they can extract for their users, the price by any standards is quite reasonable. Some customers, of course, are terrorist groups. With these unsettling facts in mind it is no wonder that the defenders need tools as sophisticated to put up a fight.
Major intrusions, such as the vastly over-hyped Target breach, serve a positive purpose in raising awareness. We recently had a conversation with an advocate for wider-ranging computer and network security. She took the position that Target was a good thing from the perspective of raising awareness. I am not sure that Target would agree with her, nor might the victims whose information was stolen. However, there is something to be said for increasing awareness in both the general public and in those organizations that might opt for the easy way out when it comes to security.
That said, breaches and cyber crimes will continue. They will increase in frequency and level of damage so if we cannot be proactive at least we can clean up the mess after the attack is over. The attack may not be just a simple attack or breach, either. It may be a wide-ranging fraud, for example, or it may be a large-scale DoS conducted by hacktivists. Whatever the nature of the attack - fraud, cyber terror or other nefarious cyber activity - at the end of the day it is the forensic specialist who is left with the task of figuring out what happened.
Those forensic specialists are increasingly at the mercy of their tools. Sophisticated attacks require sophisticated responses and sophisticated responses require sophisticated tools. The nature of today's computer systems is sufficiently complicated that there are few, if any, tools that can do everything. Most cyber forensic labs have substantial tool sets at their disposal and many of the tools in the kit duplicate each other's functionality. So there may be two or more computer forensic tools, for example. Having multiple tools of similar functionality allows a more thorough analysis of a suspect piece of evidence than one alone.
This month we have a handful of some of the best tools available for various aspects of cyber forensics. To be sure, there are some with similar functionality, but we caution that having functionality that is similar does not necessarily mean that one is superior - though, of course, it may be. Rather, it often means that the two tools offer the same functionally while having individual strengths.
In our monthly Group Test reviews we never compare products against each other. This is not and never has been a shoot-out or bake-off. Rather, we assess the product with what it claims to do and we do that in the context of the market it serves. For this selection of products, never was any standard truer. There are few direct competitors here and each one has something special about it. If we were to make a broad recommendation it would be that a really good lab might have all of the products we are looking at this month.
With that said, there is one disturbing trend we observed this month. We have seen this before, but it was particularly obvious in some of the forensic vendors. In order to get any useful information - beyond marketing and sales hype - you must sign up with the website. Only then can you access such things as FAQs, discussion forums, spec sheets and documentation, all of which are legitimate sources of information that can help a prospective buyer make a decision. We assume that this is to force shoppers to receive a sales call, unwelcomed by many potential customers. We believe this is inappropriate and wherever we found it we reflected it negatively in the star ratings.