In this group test, we decided to break the mold. Rather than limit ourselves to one type of forensic tool, we approached the challenge of incident response.
Essentially, incident management is a forensic problem. We want to know what might be on various computer media as well as what has travelled over the network, what the configurations of various networked devices are and how all the disk images, network logs and other valuable data hooks together. That challenge demands a serious toolkit of computer forensic, network-enabled forensic, network forensic and analytical tools.
We examined the leading commercial and open-source computer forensic tools, network-enabled tools and auditing software, network forensic/log analysis tools, and the market leader in link analysis tools. We grouped our selections into three incident-response toolkits based upon price (see panel, right) and because we examined a wide range of product types for this review, have designated three Best Buys. Overall, this collection consisted of very good products.
An amazing number of excellent open-source tools for various forensic tasks are available and, for those organisations that cannot afford big price tags or which simply want a second tool, these are excellent. We tested three such tools and they are available in a variety of configurations from the original programs to collections on Live-CD.
In the world of IT forensics, expert digital forensic analysts generally recommend multiple tools as a best practice. We found that results from the various computer forensic tools we tested were inconsistent. One would expect agreement from tool to tool but, for a variety of reasons, this is not often the case. The case for using multiple tools is clear: you don’t want to miss important evidence just because your tool has a glitch.
We tested the computer forensic tools on a standard image that we created with several glitches in it to test the analysis and acquisition capabilities of the computer forensics tools. These included a restored operating system on top of a different, larger, OS without deleting the original OS.
We used each tool to image the disk both in the tool’s native imaging format and, where available, dd. We then analysed the image looking for certain artifacts. Finally, we analysed a standardised dd image using those tools that could take a raw dd file as input.
We tested the log aggregators/ analysers using a standard set of snort logs compiled over an 18-month period. We extracted about six month’s worth of data and used that as the test case.
We looked for ease of import, number of file source types the device could handle, whether it needed security logs or could take anything, and ease of set up and configuration.
Finally, we exported data from each tool to the link analyser and attempted to build a case that could explain various events using link analysis. Virtually all the products we tested were capable of generating an output that was useful to the link analyser.
Link analysers are not used widely by IT professionals, but they should be. If used properly, they can cut weeks off the chore of making sense out of large amounts of information.
Metadata from the computer forensics tools can provide input for the link analyser, and logs can provide network analysis input. As a result, using the link analyser, the investigator can “connect the dots” and get a much better understanding of the interactions that caused the incident. If you once use a link analyser for an incident investigation, you will never want to be without one.
The bottom line for the forensic connection to incident response is that your ability to clear an incident, get back to production, recover lost or damaged data and arrive at an explanation will probably depend upon your successful use of the types of tools we have reviewed here.
We awarded Best Buy to three products in different categories because of the differences between the types of products on test. For that same reason, we have not selected Recommended awards.
However, as well as our three Best Buys, we do commend the following for their strong capabilities that were strongly demonstrated throughout our testing: AccessData’s Forensic ToolKit, for its completeness, affordable price and excellent court track record; Mandiant First Response, as a first-response tool for gathering a snapshot of the network with very limited intrusiveness prior to a detailed forensic examination; and SleuthKit & Autopsy Browser, as a great second forensic tool for those users who are comfortable in the Unix/Linux environments.