This month we looked at a wide variety of digital forensic tools. This category has been growing rapidly, diversifying and maturing in the past two years. However, there are some interesting aspects to those growth phenomena. First, we are beginning to see real innovation in tool sets, but virtually none of it is in traditional computer forensics tools. In that class, we saw, essentially, nothing new since we reviewed them last year. If anything, they are becoming more alike.
In many respects, the computer forensics product leaders are indistinguishable from each other. Advances that have come at all have been in areas that are intended to keep pace with emerging forensic requirements, such as the increasing number of media types that need to be analyzed. In fact, the old designation of "computer forensics" almost seems to be giving way to a newer and more relevant class of "media forensics."
This year our observation is that there really is very little difference among the leaders beyond a feature here or there. The verdict from the users’ perspective almost always comes down to personal favorites which, if our mail is any indicator, users defend with religious zeal.
Since many organizations use multiple computer forensic tools, which one is "best" almost no longer matters. If you can afford the tool, it meets your needs, it produces acceptable results in the venue in which you are using it, and you have training and experience on it, then that tool probably is your best buy.
Where we are beginning to see real innovation is in what we refer to as digital forensic support tools. These specialized tools really are bringing digital forensics into the mainstream of complicated digital investigation, and investigations with difficult digital elements. We broke that ground last year when we looked at such non-traditional tools as link analyzers. This year we see several products that address specific forensic problems, such as live forensic captures. Innovation, then, is our focus for this year’s Group Test.
We looked at several classes of forensic tools, including traditional computer forensics tools; network forensics analyzers; specialized tools for such things as live forensic capture, PDA forensics, etc.; and tools for performing forensic captures over networks, largely in an incident response environment. Again, this year, the vendor with the most presence in the over-the-network forensic capture and analysis market declined to submit its product. What we found was that vendors are exploring ways to capture forensic data on the media and on the network in very difficult circumstances.
We also found that law enforcement no longer is the force behind forensic tool development. Rather, corporate needs driven by regulatory necessity and incident management are beginning to call the shots in the forensic arena. The traditional logic behind that emerging approach is that law enforcement does not have the money or resources to go much beyond media forensics while corporate organizations do. Thus, law enforcement no longer is where the focus is for today’s forensic tool developers.
This calls into question traditional views of digital forensics, such as that its only purpose is to take evidence to court. The emerging perspective is that its purpose is to gather, manage and analyze evidence — whether for a court appearance or not. The real purpose could be an incident post mortem, an analysis of a particularly difficult technical problem on a network, or the implementation of security and the subsequent analysis of the effectiveness of the implementation, to name just a few possibilities.
In all cases, the forensic analyst must collect, preserve and analyze evidentiary material appropriately. These things matter whether you are going to court or going to the boardroom. Credibility of the findings depends on the credibility of the way the evidentiary material was gathered, preserved, analyzed and managed. Following traditional and emerging rules of digital forensic analysis helps ensure that all of these burdens are met.
With all of that in mind, we took a broadly holistic view of this year’s batch of digital forensic tools. Our testing methodology varied widely depending on the type of tool we were testing and its purpose. We based our Best Buy and Recommended ratings on how well the product performed within its particular genre, not how well it performed against other forensic tools.
- Mike Stephenson contributed to this Group Test.