This was a very interesting group this year. We noticed some significant changes in how forensic tools are packaged. Mostly, we had the same players that we have had in prior years and that gave us an opportunity to gauge their progress over the past 12 or so months. Probably the biggest trend we saw was moving away from individual tools and the processes that go with them to investigation-centered approaches. In this method, the investigation determines which tools to use and the process becomes more global.
In most cases, our vendors have tied together a suite of tools that can share data. They present their products in the context of an investigative process, using each tool in its turn to accomplish a step in the process. Since that is the way most digital forensic investigators work, it makes a lot of sense.
Since these vendors took the investigative approach, that was how we tested those products. Therefore, this year you will see suites of products in some cases, instead of individual tools.
The other trend we observed was significantly increased functionality. This was so pronounced in one case that we pulled the product from the group reviews and made it this month's First Look. Overall, though, we think that this shift in focus bodes well for the digital forensic space. The bad guys keep getting badder, so it is up to us to meet the challenge.
Traditionally, in digital forensics, the practice has been driven by vendors. Although there now are a significant number of colleges, community colleges and universities stepping up to educate, train and do research, the fact is that the vendor community still is a - if not the major - driving force in digital forensics. Seeing new ways to solve digital forensic problems is still a big responsibility, and the vendor community needs to be a full participant. Happily, that is exactly what we are seeing.
Another set of digital forensic drivers is the shift from the government sector - police, military, etc. - as the home of the digital forensic community to the private sector. Teaching CCFP classes for the International Information Systems Security Certification Consortium, or (ISC)2, we saw that shift and when we look at how digital forensic products are priced we can be assured that the move toward the private sector is well underway.
While it is true that most of the market leaders are relatively small, they also tend to be very creative and efficient. Size does matter, though, and we are seeing vendors partnering with schools and outside researchers to cover the territory. While that never has been unusual, lately it seems to be more pronounced. amd think that is a very good thing.
Testing this month was challenging because we had such a diversity of products. In some cases, there were a couple of vendors that made the same product, but in most we had unique offerings from each vendor. Sticking with the investigative process paradigm, though, we lined up the products as they might appear in a forensic lab. We started with imaging and moved on to analysis. The analysis took varying forms depending on the product suite we were analyzing, but we were able to move smoothly between products. This suggests that there is increasing standardization in the important issues surrounding the conduct of a digital forensic investigation - whether it involves computers, mobile devices, social media or, as usually is the case, some combination.
Overall, the products we tested played very well, both separately and together. So, as you go through these reviews, bear in mind that you likely will want to mix and match and, of course, most competent labs and practitioners have more than one product for a particular task. Consistency in the things that matter - forensic images, for example - is clearly observable in these products. The competitive edge comes in the depth and breadth of the analysis functionality.
Because we had such a variety, this year as in past years, you will see multiple distinguished products. There still will be only one "Best Buy," though. Additionally, we will have one or more "SC Lab Approved" products. That is our highest rating and to attain that level the product must be of the quality of a Best Buy or better (usually better) and the vendor must be willing to leave the product in our lab for a year. Over the course of that year we use the product in production and report on it in next year's forensic tools issue.
Specifications for forensic tools
| Product | CRU | ADF | Guidance Software | AccessData | Cellebrite | IntaForensics | MSAB | Distil Networks | PacketSled |
| Provides | ○ | ● | ● | ● | ● | ○ | ○ | ○ | ○ |
| Provides refined search capabilities | ● | ● | ● | ● | ● | ● | ● | ● | ● |
| Provides over-the-network imaging | ● | ○ | ● | ● | ○ | ○ | ○ | ● | ○ |
| Includes | ○ | ● | ● | ● | ● | ● | ● | ● | ● |
| Provides | ● | ● | ● | ● | ● | ○ | ○ | ● | ● |
| Provides | ○ | ○ | ● | ● | ● | ○ | ○ | ● | ● |
| Includes a | ● | ○ | ● | ● | ● | ○ | ● | ● | ● |
| Includes case management features | ● | ○ | ● | ● | ● | ● | ○ | ○ | ● |
| Includes | ○ | ○ | ● | ● | ● | ○ | ○ | ● | ● |
| Offers | ○ | ○ | ● | ● | ● | ○ | ● | ● | ● |
