When you're thinking about the elements of a digital forensics technology that companies need, they may be somewhat different from those of other institutions, like law enforcement. For corporate users, there are many factors at play, but customization and flexibility are key. Does the forensics toolkit have built in capabilities to automatically run custom scripts so that, if a particular scenario happens at an endpoint, it will trigger the collection of data as well as the disconnection of the suspect endpoint from the network and stop the transmission of unauthorized data? Will it also trigger the processing of data to determine how the attack occurred from its origin? If capabilities like these had been in place, attacks such as those on Palo Alto Networks might have had a different outcome.
Criteria Number 1: Defensibility
Data defensibility is one of the most critical elements of a forensic investigation. It represents the handoff from the organization’s IT investigators to the legal teams who will be using this digital evidence in court. To have value in the legal context, data from an investigation must be defensible – teams must be able to prove the data they started with during an investigation is the exact same data they ended with – otherwise it will never be admissible under the law.
Investigators must therefore demonstrate a clear chain of custody, showing that the data presented has not been altered in transit, whether by human error or reviewer bias or malicious interference. Forensic toolsets should factor this in by including checks throughout the process - even down to low level imaging of an endpoint - to demonstrate that nothing has been changed. This avoids the potential of challenge to your evidence.
Criteria Number 2: Scalability
Scalability is another key attribute. Without high-capacity tools, there’s no way to manually manage the threat vectors at sufficient scale to cover all endpoints in a mid-sized or large organization. To be effective, the toolset must scale to allow analysis of all potentially affected endpoints with a single click.
Criteria Number 3: Accuracy
All these features count for little unless organizations have confidence in the results of their forensic investigations. There is no room for doubt about the accuracy of the data; IT pros need to be sure they are looking at the right information when time is at a premium. So, when seeking a digital forensics tool, choose one that has demonstrated minimal false positives over a substantial period of time.