In testing forensic tools, we decided to break the mold. Rather than limit ourselves to one type of forensic tool, we approached the challenge of incident response.
Essentially, incident management is a forensic problem. We want to know what might be on various computer media, what has traveled over the network, how the various networked devices are configured, and how all the disk images, network logs and other valuable data hook together. That challenge demands a serious toolkit of computer forensic, network-enabled forensic, network forensic and analytical tools.
We found that results from the various computer forensic tools we tested were inconsistent. One would expect agreement from tool to tool, but for a variety of reasons this is often not the case. The case for using multiple tools is clear: you don't want to miss important evidence just because one tool has a glitch.
The bottom line: your ability to clear an incident, get back to production, recover lost or damaged data, and arrive at an explanation will probably depend on your successful use of these types of tools.
Product: i2 Analyst's Notebook
Vendor: i2 Inc.
Verdict: Intuitive, powerful analysis tool for complex incidents.
Product: LogLogic LX 2000
Vendor: LogLogic, Inc.
Verdict: High-powered; generally intuitive operation and high functionality.
Product: ProDiscover Incident Response
Vendor: Technology Pathways
Verdict: Fully functional, network-based IT forensics tool with the ability to gather evidence remotely.