Last year we included all types of forensic tools in our annual digital forensics reviews. Everything fit into a single category. That was then and this is now. We took the position that the field was both wide and increasingly deep so we included all sorts of interesting point-solution tools that solved individual forensic challenges. This year we are doing a similar set of reviews with the exception that the market has matured sufficiently to allow us to break the genre into two groups: media forensics and network forensics.
On the media side we looked at any tool used to perform forensic analysis on some form of computer media or device. That included phone/PDA forensics, traditional computer forensics and media acquisition tools.
Network products included computer forensic tools that acquire and analyze over the network as well as network traffic/log analysis tools. These tools include log correlators and detailed analysis tools. Taken together, the products we looked at this month support the process of End-to-End Digital Investigation (EEDI). EEDI is a set of techniques that take into account all of the possible devices and paths in a digital incident. In order to perform an EEDI procedure one must have tools that operate ate a variety of levels. This month's products fill that bill.
Testing this month was a hodge-podge of techniques customized to the individual product types. However, it was an interesting exercise because there was so much functionally available to us in a wide variety of products. To me that indicates an increasing level of maturity. I have been using many of these products myself for years. The industry often has found itself in a defensive position relative to other areas of forensic practice. That is, less and less, the case today.
Many colleges and universities, including a high percentage of NSA/DHS Centers of Academic Excellence in Information Assurance, are offering digital forensics programs. There are multiple certifications and more coming. The breadth and depth of digital forensic product offerings are increasing rapidly and sophisticated techniques are developing rapidly.
Last year the Department of Defense DC3 Forensic Challenge was the toughest I have seen yet. Moreover the individual tasks required significant research to complete and were at the cutting edge of digital forensic practice. In addition to the usual CD repair and image analysis, the challenge added forensic on Vista Bit Locker, mixed image analysis (where part of the image is a genuine digital photo and part is a computer-generated alteration) and other sophisticated analyses. Today's tools reflect the increasing need for sophisticated, yet simple to use, tools for solving sophisticated problems.
Before I close for the month, just a word or two about the products you won't see here. I get a couple of emails per month asking why we left out some of the market leaders. The answer to that is a bit complicated but it usually comes down to scheduling. For example, we invited one of my favorite companies to submit their brand new product. The timing was excellent since it had been released recently. It was too good, in fact. The vendor had run out of demo units and had nothing to send us. Another roadblock is that when a company is getting ready to retire one version and introduce a new one it may not want to submit the old one. We are clear that we only accept production versions in our group reviews. That sometimes kills the opportunity for this round.
We send out more than twice the invitations of the ones who actually submit. So we try, but still, we want to hear what we're missing. That helps us encourage vendors to work something out.
This month the network products were in Mike's lab and the media and device products were in Justin's The results are interesting and I think you'll enjoy this issue.