The interface is completely browser-based and it has a very simplistic feel. Despite this, the majority of tools required to conduct an investigation are present, and all are easy to use. Its design sets the tool apart and made us feel that it is much more suited to incident response as opposed to criminal forensic investigation.
In our test, we conducted a preliminary examination on a networked host running Windows 2000. The initial acquisition of event logs, services and processes running, open ports, and other live data lasted only 47 seconds. Additionally, the services used were named inconspicuously and did not use much computing power. However, when attempting to browse the registry, directory structure, or take an image, the program began to slow considerably. Most notably, taking an image of the suspect PC resulted in a substantial amount of processing power being used. This is most likely mitigated by using the tool's ability to schedule batch jobs during a time of inactivity.
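The live-data categories named above (event logs, services, processes, open ports) are the standard volatile-data set an incident responder pulls before touching the disk. The following PowerShell script is an added example of that collection order on a current Windows host; it is not OnlineDFS code and is not from the review. It assumes an administrator session, a modern Windows build that ships `Get-NetTCPConnection` and `Get-WinEvent`, and a hypothetical case directory `$CaseRoot` on removable or network media so nothing is written to the suspect volume. It also records elapsed time and SHA-256 hashes so the collection can be timed and verified the way the review measured it.

```powershell
# Added example, not part of OnlineDFS: minimal live-response collection of the
# categories the review lists (processes, open ports, services, event logs).
# Assumptions: run elevated on a modern Windows host; $CaseRoot is a hypothetical
# output directory on external media, never on the suspect's own disk.
param(
    [string]$CaseRoot = "E:\cases\HOST01-live",   # placeholder path, set per case
    [int]$EventLogMax = 5000                       # cap per log to keep the run short
)

# Keep going on access-denied errors; one protected process must not abort triage.
$ErrorActionPreference = 'Continue'
New-Item -ItemType Directory -Path $CaseRoot -Force | Out-Null
$sw = [System.Diagnostics.Stopwatch]::StartNew()

# Most volatile first: running processes, then network state, then services, then logs.
Get-Process | Select-Object Id, ProcessName, SessionId, Path |
    Export-Csv (Join-Path $CaseRoot 'processes.csv') -NoTypeInformation

Get-NetTCPConnection |
    Select-Object LocalAddress, LocalPort, RemoteAddress, RemotePort, State, OwningProcess |
    Export-Csv (Join-Path $CaseRoot 'tcp_connections.csv') -NoTypeInformation

Get-Service | Select-Object Name, DisplayName, Status, StartType |
    Export-Csv (Join-Path $CaseRoot 'services.csv') -NoTypeInformation

foreach ($log in 'System', 'Security', 'Application') {
    Get-WinEvent -LogName $log -MaxEvents $EventLogMax |
        Select-Object TimeCreated, Id, ProviderName, LevelDisplayName, Message |
        Export-Csv (Join-Path $CaseRoot "eventlog_$log.csv") -NoTypeInformation
}

$sw.Stop()

# Hash every artifact so the collection can be verified later, and log who ran it and how long it took.
Get-ChildItem $CaseRoot -Filter *.csv |
    Get-FileHash -Algorithm SHA256 |
    Select-Object Hash, Path |
    Export-Csv (Join-Path $CaseRoot 'manifest.sha256.csv') -NoTypeInformation

"Collected $(Get-Date -Format o) by $env:USERNAME on $env:COMPUTERNAME in $([int]$sw.Elapsed.TotalSeconds) s" |
    Set-Content (Join-Path $CaseRoot 'collection.log')
```

The ordering mirrors the point the review makes implicitly: the cheap, fast, volatile items are captured first and the expensive operations (registry walks, full disk imaging) are deferred, ideally to a scheduled window, because they are the ones that load the host and risk altering it.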
Installation went smoothly and activation is required before use. An admin account is the default, and you must add individual investigator accounts as well. The admin account is also used to configure any network settings that may be required. The installation also adds firewall exceptions to the local firewall, but network exceptions may have to be configured in some environments.
OnlineDFS comes with a large PDF manual, but its structure can be confusing at times. However, it does provide a quick 10-minute tour in order to get familiarized with the basic flow of a case within the tool. Despite this, a novice investigator will likely have to read the majority of the document or experiment with the tool before beginning a live case.
At $9,000 for a single user, OnlineDFS is at the top of the spectrum for a software solution.
Strengths: Very quick and non-invasive live analysis.
Weaknesses: A boost in performance and a wider range of support options would be nice.
Verdict: A viable solution for organizations that need incident response, without having to disable the host.