Network Security

Forensic tools

This is my favorite section. Each year, we look at the burgeoning field of digital forensics and try to figure out which companies are doing the heavy lifting in terms of innovation. We have had several excellent teams in this section in the past, and some moved on to the Hall of Fame last year. This year, we have picked two exceptional forensic tool innovators: One from the world of computer and small devices, and one from the network.

Digital forensics is a difficult field to analyze because there are a couple of philosophies to which reviewers must pander. First, there is what I refer to as the “Swiss Army Knife” philosophy. This is the “every-tool-in-one-box” approach. Everything forensic is in a single program. There are some advantages to that in terms of cost and ease of use, since everything the analyst needs is integrated together. 

There are some disadvantages, as well. For example, it is unlikely that a computer forensic tool will have all of the capabilities needed all the time. That usually means adding third-party tools into the mix.

The second philosophy is an individual tool for each function. Besides the obvious impact of cost, there also is the problem of analysts becoming proficient in all tools needed to conduct a digital forensic analysis. On the other hand, one might argue that the individual tools were purpose-built and, therefore, more appropriate. This does not take into account the difficulty of integrating disparate forensic findings into a coherent investigation/report.

The two Innovators we selected this year in our forensic category take a middle-of-the-road approach. Both have extensive product lines, but those solutions integrate their outputs well for case-level analysis. Also, both have multiple functions in their flagship products, with a roadmap for increasing that functionality. We anticipate that at some point there will be some overlap in these two products and, naïve though it may seem, they will be able to form the core of one's digital forensic tool box. To a certain degree, they do that now.

NetOmni Alpine from NIKSUN

These guys, in the vernacular of some on the right-hand coast, are wicked smart. To be sure, there is a lot of technology in what they do, but what makes them Innovators is not so much what they do, but how they do it. Their flagship product, NetOmni Alpine, is delivered on a hardware platform (up to 2U form-factor) that is deployed in a customer's network or security operations center, or a similar central location.

All distributed NIKSUN appliances deployed in the customer network need to be accessible from the NetOmni system so data can be exchanged. With this approach, the user achieves pervasive network forensic captures that can be analyzed in real time or after the fact. That is a very important point, by the way. Some forensic tools may claim to be network forensic tools when they mean that they are network aware and can capture platform data over the network. True network forensic tools, however, must be able to capture and analyze network traffic, reconstruct network sessions and provide tracing capabilities for attribution purposes.

All that is interesting, and it certainly has made NIKSUN an innovator, but what comes next? To be an innovator, a company must continue creating better products. When we asked the visionary we were talking to what's next, he told us that the next challenge is to have a global view of data presented in a user-friendly manner. That means one to two clicks to the data. Also high on the list is improving the efficiency of workflow, looking at how users attack problems, and seeking to make it smoother and more intuitive.

It takes curious and knowledgeable people to get these difficult tasks accomplished, so NIKSUN relies on a motivated staff. It doesn't spend a lot of money advertising, rather it focuses on doing the products right. 

Its next step is to make workflow more efficient through automation. The company needs to handle lots of data and leverage lower-level people in the customer's operation. This is a more efficient way to do network forensics than forcing all of the analysis to be performed manually by experts.

The step after that is to leverage the data to be predictive and then feed that back into the cycle. Sounds pretty ambitious, but I'm betting this team will pull it off.


Vendor: NIKSUN 

Flagship product: NetOmni Alpine

Cost: $46,580, basic list price

Innovation: The first serious, real-time network forensic analysis tool.

Greatest strength: Pure, raw creativity and drive to be the best no matter what.

Forensic Toolkit (FTK) from AccessData Group 

Here's another one of the forensic good guys. But, they are substantially different from some of their competitors. For starters, they are one of the oldest companies in the game with a pedigree going back more than 20 years. Last year, we recognized AccessData as a mainstay in the forensic business and, to be sure, they are. But when one has been around a long time, it gets harder and harder to come up with new things. Nowhere is that more obvious than in the digital forensic marketplace.

True, there are some fine companies that are doing very interesting things. Some are quite small. Others are larger, but have focused on continuous improvement in what they have – a notable approach. But true innovation is a tough beast to find, and the folks at AccessData seem to have found it. More and more, they are creeping up on a more comprehensive approach to digital forensic analysis.

One of the powerful things about the AccessData strategy is its view of digital forensic data. It always is about the case at hand. Data collected using other AccessData tools usually slots right into the case so that the analyst can consider the whole picture. We have found that view to be most useful when using the AccessData suite of products.

So, where do you go when you need to develop innovation in what looks like a mature market? First, you acknowledge that it is anything but mature, no matter how other vendors treat it. Then you set about to prove the thesis. One starts by identifying weaknesses in the current crop of products. One major weakness is how relationships between digital forensic data may be visualized. These can be seriously important because they point out subtleties that help solve the case. 

Malware analysis always has been delegated to third-party tools, and some very good ones at that. But what if one could add that analysis into computer forensics directly? OK, add that to the list. Finally, we'd like to be able to access computers over the network like some other folks do. We can do that. Add it to the next release. And on it goes. Find the problem by listening to the customer, and go find a solution for it.


Vendor: AccessData Group 

Flagship product: Forensic Toolkit (FTK)

Cost: $2,995

Innovation: Vision to see what the forensic tool industry really needs, and developing a holistic suite of products to provide it.

Greatest strength: Vision, creativity and drive.
