Rules of Evidence and how to

Searching for clues? Here's how to investigate and use digital forensics and e-discovery tools.

Digital forensics tools are intended to help security staff, law enforcement and legal investigators identify, collect, preserve and examine data on computer hard drives related to inappropriate and illegal activity, such as cybercrime, e-mail and Internet abuse, fraud, financial mismanagement, unauthorized disclosure of corporate information, intellectual property theft, and so on. Increasingly, these tools are also being applied to e-discovery efforts related to civil litigation and regulatory compliance.

Forensics tools are often confused with other classes of tools, such as incident management, e-discovery and data recovery tools. They can be used for those purposes, but the difference is that they follow formal evidence-handling protocols, such as maintaining a chain of custody and never altering or compromising the evidence, so that any findings can stand up in a court of law.

In short, while you can apply forensics tools to nonforensics work, using nonforensics tools for forensics work is risky. "If the evidence you've collected is not defensible in court, you've severely limited its later applicability," says Jay Heiser, research VP and analyst at Gartner.

Digital forensics tools generally provide three main capabilities:

- Acquisition/collection/preservation: Make a bit-for-bit (sector-by-sector) image of the hard drive without writing to the original, then compute cryptographic hashes of the original and of the image and compare them to verify that the copy is exact.

- Search/analysis: Identify, analyze and keyword-search all relevant data, including deleted, encrypted, hidden, protected and temporary files, as well as virtual memory, application settings, printer spools, etc. Some packages can also detect which network ports are open and which processes are running on a live system.

- Reporting: Create a detailed report, including a full audit log. This can help address compliance with Sarbanes-Oxley and other regulations.
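The acquisition and verification step described above, as an added example written for this page (it is not code from EnCase, FTK or any other product named here): the source is read strictly read-only in sector-aligned chunks, every byte is hashed as it is copied, the finished image is re-hashed independently from disk, and a chain-of-custody record captures who imaged what, when, and the resulting hashes. The sample "drive" is a constructed temporary file, the examiner ID and paths are hypothetical, and the assumption that a physical disk would sit behind a hardware write blocker is the author's, not the page's.

```python
"""Forensic-style acquisition of a drive image with hash verification and a
chain-of-custody record. Example code for this page; not EnCase, FTK or any
other product's implementation."""
import hashlib
import json
import os
import tempfile
import time

SECTOR = 512                 # classic sector size
CHUNK = SECTOR * 8192        # 4 MiB reads, always a multiple of the sector size

# Constructed sample drive contents (1,562 bytes): a recognisable string
# followed by a deterministic filler so the hashes are reproducible.
SAMPLE = b"Evidence: XYZ merger memo\n" + bytes(range(256)) * 6


def hash_bytes(data):
    """MD5 and SHA-256 of an in-memory buffer (handy for checking a sample)."""
    return {"md5": hashlib.md5(data).hexdigest(),
            "sha256": hashlib.sha256(data).hexdigest()}


def hash_file(path, chunk=CHUNK):
    """Hash a file or block device read-only, streaming rather than loading it."""
    md5, sha256 = hashlib.md5(), hashlib.sha256()
    size = 0
    with open(path, "rb") as f:
        for buf in iter(lambda: f.read(chunk), b""):
            md5.update(buf)
            sha256.update(buf)
            size += len(buf)
    return {"bytes": size, "md5": md5.hexdigest(), "sha256": sha256.hexdigest()}


def acquire(source, image, chunk=CHUNK):
    """Copy source -> image, hashing the bytes as they are read.

    The source is opened 'rb' only; nothing is ever written to it (for a real
    disk a hardware write blocker is still the control that guarantees this).
    Read errors are not masked: how to treat a bad sector (e.g. pad and
    continue, as dd's conv=noerror,sync does) is the examiner's decision.
    """
    md5, sha256 = hashlib.md5(), hashlib.sha256()
    size = 0
    with open(source, "rb") as src, open(image, "wb") as dst:
        for buf in iter(lambda: src.read(chunk), b""):
            md5.update(buf)
            sha256.update(buf)
            dst.write(buf)
            size += len(buf)
        dst.flush()
        os.fsync(dst.fileno())   # make sure the image really is on disk
    return {"bytes": size, "md5": md5.hexdigest(), "sha256": sha256.hexdigest()}


def verify(image, acquisition):
    """Re-hash the image from disk and compare with the hashes taken during
    acquisition. Both digests and the byte count must match (the count
    catches a truncated image even before the digests are compared)."""
    on_disk = hash_file(image)
    return all(on_disk[k] == acquisition[k] for k in ("bytes", "md5", "sha256"))


def custody_record(examiner, source, image, acquisition, verified):
    """One chain-of-custody entry: who imaged what, when, and the hashes."""
    return {
        "examiner": examiner,
        "source": source,
        "image": image,
        "acquired_utc": time.strftime("%Y-%m-%dT%H:%M:%SZ", time.gmtime()),
        "bytes": acquisition["bytes"],
        "md5": acquisition["md5"],
        "sha256": acquisition["sha256"],
        "verified": verified,
    }


def demo():
    """Image the constructed sample, verify it, then flip one byte in the
    image to show the verification fail. Returns (ok, ok_after_tamper, record)."""
    with tempfile.TemporaryDirectory() as d:
        src = os.path.join(d, "sample_drive.bin")   # hypothetical source path
        img = os.path.join(d, "sample_drive.dd")    # hypothetical image path
        with open(src, "wb") as f:
            f.write(SAMPLE)
        acq = acquire(src, img)
        ok = verify(img, acq)
        record = custody_record("examiner-01", src, img, acq, ok)
        with open(img, "r+b") as f:                 # tamper with the image
            f.seek(SECTOR)
            b = f.read(1)
            f.seek(SECTOR)
            f.write(bytes([b[0] ^ 0x01]))
        tampered_ok = verify(img, acq)
    return ok, tampered_ok, record


if __name__ == "__main__":
    ok, tampered_ok, record = demo()
    print(json.dumps(record, indent=2))
    print("verified:", ok, "after tamper:", tampered_ok)
```

Recording two digests is deliberate: MD5 is still what many older reports and tools quote, but it is collision-prone, so the SHA-256 value is the one that actually underwrites the image's integrity. In practice the record would be appended to an audit log that the reporting stage later folds into the final report.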

The 800-pound gorilla of digital forensics is Guidance Software, which released its EnCase Forensic software in 1998. However, most investigators work with a variety of tools, and there are many commercial and open-source tools and utilities available, from suites to specialized point products. Main competitors are AccessData's FTK and AD Enterprise; Paraben Software's P2 suite; and Technology Pathways' ProDiscover suite. Others include New Technologies' suite of tools, X-Ways Software Technology's WinHex utility, StepaNet Communications' DataLifte and ASR Data's Smart utility. On the open-source side are The Sleuth Kit and E-fense's Helix.

In addition to forensics tools geared toward hard-drive contents, two other types of tools are often used in conjunction with forensics (or e-discovery) work, according to Mark Rhodes-Ousley, an information security architect and author of Network Security: The Complete Reference. For instance, there are "survey tools" that report on exceptions to preconfigured thresholds, including intrusion detection tools, e-mail and log analyzers, Web proxy reporters and network traffic analyzers, he says. In addition, "sliding-window" systems observe the behavior of a system over time, including network monitoring tools such as those from NetWitness, Niksun, and Sandstorm Enterprises.

George Socha, founder of Socha Consulting, compares digital forensics to woodworking. "No one tool will build a piece of furniture," he says. "Same here—what tools you use depend on what objectives you have in mind."

Key Decisions

Should you use a service or buy software? There are hundreds of forensics service providers, including many of the vendors that sell forensics tools. So the question becomes whether to outsource this work or invest in software. It stands to reason that if you anticipate several incidents per year or are in an industry with heavy governmental regulations, it may be worth investing in an in-house solution, especially if you can also put the tool to other uses, such as e-discovery, data recovery and incident management. According to Gartner, by 2010 the most litigious companies in financial services, energy, utilities, pharmaceuticals and high-tech will decrease their spending on outsourced e-discovery services by 75 percent and increase their enterprise software spending by 100 percent.

For Affiliated Computer Services, it was less expensive to purchase AD Enterprise than to hire outside help because the software enables the company to respond more quickly to requests, according to Curtis Gatterson, director of digital forensic and e-discovery support at the company. The company has 58,000 employees in the U.S., and the centralized collection network helps him provide litigation support and respond to internal inquiries into policy violations or complaints related to privacy or ethics. "Any Fortune 500 company is going to constantly have inquiries," he says. "With the amount of cases we process a month, it would be five to 10 times the cost of what we spend with our more proactive approach."

Should you buy single-workstation software or a tool that works over the network? Traditionally, investigators used manual forensics tools, requiring them to be physically present at the workstation from which they were extracting data. However, more vendors now offer software that works over the network, using remote agent technology to preview and collect evidence without users being aware of it. "It's much more efficient than sending someone to every single office that might be involved in a discovery request," Heiser says.

Network-based solutions are more expensive but should be considered by large or distributed environments. For instance, Gatterson upgraded to AD Enterprise after using EnCase Forensic, AccessData's FTK and other tools for many years. Previously, "we had to put folks on a plane to do collection, which was resource-intensive and time-consuming," he says. Now, from a central location in Dallas, he can log in to the network, run some quick searches and identify the subject of an inquiry within a six-hour period.

Are you purchasing the tool to do more than forensics work? According to John Patzakis, vice chairman and chief legal officer at Guidance, customers are increasingly justifying the cost of its EnCase Enterprise product by targeting it not just at forensics but also at e-discovery. "They realize they're spending $30 million to $40 million on outsourcing their e-discovery function and another $10 million to $20 million in investigations, so the business case is more compelling when they combine [the two processes]," he says.

Both Guidance and AccessData offer an e-discovery module that automates keyword searching across the network to find documents relevant to pending civil litigation or to regulatory compliance.

"If you're trying to collect all the files having to do with the XYZ merger, you may or may not need to do that in a forensically sound way. But, it's tough to make that decision, which is why many companies are simply buying products like EnCase," says Jason Priebe, Of Counsel in the Chicago offices of Seyfarth Shaw.