Rules of Evidence and how to

Evaluation Criteria for Digital Forensics Software

Here are some key criteria to include in your search for the best tool:
Courtroom admissibility. If there's any chance of needing to use the evidence you collect in court, you should look carefully at which tools have been tested in a courtroom and how much success they've had there, according to Rhodes-Ousley. "One of the most important factors to keep in mind is courtroom admissibility of evidentiary data," he says.

EnCase is not the only tool to fit that bill, but because it's used extensively by law enforcement, it's gained a lot of familiarity with judges, Priebe says. "It's stood the test of experts challenging its sufficiency," he says. "It's a little harder when you have to have the IT person saying, Let me tell you how the tool works."

Ability to preserve only relevant data. Some tools enable you to reduce the volume of data you preserve by filtering out certain types of files such as executables. Or you might be able to narrow down data by using keyword searches or context searching capabilities. "It's not the blunt instrument that grabs everything and then you sort through it later," Priebe says. "You can stage it on the storage device and de-duplicate it right then and there." E-discovery costs rise quickly during the attorney review stage; "Getting data from 2 terabytes to 5GB can save a company millions on one case," Patzakis says.
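As an added illustration (not code from the article or from any vendor's product), the following Python sketch shows the targeted-preservation idea described above: skip executables, keep only files that match a keyword, and de-duplicate by SHA-256 at staging time while still recording every location a duplicate was found at, so the staged set shrinks without losing provenance. The extension list, the keyword and the sample files are constructed assumptions.

```python
import hashlib
import tempfile
from pathlib import Path

EXEC_EXTS = {".exe", ".dll", ".sys", ".com", ".scr"}  # hypothetical exclusion policy

def is_executable(path):
    """Exclude by extension and by the "MZ" PE header, so a renamed .exe is still caught."""
    if path.suffix.lower() in EXEC_EXTS:
        return True
    with path.open("rb") as f:
        return f.read(2) == b"MZ"

def collect(root, keywords):
    """Stage non-executable keyword hits once per distinct content; record all paths."""
    manifest = {}  # sha256 -> {"paths": [...], "size": n}
    skipped = {"executable": 0, "no_keyword": 0, "duplicate": 0}
    needles = [k.lower().encode() for k in keywords]
    for path in sorted(p for p in Path(root).rglob("*") if p.is_file()):
        if is_executable(path):
            skipped["executable"] += 1
            continue
        data = path.read_bytes()
        if not any(n in data.lower() for n in needles):
            skipped["no_keyword"] += 1
            continue
        digest = hashlib.sha256(data).hexdigest()
        rel = str(path.relative_to(root))
        if digest in manifest:  # identical bytes already staged: note the path only
            skipped["duplicate"] += 1
            manifest[digest]["paths"].append(rel)
        else:
            manifest[digest] = {"paths": [rel], "size": len(data)}
    return manifest, skipped

def build_sample_tree():
    """Constructed sample tree (not real evidence) so the example runs offline."""
    root = tempfile.mkdtemp()
    samples = {
        "memo.txt": b"Project Falcon budget memo",
        "backup/memo_copy.txt": b"Project Falcon budget memo",  # exact duplicate
        "notes.txt": b"lunch order",                            # no keyword hit
        "tool.exe": b"MZ\x90\x00stub",                          # excluded by extension
        "renamed.dat": b"MZ\x90\x00stub",                       # excluded by PE header
    }
    for rel, data in samples.items():
        p = Path(root) / rel
        p.parent.mkdir(parents=True, exist_ok=True)
        p.write_bytes(data)
    return root
```

The manifest's content hashes are also what an examiner would later re-compute to show the staged copies are unchanged, which is the integrity record a plain file copy does not give you.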

Case management capabilities. Especially when running multiple investigations, it's important to maintain a record of your activities, as well as all the data objects associated with each investigation.

Integration. Many vendors have worked to integrate their tools with other software that aids in forensics work, such as incident management, e-mail analysis, decryption tools, password-recovery tools and so on. Other vendors offer preintegrated modules that extend a tool's capabilities into areas such as e-discovery, password analysis, e-mail analysis and incident response.

Digital Forensics Dos and Don'ts

DON'T confuse e-discovery with forensics. Some vendors of forensics suites are marketing their tools for e-discovery because the steps involved in forensics work are, in fact, a subset of the e-discovery process as defined by the Electronic Discovery Reference Model. The EDRM defines forensics as encompassing identification, preservation and collection—three steps of its overall model, which also includes information management, review, analysis, production and presentation. Vendors such as Guidance and AccessData also sell e-discovery modules.

When using an e-discovery module, the tool doesn't make a full bit-by-bit copy of the entire hard drive, explains Socha; instead, it uses a keyword search function over the network to locate relevant files in specific folders or drives, he says. This enables the scan to happen much more quickly, according to Patzakis. "It can scan 500 computers in three or four days, which would take three or four months with EnCase Enterprise," he says.

But while forensics tools can perform e-discovery work, Priebe and others discourage users from doing the opposite—using nonforensics tools for forensics work. "There are plenty of companies that think if you use something like Norton Ghost or the WinZip file utility that it's an adequate job," Priebe says. "And it may be, but not against a more skilled opponent who starts questioning the adequacy of what you did in court."

DO train staff before using these tools. The process related to a forensics investigation is more important than the product you use, Gartner says. And you can't just learn it on the job—you need to undergo formal training. "There are always stories of clients who say, I've captured the data; now you tell me what happened," he says. "But at that point, the admissibility of the data in a court of law might be totally gone."

"People will, in good faith, think they're using a tool and following a process that's appropriate, but they're not sufficiently informed sometimes," Socha says.

DON'T forget PDAs. With the increasing use of handheld devices, chances are you'll someday need to investigate data held on a PDA or cell phone. Software that supports PDAs includes Palm DD, Pilot-link and Palm OS Emulator, all open-source software; PDA Seizure from Paraben; and Guidance's Duplicate Disk utility.

DO prepare for sticker shock. EnCase Enterprise Version 6 starts at $25,000. You can spend considerably less by purchasing a workstation-based tool, a less scalable remote-collection tool or one that limits its feature set, for instance, a tool that's strong in forensics data collection and not internal policy and compliance investigations, or one that eliminates the analysis and reporting capabilities.

"Other methods are great for smaller cases, but when many computers are involved or it's a serious criminal matter involving something like the SEC, EnCase is the gold standard," Priebe says. "You don't want to cut butter with a chainsaw, but sometimes you need a chainsaw."

Others contend you can get similar functionality for far less. Gatterson says it cost him about $2 million to implement AD Enterprise, about half what he would have paid for EnCase Enterprise.

DO expect to use more than one tool. Although the trend is for software vendors to try to be a one-stop shop, most investigators use more than one tool. In fact, NIST compares forensics tools to a Swiss army knife, where many tools specialize in certain functionality that needs to be augmented by others.

By Mary Brandel