Rules of Evidence - Digital Forensics Tools

Searching for clues? Here's how to investigate and use digital forensics and e-discovery tools

June 04, 2008 — Digital forensics tools are intended to help security staff, law enforcement and legal investigators identify, collect, preserve and examine data on computer hard drives related to inappropriate and illegal activity, such as cybercrime, e-mail and Internet abuse, fraud, financial mismanagement, unauthorized disclosure of corporate information, intellectual property theft, and so on. Increasingly, these tools are also being applied to e-discovery efforts related to civil litigation and regulatory compliance.

Forensics tools are often confused with other classifications of tools, such as incident management, e-discovery and data recovery. [For a quick look at the major forensic software providers, see The Usual Suspects.] But while they can be used for those purposes, the difference is that they abide by formal evidence processing protocols such as maintaining a chain of custody and avoiding the alteration or compromise of evidence, enabling any findings to be successfully used in a court of law.

In short, while you can apply forensics tools to nonforensics work, it can be risky to use nonforensics tools. "If the evidence you've collected is not defensible in court, you've severely limited its later applicability," says Jay Heiser, research VP and analyst at Gartner.

Digital forensics tools generally provide three main capabilities:
Acquisition/collection/preservation: Make a sector-by-sector copy of the hard drive and run checks against those images to verify it's an exact copy of the original.
Search/analysis: Identify, analyze and keyword-search all relevant data, including deleted, encrypted, hidden, protected and temporary files, as well as virtual memory, application settings, printer spools, etc. Some packages can also detect which Web ports are open and which processes are running.
Reporting: Create a detailed report, including a full audit log. This can help address compliance with Sarbanes-Oxley and other regulations.

The 800-pound gorilla of digital forensics is Guidance Software, which released its EnCase Forensic software in 1998. However, most investigators work with a variety of tools, and there are many commercial and open-source tools and utilities available, from suites to specialized point products. Main competitors are AccessData's FTK and AD Enterprise; Paraben Software's P2 suite; and Technology Pathways' ProDiscover suite. Others include New Technologies' suite of tools, X-Ways Software Technology's WinHex utility, StepaNet Communications' DataLifte and ASR Data's Smart utility. On the open-source side is Sleuth Kit and E-fense's Helix.

In addition to forensics tools geared toward hard-drive contents, two other types of tools are often used in conjunction with forensics (or e-discovery) work, according to Mark Rhodes-Ousley, an information security architect and author of Network Security: The Complete Reference. For instance, there are "survey tools" that report on exceptions to preconfigured thresholds, including intrusion detection tools, e-mail and log analyzers, Web proxy reporters and network traffic analyzers, he says. In addition, "sliding-window" systems observe the behavior of a system over time, including network monitoring tools such as those from NetWitness, Niksun, and Sandstorm Enterprises.