Toolbox
Rules of Evidence - Digital Forensics Tools
Searching for clues? Here's how to investigate and use digital forensics and e-discovery tools
By Mary Brandel
George Socha, founder of Socha Consulting, compares digital forensics to woodworking. "No one tool will build a piece of furniture," he says. "Same here—what tools you use depend on what objectives you have in mind."
Key Decisions
Should you use a service or buy software? There are hundreds of forensics service providers, including many of the vendors that sell forensics tools. So the question becomes whether to outsource this work or invest in software. It stands to reason that if you anticipate several incidents per year or are in an industry with heavy governmental regulations, it may be worth investing in an in-house solution, especially if you can also put the tool to other uses, such as e-discovery, data recovery and incident management. According to Gartner, by 2010 the most litigious companies in financial services, energy, utilities, pharmaceuticals and high-tech will decrease their spending on outsourced e-discovery services by 75 percent and increase their enterprise software spending by 100 percent.
For Affiliated Computer Services, it was less expensive to purchase AD Enterprise than to hire outside help because the software enables the company to respond more quickly to requests, according to Curtis Gatterson, director of digital forensic and e-discovery support at the company. With 58,000 employees in the U.S., the centralized collection network helps him provide litigation support and respond to internal inquiries into policy violations or complaints related to privacy or ethics. "Any Fortune 500 company is going to constantly have inquiries," he says. "With the amount of cases we process a month, it would be five to 10 times the cost of what we spend with our more proactive approach."
Should you buy single-workstation software or a tool that works over the network? Traditionally, investigators used manual forensics tools, requiring them to be physically present at the workstation from which they were extracting data. However, more vendors now offer software that works over the network, using remote agent technology to preview and collect evidence without users being aware of it. "It's much more efficient than sending someone to every single office that might be involved in a discovery request," Heiser says.
Network-based solutions are more expensive but are worth considering for large or distributed environments. For instance, Gatterson upgraded to AD Enterprise after using EnCase Forensic, AccessData's FTK and other tools for many years. Previously, "we had to put folks on a plane to do collection, which was resource-intensive and time-consuming," he says. Now, from a central location in Dallas, he can log in to the network, do some quick searches and identify the inquiry subject within a six-hour period.



