Toolbox
Rules of Evidence - Digital Forensics Tools
Searching for clues? Here's how to investigate and use digital forensics and e-discovery tools
By Mary Brandel
Case management capabilities. Especially when running multiple investigations, it's important to maintain a record of your activities, as well as all the data objects associated with each investigation.
Integration. Many vendors have worked to integrate their tools with other software that aids in forensics work, such as incident management, e-mail analysis, decryption tools, password-recovery tools and so on. Other vendors offer preintegrated modules that extend a tool's capabilities into areas such as e-discovery, password analysis, e-mail analysis and incident response.
Digital Forensics Dos and Don'ts
DON'T confuse e-discovery with forensics. Some vendors of forensics suites are marketing their tools for e-discovery because, in fact, the steps involved with forensics work are actually subsets of the e-discovery process, as defined by the Electronic Discovery Reference Model. The EDRM defines forensics as encompassing identification, preservation and collection—three steps of its overall model, which also includes information management, review, analysis, production and presentation. Vendors such as Guidance and AccessData also sell e-discovery modules.
When using an e-discovery module, the tool doesn't make a full bit-by-bit copy of the entire hard drive, explains Socha; instead, it uses a keyword search function over the network to locate relevant files in specific folders or drives, he says. This enables the scan to happen much more quickly, according to Patzakis. "It can scan 500 computers in three or four days, which would take three or four months with EnCase Enterprise," he says.
But while forensics tools can perform e-discovery work, Priebe and others discourage users from doing the opposite—using nonforensics tools for forensics work. "There are plenty of companies that think if you use something like Norton Ghost or the WinZip file utility that it's an adequate job," Priebe says. "And it may be, but not against a more skilled opponent who starts questioning the adequacy of what you did in court."
DO train staff before using these tools. The process related to a forensics investigation is more important than the product you use, Gartner says. And you can't just learn it on the job—you need to undergo formal training. "There are always stories of clients who say, I've captured the data; now you tell me what happened," he says. "But at that point, the admissibility of the data in a court of law might be totally gone."
"People will, in good faith, think they're using a tool and following a process that's appropriate, but they're not sufficiently informed sometimes," Socha says.
DON'T forget PDAs. With the increasing use of handheld devices, chances are you'll someday need to investigate data held on a PDA or cell phone. Software that supports PDAs includes Palm DD, Pilot-link and Palm OS Emulator, all open-source software; PDA Seizure from Paraben; and Guidance's Duplicate Disk utility.
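The contrast Socha and Priebe draw above, between a bit-for-bit forensic image and an ordinary utility copy, as an added Python example that is not from the article or any vendor's product. The eight-sector volume, the allocated-sector table and the deleted remnant are constructed sample data; a real acquisition reads a block device and writes a write-blocked image file, but the verification logic is the same.

```python
import hashlib

SECTOR = 512

# Constructed sample volume: sectors 1-2 hold a live file the file system still
# lists; sector 5 holds the leftover content of a file that was deleted.
LIVE_FILE = b"Q3 budget, final version, approved"
DELETED_REMNANT = b"Q3 budget draft: figures revised before review"
ALLOCATED = {1, 2}  # sectors the (simulated) file system reports as in use


def build_volume() -> bytes:
    vol = bytearray(8 * SECTOR)
    vol[1 * SECTOR:1 * SECTOR + len(LIVE_FILE)] = LIVE_FILE
    vol[5 * SECTOR:5 * SECTOR + len(DELETED_REMNANT)] = DELETED_REMNANT
    return bytes(vol)


def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def acquire_bitstream(source: bytes) -> tuple[bytes, dict]:
    """Forensic-style acquisition: every sector is copied, allocated or not,
    and the image hash is compared with the source hash taken beforehand."""
    source_hash = sha256(source)
    image = bytes(source)
    return image, {"method": "bitstream", "source_sha256": source_hash,
                   "image_sha256": sha256(image),
                   "verified": sha256(image) == source_hash}


def logical_copy(source: bytes, allocated: set[int]) -> tuple[bytes, dict]:
    """What a backup or archive utility does: copy only the live files, so
    unallocated space (deleted data, slack) never reaches the copy and the
    copy's hash cannot be tied back to the original media."""
    copy = b"".join(source[s * SECTOR:(s + 1) * SECTOR] for s in sorted(allocated))
    return copy, {"method": "logical", "source_sha256": sha256(source),
                  "image_sha256": sha256(copy),
                  "verified": sha256(copy) == sha256(source)}


def verify_image(image: bytes, record: dict) -> bool:
    """Re-hash a stored image against its acquisition record (tamper check)."""
    return sha256(image) == record["image_sha256"] == record["source_sha256"]


if __name__ == "__main__":
    vol = build_volume()
    for data, rec in (acquire_bitstream(vol), logical_copy(vol, ALLOCATED)):
        print(rec["method"], "verified:", verify_image(data, rec),
              "deleted remnant present:", DELETED_REMNANT in data)
```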