Rules of Evidence – Digital Forensics Tools

Jun 04, 2008

Searching for clues? Here's how to investigate and use digital forensics and e-discovery tools

Digital forensics tools are intended to help security staff, law enforcement and legal investigators identify, collect, preserve and examine data on computer hard drives related to inappropriate and illegal activity, such as cybercrime, e-mail and Internet abuse, fraud, financial mismanagement, unauthorized disclosure of corporate information, intellectual property theft, and so on. Increasingly, these tools are also being applied to e-discovery efforts related to civil litigation and regulatory compliance.

Forensics tools are often confused with other classifications of tools, such as incident management, e-discovery and data recovery. [For a quick look at the major forensic software providers, see The Usual Suspects.] But while they can be used for those purposes, the difference is that they abide by formal evidence processing protocols such as maintaining a chain of custody and avoiding the alteration or compromise of evidence, enabling any findings to be successfully used in a court of law.

In short, while you can apply forensics tools to nonforensics work, it can be risky to use nonforensics tools. “If the evidence you’ve collected is not defensible in court, you’ve severely limited its later applicability,” says Jay Heiser, research VP and analyst at Gartner.

Digital forensics tools generally provide three main capabilities:

Acquisition/collection/preservation: Make a sector-by-sector copy of the hard drive and run checks against those images to verify it’s an exact copy of the original.

Search/analysis: Identify, analyze and keyword-search all relevant data, including deleted, encrypted, hidden, protected and temporary files, as well as virtual memory, application settings, printer spools, etc. Some packages can also detect which Web ports are open and which processes are running.

Reporting: Create a detailed report, including a full audit log. This can help address compliance with Sarbanes-Oxley and other regulations.
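The acquisition and reporting capabilities described above, as an added illustration that is not code from any of the products named in this article: a sector-by-sector copy is hashed as it is read, the written image is re-hashed, and the result goes into an audit log entry; the 512-byte sector size, file names and the sample "drive" contents are constructed for the example.

```python
import hashlib
import json
import os
import tempfile
from datetime import datetime, timezone

SECTOR = 512  # assumed sector size for the sector-by-sector copy

def sha256_of_file(path):
    """Stream a file through SHA-256 so an image larger than RAM can be hashed."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(1 << 20), b""):
            h.update(block)
    return h.hexdigest()

def acquire_image(source, image):
    """Copy `source` sector by sector into `image`, hashing the source as it is read,
    then re-hash the written image. Returns an audit record with both digests."""
    src_hash = hashlib.sha256()
    with open(source, "rb") as src, open(image, "wb") as dst:
        for sector in iter(lambda: src.read(SECTOR), b""):
            src_hash.update(sector)
            dst.write(sector)
    img_digest = sha256_of_file(image)
    return {
        "acquired_utc": datetime.now(timezone.utc).isoformat(),
        "source": source,
        "image": image,
        "bytes": os.path.getsize(image),
        "source_sha256": src_hash.hexdigest(),
        "image_sha256": img_digest,
        "verified": src_hash.hexdigest() == img_digest,
    }

def verify_image(image, expected_sha256):
    """Later integrity check: re-hash the image and compare with the recorded digest."""
    return sha256_of_file(image) == expected_sha256

def demo():
    """Constructed sample 'drive': four sectors, including a deleted-file remnant."""
    tmp = tempfile.mkdtemp()
    source = os.path.join(tmp, "drive.bin")
    with open(source, "wb") as f:
        f.write(b"boot".ljust(SECTOR, b"\x00") + b"budget.xls".ljust(SECTOR, b"\x00")
                + b"deleted memo".ljust(SECTOR, b"\xff") + b"\x00" * SECTOR)
    record = acquire_image(source, os.path.join(tmp, "drive.raw"))
    with open(os.path.join(tmp, "acquisition_log.jsonl"), "a") as log:
        log.write(json.dumps(record) + "\n")   # audit trail entry for the report
    return record
```

Any later change to the image, even a single byte, makes verify_image return False against the digest recorded at acquisition time.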

The 800-pound gorilla of digital forensics is Guidance Software, which released its EnCase Forensic software in 1998. However, most investigators work with a variety of tools, and there are many commercial and open-source tools and utilities available, from suites to specialized point products. Main competitors are AccessData’s FTK and AD Enterprise; Paraben Software’s P2 suite; and Technology Pathways’ ProDiscover suite. Others include New Technologies’ suite of tools, X-Ways Software Technology’s WinHex utility, StepaNet Communications’ DataLifte and ASR Data’s Smart utility. On the open-source side is Sleuth Kit and E-fense’s Helix.

In addition to forensics tools geared toward hard-drive contents, two other types of tools are often used in conjunction with forensics (or e-discovery) work, according to Mark Rhodes-Ousley, an information security architect and author of Network Security: The Complete Reference. For instance, there are “survey tools” that report on exceptions to preconfigured thresholds, including intrusion detection tools, e-mail and log analyzers, Web proxy reporters and network traffic analyzers, he says. In addition, “sliding-window” systems observe the behavior of a system over time, including network monitoring tools such as those from NetWitness, Niksun, and Sandstorm Enterprises.

George Socha, founder of Socha Consulting, compares digital forensics to woodworking. “No one tool will build a piece of furniture,” he says. “Same here--what tools you use depend on what objectives you have in mind.”

Key Decisions

Should you use a service or buy software? There are hundreds of forensics service providers, including many of the vendors that sell forensics tools. So the question becomes whether to outsource this work or invest in software. It stands to reason that if you anticipate several incidents per year or are in an industry with heavy governmental regulations, it may be worth investing in an in-house solution, especially if you can also put the tool to other uses, such as e-discovery, data recovery and incident management. According to Gartner, by 2010 the most litigious companies in financial services, energy, utilities, pharmaceuticals and high-tech will decrease their spending on outsourced e-discovery services by 75 percent and increase their enterprise software spending by 100 percent.

For Affiliated Computer Services, it was less expensive to purchase AD Enterprise than to hire outside help because the software enables the company to respond more quickly to requests, according to Curtis Gatterson, director of digital forensic and e-discovery support at the company. With 58,000 employees in the U.S., the centralized collection network helps him provide litigation support and respond to internal inquiries into policy violations or complaints related to privacy or ethics. “Any Fortune 500 company is going to constantly have inquiries,” he says. “With the amount of cases we process a month, it would be five to 10 times the cost of what we spend with our more proactive approach.”

Should you buy single-workstation software or a tool that works over the network? Traditionally, investigators used manual forensics tools, requiring them to be physically present at the workstation from which they were extracting data. However, more vendors now offer software that works over the network, using remote agent technology to preview and collect evidence without users being aware of it. “It’s much more efficient than sending someone to every single office that might be involved in a discovery request,” Heiser says.

Network-based solutions are more expensive but should be considered by large or distributed environments. For instance, Gatterson upgraded to AD Enterprise after using EnCase Forensic, AccessData’s FTK and other tools for many years. Previously, “we had to put folks on a plane to do collection, which was resource-intensive and time-consuming,” he says. Now, from a central location in Dallas, he can log in to the network, do some quick searches and identify the inquiry subject within a six-hour period.

Are you purchasing the tool to do more than forensics work? According to John Patzakis, vice chairman and chief legal officer at Guidance, customers are increasingly justifying the cost of its EnCase Enterprise product by targeting it not just at forensics but also at e-discovery. “They realize they’re spending $30 million to $40 million on outsourcing their e-discovery function and another $10 million to $20 million in investigations, so the business case is more compelling when they combine [the two processes],” he says.

Both Guidance and AccessData offer an e-discovery module that automates keyword searching around the network to look for relevant documents in pending civil litigation suits or for regulatory compliance.

“If you’re trying to collect all the files having to do with the XYZ merger, you may or may not need to do that in a forensically sound way. But, it’s tough to make that decision, which is why many companies are simply buying products like EnCase,” says Jason Priebe, Of Counsel in the Chicago offices of Seyfarth Shaw.

Evaluation Criteria for Digital Forensics Software

Here are some key criteria to include in your search for the best tool:

Courtroom admissibility. If there’s any chance of needing to use the evidence you collect in court, you should look carefully at which tools have been tested in a courtroom and how much success they’ve had there, according to Rhodes-Ousley. “One of the most important factors to keep in mind is courtroom admissibility of evidentiary data,” he says.

EnCase is not the only tool to fit that bill, but because it’s used extensively by law enforcement, it’s gained a lot of familiarity with judges, Priebe says. “It’s stood the test of experts challenging its sufficiency,” he says. “It’s a little harder when you have to have the IT person saying, Let me tell you how the tool works.”

Ability to preserve only relevant data. Some tools enable you to reduce the volume of data you preserve by filtering out certain types of files such as executables. Or you might be able to narrow down data by using keyword searches or context searching capabilities. “It’s not the blunt instrument that grabs everything and then you sort through it later,” Priebe says. “You can stage it on the storage device and de-duplicate it right then and there.” E-discovery costs rise quickly during the attorney review stage; “Getting data from 2 terabytes to 5GB can save a company millions on one case,” Patzakis says.

Case management capabilities. Especially when running multiple investigations, it’s important to maintain a record of your activities, as well as all the data objects associated with each investigation.

Integration. Many vendors have worked to integrate their tools with other software that aids in forensics work, such as incident management, e-mail analysis, decryption tools, password-recovery tools and so on. Other vendors offer preintegrated modules that extend a tool’s capabilities into areas such as e-discovery, password analysis, e-mail analysis and incident response.

Digital Forensics Dos and Don’ts

DON’T confuse e-discovery with forensics. Some vendors of forensics suites market their tools for e-discovery because the steps involved in forensics work are subsets of the e-discovery process, as defined by the Electronic Discovery Reference Model. The EDRM defines forensics as encompassing identification, preservation and collection--three steps of its overall model, which also includes information management, review, analysis, production and presentation. Vendors such as Guidance and AccessData also sell e-discovery modules.

When using an e-discovery module, the tool doesn’t make a full bit-by-bit copy of the entire hard drive, explains Socha; instead, it uses a keyword search function over the network to locate relevant files in specific folders or drives, he says. This enables the scan to happen much more quickly, according to Patzakis. “It can scan 500 computers in three or four days, which would take three or four months with EnCase Enterprise,” he says.
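The targeted collection contrasted above with full imaging, and the filtering and de-duplication described under "Ability to preserve only relevant data", as one added example that is not code from any product in this article: a directory tree stands in for the network share, executables are dropped without being read, only files matching a keyword are kept, and identical content is recorded once by hash with the other locations noted. The skip list, the keyword and the sample files are all constructed for the example.

```python
import hashlib
import os
import tempfile

SKIP_EXTENSIONS = {".exe", ".dll", ".sys"}  # assumed policy: drop executables unread

def collect_relevant(root, keywords):
    """Walk `root` (stand-in for a network share), skip filtered file types, keep
    files containing any keyword, and de-duplicate identical content by SHA-256.
    Returns (kept_items, stats)."""
    kws = [k.lower() for k in keywords]
    seen = {}
    stats = {"scanned": 0, "filtered": 0, "duplicates": 0, "kept": 0}
    for dirpath, _, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            stats["scanned"] += 1
            if os.path.splitext(name)[1].lower() in SKIP_EXTENSIONS:
                stats["filtered"] += 1
                continue
            with open(path, "rb") as f:
                data = f.read()
            text = data.decode("utf-8", "ignore").lower()
            if not any(k in text for k in kws):
                continue  # not responsive to the request; leave it on the share
            digest = hashlib.sha256(data).hexdigest()
            if digest in seen:
                stats["duplicates"] += 1
                seen[digest]["copies"].append(path)  # same content, record location only
                continue
            seen[digest] = {"sha256": digest, "path": path, "size": len(data), "copies": []}
            stats["kept"] += 1
    return list(seen.values()), stats

def demo():
    """Constructed share: duplicate memos, a reworded memo, an unrelated CSV, an .exe."""
    root = tempfile.mkdtemp()
    sample = {
        "legal/memo1.txt": b"Draft terms for the XYZ merger, privileged.",
        "hr/memo1_fwd.txt": b"Draft terms for the XYZ merger, privileged.",
        "sales/notes.txt": b"Call re xyz MERGER timeline with counsel.",
        "finance/model.csv": b"quarter,revenue\nQ1,100\n",
        "bin/tool.exe": b"MZ\x90\x00 XYZ merger",
    }
    for rel, data in sample.items():
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb") as f:
            f.write(data)
    return collect_relevant(root, ["xyz merger"])
```

The returned manifest carries a hash per kept item, so what was collected can still be tied back to its source even though no bit-by-bit image was taken.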

But while forensics tools can perform e-discovery work, Priebe and others discourage users from doing the opposite--using nonforensics tools for forensics work. “There are plenty of companies that think if you use something like Norton Ghost or the WinZip file utility that it’s an adequate job,” Priebe says. “And it may be, but not against a more skilled opponent who starts questioning the adequacy of what you did in court.”

DO train staff before using these tools. The process behind a forensics investigation is more important than the product you use, Gartner’s Heiser says. And you can’t just learn it on the job--you need to undergo formal training. “There are always stories of clients who say, I’ve captured the data; now you tell me what happened,” he says. “But at that point, the admissibility of the data in a court of law might be totally gone.”

“People will, in good faith, think they’re using a tool and following a process that’s appropriate, but they’re not sufficiently informed sometimes,” Socha says.

DON’T forget PDAs. With the increasing use of handheld devices, chances are you’ll someday need to investigate data held on a PDA or cell phone. Software that supports PDAs includes Palm DD, Pilot-link and Palm OS Emulator, all open-source software; PDA Seizure from Paraben; and Guidance’s Duplicate Disk utility.

DO prepare for sticker shock. EnCase Enterprise Version 6 starts at $25,000. You can spend considerably less by purchasing a workstation-based tool, a less scalable remote-collection tool or one that limits its feature set: for instance, a tool that’s strong in forensics data collection but not in internal policy and compliance investigations, or one that omits the analysis and reporting capabilities.

“Other methods are great for smaller cases, but when many computers are involved or it’s a serious criminal matter involving something like the SEC, EnCase is the gold standard,” Priebe says. “You don’t want to cut butter with a chainsaw, but sometimes you need a chainsaw.”

Others contend you can get similar functionality for far less. Gatterson says it cost him about $2 million to implement AD Enterprise, about half what he would have paid for EnCase Enterprise.

DO expect to use more than one tool. Although the trend is for software vendors to try to be a one-stop shop, most investigators use more than one tool. In fact, NIST compares forensics tools to a Swiss army knife, where many tools specialize in certain functionality that needs to be augmented by others.