AccessData Forensic Suite
Strengths: Well-integrated suite of tools that can be used together or separately following the investigator’s preferences for developing digital forensic evidence.
Weaknesses: None that we encountered.
Verdict: Our hands-down overall favorite forensic tool set. We make this suite a SC Lab Approved tool set for the coming year.
These products are not sold as a kit - but in keeping with our theme of focusing on the investigation instead of the tool - we are grouping them together. We have been using AccessData tools for years and they never disappoint. This year's products under review are no exception. Taken as a suite, these tools provide complete coverage from the field to the lab, and from the first responder to the forensic analyst.
To put that into perspective, suppose that you were going onsite to where a breach occurred and your client suspected a particular insider. As a first responder, you have the ability to gather and view enough evidence from computers with AD Triage to eliminate obviously uninvolved machines. But if you find something in the report that is provided by the tool, you can seize the hard disk and take it back to the lab for a detailed analysis using FTK.
Similarly, if you want to check the mobile devices associated with suspects, you can use nFIELD to dump the phones or tablets and give a quick triage - either eliminating the device or suggesting that it should be seized. All of this can be done by a first responder and the data collected is portable to other tools. So the nFIELD data could go to Mobile Phone Examiner Plus (MPE+) or FTK for detailed analysis.
If you decide that it should go into FTK along with the computer images of disks that you seized, you have a complete picture of all of the evidence that you collected and it shows up under a single pane of glass with the ability to analyse the disparate devices together as a single case.
AD Triage is a simple-to-use forensic data acquisition tool. It is set up in the lab for a particular type of testing - for example, child pornography - and a USB stick is formatted to triage the computers and collect a limited set of evidence. The first responder simply boots suspect computers from the USB and collects the evidence called for by the profile set up by the lab. A quick look at the resulting reports lets the first responder know what, if anything, should be seized.
FTK is as good as it always has been. We used FTK at Norwich University in the forensic classes because it is so easy to learn and use that we could concentrate on teaching computer forensics instead of teaching tools. The addition of Cerberus adds a forensic malware discovery and analysis tool to the brand. One interesting side note: At the university, we ran AD Lab, the network version of FTK, from our virtual environment for our classes with excellent results.
MPE+ is a strong mobile device forensic tool. It covers a wide range of mobile devices - more than 7,000 at this writing - and can extract data particularly related to social media use. With the optional VELOCITOR add-in, 95 percent of Chinese knock-off phones can be analysed. The tool includes 1,300 unique profiles for analysis of devices that often cause difficulties for analysts. Using SQL Builder and PythonScripter, users can create custom queries that be run automatically.
Finally, nFIELD is a mobile device triage tool much as AD Triage is for computers. It has all of the data collection capabilities of MPE+ without the analytics. It can save device images in AD1 format for import into other AccessData tools. It is the ideal tool for first responders since the training required is minimal.
Support and documentation are what you would expect from a company such as AccessData and we have watched the website improve over the years. Everything is there you could want to assist AccessData tools.