Product Group Tests
Digital forensics (2010)
Paraben's Device Seizure v3.3 is one of the best mobile phone forensics solutions available for its price. It is the Best Buy this month.
We rate Niksun NetDetector and NetVCR v4.0 Recommended for its wide range of excellent features.
ProDiscover Incident Response 6.1 is rated Approved for SC Labs, due to its excellent features and interface.
Full Group Summary
Digital forensics continues its evolution towards the perfect product for investigators. By Keith Gilbert
Digital forensics is a field that never stops evolving and there is a need for constant research. This often results in new products suited for a specific purpose. The forensic tool market has been growing quickly in order to meet the needs of investigators. This year's group test is largely composed of these specialised products, with a notable exception or two.
Some investigators may not like the idea of having a specialised tool for each specific problem that needs to be solved. More products mean you could potentially spend more time in court explaining how each one works, which most likely is not anyone's idea of fun. It could also require more resources from your organisation. However, there are also benefits to many of these specialised tools. Since they are designed for one specific purpose, many offer more robust options than an all-in-one solution. Similarly, many are very efficient, and therefore do not require the computing resources that some larger solutions do. That also makes them very well suited for field use.
We tested a couple of all-in-one solutions, as well as a selection of specialised tools for analysing mobile devices. These quickly and easily collect volatile data and analyse the use of peer-to-peer (P2P) software, real-time network surveillance and reconstruction and network-based drive mapping. It is likely that many of these products were created to answer an express need of some segment of the forensics community. The ability of these to complement traditional forensic solutions is exemplary and can often speed up an investigation greatly.
An examiner should always understand how a tool that he or she uses works. Testing products before using them in a production environment is always of great importance.
How we tested
Testing varied greatly due to the wide range of products reviewed. The larger tools were tested in our standard test bed. Additionally, we were able to use this for several of the specialised solutions, with minor modifications. For example, we generated live traffic for use with the network reconstruction tool and we installed various P2P applications on some of our machines to test out the P2P detection tool.
As always, the products were not pitted against each other. Instead, they were rated based upon how well they carried out the functionality advertised by the manufacturers.
Buying a digital forensic solution
For some organisations, the decision of which product to purchase next may result from whichever problem most recently surfaced. If an urgent case would benefit from the acquisition of a certain tool, then that is what the organisation buys.
However, a more likely scenario is that you will need to go through a lengthy purchasing process. If this is the case, a cost-benefit analysis will help determine which product should come next. If your organisation is mainly dealing with policy violations, a network reconstruction or peer-to-peer analysis tool may save time and money in the future.
Of course, this all assumes you already have a general forensics tool. If you do not, or you are in the market for a new one, then you have to prioritise your need for a specific solution or the ability to carry out several different tasks with one tool. Most of the general products are very mature, as they have had several years to integrate new functionality, get court-tested and become very stable.
The acquisition of digital forensic tools requires a bit of thought and the decision as to whether you should go with a one-size-fits-all general purpose one or add some specialised products will depend upon your situation.
Besides this writer, the testing/reviewing team from Norwich University in the US this year consisted of: Boulat Chainourov, Cory Cunningham, Cameron Davis, Eric Knopf, Gary Leavenworth, Katherine Ly, George Maxfield, David Nicklas, Chris Pashley, Chris Swanson, Nick Talcott, Travis Tyler, Gianpaolo Wible, Emily Wivell and Kevin Zittritsch. All of these students, now graduated, performed the testing of the products assigned to them, as well as producing the reviews. All of the testing was performed in the digital forensics laboratory in the Norwich University Advanced Computing Center (NUACC) under the supervision of Dr. Peter Stephenson, technology editor for SC Magazine and director of the NUACC.