Product Group Tests
Forensic tools (2007)
We liked WetStone Technologies' Gargoyle Investigator Forensic Pro Edition v. 2.6.1 a lot for its utility, value and ease of use. We award it our Best Buy.
For its very high value, ease of use and solid functionality we give Technology Pathways' ProDiscover IR v. 4.9 our Recommended rating.
WetStone Technologies' LiveWire Investigator v. 3.1.1C is an extremely powerful tool for analysing computers without taking them offline. We award LiveWire our Approved for SC Labs rating for its utility, performance and extremely strong documentation.
Full Group Summary
Vendors are targeting corporate budgets as regulatory requirements and incident management replace law enforcement as the driving force for development. Peter Stephenson reports.
This month we looked at a wide variety of digital forensic tools. This category has been growing rapidly, diversifying and maturing in the past two years. However, there are some interesting aspects to those developments.
First, we are beginning to see real innovation in tool sets, but virtually none of it is in traditional computer forensics tools. In that class, there was essentially nothing new since we reviewed them last year. If anything, they are becoming more alike.
In many respects, the computer forensics product leaders are indistinguishable from each other. The few advances that have been made are in areas intended to keep pace with emerging forensic requirements such as the increasing number of media types that need to be analysed. In fact, the old designation of "computer forensics" almost seems to be giving way to a newer and more relevant class of "media forensics".
This year our observation is that there really is very little difference among the leaders beyond a feature here or there. The verdict from the user's perspective almost always comes down to personal favourites.
Since many organisations use multiple computer forensic tools, which one is "best" hardly matters any longer. If you can afford the product, it meets your needs, produces acceptable results in the venue in which you are deploying it, and you have training and experience using it, then that tool probably is your best buy. Since we saw no major differentiators among the traditional computer forensics leaders, we could not award a Best Buy to any of them.
Where we are beginning to see real innovation is what we refer to as digital forensic support tools. These specialised offerings really are bringing forensics into the mainstream of complicated digital investigation. We broke that ground last year when we looked at some non-traditional tools such as link analysers.
This year we looked at several products that address specific forensic problems such as live forensic captures. Innovation, then, is our focus for this year's reviews in this group.
We looked at several classes of forensic tools, including traditional computer forensics tools, network forensics analysers, specialised solutions for live forensic capture and PDA forensics, and tools for performing forensic captures over networks, largely in an incident-response environment.
Again this year, the vendor with the most vocal presence in the over-the-network forensic capture and analysis market declined to submit its product. What we found was that vendors are exploring ways to capture forensic data on the media and on the network in very difficult circumstances.
We also found that law enforcement is no longer the driving force behind forensic tool development. Rather, corporate needs driven by regulatory requirements and incident management are beginning to call the shots in the forensic arena.
The reasoning behind this emerging approach is that law enforcement does not have the money or resources to go much beyond media forensics, while corporate organisations do.
This calls into question traditional views of digital forensics, such as that its only purpose is to produce evidence that can be used in court. The emerging perspective is that the purpose of forensic tools is to gather, manage and analyse evidence, regardless of whether the material will be used for a court appearance.
The real purpose could be an incident post mortem, an analysis of a particularly difficult technical problem on a network, or the implementation of security measures and the subsequent analysis of the effectiveness of the implementation, to name just a few possibilities.
In all cases, the forensic analyst must collect, preserve and evaluate evidentiary material appropriately. These things matter whether you are going to court or going to the boardroom. The credibility of the findings depends upon the reliability of the way the evidentiary material was gathered, preserved, analysed and managed. Following traditional and emerging rules of digital forensic analysis helps ensure that all of these burdens are met.
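The collect-preserve-evaluate discipline described above rests on two verifiable facts: that the evidentiary material has not changed since acquisition, and that every handling step is on record. The following is an added example, not code from the review or from any of the products tested, showing one way to enforce both: the acquired image is fingerprinted with SHA-256 at capture time, and every subsequent action is appended to a hash-chained custody record so that later edits to the record itself are also detectable. The "disk image" bytes and exhibit identifier are constructed sample values.

```python
"""Evidence fingerprinting and a hash-chained chain-of-custody record.

Added illustration for the preservation principle discussed in the review;
it is not the method of any product named there.
"""
import hashlib
import json
from datetime import datetime, timezone

GENESIS = "0" * 64  # previous-hash value for the first custody entry


def sha256_hex(data: bytes) -> str:
    """Fingerprint of an evidence item; recomputed later to prove it is unchanged."""
    return hashlib.sha256(data).hexdigest()


class CustodyRecord:
    """Append-only log of what happened to one evidence item.

    Each entry embeds the hash of the previous entry, so altering or removing an
    earlier entry breaks the chain and is caught by log_is_intact().
    """

    def __init__(self, item_id: str, acquired_hash: str):
        self.item_id = item_id
        self.acquired_hash = acquired_hash
        self.entries = []
        self.append("acquired", actor="examiner", note=f"sha256={acquired_hash}")

    def append(self, action: str, actor: str, note: str = "", when: str = None) -> dict:
        prev = self.entries[-1]["entry_hash"] if self.entries else GENESIS
        when = when or datetime.now(timezone.utc).isoformat()
        entry = {"item": self.item_id, "action": action, "actor": actor,
                 "note": note, "when": when, "prev": prev}
        # Canonical JSON (sorted keys) so the hash is reproducible on verification.
        entry["entry_hash"] = sha256_hex(json.dumps(entry, sort_keys=True).encode())
        self.entries.append(entry)
        return entry

    def log_is_intact(self) -> bool:
        """Walk the chain: every entry must hash to its stored value and link to its predecessor."""
        prev = GENESIS
        for e in self.entries:
            body = {k: v for k, v in e.items() if k != "entry_hash"}
            if e["prev"] != prev:
                return False
            if sha256_hex(json.dumps(body, sort_keys=True).encode()) != e["entry_hash"]:
                return False
            prev = e["entry_hash"]
        return True


def verify_image(record: CustodyRecord, data: bytes) -> bool:
    """Re-hash the image, compare with the acquisition hash, and log the outcome either way."""
    ok = sha256_hex(data) == record.acquired_hash
    record.append("verified" if ok else "verification_failed", actor="examiner",
                  note=f"sha256={sha256_hex(data)}")
    return ok


def demo():
    """Constructed walk-through: intact image passes, altered image fails, edited log is caught."""
    image = b"constructed sample disk image bytes \x00\x01\x02"  # stand-in for an acquired image
    rec = CustodyRecord("EXHIBIT-01", sha256_hex(image))        # constructed exhibit id
    rec.append("transferred", actor="examiner", note="handed to analyst for review")
    intact = verify_image(rec, image)          # True: bytes unchanged since acquisition
    altered = verify_image(rec, image + b"x")  # False: even one extra byte is detected
    rec.entries[1]["note"] = "edited after the fact"  # simulate tampering with the record
    return intact, altered, rec.log_is_intact()       # (True, False, False)


if __name__ == "__main__":
    print(demo())
```

The record deliberately logs failed verifications as well as successful ones; a gap in the record is as damaging to credibility as an altered image, whether the findings are headed for a court or a boardroom.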
With all of that in mind, we took a broadly holistic view of this year's batch of digital forensic tools. Our testing methodology varied widely depending upon the type of tool and its purpose. We based our Best Buy and Recommended ratings on how well the product performed within its particular genre rather than how well it performed against other forensic tools.
- Mike Stephenson contributed to this Group Test.