Product Group Tests

Media forensics (2008)

Group Summary

Our Best Buy goes to Access Data's Forensic Toolkit 2.0, a great product that is well put together and worth several times the price.

We rate Gargoyle Investigator Enterprise Recommended for being a unique product that can be used to search for some of the most difficult-to-find malware.

Scroll To Full Group Summary Below

Click for a side by side comparison of products
Click for a side by side comparison of products

Full Group Summary

Computer forensic tools have evolved into several specialised strands as data is stored on a wider variety of devices, from PCs to mobile phones and PDAs. Justin Peltier reports.

Forensics has become a much-maligned discipline in the information security realm. To quote forensics expert Thomas Rude: "have dongle, am expert". As tools get more advanced, the need for true understanding appears to become less but, in reality, there is no substitute for knowledge and experience. Many vendors are offering certifications on their products, but this often requires purchasing the tools and the certification is not just based on knowledge alone.
There are several vendor-neutral certifications coming on to the market, led perhaps by the Certified Hacking Forensic Investigator from the EC-Council. However, the crucial need here is not for certification but for knowledge of forensics. There is a shortage of qualified investigators as college campuses, local police departments, and even private citizens in civil lawsuits all need to have forensic analysis performed. This has led to a growth in available tools, which have become much easier to use.

This review focuses not on the knowledge of the investigators but the quality of the tools they use. Another twist in the world of forensics is the multitude of changes in where data resides. The smartphone of 2008 was the laptop of 2001. Storage in the GB range can come in various formats.

As phones and PDAs continue to increase in processing power and storage capacity, the need for forensic analysis of these devices becomes more critical. There are several challenges to performing forensics on a hand-held device, and most of the trouble is due to the difficulty of capturing data in a way that is forensically sound. Most forensic packages now include - or are planning to in their next release - capabilities to analyse hand-held devices. When it comes to gathering forensic data from a phone you might wonder how much data there can possibly be on this type of device. Mobiles store data of interest to the forensic analyst in places such as contacts, call history, calendar, SMS, images and videos, expansion cards and SIM cards.

Since most of these non-computer devices use dynamic storage, one of the most critical steps is to block USB write access from your forensic machine. A little unheralded change, which was part of Windows XP Service Pack Two (SP2), can make the process of performing forensic analysis of hand-held devices easier. With SP2, Windows XP has the ability to change USB ports from the standard read/write mode to a new read-only mode. This feature is simple to integrate and only requires a registry change.

This process helps protect the evidence from modification and allows you to use less expensive digital media readers to collect evidence. Software takes greater configuration than a hardware device write blocker. For more information about the Windows XP SP2 USB write block, check out the knowledge base entry located at:

A graphical interface USB write blocking tool is available at If you prefer hardware blockers there are several on the market.

How we tested
To truly test the software packages that were specific to mobile phone forensics we used either a Palm Treo 755p or a Motorola RAZR V3. To test hard-drive forensic machines we used a 1GB flash drive loaded with office files, zip files, pictures and executables. We password-protected some zip files, as well as some of the Office files, and also deleted files and directories. In addition we used steganographic tools to hide an image in another image file and to hide text inside a picture file.

Buying media forensic tools
As always, the first step to buying tools is deciding how they will be used. In this case, the task is relatively easy. If you need to analyse mobile phones and PDAs, you need a specific tool
to do that. The tools should be comprehensive and should cover all the data capture and analysis tasks that you will need to perform. In that regard, you will need to compare general-purpose tools and specific offerings for these small devices.

In some cases you may benefit financially from putting all your forensic eggs in one basket and buying a generic tool with lots of capabilities. That may or may not be a good idea depending upon the product. We recommend purchasing specialised tools even if the general purpose ones cover most of your bases.

It never hurts to have more than one computer forensic tool. Many organisations are opting
for a commercial tool and an open-source tool. We cover both in this review.

- For details on how we test and score products, visit

All Products In This Group Test