OnLine Digital Forensic Suite
Strengths: Very quick, non-invasive analysis
Weaknesses: A boost in performance and a wider range of support options would be nice
Verdict: A viable solution for organisations that need incident response, without disabling the host
OnLine Digital Forensic Suite (DFS) by Cyber Security Technologies provides a centralised method for investigators to collect a wide variety of data from a suspect machine over the network. The tool does not require an agent to be installed on the target, and a detailed log of the investigation is maintained automatically.
The interface is browser-based and it has a simplistic feel, but most tools required to conduct an investigation are present and all are easy to use. Its design sets the tool apart and we feel it is more suited to incident response than criminal forensic investigation.
We conducted a preliminary examination on a networked host running Windows 2000. The initial acquisition of event logs, services and processes running, open ports and other live data was very quick - just 47 seconds. The services used were named inconspicuously and did not use much computing power.
However, when we tried to browse the registry or the directory structure, or to take an image, the program slowed considerably. Most notably, taking an image of the suspect PC consumed a substantial amount of processing power on the host. This can be mitigated by using the tool's ability to schedule batch jobs for a period of inactivity.
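Two things the review singles out are the speed of the initial volatile-data pull (processes, services, open ports, event logs) and the fact that every step of the investigation is logged automatically. The script below is an added illustration of that pattern and is not code from OnLine DFS or Cyber Security Technologies: each collector is timed, its output is hashed, and the result is appended to a hash-chained investigation log so that a later edit or deletion of an entry is detectable. The collectors here return constructed sample data (the process list, port list and service states are made up) rather than talking to a real host; the case id, investigator name and host name are likewise placeholders.

```python
import hashlib
import json
import time
from typing import Callable, Dict, List

# Constructed sample "live data" standing in for what an agentless collector
# would pull from the suspect host. These are not real captures.
SAMPLE_PROCESSES = b"PID  NAME\n4    System\n1234 svchost.exe\n2048 lsass.exe\n"
SAMPLE_PORTS = b"TCP 0.0.0.0:135 LISTENING\nTCP 0.0.0.0:445 LISTENING\n"
SAMPLE_SERVICES = b"EventLog RUNNING\nRemoteRegistry RUNNING\nSpooler STOPPED\n"

Collector = Callable[[], bytes]


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


class InvestigationLog:
    """Append-only log in which each entry's hash covers the previous entry's
    hash, so a later modification, reordering or removal of an earlier entry
    breaks the chain on verification."""

    GENESIS = "0" * 64  # prev_hash of the very first entry

    def __init__(self, case_id: str, investigator: str) -> None:
        self.case_id = case_id
        self.investigator = investigator
        self.entries: List[Dict] = []

    def record(self, action: str, target: str, artefact: bytes,
               started: float, finished: float) -> Dict:
        prev_hash = self.entries[-1]["entry_hash"] if self.entries else self.GENESIS
        entry = {
            "seq": len(self.entries),
            "case_id": self.case_id,
            "investigator": self.investigator,
            "action": action,
            "target": target,
            "started": started,
            "finished": finished,
            "duration_s": round(finished - started, 3),
            "artefact_sha256": sha256_hex(artefact),
            "artefact_bytes": len(artefact),
            "prev_hash": prev_hash,
        }
        entry["entry_hash"] = self._hash_entry(entry)
        self.entries.append(entry)
        return entry

    @staticmethod
    def _hash_entry(entry: Dict) -> str:
        # Canonical JSON of every field except the hash itself.
        body = {k: v for k, v in entry.items() if k != "entry_hash"}
        return sha256_hex(json.dumps(body, sort_keys=True).encode())

    def verify(self) -> bool:
        """Recompute every hash and check the chain links and sequence numbers."""
        expected_prev = self.GENESIS
        for seq, entry in enumerate(self.entries):
            if entry["seq"] != seq or entry["prev_hash"] != expected_prev:
                return False
            if self._hash_entry(entry) != entry["entry_hash"]:
                return False
            expected_prev = entry["entry_hash"]
        return True


def run_acquisition(target: str, collectors: Dict[str, Collector],
                    log: InvestigationLog) -> Dict[str, bytes]:
    """Run each collector in turn, timing it and logging a hash of its output."""
    artefacts: Dict[str, bytes] = {}
    for action, collector in collectors.items():
        started = time.time()
        data = collector()
        finished = time.time()
        artefacts[action] = data
        log.record(action, target, data, started, finished)
    return artefacts


def sample_collectors() -> Dict[str, Collector]:
    # Stand-ins that return the constructed samples above instead of
    # querying a live machine.
    return {
        "processes": lambda: SAMPLE_PROCESSES,
        "listening_ports": lambda: SAMPLE_PORTS,
        "services": lambda: SAMPLE_SERVICES,
    }


if __name__ == "__main__":
    log = InvestigationLog(case_id="CASE-0001", investigator="analyst")  # placeholders
    run_acquisition("host-w2k.example.test", sample_collectors(), log)
    print(json.dumps(log.entries, indent=2))
    print("chain intact:", log.verify())
```

The chain only protects entries that have a successor: silently dropping the most recent entry is not caught unless the latest entry hash is also written somewhere the investigator cannot alter (a case file, a ticket, or a signed export). In a real deployment the collectors would wrap whatever remote mechanism is used to read the host, and the raw artefacts would be stored alongside the log so their hashes can be re-checked later.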
Installation went smoothly and activation is required before use. An administration account is the default and you must add individual investigator accounts. The administration account is also used to configure any network settings. The installation adds firewall exceptions to the local firewall, but network exceptions may have to be configured in some environments.
OnLine DFS comes with a large PDF manual, but its structure can be confusing at times. However, it does provide a "10-minute tour" in order to get familiarised with the basic flow of a case within the tool.
Despite this, a novice investigator will likely have to read the majority of the document or experiment with the tool before beginning a live case.
At £7,000 for a single user, this product is at the top of the spectrum for a software solution. Free support is only included for the first year, and it is available by phone or email only.