Top Forensics Tools for Business

Computer or digital forensics is a fast-growing and important industry. Digital crimes are becoming more commonplace, and organizations need quick and reliable tools to gather and provide digital evidence. Computer forensic teams, whether from an organization's internal team or from a law enforcement unit, require certain items in their forensic toolkits.

Drive acquisition is a fundamental process in digital forensics: the acquisition of an entire hard drive must produce a forensically sound image, that is, a flat-file bit-stream image. Volatile data is extremely valuable evidence that can easily be lost, as it is data stored in RAM, the Windows page file, or another repository that is wiped clean when a computer is shut off. Both of these items need their accuracy guaranteed through hashing: a hash value (a fingerprint computed over the original hard drive or volatile data) is matched against the hash of the exact mirror-image copy of that data. If the hashes do not match, the copy is not considered a true, forensically sound copy of the original data.
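As an added illustration (not part of the original post, and not code from any of the vendors discussed below), the following Python script walks through the workflow this paragraph describes: copy every byte of a source into a flat image while hashing the stream in the same pass, record the digests, and later re-hash the image to prove it is still an exact copy. It goes slightly beyond the paragraph by computing MD5, SHA-1 and SHA-256 together, the three digests the ProDiscover entry in the table mentions. The 3 MiB "drive" is a constructed in-memory sample; on a real system the source would be a raw block device opened read-only behind a write blocker.

```python
"""Flat bit-stream imaging with on-the-fly hashing and post-copy verification.

Added example, not from the original post or any vendor. The sample
"drive" below is constructed in memory so the script runs offline.
"""
import hashlib
import io
from typing import BinaryIO, Dict, Iterable, Tuple

CHUNK = 1024 * 1024                      # read the source in 1 MiB blocks
ALGORITHMS = ("md5", "sha1", "sha256")   # digests the ProDiscover entry lists


def _hashers(algorithms: Iterable[str]) -> Dict[str, "hashlib._Hash"]:
    return {name: hashlib.new(name) for name in algorithms}


def acquire(source: BinaryIO, image: BinaryIO,
            algorithms: Iterable[str] = ALGORITHMS) -> Dict[str, str]:
    """Copy `source` byte-for-byte into `image` (a flat bit-stream image).

    The digests are computed on the same pass that writes the image, so the
    drive is read only once and the recorded hashes describe exactly the
    bytes that were seen during acquisition.
    """
    hashers = _hashers(algorithms)
    while True:
        block = source.read(CHUNK)
        if not block:
            break
        for h in hashers.values():
            h.update(block)
        image.write(block)
    image.flush()
    return {name: h.hexdigest() for name, h in hashers.items()}


def digest(stream: BinaryIO, algorithms: Iterable[str] = ALGORITHMS) -> Dict[str, str]:
    """Hash an existing stream (e.g. the image file) without copying it."""
    hashers = _hashers(algorithms)
    while True:
        block = stream.read(CHUNK)
        if not block:
            break
        for h in hashers.values():
            h.update(block)
    return {name: h.hexdigest() for name, h in hashers.items()}


def verify(image: BinaryIO, expected: Dict[str, str]) -> bool:
    """A copy is forensically sound only if every recorded digest matches."""
    image.seek(0)
    actual = digest(image, expected.keys())
    return all(actual[name] == expected[name] for name in expected)


def image_bytes(data: bytes) -> Tuple[bytes, Dict[str, str]]:
    """Convenience wrapper for in-memory sources: returns (image, hashes)."""
    image = io.BytesIO()
    hashes = acquire(io.BytesIO(data), image)
    return image.getvalue(), hashes


def demo() -> dict:
    """Image a constructed 3 MiB pseudo-drive, verify it, then corrupt one bit."""
    drive = io.BytesIO(bytes(range(256)) * (3 * 1024 * 1024 // 256))  # constructed
    image = io.BytesIO()
    hashes = acquire(drive, image)
    sound = verify(image, hashes)

    # Simulate a corrupted or altered image: flip a single bit at offset 4096.
    # Even this one-bit change must make the copy fail verification.
    buf = bytearray(image.getvalue())
    buf[4096] ^= 0x01
    tampered_sound = verify(io.BytesIO(bytes(buf)), hashes)

    return {
        "hashes": hashes,
        "image_size": len(image.getvalue()),
        "sound": sound,
        "tampered_sound": tampered_sound,
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The recorded digests belong in the case notes alongside the image; re-running `verify` at any later point (before analysis, before handing the image to counsel) is what lets an examiner state that the evidence has not changed since acquisition.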

The following summarizes, for a handful of the top forensic tools on the market today, the type of data searched, the tool's features and its cost.

Forensic Tool: Forensic Toolkit (FTK) by AccessData
Type of data searched:
  • Passwords
  • Computer data and files
  • Steganography
  • E-mail
Features:
  • Create images, analyze the registry, conduct an investigation, decrypt files, crack passwords, identify steganography, and build a report, all with a single solution.
  • Recover passwords from over 80 applications; harness idle CPUs across the network to decrypt files and perform robust dictionary attacks.
  • KFF (Known File Filter) hash library with 45 million hashes.
  • Supports the largest, most complex datasets.
  • Never lose case data due to a crash.
  • True multi-processor and multi-threading support that takes advantage of hardware advancements.
  • Automated recovery during pre-processing ensures the job gets done.
  • Easy-to-understand, easy-to-use GUI with pre-defined and customizable data views, advanced filtering, dockable windows and automated data categorization.
  • Multiple data views allow users to analyze a given file in a number of different ways, such as native, hex, text and filtered.
Cost: $2,995 as of 5/1/2008

Forensic Tool: Helix3 Enterprise by E-fense Carpe Datum
Type of data searched:
  • Hard drives within the enterprise
  • Any data on enterprise computers or servers
  • Defined data criteria
Features:
  • Electronic data discovery (EDD) and computer forensics, including imaging and examination of hard drives.
  • Information security personnel can monitor each computer or server on the network from a central administration tool once a small agent is installed.
  • Simplifies the process by allowing information security personnel to search for defined data criteria and either copy the data to a central store or report its presence.
  • Allows you to quickly detect, identify, analyze, preserve and report, giving you the evidence to reveal the truth and protect your business.
Cost: Former versions were free and open source; for version 3, contact the vendor for an individual quote.

Forensic Tool: EnCase Forensic by Guidance Software
Type of data searched:
  • Computer data and files
Features:
  • Acquire data in a forensically sound manner using software with an unparalleled record in courts worldwide.
  • Works on Windows, Linux, AIX, OS X, Solaris and more.
  • Save days, if not weeks, of analysis time by automating complex and routine tasks with prebuilt modules, such as initialized case and event log analysis.
  • Find information despite efforts to hide, cloak or delete it.
  • Easily manage large volumes of computer evidence, viewing all relevant files, including deleted files, file slack and unallocated space.
  • Transfer evidence files directly to law enforcement or legal representatives as necessary.
  • Review options allow non-investigators, such as attorneys, to review evidence with ease.
  • Reporting options enable quick report preparation.
Cost: $3,600 for a corporate license, plus support; $2,850 for a government/law enforcement license, plus support.

Forensic Tool: EnCase Enterprise by Guidance Software
Type of data searched:
  • Computer data and files
Features:
  • Allows teams to securely investigate and analyze multiple machines simultaneously over a network, at the disk and memory level.
  • Acquires data in a forensically sound manner, with bit-stream imaging and more.
  • Has an unparalleled record in courts worldwide.
  • Allows for immediate response, limiting impact and system downtime.
  • Works on Windows, Linux, AIX, OS X, Solaris and more.
  • Proactively audits large groups of machines for sensitive or classified information, as well as unauthorized processes and network connections.
  • Silently and invisibly helps to identify fraud, security events and employee integrity issues wherever they are taking place.
  • Finds and corrects zero-day events, injected DLLs, rootkits and hidden/rogue processes.
Cost: From $25,000 for 1,000 workstations

Forensic Tool: P2 Enterprise Shuttle Edition by Paraben Corporation
Type of data searched:
  • Reactive: all typical functions of a forensics suite
Features:
  • Allows for complete examination and investigation over any network.
  • Drive acquisition, volatile data acquisition, network searching, client snapshot, reporting and more.
  • All monitoring and data acquisition activities are invisible to the user, running silently and with complete stealth on Windows 2000, XP, 2003, Vista and 2008 machines.
  • Works with other forensic suites on a network to allow organizations to fully watch over their systems and provide digital evidence when needed.
  • Adheres to strict forensic practices, Sarbanes-Oxley and many other laws and requirements by ensuring that data integrity is maintained.
Cost: $6,995, plus support, as of 4/1/2007

Forensic Tool: P2 Enterprise Edition by Paraben Corporation
Type of data searched:
  • Proactive: all typical functions of a forensics suite, in real time
  • Reactive: all typical functions of a forensics suite
Features:
  • Live network forensic tool for proactive protection of digital evidence, guarding against the risks of intellectual property theft, embezzlement, employee lawsuits, or any general insider threat.
  • Drive acquisition, network monitoring, volatile data acquisition, telnet (through the secure proxy server), network searching, client snapshot, P2 Navigator, reporting and more.
  • Rather than waiting to learn of an incident requiring forensics, proactive forensics constantly monitors for the occurrence of an incident and responds immediately to ensure evidence is preserved.
  • Proactive capabilities include the ability to monitor and track system logins, running processes, file activity, event logs, network sniffing, hardware monitoring, application installs/uninstalls, data copied to internal systems, deleted activity, and more.
  • Also provides reactive forensics in case the protection was breached, allowing organizations to automatically acquire images, take snapshots, or mount systems.
  • All monitoring and data acquisition activities are invisible to the user, running silently and with complete stealth on Windows 2000, XP, 2003, Vista and 2008 machines.
  • Works with other forensic suites on a network to allow organizations to fully watch over their systems and provide digital evidence when needed.
  • Adheres to strict forensic practices, Sarbanes-Oxley and many other laws and requirements by ensuring that data integrity is maintained.
Cost: Contact the vendor for an individual quote.

Forensic Tool: ProDiscover® Investigator by Technology Pathways, LLC
Type of data searched:
  • Reactive: all typical functions of a forensics suite
Features:
  • Remotely investigate the disk contents of systems over a network.
  • Stealth operation to avoid detection by users.
  • Preview and search suspect files to find evidence quickly and without altering any data or metadata.
  • Create a bit-stream image of the target system disk and physical memory to preserve evidence and restore the system quickly, with MD5, SHA1 or SHA256 hashes of evidence files to prove data authenticity and integrity.
  • Captures volatile data images of RAM, BIOS and CMOS memory to find evidence.
  • Examines multiple disk formats, such as any FAT or NTFS file system.
  • Integrated viewers for graphics, Internet history, registry, e-mail, documents and more.
  • Quick and easy to use.
Cost: $9,995.00 for a single-user license; law enforcement and government receive a discount on request.

Based on the various features and types of data searched, if a company were to purchase just one of these tools, it would have to be P2 Enterprise Edition (P2EE) by Paraben Corporation. P2EE offers all of the required functions and features for most forensic teams, while also giving an organization the tools it needs to be proactive in monitoring and storing digital evidence.

However, if an organization truly had no budget limitation, it should purchase:

  • P2 Enterprise Edition by Paraben Corporation
  • Forensic Toolkit (FTK) by AccessData
  • EnCase Enterprise from Guidance Software

FTK provides numerous features that P2EE does not, such as recovering passwords from a plethora of applications, as well as steganography detection, which matters because many terrorist and child pornography rings use steganography to avoid detection. EnCase Enterprise is very similar to P2 Enterprise Edition, so it may simply be overkill to have both, but a larger company should definitely consider it, since the cost of running both would be minimal compared to the consequences of one missing something that the other may catch.

By combining these three forensic suites, a digital forensic team would be able to accurately track, monitor, gather, and report digital evidence to any law enforcement or organization that requires it, both proactively and reactively.

Sources:

  1. http://www.accessdata.com/forensictoolkit.html
  2. http://www.e-fense.com/h3-enterprise.php
  3. http://www.guidancesoftware.com/products/ef_index.aspx
  4. http://www.paraben-enterprise.com
  5. http://www.paraben-enterprise.com/p2es.html
  6. http://www.paraben-enterprise.com/p2ee.html
  7. http://www.techpathways.com
  8. http://www.techpathways.com/prodiscoverin.htm
  9. http://www.scmagazineus.com/Forensic-Toolkit-v20/Review/2380/
  10. http://www.scmagazineus.com/Paraben-P2-Enterprise-Shuttle/Review/78/
  11. http://www.paraben-forensics.com/catalog/product_info.php?cPath=25&products_id=369&osCsid=2ba225bcdf31dd81d958f939efd173d3
  12. http://www.techpathways.com/order.htm
  13. http://www.scmagazineus.com/Guidance-Software-EnCase-Forensic-v-6/Review/159/
  14. http://findarticles.com/p/articles/mi_m0EIN/is_2002_August_1/ai_89956939/



This entry was posted on Thursday, April 29th, 2010 at 8:22 pm and is filed under Computer Forensics, Computer Security, Security Management.

2 Responses to “Top Forensics Tools for Business”

  1. london computer repair Says:

    Forensic tools are necessary to recover data. Their real use is to solve cyber mysteries and cyber crime. Thanks for providing all the sources.

  2. admin Says:

    Thanks for the input and kind words. I checked out your site and it has some really good articles on computer security. -365
