Saturday, October 9, 2010

The Future of Digital Forensics Tools?

Access Data released the newest version of it’s popular FTK Imager tool this week which incorporates a variety of new features including the ability to mount images as a drive or physical device.  A key feature of FTK Imager is that it can be used as a very basic file system analysis program.  By adding the mounting feature, Access Data has taken another step in moving this tool beyond being just a nice acquisition tool towards something that will commonly be used in examination work.

I think this small event could signal the beginning of the end of forensic software manufacturers charging high prices for comprehensive digital forensics suites such as EnCase and FTK.   This doesn’t mean that digital forensics tools are going to be cheap in the future, but I think the future is starting to become clearer.

The way I see the evolution of digital forensics tools goes something like this:

The Zero Generation: The Mesozoic era

In the beginning, there was nothing.  Seriously, nothing. This was before I entered the field, but I know enough people who started in this era to have a good feel for it.  Examiners during this time had to use tools like hex editors and system administration type tools because of the lack of tools specifically designed for digital forensic purposes.  As the market expanded for digital forensics tool, we entered…

The First Generation: The Enhanced Hex Editor Era

We had tools like Expert Witness (which later became known as EnCase) created in this era that were designed to be digital forensics tools.  The dominant tool of this era was EnCase.  The core of EnCase was the ability acquire forensic images in a court defensible manner and to examine the resulting images. When being used for analysis, EnCase was essentially an very specialized read-only hex editor that could parse file systems.  Guidance Software’s innovation path was to increasingly add useful features that parsed different types of artifacts.  Users had the ability to create their own features through the EnScripting language. 

Access Data’s FTK became a very popular tool to use alongside of EnCase because it handled email very well and also incorporated the DtSearch indexing engine.  However, FTK was generally not considered to be as good as EnCase when it came to disk level examination functions so it tended not to be used as replacement to EnCase.   This was fine for tactical level digital forensics work, but for eDiscovery and for larger data set digital forensics cases, the hex editor model didn’t scale well which brought us to…

(Okay, I have to stop here because I know I’m going to have people screaming at their monitors shortly if they haven’t already started.  I know I’m grossly oversimplifying this, but I don’t intend for this post to be a comprehensive history of digital forensic and eDiscovery tools.  Sleuth Kit rocks and the price is right, you also have great tools from this era like ProDiscover, X-Ways, and SMART. However, at high level, they all are essentially the same type of forensic software. I’m also assuming that the people reading this blog post have a working knowledge of how all of these tools work.)

The Second Generation: The Database Era

The eDiscovery people really pushed this and were the first people to develop tools that used databases to manage data and allow for scalability. On the digital forensics side, Access Data was the first traditional digital forensic company to really embrace this by releasing Oracle based FTK 2.  As we know, FTK 2 was an abomination (it didn’t actually work), but FTK 3 followed shortly and has become a dominant second generation digital forensics tool.  There are plenty of eDisco tools that aggressively use database technology as well as other unique technologies such as concept analysis, but most digital forensics companies are still largely in the first generation era.

Access Data and Guidance Software have been aggressively involved in the enterprise level eDiscovery and digital forensics market for quite some time.  Guidance still appears to approach things from a first generation view which I think is one the reasons why Access Data has gained so much traction recently.  Access Data has embraced the explosion of innovation in the eDiscovery market up to and including merging with CT Summation.  They understand that scalability is going to be a key issue that digital forensics companies will have to face and they clearly understand that first generation digital forensics tools are not the future.

This is why I think the release of FTK Imager 3 is a small, but key event.  If a company like Access Data can be profitable with second generation tools and enterprise focused strategies, they may decide to put downward pressure on their first generation-centric competitors by offering up their own first generation technology tools for free or very low cost.  We may very well be seeing the beginning of the end of paying thousands of dollars for first generation style hex editor tools because…

The Third Generation: Digital Forensics Software as a Service

The eDisco people have already been here for awhile so it’s logical that the digital forensics world will follow.  I bet you see Access Data start moving to this model at some point in the near future.  They’re already pushing the limits of what a database layman can do and one of the consistent complaints I hear about FTK 3 is that it’s very resource intensive.  Access Data already sells expanded versions of it’s FTK suite to customers who need more horsepower and capabilities, but this requires additional hardware resources and personnel to administer it.

The next logical step will be for a company like Access Data to embrace the cloud based SaaS model for digital forensics tools.  In this model, Access Data would manage all of the hardware and software and also act as the custodian of the data for a case.  The customer’s analysts would work with the data remotely without having to manage forensic hardware or software.

I’m not saying third generation digital forensics tools will replace first and second generation tools.  For example, I think we will have the enhanced hex editor type tools with us for a very long time because they work well for cases with small data sets.  However, the increasing size of data sets coupled with the need for advanced features like data analytics and more powerful forensics software will usher in this generation of digital forensics tools.

Access Data gained a competitive advantage by beating Guidance to the second generation. If were Guidance Software, I’d be working on third generation of digital forensic tools so that I could return the favor.

8 comments:

  1. Bravo, Eric! I admire someone who's willing to poke the sleeping bear.

    I agree FTK3 is ideally positioned to offer cloud services. FTK3-LAB has some fantastic features that would definitely increase my lab's efficiency and effectiveness. However, I don't need multiple examiners working on one case simultaneously for every case and an investigative review isn't always appropriate. Yet, there are plenty of times each year I could certainly use them! It wouldn't be difficult to justify an SaaS expense on a case-by-case basis. If, eventually, it makes more business sense to bring FTK-LAB in-house, you would have demonstrable proof of it's value to your business or government entity.

    The SaaS business concept has proven cost-effective. The data pipe is likely a non-issue assuming you have x Mb per second throughput. But what would constitute sufficient bandwidth? I lack sufficient information to render an opinion.

    That leaves the argument of trusting sensitive corporate/government data with someone else. Businesses and the federal government are overcoming this concern. Will the government start contracting SaaS for classified material? Probably not. Insert WikiLeads joke here. How about child porn? Again, not - due to insurmountable legal issues if nothing else. But remember, the digital forensic world does not revolve around child pornography. It just seems that way when you're working in a purely law enforcement capacity. Been there, done that.

    In my opinion it's a matter of when, not if this will happen. I'd love to have FTK3-LAB in house and all the backend big iron to support it but that's not a responsible business decision right now. However, when FTK3-LAB SaaS is offered as a solution you can bet I'll be knocking on their door.

    ReplyDelete
  2. Thanks for the kind words, Mike. The post was meant to be thought provoking, but not provocative.

    As data sets become larger and technology in areas such as data analytics increase and cause tools to be more complicated and expensive to run, it will be harder to meet customer requirements for speed, cost, and quality using traditional digital forensic tools.

    I think investigative managers like myself will have to do a cost benefit analysis when it comes to issues like hardware, software and staffing costs. It may end up being cheaper to outsource the administration of enterprise sized digital forensic tools so that limited resources can be spent on hiring more examiners.

    There has been a tremendous amount of innovation in the eDisco space and I think that's going to strongly shape the future of enterprise level digital forensic tools.

    ReplyDelete
  3. It seems to me that the major issue with offering this as a cloud service is getting your image data to the place where the processing is going to happen. Even with massive dedicated bandwidth, latency is still a factor. If you move physical hard drives around, there's still going to be the cost of copying the data (because you're not going to send your original or best evidence copy to the cloud provider) and ensuring that it hasn't been tampered with in transit.

    It seems to me that the more likely scenario is selling "tin wrapped software": a forensic analysis "appliance" if you will. This allows the vendor to provide an easier to manage platform, but locate it where the customer needs it.

    ReplyDelete
  4. This comment has been removed by the author.

    ReplyDelete
  5. I'm not much of a cloudmonger who sees information technology utopia in the clouds.

    Sure, bandwidth is going to increase, but so will this size of data sets. Acquisition is going to be a significant and expensive challenge no matter how and where you are doing the end processing.

    ReplyDelete
  6. The cloud is a platform - 4n6 will be the same, only the implementation is different.

    It didn't work for database based forensics, now the cloud?

    If the platform on which your product is implemented is changed, does that make a new generation of your product? I don't get that. The 4n6 will be the same.

    ReplyDelete
  7. Thanks for the comments, Paul!

    It does work for database based forensics. FTK 3 is a nice product that scales well for what we're seeing right now. I think we'll have the first and second generation tools with us for quite some time. We're not talking about clean and neat generational cut offs here.

    What I'm guessing will happen in the future is that as data sets get larger and we add more advanced features to our digital forensic tools (eDisco will lead the way on this, I think, just look at all of the innovation in that space), the idea of outsourcing the administration of enterprise class digital forensic tools will become attractive.

    As a digital forensics manager, I would rather spend money on headcount, for example, that is devoted to doing analytical work rather than having to spend money on system administrators, database analysts, developers, etc. There might be a business plan in there for someone who can provide access to advanced enterprise digital forensics tools that can handle increasingly large data sets better than the current generation of tools, but take away the administrative burden associated with those tools.

    I learned very early in my eDisco career that the advanced eDisco tools needed a certain amount of care and feeding to do the advanced things that they were designed to do and that you could't just take them out of the shrink wrap and have them perform optimally. If we are heading in that direction with our digital forensic tools (and that may very well just look like a convergence with eDisco tools), people like me have to make some tough decisions on how were to spend limited resources.

    ReplyDelete
  8. Hello Eric,
    I am student at University of Glasgow studying Computer Forensics and E-Discovery.
    Your post is an excellent contribution to the issue of compuet forensic investigations of large data volumes. The cloud service by accessdata sounds like a potential solution to tackle this problem. The only problem of involving cloud in forensic data analysis seems from a legal perspective, with regards to its admissibility being questioned due to the possibility of the data being tampered with during its duration within the cloud.

    ReplyDelete