
Legal Bytes

Thoughts and ideas on Digital Forensics and Data Security.

Digital Forensics Christmas in September?

by Rob Fitzgerald

Excitement is running high over at The Lorenzi Group (www.thelorenzigroup.com). Access Data Corporation (www.accessdata.com) has just released FTK 3.0 – and this is BIG news. FTK 3.0 is publicly taking digital forensics mainstream. FTK 3.0 is promising new features that digital forensics analysts have needed for years. At the same time, Access Data is putting themselves and their product out on a limb. If FTK 3.0 doesn’t work like it’s supposed to, Access Data will have a second FTK PR nightmare on their hands, and that could spell disaster for the company.

After re-upping our licenses yesterday afternoon, we downloaded the FTK 3.0 software.  Jason Dana, at Lorenzi, is preparing to install the software later today.  We are excited about FTK 3.0 because of where we see Access Data taking digital forensics.  One of the most frustrating things for analysts in our industry is the lack of functionality within vendor solutions.  If we tell clients that data is data (which we do), why don’t vendors treat data like data?  Vendors have historically built solutions around “platforms” – Windows, Mac, Linux, UNIX operating systems.  I am not talking about a solution built to run on operating systems, I mean historically, computer forensics software vendors have built:

· Windows Forensics tools
· Linux Forensics tools
· Mac Forensics tools
· iPhone Forensics tools

Why? Data is data, right? 1’s and 0’s look like 1’s and 0’s, no? Why can’t a Windows forensics tool interpret a UNIX file or an iPhone file?

E-Fense (www.e-fense.com) has a nice package.  The Helix product has worked well.  It has been a field agents’ friend for many years.  The new Helix Pro product can even handle some mobile phone forensics (very cool).  ASR Data (www.asrdata.com) has SMART.  I have been both an Andy Rosen and SMART fan for a long time, and still am.  Andy continually comes up with new ways to view, manage, and conduct digital forensics, and has been the closest I’ve seen to true digital forensics.  BTW: What’s the difference between computer forensics and digital forensics?  In my opinion, it is how the data is seen, understood, and utilized.  I have held multiple discussions with Andy on creating an all-encompassing solution.  We also utilize Paraben (www.paraben) forensics tools in our lab.  Paraben has been able to stay on the cutting edge with mobile phone and network forensics.  The new FTK 3.0 could prove a challenge, moving forward, though.  For Mac forensics, Blackbag Technologies (www.blackbagtech) just sent us some updates to try out on Mac drive free space.

Access Data is now in a unique position. They had a difficult time with 2.0. In fact, The Lorenzi Group has continued to rely on FTK 1.8, even though we have a 20TB SAN network that could be utilized. Any time new software is released, we like to test it first. Our current plan is to load the new FTK software on machines that run FTK 1.8 and run some comparisons. One of the neat things I am looking forward to is testing the Mac forensics capabilities. To run our tests, we will be using a test case and a live case running in parallel with FTK 1.8. Our plan is to also load and run FTK 2.2 and compare results with FTK 1.8 and FTK 3.0. Additionally, we will be running our results by the other software packages we have to compare findings and ease of use. The time has come for vendors to offer complete solutions, to move from COMPUTER Forensics into DIGITAL Forensics. Have we arrived? Is it Christmas in September? I don’t know, but we are going to find out.

posted on 9/29/2009