Saturday, October 9, 2010

The Future of Digital Forensics Tools?

Access Data released the newest version of its popular FTK Imager tool this week, which incorporates a variety of new features including the ability to mount images as a drive or physical device. A key feature of FTK Imager is that it can be used as a very basic file system analysis program. By adding the mounting feature, Access Data has taken another step in moving this tool beyond being just a nice acquisition tool towards something that will commonly be used in examination work.

I think this small event could signal the beginning of the end of forensic software manufacturers charging high prices for comprehensive digital forensics suites such as EnCase and FTK.   This doesn’t mean that digital forensics tools are going to be cheap in the future, but I think the future is starting to become clearer.

The way I see the evolution of digital forensics tools goes something like this:

The Zero Generation: The Mesozoic era

In the beginning, there was nothing. Seriously, nothing. This was before I entered the field, but I know enough people who started in this era to have a good feel for it. Examiners during this time had to use tools like hex editors and system administration type tools because of the lack of tools specifically designed for digital forensic purposes. As the market expanded for digital forensics tools, we entered…

The First Generation: The Enhanced Hex Editor Era

We had tools like Expert Witness (which later became known as EnCase) created in this era that were designed to be digital forensics tools. The dominant tool of this era was EnCase. The core of EnCase was the ability to acquire forensic images in a court defensible manner and to examine the resulting images. When being used for analysis, EnCase was essentially a very specialized read-only hex editor that could parse file systems. Guidance Software’s innovation path was to increasingly add useful features that parsed different types of artifacts. Users had the ability to create their own features through the EnScripting language.

Access Data’s FTK became a very popular tool to use alongside EnCase because it handled email very well and also incorporated the DtSearch indexing engine. However, FTK was generally not considered to be as good as EnCase when it came to disk level examination functions, so it tended not to be used as a replacement for EnCase. This was fine for tactical level digital forensics work, but for eDiscovery and for larger data set digital forensics cases, the hex editor model didn’t scale well, which brought us to…

(Okay, I have to stop here because I know I’m going to have people screaming at their monitors shortly if they haven’t already started. I know I’m grossly oversimplifying this, but I don’t intend for this post to be a comprehensive history of digital forensic and eDiscovery tools. Sleuth Kit rocks and the price is right, and you also have great tools from this era like ProDiscover, X-Ways, and SMART. However, at a high level, they are all essentially the same type of forensic software. I’m also assuming that the people reading this blog post have a working knowledge of how all of these tools work.)

The Second Generation: The Database Era

The eDiscovery people really pushed this and were the first people to develop tools that used databases to manage data and allow for scalability. On the digital forensics side, Access Data was the first traditional digital forensic company to really embrace this by releasing Oracle based FTK 2.  As we know, FTK 2 was an abomination (it didn’t actually work), but FTK 3 followed shortly and has become a dominant second generation digital forensics tool.  There are plenty of eDisco tools that aggressively use database technology as well as other unique technologies such as concept analysis, but most digital forensics companies are still largely in the first generation era.

Access Data and Guidance Software have been aggressively involved in the enterprise level eDiscovery and digital forensics market for quite some time. Guidance still appears to approach things from a first generation view, which I think is one of the reasons why Access Data has gained so much traction recently. Access Data has embraced the explosion of innovation in the eDiscovery market up to and including merging with CT Summation. They understand that scalability is going to be a key issue that digital forensics companies will have to face, and they clearly understand that first generation digital forensics tools are not the future.

This is why I think the release of FTK Imager 3 is a small, but key event.  If a company like Access Data can be profitable with second generation tools and enterprise focused strategies, they may decide to put downward pressure on their first generation-centric competitors by offering up their own first generation technology tools for free or very low cost.  We may very well be seeing the beginning of the end of paying thousands of dollars for first generation style hex editor tools because…

The Third Generation: Digital Forensics Software as a Service

The eDisco people have already been here for a while, so it’s logical that the digital forensics world will follow. I bet you see Access Data start moving to this model at some point in the near future. They’re already pushing the limits of what a database layman can do, and one of the consistent complaints I hear about FTK 3 is that it’s very resource intensive. Access Data already sells expanded versions of its FTK suite to customers who need more horsepower and capabilities, but this requires additional hardware resources and personnel to administer it.

The next logical step will be for a company like Access Data to embrace the cloud based SaaS model for digital forensics tools.  In this model, Access Data would manage all of the hardware and software and also act as the custodian of the data for a case.  The customer’s analysts would work with the data remotely without having to manage forensic hardware or software.

I’m not saying third generation digital forensics tools will replace first and second generation tools.  For example, I think we will have the enhanced hex editor type tools with us for a very long time because they work well for cases with small data sets.  However, the increasing size of data sets coupled with the need for advanced features like data analytics and more powerful forensics software will usher in this generation of digital forensics tools.

Access Data gained a competitive advantage by beating Guidance to the second generation. If I were Guidance Software, I’d be working on a third generation of digital forensic tools so that I could return the favor.

Wednesday, October 6, 2010

Work For Lenny

I had the good fortune to attend Lenny Zeltser’s introductory malware analysis presentation at the HTCIA Northeast chapter meeting today. I have been looking forward to attending this presentation ever since I learned about it. Lenny is an accomplished instructor and did a remarkable job explaining a complex topic like malware analysis in terms that made it very approachable for the layperson.

Lenny breaks down malware analysis into two main parts. The first part is behavioral analysis. This is where the examiner works with the malware in a safe environment to learn about it through interaction and observation. The second part is code analysis, which involves using tools like debuggers to examine malware at an assembly language level. It’s important to note that knowing assembly language is not a prerequisite to becoming a malware analyst or attending Lenny’s training. That said, if you want to be excellent at it, you’ll need to add knowledge of assembly language to your skill set.

Lenny is going to be teaching his SANS malware analysis course in New York this month and there are seats still available. COINS-LZ is a discount code that will reduce the cost of the class by ten percent. 

Lenny is also in the market for a security architect to come to work for him. If you are interested in a great job in the NYC metro area, this is a fantastic opportunity.