Survey of Evidence and Forensic Tool Usage in Digital Investigations

This post summarizes a 2009 project researching real-world digital forensic practices, undertaken to inform the development of highly automated tools that increase the speed and efficiency of forensic investigations. A survey was sent to 30 Law Enforcement officers from different countries in Europe (with 10 respondents). The key findings of the survey are given below, with a link to the full document provided at the end.

Key observations:

  • Every country has a different definition of digital crime
  • Every country has different laws relating to digital crime
  • INTERPOL fights international crime by managing resources between countries
  • INTERPOL provides facilitation rather than direct operational capabilities
    • ‘Outsource’ operational needs from member countries

Requirements for Digital Forensic Tools

Out of 30 surveys submitted, 10 were returned. Along with these surveys, informal discussions with practitioners were conducted.

Through the survey and discussions it was found that investigators take three primary factors into account when purchasing forensic software:

  1. Feature set
  2. Cost
  3. Ease of use

Cost was found to be a common complaint, and a major concern for almost every practitioner spoken to. However, the most expensive forensic software, EnCase, was the primary software chosen by 80% of the organizations. FTK, X-Ways Forensics, and miscellaneous tools were also used, but not nearly as often.

The average percentage of cases in which only the chosen primary software was used is 77.9%, which suggests that the cost of more expensive software is justified if it can handle the majority of an investigator's needs. It appears that EnCase does, in fact, meet the majority of the investigator's requirements; however, there are still approximately 20% of cases in which an investigator needs additional features.

This 20% is covered by various secondary software, with FTK being the secondary software of choice. WinHex, Password Recovery/Decryption, Automated Analysis tools, and various Linux-based tools were also used.

The majority of the time an investigator is looking at user documents. Internet traces, passwords and log analysis are a close second.

The group also indicated that they would be more likely to buy a plug-in for their current software set than to buy third-party stand-alone software. Fitting into their current workflow is a topic of importance.

Timelines of user actions are important to investigators. Some investigators indicated that a timeline of user activities would be useful in up to 70% of their cases.

Also interesting is that currently only 31% of cases involve Windows Registry analysis. This low number was not shown to correlate with knowledge of the Windows Registry: respondents who claimed to be “very familiar” or “expert” in Windows Registry analysis employed it just as often as those who were only “somewhat familiar”.

Finally, the types of evidence investigators are seeing still consist primarily of Windows computers (87%), with Linux a distant second (7%) and Mac last (6%). Of the Windows machines, Windows XP is still the most common OS (58%), with Vista (28%) and Windows 7 (4%) growing but still not the majority.

For more information and the raw data, please see:
James, J.I. (2009) “Survey of Evidence and Forensic Tool Usage in Digital Investigations”. University College Dublin. [PDF]


One response to “Survey of Evidence and Forensic Tool Usage in Digital Investigations”

  1. Mikolaj Rutkowski avatar

    That’s a useful resource, it’s a pity I haven’t come across it earlier.
    Though I believe it should be clearly marked with the fact that major source of information was law enforcement – I’ve noticed that tools selection differs between commercial computer forensics practitioners and law enforcement officers (there are some tools dedicated majorly for LE like iLoox and for others they receive special discounts).