This work is in regards to a 2009 project about research into real-world digital forensic practices for the development of highly automated tools to increase speed and efficiency of forensic investigations. A survey was conducted of 30 Law Enforcement officers from different countries in Europe (with 10\u00a0respondents). The key findings of the survey are given, with a link to the full document provided.<\/p>\n
Key observations:<\/p>\n
Requirements for Digital Forensic Tools<\/b><\/p>\n
Out of 30 surveys submitted, 10 were returned. Along with these surveys, informal discussions with practitioners were conducted.<\/p>\n
Through the survey and discussions it was found that three primary factors investigators are taken into account when purchasing forensic software:<\/p>\n
Cost was found to be a common complaint, and a major concern for almost every practitioner spoken to. However, the most expensive forensic software, Encase, was the primary software chosen by 80% of the organizations. FTK, X-Ways Forensic, and miscellaneous tools were also used, but not nearly as often.<\/p>\n
The average percentage of cases in which\u00a0only<\/i>\u00a0the chosen primary software was used is 77.9%. Which suggests that the cost of more expensive software is justified if it can handle the majority of needs the investigator may have. It appears that Encase does, in fact, meet the majority of requirements of the investigator, however, there is still approximately 20% of the cases in which an investigator would need additional features.<\/p>\n
This 20% is covered by various secondary software, with FTK being the secondary software of choice. WinHex, Password Recovery\/Decryption, Automated Analysis tools, and various Linux-based tools were also used.<\/p>\n
The majority of the time an investigator is looking at user documents. Internet traces, passwords and log analysis are a close second.<\/p>\n
The group also indicated that they would be more likely to buy a plug-in to their current software-set than to buy a third-party stand alone software. Fitting into their current workflow is a topic of importance.<\/p>\n
Timelines of user actions are important to investigators. Some investigators indicated that a timeline of user activities would be useful in up to 70% of their cases.<\/p>\n
Also interesting is that currently only 31% of cases involve Windows Registry Analysis. This low number was\u00a0not<\/b>\u00a0shown to correlate with knowledge of the Windows Registry. Responders who claimed to be \u201cvery familiar\u201d or \u201cexpert\u201d in Windows Registry analysis, employed it just as often as those who were only \u201csomewhat familiar\u201d.<\/p>\n
Finally the types of evidence investigators are seeing still consist primarily of Windows computers (87%) with Linux a far second (7%) and Mac last (6%). Of the Windows machines, Windows XP is still the most common OS (58%) with Vista (28%) and Windows 7 (4%) growing, but still not the majority.<\/p>\n