What Distinguishes Good Tools for IT Forensics?

Digital forensics tools and processes help with fast and targeted responses after cyberattacks.

Cyberattacks are an everyday occurrence. There is no such thing as 100 per cent protection against cyberattacks. It is only a matter of time before a company is affected. This is when forensic tools come into play to help investigation teams examine the incidents, secure evidence, and initiate countermeasures. It is therefore important for companies to prepare for emergencies and set up coordinated processes for analysing security incidents and restoring normal business operations.

“When responding to security breaches, manual processes and poorly integrated forensics solutions inevitably lead to chaos. Companies need tools that fit well into their system landscapes and where the technologies complement each other perfectly, so that they can carry out investigations that are largely automated and respond to threats quickly and in a targeted manner,” says Jens Reumschüsse from the forensics provider Exterro. Manual investigations are usually too time-consuming and complex, meaning that investigation teams have to rely on digital forensics tools to check a multitude of spatially distributed systems and quickly gather all the information they need. Exterro gives tips on what companies should look out for and how they should proceed in case of an incident:

• Wide range of functions
Nowadays, cybercriminals rely on very sophisticated attack methods and cleverly cover their traces to avoid detection. Forensic tools therefore need extensive capabilities to detect a wide range of malware and hacker activities. Regardless of the systems used and the software running on them, they must be able to secure, retain and analyse user and system data. User data includes, for example, information from hard disks, from the main memory and from peripheral devices, while system data includes, among other things, information on access to programmes, data and network connections. The spectrum is extremely broad and goes well beyond the capabilities of endpoint detection and response (EDR) solutions, which are only suitable for forensic investigations to a very limited extent. Good forensic tools detect manipulations of data and settings on a wide variety of systems and are also able to retrieve deleted data.

• Automating manual processes
When cyberattacks occur, rapid response and immediate preservation of evidence are essential to prevent major damage. However, the manual investigation of thousands of computers at globally distributed locations and of systems in the public cloud is very time-consuming and resource-intensive, which is why forensics tools should have extensive automation functions. This way, they quickly provide facts about what happened and what needs to be done now, and reliably document all findings and evidence.

• Adaptability and flexibility
Good forensics tools fit seamlessly into a wide variety of system and application landscapes and allow very individual customisation to investigate specific security incidents in detail. One of the keys to this is scripting capabilities, which allow many processes to be made more efficient and predefined scenarios to be processed automatically. For example, a script could automatically disconnect a suspicious endpoint from the network to prevent data leaks and directly start collecting evidence and searching for the origin of the attack. This saves security and investigation teams valuable time.

• Legal protection
Forensics tools not only help to detect and contain attacks and determine their origin and affected systems. They also protect companies in legal disputes by helping to prove that at the time of the attack, data protection laws, compliance requirements and other regulatory requirements were met. Furthermore, they secure all investigation results in an evidentially sound manner so that the findings stand up in court and cannot be challenged. To do this, forensics tools perform regular integrity checks throughout the investigation process, even taking a full image backup of endpoints if required, so that organisations can consistently prove that results have not been altered either deliberately or inadvertently.
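As an added example (not code from Exterro or from this article), one way to make the "results have not been altered" check concrete: a Python script that records the SHA-256 of every collected artefact in a sealed manifest and later reports anything missing, added or modified. The artefacts, the log line and the collector name are constructed; function names such as build_manifest are assumptions.

```python
import hashlib
import json
import tempfile
from pathlib import Path

def sha256_file(path: Path) -> str:
    """Stream the file so that large images (memory dumps, disk images) are hashed without loading them whole."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()

def _files(evidence_dir: Path) -> dict:
    """Map each artefact's relative path to its SHA-256."""
    return {str(p.relative_to(evidence_dir)): sha256_file(p)
            for p in sorted(evidence_dir.rglob("*")) if p.is_file()}

def _seal(entries: dict) -> str:
    """Hash over a canonical JSON form of the entries, so edits to the list itself are detectable."""
    canonical = json.dumps(entries, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256(canonical.encode()).hexdigest()

def build_manifest(evidence_dir: Path, collector: str) -> dict:
    """Record who collected the evidence set plus the hash of every file and a seal over the list."""
    entries = _files(evidence_dir)
    return {"collector": collector, "entries": entries, "manifest_sha256": _seal(entries)}

def verify_manifest(evidence_dir: Path, manifest: dict) -> list:
    """Return discrepancies; an empty list means the evidence set is intact."""
    problems = []
    if _seal(manifest["entries"]) != manifest["manifest_sha256"]:
        problems.append("manifest entries edited after sealing")
    expected, present = manifest["entries"], _files(evidence_dir)
    problems += [f"missing: {p}" for p in sorted(expected.keys() - present.keys())]
    problems += [f"unlisted: {p}" for p in sorted(present.keys() - expected.keys())]
    problems += [f"modified: {p}" for p in sorted(expected.keys() & present.keys())
                 if expected[p] != present[p]]
    return problems

def demo() -> tuple:
    """Constructed sample: seal two artefacts, then alter one and re-verify."""
    with tempfile.TemporaryDirectory() as tmp:
        d = Path(tmp)
        (d / "memory.raw").write_bytes(b"\x00" * 4096)  # constructed stand-in for a memory image
        (d / "auth.log").write_text("Jan 01 00:00:01 host sshd[1]: Accepted password for alice\n")
        manifest = build_manifest(d, "analyst-01")  # assumed collector id
        clean = verify_manifest(d, manifest)
        (d / "auth.log").write_text("Jan 01 00:00:01 host sshd[1]: Failed password for alice\n")
        return clean, verify_manifest(d, manifest)
```

In practice the manifest would be stored separately from the evidence (for example, signed and timestamped), so that the seal itself cannot be rewritten together with the files.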

• Scalability
For large enterprises with thousands or tens of thousands of endpoints, forensics tools must scale seamlessly. After a security incident, this is the only way they are able to investigate a large number of potentially affected systems with a single click.