No tool is perfect. The problem for digital / multimedia forensic analysts has always been one of "does Tool X support the types of files that I see in my lab." Tool manufacturers do their best to support their customers, but there are just so darned many file types to keep track of.
Early on, we saw this in Los Angeles with mobile phones. California, being a CDMA state, wasn't well supported by the mobile forensics tools. We found a Korean company with an office in Los Angeles that made an amazing parsing tool that could find things in physical extractions that no one else could. I still rely upon FinalMobile and the staff at FinalData to help me with the processing and analysis of the most difficult files.
The same problem exists in the processing of evidence from DVRs. In Los Angeles, we were seeing DVRs from China that weren't being sold elsewhere in the US. Thus, for the tool makers that were building acquisition templates based upon what was around their developers, their tools never seemed to work well on the DVRs that I encountered in LA. I found a Chinese company that had SDK access to the Chinese DVR manufacturers ... and thus more comprehensive support for the types of DVRs that I was seeing in LA. They're not reverse-engineering DVRs one at a time. They work directly and cooperatively with the manufacturers to ensure that they support the DVRs that are produced in China.
In terms of image / video processing, as innovation from Italy winds down and their prices in the US and Canada increase (in some cases quite dramatically), some really cool developments are happening in south-eastern Washington state. Do I believe that you should only have FIVE, or only have Input-Ace? Certainly not. There are things that each does really well, and things that each does poorly or not at all. If you can afford to, get both. If you can't afford both, look at the type of work that you're doing and see which is the most appropriate for you.
I've always preached a "fusion-based" approach to digital / multimedia forensic analysis - otherwise known as "buy one of each tool" if you can. In doing so, you'll have the greatest coverage possible for the evidence that arrives at your lab. With DVRs, there are things to like about SalvationData's Video Investigator Portable (from the Chinese company mentioned above) and there are things to like about DVR Examiner. SalvationData's VIP can acquire NTFS disks - like those from Exacq Vision (we see those a lot in California). It can also perform the acquisition over the network (even over WiFi) for those cases where seizing the DVR isn't practical or legal (as is the case in California with the new digital privacy laws). It can find file fragments and organize them logically. On the other hand, not everyone can purchase software directly from China. DVR Examiner comes from Colorado - where there are people to pick up the phone when you're working (not in the central Asian time zone). It's convenient. It's also available as a package deal with Input-Ace and the whole universe of tools and services from Cellebrite.
Gone are the days of doing everything in Photoshop. A fusion-based approach just makes sense in today's world. With this in mind, you'll see more product reviews and deep dives on fusion-based workflows around some complex cases in future posts as well as in our on-line learning portal. Stay tuned. It's going to be fun.