Step 2. Tool cost of ownership

I am sure we all have a dream car that we always wanted. I always wanted an MG Midget. Then I talked to my mechanic, who told me if I wanted that car, I needed to quit my job and plan on putting all my efforts into maintaining that car. You need to know the cost of the ownership of the tool. For example, Paraben’s E3:Universal costs $5495.00, which includes one year of SMS. Additional years of SMS cost $999.99 per year. After learning the cost and what is included, you need to look at the equipment required to have the technology run well. The average machine can run E3:Universal with just 16 GB of RAM, so I know I do not need to invest in additional machines to have that up and running in my lab. After considering the raw costs, you should go back to step 1 and make sure the tool will fulfill the needs you have. For example, E3:Universal can process computer data, email data, chat data, smartphone data, IoT data, and cloud data, so you get a lot of overlap value in your purchase. The final part I evaluate in the total cost of ownership is regarding support. Do I have to pay to get support services over the phone, online, etc.?

Step 3. Who is the company you buy from?

When I buy something, I have chosen to work with a company, and I want them to work with me. I don’t want to have hidden fees for support or have an unpleasant support experience. I have preferences in my support that I have found give me faster response times, so I try to make sure the company of my choice has those options. I also need to make sure they are not an untrustworthy company or not going to be able to support my commitment to them. It is not ever about the size of the company; it is about the people behind the company. I do not want to work with a company that will not work with me. Owning a tool is the start of a relationship, and I’m looking for commitment.

Step 4. What is the feature?

This is my pet-peeve point when it comes to DFIR tools in general. In my opinion, with any tools, there should be transparency on what they do and do not support. I don’t want a sugar-coated marketing pitch – give me the needed information. Keep it simple and give me a chart of what your tool does. I don’t expect a tool to do everything, but vaporware sucks when you have invested your hard-earned money in it, and the tool doesn’t perform as expected. If the company doesn’t have a list of what they can do, I honestly move on. I take the time to ask the sales team for these details just in case they are not on their website, but if they can’t produce a chart, I move on. I need to know that the company understands its strengths and weaknesses. It should not be a mystery for me to solve with my money. I also look for what others have said about tools and check out things like the list ‘Best Mobile Forensic Tools’ (https://cybericus.com/best-mobile-forensic-tools/) to see how they came to their results when rating tools. If you want to see some of the “Best Computer Forensic Tools” take a look at (https://www.esecurityplanet.com/products/digital-forensics-software/).

After the steps are completed, I get a good understanding of what tool I need and its capabilities. I will have had time to work with someone at the company and hopefully gotten a demo of the technology shown to me, and most of the time completed a trial of the technology. It is important to remember that when using a trial of a tool, you are not technically licensed, so it should not be used with active casework to produce results. Have some test data you run your tools through to make a fair comparison. You can’t make an accurate comparison of the tool if you use different test data. Once it is time to hit the buy button, you should feel good about the relationship you are starting. You should want to follow the company on social media and subscribe to their newsletter. It’s not a good sign if the first thing you do after a new tool purchase is unsubscribe from their emails. Hearing from the company that makes your tool is all part of the process to keep up to date on exciting new features and releases for your tool.

As you search for the perfect holiday gifts and perhaps think about expanding your lab capabilities, remember there is always room for one more tool. Don’t let your team get caught in a rut with technology! If your lab is not using different tools, it may be missing important data. Labs need to fill the data gaps with multiple tool use. There is no room for any lab to be dedicated to one tool. Total tool dedication guarantees missed data. Be a fan not a fanatic.