Due Diligence of Tool Selection

Written by Amber Schroader

December 14, 2021

In the season of shopping, many of you might be considering shopping for new tools for your labs. I stepped back to put this together because as I shop for tools for our lab, I don’t judge on the same standard that I do as a tool producer. I, however, always do my due diligence. Listed below are the steps for the due diligence I put into my tool selection.

Step 1. Isolate what you need to do

When considering a tool, you need to know what need you are trying to fill. Not every lab on the planet can buy tools just for the heck of it (wouldn’t that be nice?)! The tool must fulfill a need and a purpose in the lab. I usually shop for a tool that can do more than one function in the lab. That is always a budget-friendly option. If one tool can process email and chat, it can knock two things off my list. You can do the same by looking for multifunction tools. That doesn’t mean specialty tools are off the table, but in consideration of budgets, it is better to have a tool that can do more than one thing. As you might guess, I passed on the car and went for something that fit my life better. When purchasing tools and technology for your lab, some of those same principles come into play.

Step 2. Tool cost of ownership

I am sure we all have a dream car that we always wanted. I always wanted an MG Midget. Then I talked to my mechanic, who told me if I wanted that car, I needed to quit my job and plan on putting all my efforts into maintaining that car. You need to know the cost of ownership of the tool. For example, Paraben’s E3:Universal costs $5495.00, which includes one year of SMS. Additional years of SMS cost $999.99 per year. After learning the cost and what is included, you need to look at the equipment required to have the technology run well. The average machine can run E3:Universal with just 16 GB of RAM, so I know I do not need to invest in additional machines to have that up and running in my lab. After considering the raw costs, you should go back to step 1 and make sure the tool will fulfill the needs you have. For example, E3:Universal can process computer data, email data, chat data, smartphone data, IoT data, and cloud data, so you get a lot of overlap value in your purchase. The final part I evaluate in the total cost of ownership is regarding support. Do I have to pay to get support services over the phone, online, etc.?

Step 3. Who is the company you buy from?

When I buy something, I have chosen to work with a company, and I want them to work with me. I don’t want to have hidden fees for support or have an unpleasant support experience. I have preferences in my support that I have found give me faster response times, so I try to make sure the company of my choice has those options. I also need to make sure they are not an untrustworthy company or not going to be able to support my commitment to them. It is not ever about the size of the company; it is about the people behind the company. I do not want to work with a company that will not work with me. Owning a tool is the start of a relationship, and I’m looking for commitment.

Step 4. What is the feature?

This is my pet-peeve point when it comes to DFIR tools in general. In my opinion, with any tools, there should be transparency on what they do and do not support. I don’t want a sugar-coated marketing pitch – give me the needed information. Keep it simple and give me a chart of what your tool does. I don’t expect a tool to do everything, but vaporware sucks when you have invested your hard-earned money in it, and the tool doesn’t perform as expected. If the company doesn’t have a list of what they can do, I honestly move on. I take the time to ask the sales team for these details just in case they are not on their website, but if they can’t produce a chart, I move on. I need to know that the company understands its strengths and weaknesses. It should not be a mystery for me to solve with my money. I also look for what others have said about tools and check out things like the list ‘Best Mobile Forensic Tools’ (https://cybericus.com/best-mobile-forensic-tools/) to see how they came to their results when rating tools. If you want to see some of the “Best Computer Forensic Tools” take a look at (https://www.esecurityplanet.com/products/digital-forensics-software/).

After the steps are completed, I get a good understanding of what tool I need and its capabilities. I will have had time to work with someone at the company and hopefully gotten a demo of the technology shown to me, and most of the time completed a trial of the technology. It is important to remember that when using a trial of a tool, you are not technically licensed, so it should not be used with active casework to produce results. Have some test data you run your tools through to make a fair comparison. You can’t make an accurate comparison of the tool if you use different test data. Once it is time to hit the buy button, you should feel good about the relationship you are starting. You should want to follow the company on social media and subscribe to their newsletter. It’s not a good sign if the first thing you do after a new tool purchase is unsubscribe from their emails. Hearing from the company that makes your tool is all part of the process to keep up to date on exciting new features and releases for your tool.

As you search for the perfect holiday gifts and perhaps think about expanding your lab capabilities, remember there is always room for one more tool. Don’t let your team get caught in a rut with technology! If your lab is not using different tools, it may be missing important data. Labs need to fill the data gaps with multiple tool use. There is no room for any lab to be dedicated to one tool. Total tool dedication guarantees missed data. Be a fan, not a fanatic.
