I often get asked how Autopsy and Cyber Triage are different and I started to use the terms general-purpose vs specialized digital forensics tool to answer that question. This post outlines how I am using those terms, pros and cons of example tools in those categories, and uses Autopsy and Cyber Triage as examples (because I’m most familiar with them).
Digital Forensics Tool Basics
Let’s start with the basics.
Digital investigators are tasked with answering a set of investigative questions, and the type of data needed depends on the question. For example:
- Many law enforcement investigations rely on communications
- Child exploitation cases focus heavily on pictures and movies
- Intrusion cases focus more on user logins and malware
The role of a digital forensics tool is to give the investigator access to digital data so that they can view and find the data. The tools often:
- Parse file systems, memory and file formats to make the data useful
- Provide search and analytical features to find the subset of data that is relevant
- Display the data in a generic way (e.g. hex) or with a specialized viewer (e.g. movie playback)
To be effective, your forensics tools need to give you efficient access to the data you need to answer your investigative question.
General Purpose vs Specialized Digital Forensics Tool
The key difference between a general purpose digital forensics tool and a specialized digital forensics tool is how focused it is for your investigation. Both types of tools can be used for a given type of investigation, but the specialized tool will do more of the work.
- A general purpose digital forensics tool focuses on parsing and displaying data. It relies on you to figure out what kinds of data are relevant to the investigation (e.g. do we care about what programs were run in the past?) and what makes data suspicious. These tools are designed to help in nearly any kind of investigation as long as you know where you should be looking.
- A specialized digital forensics tool is focused on a certain kind of investigation and knows what kinds of questions you are looking to answer. It has the parsing and display features of a general purpose tool, but it also uses analytics to help you answer your investigative questions. It requires less work from the user because the tool does part of that work itself.
The easiest analogy is a Swiss Army knife vs a power tool. Swiss Army knives have knives, scissors, screwdrivers, corkscrews, and much more.
You could probably build a house with one that has a saw blade, but it will take a while. Your house will be completed faster with specialized saws and drills that were built for the job.
Forensic tools are similar. You can use a general purpose tool and apply more of your time and energy. Or, use a specialized tool and let it do more of the work.
General Purpose Pros/Cons
General purpose is the most popular category of digital forensics tools, and many of the popular tools fall into it, such as:
Let’s look at the Pros and Cons.
Pros:
- Provide basic coverage to nearly all types of investigations.
- Could be the only option for some types of investigations.
Cons:
- Requires the user to have extensive training to know where to look and what values are relevant.
- Critical data could be missed if the user forgets to look for it.
In our toolset, Autopsy is a general purpose tool. It supports a range of file systems for computers and mobile devices.
- If your investigation involves geo coordinates, there are KML, GPS, and EXIF modules and map viewers for that.
- If your investigation involves web artifacts, then there are modules for common browsers and UIs for that.
- If your investigation involves pictures, then there are EXIF, object detection, and hash set modules for that.
Autopsy is used around the world for a variety of investigations by users who know what types of data they need to answer their investigative questions. For example, you will need to review the communications and websites to know if they are relevant.
There are fewer specialized end-to-end tools. The most obvious ones that come to mind are:
- Cyber Triage: Collects and analyzes artifacts needed for questions about intrusions.
- Volexity Surge and Volcano: Collects and analyzes memory to answer questions about intrusions.
There are integrations or partial solutions that focus on a specific investigative question, such as:
- Project Vic: Is integrated into numerous tools to answer questions about known child exploitation material.
- IOC Scanners: There are several tools that have an indicators of compromise (IOC) scanner that answers questions about known attack traces.
- Incident Response Collection Tools: There are specialized collection tools for incident response that will save select artifacts instead of a full disk or memory image, but they do not do analysis of the data.
I think that most of these tools are focused on intrusions because those types of cases have the most complexity and biggest scale. Intrusion investigations can impact dozens or hundreds of computers and attackers are constantly changing their techniques to evade detection. This makes automation and specialization critical.
Pros:
- Faster: Can more quickly focus on the relevant data because the software is doing the analytics without user intervention.
- Comprehensive: Can collect and process more data because the computer can analyze data in parallel and can be updated to know where to collect from.
Cons:
- May not be useful for all of your investigation types. Consultants and law enforcement often have to deal with a variety of investigation types, so many specialized tools would be required.
In our toolset, Cyber Triage is a specialized forensics tool. It collects only artifacts and files that are likely relevant to an intrusion and applies analytics to each to give them a score. Artifacts scored as Bad or Suspicious are likely to be involved with an intrusion and the user can start with those tens of artifacts instead of the thousands of collected artifacts.
Our users tell us that Cyber Triage shaves hours off their intrusion investigations, which is what you’d expect for a specialized tool. But it is not going to be useful for all types of investigations, such as a child exploitation case.
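The scoring workflow described above (IOC matching plus analytics that reduce thousands of collected artifacts to a small Bad/Suspicious subset) as an added illustration. This is not Cyber Triage’s code or its scoring logic: the artifacts, hash values, paths and rules below are constructed for the example, and a real specialized tool would apply far more rules over far more data sources. The contrast with a general purpose tool is that nothing here requires the examiner to know in advance which rows to look at.

```python
"""Toy intrusion triage scorer: take a collected artifact list, apply simple
analytics to each artifact, and return only the Bad/Suspicious subset an
examiner should start with. All data and rules are constructed examples."""
from dataclasses import dataclass, field


@dataclass
class Artifact:
    kind: str                       # "process", "task", or "logon"
    name: str                       # process/task name or account name
    path: str = ""                  # executable path for process/task
    sha256: str = ""                # file hash (placeholder values below)
    attrs: dict = field(default_factory=dict)


# Constructed IOC list: placeholder hash, not a real indicator.
IOC_HASHES = {"placeholder-bad-hash-0001"}

# Constructed sample collection. A real collection would be parsed from the
# host's process list, scheduled tasks, and logon event logs.
SAMPLE_ARTIFACTS = [
    Artifact("process", "explorer.exe", r"C:\Windows\explorer.exe",
             "placeholder-hash-aaaa", {"signed": True}),
    Artifact("process", "svchost.exe",
             r"C:\Users\alice\AppData\Local\Temp\svchost.exe",
             "placeholder-bad-hash-0001", {"signed": False}),
    Artifact("process", "update.exe", r"C:\Users\alice\Downloads\update.exe",
             "placeholder-hash-bbbb", {"signed": False}),
    Artifact("task", "Adobe Updater", r"C:\Program Files\Adobe\updater.exe",
             "placeholder-hash-cccc", {"signed": True}),
    Artifact("logon", "alice", attrs={"logon_type": 10, "hour": 3}),
    Artifact("logon", "alice", attrs={"logon_type": 2, "hour": 9}),
]

# Locations an ordinary user can write to; legitimate services rarely run from here.
USER_WRITABLE = ("c:\\users\\", "c:\\windows\\temp\\", "c:\\programdata\\")
# Core Windows process names that should only ever live in System32.
SYSTEM_NAMES = {"svchost.exe", "lsass.exe", "csrss.exe"}
RANK = {"Bad": 0, "Suspicious": 1, "Unknown": 2}


def score_artifact(a, iocs):
    """Return (score, reasons) for one artifact. 'Bad' needs a known indicator;
    'Suspicious' comes from heuristics; everything else is 'Unknown'."""
    findings = []
    if a.sha256 and a.sha256 in iocs:
        findings.append(("Bad", "hash matches an IOC"))
    if a.kind in ("process", "task"):
        p = a.path.lower()
        if p.startswith(USER_WRITABLE):
            findings.append(("Suspicious", "executable in user-writable location"))
        if a.name.lower() in SYSTEM_NAMES and not p.startswith("c:\\windows\\system32\\"):
            findings.append(("Suspicious", "system process name outside System32"))
        if a.attrs.get("signed") is False:
            findings.append(("Suspicious", "unsigned executable"))
    if a.kind == "logon":
        # Logon type 10 is RemoteInteractive (RDP); flag it outside 08:00-18:00.
        if a.attrs.get("logon_type") == 10 and not 8 <= a.attrs.get("hour", 12) <= 18:
            findings.append(("Suspicious", "remote interactive logon outside working hours"))
    if any(level == "Bad" for level, _ in findings):
        score = "Bad"
    elif findings:
        score = "Suspicious"
    else:
        score = "Unknown"
    return score, [reason for _, reason in findings]


def triage(artifacts, iocs=IOC_HASHES):
    """Score every artifact and return only the Bad/Suspicious ones, worst first."""
    scored = []
    for a in artifacts:
        score, reasons = score_artifact(a, iocs)
        if score != "Unknown":
            scored.append({"score": score, "artifact": a, "reasons": reasons})
    scored.sort(key=lambda s: RANK[s["score"]])   # stable sort keeps collection order within a level
    return scored


if __name__ == "__main__":
    results = triage(SAMPLE_ARTIFACTS)
    print(f"{len(SAMPLE_ARTIFACTS)} collected, {len(results)} to review first:")
    for r in results:
        a = r["artifact"]
        print(f"  [{r['score']}] {a.kind} {a.name} {a.path} -> {'; '.join(r['reasons'])}")
```

Running it lists three of the six constructed artifacts: the Temp-resident svchost.exe as Bad (IOC match plus three heuristic hits), then the unsigned Downloads executable and the 03:00 RDP logon as Suspicious. The signed system binaries and the daytime console logon drop out without the examiner having to inspect them, which is the time saving a specialized tool is buying.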
What Should Be In Your Tool Kit
Unless you are on a team with a single mission, such as a Security Operations Center (SOC), then you should probably have a combination of general purpose tools and specialized tools.
- A general purpose computer/laptop tool
- A general purpose cell phone tool
- Specialized tools / plugins for your most common and time-consuming investigations
As data sets become bigger and investigations rely on access to more types of data, the need for specialized digital forensics tools becomes more obvious, especially when you consider the complicated data types involved with intrusions and attackers covering their tracks.
The main difference between Autopsy and Cyber Triage is that Autopsy is a general-purpose forensics tool and Cyber Triage is a specialized intrusion forensics tool. Both serve critical roles in examiners’ toolboxes.
If you want to try Cyber Triage, you can fill out the evaluation form here.