forensics and incident response

  • MARKET - Market Analysis - Science and Technology - Security SOTA - Forensics and Incident Response

    Context: Post incident forensics examination tools implement techniques that enable an investigator to develop an insight of past events, and prove or disprove allegations relating to the use of computers to perform criminal acts. Such support is often built on top of audit and monitoring tools deployed on a given infrastructure. Two key strands of forensics tools that can collectively support an incident response investigation include (1) computer (system) forensics tools supporting functionality such as evidence acquisition, analysis of file systems, event logs, retrieval of contents of interest, deleted items, application/browsing history etc; (2) network forensics tools include applications for data packet capturing, network server log analysis (time of connection, originator’s address etc), deep packet inspection etc. Some forensics tools can also be equipped to deal with live acquisition in real time (often dealing with memory contents acquisition), whereas others are more oriented towards static post-event analysis. Ability to securely preserve evidence in a tamperproof format is also essential.

    Challenges – Technology Gaps: Several domain challenges exist, particularly the juxtaposition between investigation practices vs. privacy, and the related increased use of encryption as a barrier to supporting forensic efforts, recent widening of encryption use in Apple iOS 8 being one example [ARS14]. Also, the development of tools that adhere to relevant privacy laws; also issues around dealing with growing volumes of evidence, via techniques such as predictive coding for certain evidence categories, and the ability to elastically step up evidence gathering in line with escalated events; issues around managing cross-jurisdictional and cross-lingual investigation gathering are also providing strong research avenues of enquiry, particularly in supporting LEAs in developing new procedures for cross border evidence management and sharing.



    [ARS14] "Apple expands data encryption under iOS 8, making handover to cops moot",, Sept 18th 2014.

    Return to SOTA

Getting Started

Which type of company are you? Choose one of the options below and get a head-start.

Framework Overview

Navigate through the different parts of the Framework


Joomla! Debug Console


Profile Information

Memory Usage

Database Queries