Practitioners working in the fields of forensics, eDiscovery and IT security are faced with several issues when dealing with multiple endpoint processing. If the typical eDiscovery/forensics approach is adopted then this has a significant negative impact on network infrastructure, due to the collection of massive amounts of (mostly useless) index data to a central point. Notwithstanding the unreliability of indexing, this is also a very slow process and requires network administrators to allow ‘agents’ to be installed on the targeted endpoints. A further problem with this approach is that the tools interact directly with the host operating systems and therefore may be denied access to certain files being used by the system or other applications.
Hybrid Forensics is an approach designed to address these problems. It combines the ability to process multiple endpoints as a single task together with the ability to target system and application artefacts, without interference by the operating system, e.g. registry information, locked files (such as email containers) and unknown executable files.
A key aspect of the Hybrid Forensics approach is to run a collection tool with the capability to undertake literal string searches at a disk level (rather than an operating system level), with the code running entirely in memory on each custodian, i.e. it is not installed…Click here to read full article.
