Online Training Summer Special: Get a 12.9" iPad Pro, Surface Pro, or $350 Off with OnDemand or vLive


Subscribe to SANS Newsletters

Join the SANS Community to receive the latest curated cyber security news, vulnerabilities and mitigations, training opportunities, and our webcast schedule.

Announcing the SANS 2013 Digital Forensics and Incident Response Survey Results!

New technologies are challenging professionals in the areas of digital forensics and incident response, and policies and tools must catch up.

  • Bethesda, MD
  • July 8, 2013

SANS announces the results of its first-ever survey on digital forensics and incident response, sponsored by Bit9, Cellebrite, FireEye and Guidance Software. The survey results will be previewed at the SANS Digital Forensics and Incident Response Summit in Austin, TX, June 9 and the full results will be released during a SANS Analyst Webcast on July 18 at 1 PM EDT.

In the survey, 54% of respondents indicated their digital forensic capabilities are reasonably effective. Although the majority of their investigations still take place on company-issued computers and laptops and internal networks and systems, participants also conduct forensic investigations on virtual and cloud-based systems and other unconventional endpoints. When it comes to investigating these new media types, participants are nearly equally divided among several challenges inherent to such investigations--including a lack of specialized tools, standards and training, and visibility into potential incidents.

"The landscape of digital forensics has changed dramatically over the last several years while in many cases our tools and techniques have lagged behind. This survey illustrates the technical and policy challenges faced with mobile and BYOD investigations, while highlighting the need for additional response and investigative capabilities. It also shows that overwhelmingly, respondents do not have SLAs with cloud providers that cover forensic investigations. The results of this survey should help organizations understand how they compare to others in industry and is a useful planning tool for those looking to increase their capabilities," says Jacob Williams, a forensics consultant and SANS co-instructor who is co-authoring the survey report.

The respondents for this survey were numerous and diverse, with more than half representing organizations of 2,000 employees or more. Smaller operations were also well represented; organizations with fewer than 500 employees comprised almost one-third of all responses. Respondents also came from a range of industries; the largest group (almost one-quarter of survey respondents) was government professionals. Education, financial, consultants in forensics and incident response, and technology were the next most represented industries, with approximately 10% of responses each.

"Digital investigations are rapidly assuming a larger role in our system of justice and in our greater society. This survey informs us that digital investigations are changing as technology changes. The experts and the authorities who conduct and rely upon digital investigations are scrambling to catch up. They need better tools, new practices, updated education and more savvy professional guidance," says Ben Wright, a SANS senior instructor and attorney who is also co-author of the survey report. "This survey demonstrates that investigators need to review policies and practices with knowledgeable legal counsel, to ensure that evidence is managed effectively and that investigations are not derailed by surprises such as privacy law."

New technologies bring complications as well as convenience, as Paul Henry, a SANS senior instructor who is also co-author of the report explained: "Although the community has long recognized the benefit of performing a physical analysis of a mobile device in recovering deleted data, device vendors are not making such analysis any easier by implementing mandatory encryption of storage media. In just one example, this caused a delay of several weeks while law enforcement waited for Apple to unlock and decrypt an iPhone; sometimes such requests take months. Meanwhile, forensics in the cloud requires an updated skill set--in many respects it can be more technically difficult, as traditional forensic procedures can potentially destroy the evidence you are trying to collect."

Those who register for the July 18 webcast where we release our results will be given access to the full report developed by Jacob Williams, Paul Henry and Ben Wright.

During the webcast, attendees will learn:

  • Who uses digital forensics
  • How and why investigations take place
  • The challenges of investigations at the cutting edge of technology

SANS Media Contact

About SANS Institute

The SANS Institute was established in 1989 as a cooperative research and education organization. SANS is the most trusted and, by far, the largest provider of cyber security training and certification to professionals at governments and commercial institutions world-wide. Renowned SANS instructors teach over 60 different courses at more than 200 live cyber security training events as well as online. GIAC, an affiliate of the SANS Institute, validates a practitioner's qualifications via over 30 hands-on, technical certifications in cyber security. The SANS Technology Institute, a regionally accredited independent subsidiary, offers master's degrees in cyber security. SANS offers a myriad of free resources to the InfoSec community including consensus projects, research reports, and newsletters; it also operates the Internet's early warning system--the Internet Storm Center. At the heart of SANS are the many security practitioners, representing varied global organizations from corporations to universities, working together to help the entire information security community. (