Join us for the FREE Cyber Defense Forum | Live Online on October 9


Subscribe to SANS Newsletters

Join the SANS Community to receive the latest curated cyber security news, vulnerabilities and mitigations, training opportunities, and our webcast schedule.

Announcing the SANS 2013 Digital Forensics and Incident Response Survey Results!

New technologies are challenging professionals in the areas of digital forensics and incident response, and policies and tools must catch up.

  • Bethesda, MD
  • July 8, 2013

SANS announces the results of its first-ever survey on digital forensics and incident response, sponsored by Bit9, Cellebrite, FireEye and Guidance Software. The survey results will be previewed at the SANS Digital Forensics and Incident Response Summit in Austin, TX, June 9 and the full results will be released during a SANS Analyst Webcast on July 18 at 1 PM EDT.

In the survey, 54% of respondents indicated their digital forensic capabilities are reasonably effective. Although the majority of their investigations still take place on company-issued computers and laptops and internal networks and systems, participants also conduct forensic investigations on virtual and cloud-based systems and other unconventional endpoints. When it comes to investigating these new media types, participants are nearly equally divided among several challenges inherent to such investigations--including a lack of specialized tools, standards and training, and visibility into potential incidents.

"The landscape of digital forensics has changed dramatically over the last several years while in many cases our tools and techniques have lagged behind. This survey illustrates the technical and policy challenges faced with mobile and BYOD investigations, while highlighting the need for additional response and investigative capabilities. It also shows that overwhelmingly, respondents do not have SLAs with cloud providers that cover forensic investigations. The results of this survey should help organizations understand how they compare to others in industry and is a useful planning tool for those looking to increase their capabilities," says Jacob Williams, a forensics consultant and SANS co-instructor who is co-authoring the survey report.

The respondents for this survey were numerous and diverse, with more than half representing organizations of 2,000 employees or more. Smaller operations were also well represented; organizations with fewer than 500 employees comprised almost one-third of all responses. Respondents also came from a range of industries; the largest group (almost one-quarter of survey respondents) was government professionals. Education, financial, consultants in forensics and incident response, and technology were the next most represented industries, with approximately 10% of responses each.

"Digital investigations are rapidly assuming a larger role in our system of justice and in our greater society. This survey informs us that digital investigations are changing as technology changes. The experts and the authorities who conduct and rely upon digital investigations are scrambling to catch up. They need better tools, new practices, updated education and more savvy professional guidance," says Ben Wright, a SANS senior instructor and attorney who is also co-author of the survey report. "This survey demonstrates that investigators need to review policies and practices with knowledgeable legal counsel, to ensure that evidence is managed effectively and that investigations are not derailed by surprises such as privacy law."

New technologies bring complications as well as convenience, as Paul Henry, a SANS senior instructor who is also co-author of the report explained: "Although the community has long recognized the benefit of performing a physical analysis of a mobile device in recovering deleted data, device vendors are not making such analysis any easier by implementing mandatory encryption of storage media. In just one example, this caused a delay of several weeks while law enforcement waited for Apple to unlock and decrypt an iPhone; sometimes such requests take months. Meanwhile, forensics in the cloud requires an updated skill set--in many respects it can be more technically difficult, as traditional forensic procedures can potentially destroy the evidence you are trying to collect."

Those who register for the July 18 webcast where we release our results will be given access to the full report developed by Jacob Williams, Paul Henry and Ben Wright.

During the webcast, attendees will learn:

  • Who uses digital forensics
  • How and why investigations take place
  • The challenges of investigations at the cutting edge of technology

SANS Media Contact

About SANS Institute

The SANS Institute was established in 1989 as a cooperative research and education organization. Today, SANS is the most trusted and, by far, the largest provider of cyber security training and certification to professionals in government and commercial institutions worldwide. Renowned SANS instructors teach more than 60 courses at In-Person and Live Online cyber security training events, and more than 50 courses are available anytime, anywhere with our OnDemand platform. GIAC, an affiliate of the SANS Institute, validates practitioner skills through more than 35 hands-on, technical certifications in cyber security. The SANS Technology Institute, a regionally accredited independent subsidiary, offers a master’s degree, graduate certificates, and an undergraduate certificate in cyber security. SANS Security Awareness, a division of SANS, provides organizations with a complete and comprehensive security awareness solution, enabling them to easily and effectively manage their ‘human’ cybersecurity risk. SANS also delivers a wide variety of free resources to the InfoSec community including consensus projects, research reports, webcasts, podcasts, and newsletters; it also operates the Internet's early warning system – the Internet Storm Center. At the heart of SANS are the many security practitioners, representing varied global organizations from corporations to universities, working together to support and educate the global information security community. (