Geography and participants
People from 74 countries took part in the survey
The geography of our survey was very diverse. This diversity not only reflected the global reach of our research but also underscored the widespread relevance of the Digital Forensics and Incident Response (DFIR) field.
Our survey participants work in law enforcement and government organizations as well as other industries, such as corporate security, private DFIR laboratories, and education.
Workload and challenges
Workload: actual vs desirable
We expected to see a considerable gap between the actual and desirable workload. Surprisingly, the results revealed that many figures were remarkably close, indicating that overall, most examiners are comfortable with the number of tasks on their plates.
The most frequently highlighted challenges included tasks like bypassing passcodes, decryption, coping with limited hardware and software resources, and managing tight timeframes.
In addition to these, respondents also highlighted lesser-known yet equally significant challenges, such as cross-checking cases for similarities, adhering to strict ISO and legal compliance, and dealing with skill shortages.
An expert from the United Kingdom articulated a common concern among law enforcement workers quite effectively:
"Not enough software and hardware resources for the number of analysts that need to use them at any one time. For example, we have twice as many mobile phone analysts as we do licenses, leading to an inevitable bottleneck and frustration.
The need to release licenses to another analyst means that processing can be rushed and that the time to really, really deep-dive into an exhibit just isn't available. At some point, something pivotal will be missed and that will cause major issues in court, with reputational risks following."
While some tasks beyond one's capabilities recur from time to time, one interesting case that we saw for the first time is worth mentioning:
"I've been asked to deal with game machines. Also, I had to reverse engineer a device whose main task was to work with a thermal camera."
Have you ever been challenged with tasks beyond the capabilities of your DFIR stack? Could you share what they were?
"Yes. Surprisingly often! We commonly see new devices well in advance of any vendor support for them, and quite often, we just have to do the best that we can using the techniques and experience available to us. The adoption of ISO will make this non-standard way of working largely redundant, I suspect, leaving us in a situation where if a device isn't supported by an approved tool, then we'll have to just leave it until it's officially supported, which is utterly ridiculous."
"Things get complicated when multiple devices are involved. Most tools are seen happiest dealing with one device at a time. Building that cross-device narrative always feels like you're doing a lot manually, otherwise, things get confusing or missed," shares another expert from the United Kingdom.
How do you stay up-to-date with the latest industry trends and technological advancements?
In this part of the survey, our objective was to find out how DFIR specialists gain the necessary skills to stay current with rapidly evolving technology. The findings demonstrate that free training and articles stand out as the most preferred options, which unequivocally validates Belkasoft’s commitment to creating quality courses and content.
There are numerous DFIR blogs and websites that respondents follow. In fact, the number of unique resources exceeds a hundred. We have listed the majority of them at the end of the report.
We were especially glad and proud to read notes like these:
"One of my favorites is Belkasoft's Newsletter. Other than that, I am also following DFIR.blog, Medium.com, and Hackernews.com for more content related to forensics and others. SANS publication is also a good resource to update yourself for forensics," wrote a security engineer from India.
"I follow Yuri. However, I also utilize SWGDE for best practices and some other cybersecurity authors," wrote an expert from the USA.
How often do you take training?
Despite demanding workloads and busy schedules, a substantial number of survey participants manage to carve out time for enhancing their DFIR expertise. They do so by regularly enrolling in various training courses.
Sharing / Mingling
Moving forward, we explored the main "watering holes" where DFIR specialists come for knowledge sharing, learning, and social interaction. At the forefront, we found LinkedIn taking the lead. However, the fact that YouTube secured a strong second position sends a clear message—don’t miss this source of knowledge! Your industry peers find this platform very useful.
Digital forensics tools
How satisfied are you with your current toolkit?
In the dynamic world of DFIR, perfection is elusive, and no toolkit reigns supreme in every aspect. Yet, the data paints an interesting picture—nearly half of our respondents lean towards contentment rather than dissatisfaction, and a select few are happy with their toolkits. Meanwhile, a quarter of peers describe their experience as neutral.
What specific features or benefits attract you to new DFIR products or services?
What sets DFIR products apart? According to participant responses, it is not necessarily unique features but rather product quality, pricing, and versatility that matter most in today's DFIR landscape.
Belkasoft, in line with these priorities, focuses on three key aspects:
Ensuring High-Quality Products: We understand the critical importance of the findings derived from DFIR tools, and we are committed to delivering high-quality products.
Affordable and Transparent Pricing: Having worked with both government-funded and business organizations, we know the budget constraints you face. Hence, we always aim to provide cost-effective and transparent pricing for Belkasoft products. You can compare Belkasoft X pricing with your current toolkit by requesting a quote HERE.
Versatile Capabilities: Our flagship product, Belkasoft X, supports a wide range of devices and operating systems, empowering users to perform various tasks such as acquisition, triaging, analysis, and more.
Belkasoft user experience
We didn't miss the chance to gather insights on our peers' experiences with Belkasoft X, and here are the answers we received:
Belkasoft has already started a new short survey titled "DFIR Lab Security Requirements."
Do you conduct your investigations in a strictly offline environment?
Currently, you can view the intermediate results on the left side of the pie chart, but we are still in the process of conducting this research. We encourage you to participate and influence the development of the Belkasoft X product. This mini-survey will take only 3 minutes. Participate HERE.