The high cost of computer forensics software, your tax dollars NOT at work

Finding quality tools is tough, particularly if you’re an independent practitioner or a small company. One tool at $1,000 to $2,500 is affordable, but we need an entire toolbox full of tools and they’re all trending towards $1,000 and 20% per year maintenance. Pretty soon you’re out $20,000 up front and then $4,000 per year to stay current. OSS and free tools are awfully welcome.

Thankfully, if you’re a US citizen, your tax dollars paid for the development of an OS X forensics tool called MEGA. (paper) Quoting from the paper: “This project was supported by Award No. 2007-DN-BX-K020 awarded by the National Institute of Justice….” Very cool, right? Alas, MEGA morphed into Mac Marshal and went commercial. (And when did this happen? The MEGA paper includes screenshots of the tool with the label “Mac Marshal” rather than “MEGA”.)

So go to the Mac Marshal web site where you find:

“Because of a special arrangement with the U.S. National Institute of Justice, Mac Marshal is available free of charge to U.S. Law Enforcement personnel. If you qualify, please use the instructions below.

Mac Marshal is available for purchase by the private sector, and law enforcement agencies outside of the United States, from Cyber Security Technologies.”

So, if you’re in law enforcement, you can get a copy of it for free. If you’re not LE, you get to pay $995 to Cyber Security Technologies for it. (order form)

Wait, didn’t I already pay for at least some of this tool through my tax dollars? I can see a private developer deciding to give their product away for free to LE, and corporations discounting the product to the government on GSA schedules. But in this case, the tool was developed using US tax dollars, and the price to the public isn’t just recovering costs, it is making a substantial profit.

It gets more interesting….

I got onto this because I was working on vfcrack (Google Code link, OpenCiphers link), a tool to brute force the encryption on DMGs. It’s a bit out of date, and I thought I’d bring it up to speed. Turns out that this has already been done – as part of Mac Marshal.

“Mac Marshal also include a modified version of vfcrack [11], which enables fast dictionary-based brute-force password cracking of FileVault sparseimage and sparsebundle images, as well as other encrypted Apple disk image formats (the original distribution of vfcrack does not support sparseimage and sparsebundle images).” (citation)

So there is open source code in Mac Marshal that may have been updated at the taxpayer’s expense but not returned to the public domain. The vfcrack license doesn’t explicitly prohibit this, but the refusal of Mac Marshal’s developer to put the updated code back in the public domain certainly seems to be in bad form.

A couple of suggestions if you accept tax dollars to support the development of your tools:

  1. Price the resulting product so that the independent practitioner can afford to buy it without having to really think about it too much. A range of $200 – $300 I can see, but $995 is getting greedy. $200 covers distribution costs, the web site, answering questions, and the like.
  2. If you use open source code in your tool and update it, put the updated code back in the public domain for the rest of us to use. It costs you nothing to do so, it earns you good will, and we (the taxpayers) paid for some of that development.
  3. Remember that we are all working for the public, not just law enforcement. These tools are obviously used in civil matters, civil matters involving the same taxpayers.

And suggestions to tool vendors in general:

  1. Price your tools so they are affordable. We (small companies) aren’t going to drop $1,000 on a tool without thinking about it, much less $2,500 or $5,000. My gut (biased, I’ll admit) says that if some vendors dropped their prices significantly, they’d get a boost in sales that covers the decreased per-unit profit, and they’d get their product into more peoples’ hands, which would lead to more sales. (Or am I being idealistic?)
  2. Don’t discount the influence of someone who appears “small”. Many of us have clients in larger firms, and all of us talk (a lot) amongst ourselves. Check the CCE and HTCIA lists, look at Forensic Focus, go to the forensics conferences and talk to the smaller companies.
  3. Invest in the long term. The small customers you win over now, and who you help do better work so they can be more profitable in the future, will be your beta testers, promoters, and recurring customers in the future.

None of what I describe here is against the letter, or even the spirit, of the law. It probably even falls under “good business practices”. But charging a premium for a tool that was funded in part by US tax dollars, and taking public domain code without returning the changes to the public, seem contrary to the spirit of the digital forensics community.

  1. April 9, 2010 at 4:38 pm

    We work in a highly charged ethical environment. Should we really choose to purchase tools and participate with companies that trod unsparingly over ethical issues, especially those regarding the public trust? Yes, I’m an idealist, too. But idealism matters and we should hold the vendors and suppliers of products we need and use to higher standards of ethics and behavior.

    Just because they manage to get the wink and nod from law enforcement when they provide the tools to them for free, doesn’t mean they aren’t either breaking the law themselves or skirting serious ethical issues in the process.

  2. Mike
    April 15, 2010 at 4:18 pm

    What’s wrong with products like Helix?

  3. john
    April 15, 2010 at 7:15 pm

    You couldn’t be more wrong.
    When contracting for the development or purchase of computer forensic tools, the price the government pays, in many cases, includes a specific number of licenses, in other cases the licensing agreement allows for the tools to be shared within or among different government entities… it’s a matter of how the product is licensed. Additionally, some companies have a social conscience and CHOOSE to provide their product at a discount to those who work in the public domain. Most, like your employer, Guidance Software, do not. [Ed note: This post was written before I joined GSI. Employer aside, there are a number of independent practitioners and smaller firms that find it very difficult to afford the tools, training, and maintenance costs required to stay current, particularly given the wide range of tools necessary to fully investigate some cases.] In some cases, the law requires that capabilities developed for one part of the government be made available to other parts at no additional cost.
    By your reasoning, you, as a taxpayer, should also get a discount on any other tool developed or improved at government expense. Should Colt (AR-15), or General Motors (Hummer) be expected to provide reduced pricing for tax payers because they developed their products with public monies?
    The value of your tax contribution is returned to you in the security you enjoy and the services rendered to you by the government agencies that purchase these tools with your tax dollars (and deploy them for your benefit.)
    If you, a tax payer, were employed as a stone mason, would you expect a discount on stone from the local quarry because it was originally opened to provide materials to the government for the construction of the interstate highway system? because the associated startup costs were subsidized by your tax dollars?

    Mr. Pace, your scurrilous suggestion that there is some sort of “wink and nod” arrangement between law enforcement and the few software companies that provide these tools is insulting, unfounded and libelous.

  4. May 4, 2010 at 11:35 pm

    As one of the original authors of VileFault, I’d love to see some patches to make vfcrack work with the newest FileVault disk image formats.

    If you’d like to submit a patch or to start an email thread to the authors of the above mentioned software, I’d be happy to help however I am able…
