Initially, digital forensics in the enterprise context mainly applied to resolving human resources issues, assessing policy violations, and investigating malicious insiders. However, in recent years, the tools and techniques of digital forensics have been applied to a wider range of use cases and incident types.
This report, our third in an annual series, draws upon a comprehensive survey of corporate digital forensics & incident response (DFIR) professionals in North America (NA) and Europe, the Middle East, and Africa (EMEA). It aims to provide intelligence with analysis, interpretation, and insights, rather than just data, tailored to the needs of enterprise decision makers, particularly those involved with IT, cybersecurity, and governance.
Taking a broad perspective on the nearly 500 survey responses reveals three key findings:
Digital forensics is increasingly about incident response
Automation is needed
DFIR leaders have a real opportunity now to shape the future of their labs
First, digital forensics in the corporate world is increasingly about incident response (IR), within the broader context of enterprise cybersecurity programs. 60% of survey respondents are part of the Security Operations (SecOps) organization, where their expertise is applied to investigate ransomware attacks, data exfiltration / IP theft, and business email compromise (BEC) scams.
Unfortunately, investigating such incidents is becoming more challenging: 42% of survey respondents report that evolving cyberattack techniques are either a large or extreme problem for their investigations, as adversaries continue to invest in more tactics, techniques, and procedures (TTPs). One very real consequence is that it’s taking too long to identify the root cause of attacks. This can lead to costlier and more drawn-out consequences for organizations while also making it more difficult to learn from these attacks and prepare for future incidents.
Second, in addition to investing in modern tooling that can help DFIR practitioners investigate incidents more deeply, enterprises need to embrace automation in the specific context of digital forensics.
54% of respondents are feeling burnt out, and nearly two-thirds report that recruiting, hiring, and onboarding qualified professionals is a major challenge. A leading contributor to burnout is a lack of automation. While security automation (e.g., SOAR) is in place in many organizations, this is distinct from forensic automation, which executes a data transformation pipeline (e.g., collecting and processing evidence) by orchestrating, automating, performing, and monitoring forensic workflows. Without solutions like these, DFIR practitioners are often forced to switch between different tools and manually execute time-consuming and repetitive tasks—wasting valuable expertise and unnecessarily drawing out investigation timelines.
Third, DFIR leadership has never been more valuable. 37% of practitioners point to a lack of a cohesive IR strategy and 36% cite a lack of standardized processes as major contributors to waste. Respondents also indicate that they are struggling to interpret and adapt to the array of ever-changing regulatory requirements impacting their roles. It falls upon leaders to secure budget for the right mix of in-house capability and access to specialized third parties (e.g., forensic service providers, or FSPs), to ensure DFIR practitioners are equipped with actionable legal opinions, and to set a clear strategy.