Electronic data discovery tools come in several forms, typically based on the type of monitoring tool their developer has been selling. Most are outgrowths of security event monitoring (SEM) tools, which sometimes go by the acronyms SIM (for security information management) and SIEM (for security information and event management). These tools are usually deployed as software and/or appliance monitors within a specific system, such as in a network to monitor for intrusions and unusual traffic patterns or in a transaction system to monitor for suspicious transactions such as unusual access to customer records (typically indicating identity theft) or a temporary change of vendor address coincident with unusual payments to that vendor (typically indicating a hijacked account being used to steal money). Most of these systems were developed for the financial services and retail industries to detect fraud in credit card, banking and sales activities. More recently vendors have begun developing tools for other regulated companies, such as health-care providers and public companies, says Amrit Williams, a Gartner security research director.

While the EDD market is fairly small—just $190 million in revenue for 2004, and growing 20 percent to 30 percent a year—large companies such as Cisco Systems, IBM and Symantec have recently joined the many small vendors in this space, hoping to capture the growing security and compliance dollars, says Williams. Those oriented to financial services (mainly for fraud detection) include Actimize, 41st Parameter, Mantas, PassMark Security, RSA Security and SearchSpace. Another set of vendors provides log and transaction analysis for a variety of servers and applications, including ArcSight, Computer Associates, e-Security, Intellitactics, NetForensics, Network Intelligence and SenSage. Other vendors are more focused on network security and monitoring, including Cisco, IBM Tivoli, NetIQ and Symantec. Most offer reporting and analysis capabilities based on historical or stored data in addition to real-time monitoring, and an increasing number provide query tools as well.

Another sort of EDD tool is Guidance Software’s EnCase, which some enterprises and law enforcement agencies use to investigate the contents of a user’s PC to track file histories and data fragments to show evidence of fraud or policy breaches, such as violating corporate policies on viewing pornography at work. BlackBag Technology offers similar investigative tools to examine drive contents without altering them.