ProDiscover Incident Response
July 21, 2005
- Ease of Use:
- Value for Money:
- Overall Rating:
Quick and easy to use, with good incident response features.
Could use more analysis tools, and any sort of documentation.
Pricey for what you get, but a good tool for rapid incident response.
This product is the big brother of its family, including all the forensic capabilities of other versions with the additional ability to conduct investigations over the network and compare live systems to known-good baselines to establish whether a machine has been compromised or tampered with.
ProDiscover might not have the same depth of file and disk forensics features as EnCase in terms of sheer analytical bells and whistles, but it completes all its functions quickly and thoroughly, keeping track of every significant step in a constantly-updated case report, with every piece of data hashed and tagged, and plenty of basic searching tools.
The ability to use the HashKeeper database (and other hash lists) to identify known files means it is quick and easy to identify modified system files and trace the presence of malware.
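The two checks the review describes, comparing a live system against a known-good baseline and looking up every file's digest in a hash list, can be shown in a few dozen lines. The following is an added example written for this page; it is not ProDiscover's own code, nor its Perl scripting API. It assumes SHA-256 as the digest, a plain dictionary of digest to label standing in for a HashKeeper-style list, and constructed file contents (nothing here is a real system file or a real malware hash).

```python
import hashlib
import os
from typing import Dict, List

CHUNK = 1 << 16  # read files in 64 KiB chunks so large images need not fit in RAM


def sha256_bytes(data: bytes) -> str:
    """SHA-256 hex digest of an in-memory blob."""
    return hashlib.sha256(data).hexdigest()


def sha256_file(path: str) -> str:
    """Streamed SHA-256 of a file on disk."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(CHUNK), b""):
            h.update(chunk)
    return h.hexdigest()


def hash_directory(root: str) -> Dict[str, str]:
    """Walk a mounted image or live root and hash every regular file (relative path -> digest).
    Symlinks are skipped so a link pointing outside the root cannot be hashed in its place."""
    digests: Dict[str, str] = {}
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            full = os.path.join(dirpath, name)
            if os.path.isfile(full) and not os.path.islink(full):
                digests[os.path.relpath(full, root)] = sha256_file(full)
    return digests


def hash_snapshot(files: Dict[str, bytes]) -> Dict[str, str]:
    """Same output shape as hash_directory, for an in-memory snapshot (used by the sample below)."""
    return {path: sha256_bytes(data) for path, data in files.items()}


def compare_to_baseline(baseline: Dict[str, str], live: Dict[str, str]) -> Dict[str, List[str]]:
    """Classify every path as modified (digest differs), added (not in baseline) or missing."""
    report: Dict[str, List[str]] = {"modified": [], "added": [], "missing": []}
    for path, digest in live.items():
        if path not in baseline:
            report["added"].append(path)
        elif baseline[path] != digest:
            report["modified"].append(path)
    report["missing"] = [p for p in baseline if p not in live]
    return {k: sorted(v) for k, v in report.items()}


def lookup_known_hashes(live: Dict[str, str], hash_list: Dict[str, str]) -> Dict[str, str]:
    """Tag live files whose digest appears in a known-file list (digest -> label)."""
    return {path: hash_list[d] for path, d in live.items() if d in hash_list}


# Constructed sample data: file contents and labels are made up for this example.
BASELINE_FILES = {
    "Windows/System32/kernel32.dll": b"constructed kernel32 contents v1",
    "Windows/System32/svchost.exe": b"constructed svchost contents v1",
    "Windows/System32/drivers/etc/hosts": b"127.0.0.1 localhost\n",
}
LIVE_FILES = {
    "Windows/System32/kernel32.dll": b"constructed kernel32 contents v1",  # unchanged
    "Windows/System32/svchost.exe": b"constructed svchost contents v1",    # unchanged
    "Windows/System32/drivers/etc/hosts": b"127.0.0.1 localhost\n10.0.0.5 update.example\n",  # tampered
    "Windows/Temp/update.exe": b"constructed suspicious binary",          # not in baseline
}
# Known-file list in the spirit of HashKeeper: digest -> label (constructed entries)
KNOWN_HASHES = {
    sha256_bytes(b"constructed kernel32 contents v1"): "known-good: kernel32.dll (baseline build)",
    sha256_bytes(b"constructed suspicious binary"): "known-bad: constructed sample",
}


def triage(baseline_files=BASELINE_FILES, live_files=LIVE_FILES, known=KNOWN_HASHES) -> dict:
    """Run both checks over a live snapshot: baseline diff plus known-hash lookup."""
    live = hash_snapshot(live_files)
    return {
        "diff": compare_to_baseline(hash_snapshot(baseline_files), live),
        "known": lookup_known_hashes(live, known),
    }


if __name__ == "__main__":
    import json
    print(json.dumps(triage(), indent=2))
```

On a real case, `hash_directory()` would be run once over a mounted clean image to produce the baseline and again over the suspect system (or its dd image mounted read-only), and the two digest maps passed to `compare_to_baseline()`; the known-hash lookup is deliberately separate, because a file can be absent from the baseline yet still hit a known-good list (a legitimate update), or present and unchanged yet hit a known-bad list (the baseline itself was already compromised).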
Many file systems are supported, including various Unix/Linux types, RAID systems and protected HPA disk areas. RAM can also be captured and imaged the same way, and while none of the file analysis works (obviously, there are no files), direct examination of the data in memory can be a very useful feature. Similarly, the registry can be collected and analyzed. Images are kept in a proprietary format, or in the Unix dd format, and images can also be converted between the types.
We liked the elegant simplicity of the software, especially when creating and comparing systems against baseline images. Remote systems are easily connected and investigated, with Twofish encryption used to keep the link secure. A scripting language, complete with a Perl API, is a particularly nice touch.
We received no documentation, and the online help didn't work. Fortunately, there is quite good help at the vendor's website, but we expect better from a product in this space, even if its core features are intuitive to anyone with basic forensic experience.
Overall, we think ProDiscover IR is a good package. It is quick and responsive, and while not as comprehensive as some suites, it knows its job and gets down to business with a minimum of fuss.
And with a tight focus come other benefits – it shouldn't take long to get a user competent with the software and contributing to forensic cases.