ProDiscover Incident Response
August 31, 2004
Vendor: Technology Pathways LLC
The ability to examine a remote system while it is running is useful.
The search options are less comprehensive than those offered by other products.
Although it lacks some of the features found in other offerings, it can still do a useful job as part of a forensic kit.
This product uses a project-based approach to forensic activities that helps to ensure that evidence is gathered in an orderly, presentable fashion.
Its PDServer program, which can also be remotely installed and operated in stealth mode, can be used to monitor and capture information from remote systems using an encrypted link. It also has the ability to examine the running system for hidden files and processes, and to conduct searches for files that are known to be suspicious, such as worms and Trojans.
This remote access feature enables the network administrator to quickly investigate systems that may have been misused or that contain information of a sensitive or criminal nature. A more thorough investigation can then be carried out using ProDiscover's disk imaging techniques to preserve evidence.
Disk images can be captured across the network for further analysis, although it would be necessary to remove the physical disk to secure it as evidence and then copy it to another drive for analysis. ProDiscover provides a disk-wiping tool, ensuring the drive to which a disk is imaged does not have old data on it that might contaminate the evidence copied to it.
All discovered information can be added to the project report to provide a detailed audit trail of the investigation. We retrieved data from emails and web pages, and discovered renamed files that were obscuring their true purpose.
We were also able to detect streamed files on the NTFS file system and examine their contents. Microsoft calls these "alternate data streams," and ProDiscover displays their names in the file lists.
We were not able to read the contents of the encrypted archive, and neither key word searches nor signature verification could determine the contents. This was a common problem with these tools, and the only viable solution is to obtain the password, either through a password cracker program or by other investigations.
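The signature verification mentioned above is simple to reproduce outside the product. The following script is an added example, not ProDiscover's code: it compares the leading bytes of each file against a small table of well-known magic values and flags files whose extension claims one type while the content says another, which is how renamed files obscuring their purpose surface during review. The `SIGNATURES` table and the `SAMPLE_FILES` dictionary are constructed for the example; the magic values themselves are the standard ones. Note the same limit the review describes: a signature check identifies an archive as a ZIP container, but says nothing about encrypted contents inside it.

```python
# Added example: flag files whose content signature (magic bytes) disagrees
# with the type their extension claims. Not part of ProDiscover.
from dataclasses import dataclass
from typing import Dict, List, Optional

# Well-known file signatures at offset 0 (standard values; table is ours).
SIGNATURES: Dict[str, List[bytes]] = {
    "png": [b"\x89PNG\r\n\x1a\n"],
    "jpg": [b"\xff\xd8\xff"],
    "gif": [b"GIF87a", b"GIF89a"],
    "pdf": [b"%PDF-"],
    "zip": [b"PK\x03\x04"],
    "exe": [b"MZ"],
}
# Extensions that legitimately share a signature with another type.
EXTENSION_ALIASES = {"jpeg": "jpg", "docx": "zip", "xlsx": "zip", "dll": "exe"}


def identify(data: bytes) -> Optional[str]:
    """Return the signature type matching the leading bytes, or None if unknown."""
    for kind, magics in SIGNATURES.items():
        if any(data.startswith(m) for m in magics):
            return kind
    return None


def claimed_type(filename: str) -> Optional[str]:
    """Return the type the extension claims, normalised through the alias table."""
    ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    ext = EXTENSION_ALIASES.get(ext, ext)
    return ext if ext in SIGNATURES else None


@dataclass
class Finding:
    name: str
    claimed: Optional[str]
    actual: Optional[str]
    mismatch: bool


def check_file(name: str, data: bytes) -> Finding:
    claimed = claimed_type(name)
    actual = identify(data)
    # Report only when both sides are known and disagree: an unknown signature
    # (plain text, proprietary formats) is not by itself evidence of renaming.
    mismatch = claimed is not None and actual is not None and claimed != actual
    return Finding(name, claimed, actual, mismatch)


def scan(files: Dict[str, bytes]) -> List[Finding]:
    """Return findings for every file whose extension and signature disagree."""
    return [f for f in (check_file(n, d) for n, d in files.items()) if f.mismatch]


# Constructed sample "disk contents" (header bytes only), not real evidence.
SAMPLE_FILES: Dict[str, bytes] = {
    "holiday.jpg": b"\xff\xd8\xff\xe0\x00\x10JFIF",
    "notes.txt": b"meeting at 10\n",
    "invoice.pdf": b"MZ\x90\x00\x03\x00\x00\x00",  # PE executable renamed to .pdf
    "photo.png": b"PK\x03\x04\x14\x00\x00\x00",     # ZIP archive renamed to .png
    "report.docx": b"PK\x03\x04\x14\x00\x06\x00",   # .docx really is a ZIP: legitimate
}

if __name__ == "__main__":
    for f in scan(SAMPLE_FILES):
        print(f"{f.name}: extension says {f.claimed}, content says {f.actual}")
```

Against the constructed sample the scan reports `invoice.pdf` and `photo.png` and leaves `report.docx` alone, because the alias table knows an Office document is a ZIP container. Extending the table with more signatures (or offsets other than zero, which some formats use) is the usual next step.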
The program presented its information in a clear and simple interface that was easy to navigate.