October 01, 2003
- Ease of Use:
- Value for Money:
- Overall Rating:
Good basic tool set for a low-entry price.
Remote acquisition may be insecure, very Windows-centric.
Not a bad entry-level tool for modest Windows environments wanting basic forensics and incident response capabilities.
ProDiscover is a basic disk image analysis tool, which can acquire and analyze Windows disk partitions. Although light on features, those included are usually only found in more expensive offerings.
Most notable is a remote client that allows online systems to be imaged while they are running, taking 'smears' of a live file system: the captured image remains forensically intact even though the underlying file system is changing while it is read. This is not unique - Guidance offers a superior version of its EnCase product with remote imaging, although it costs more. For the price, ProDiscover is an impressive achievement.
Although it reads directly off the disk, including from protected areas, ProDiscover can only mount and analyze Windows file systems (FAT and NTFS). Support for Unix, Mac and CD-ROM file systems is an essential component missing from this product.
Cases are set up easily, and disk images (local or remote) are added using the Bates numbering scheme. Image files can be compressed too, which is helpful when large file systems are being examined. Images that contain Windows file systems are mounted and the file system made available for examination. Unallocated clusters and deleted files are readily available.
Only basic text searching is offered - there are no regular expressions and search parameters cannot be saved. This will make running identical queries against a large number of systems a tedious process. Results are noted in an ongoing report, making it easy to track the progress of investigations.
The product makes it easy to create hash sets of files, and the software recognises some 90-odd file types out of the box - a small number compared to the open source tools on trial. It also integrates neatly with the HashKeeper database of known files, making it easy to eliminate known files from the investigation, or to identify files that have changed.
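The hash-set workflow described above, as an added illustration that is not ProDiscover's own code: a hash set is built over a mounted image, then compared against a known-files list (the role HashKeeper plays) to eliminate unchanged files and flag changed or unknown ones. The known-files entries and evidence digests below are constructed sample data, not values from any real database.

```python
import hashlib
from pathlib import Path


def hash_bytes(data: bytes, algo: str = "sha1") -> str:
    """Digest of an in-memory blob; used here to build the constructed samples."""
    return hashlib.new(algo, data).hexdigest()


def build_hash_set(root: Path, algo: str = "sha1") -> dict[str, str]:
    """Walk a mounted image or directory and map each file's relative path to its digest."""
    hashes = {}
    for p in sorted(root.rglob("*")):
        if p.is_file():
            h = hashlib.new(algo)
            with p.open("rb") as fh:
                for chunk in iter(lambda: fh.read(1 << 20), b""):
                    h.update(chunk)
            hashes[p.relative_to(root).as_posix()] = h.hexdigest()
    return hashes


def triage(evidence: dict[str, str], known: dict[str, str]) -> dict[str, list[str]]:
    """Split evidence paths into three buckets:
    eliminate - digest matches a known file (content-based, so a renamed copy still matches)
    changed   - path exists in the known set but the digest differs
    unknown   - neither the path nor the digest is in the known set"""
    known_digests = set(known.values())
    result = {"eliminate": [], "changed": [], "unknown": []}
    for path, digest in sorted(evidence.items()):
        if digest in known_digests:
            result["eliminate"].append(path)
        elif path in known:
            result["changed"].append(path)
        else:
            result["unknown"].append(path)
    return result


# Constructed sample data: a small known-files set and the hash set of an evidence image.
KNOWN_GOOD = {
    "Windows/notepad.exe": hash_bytes(b"notepad-v1"),
    "Windows/calc.exe": hash_bytes(b"calc-v1"),
}
EVIDENCE = {
    "Windows/notepad.exe": hash_bytes(b"notepad-v1"),      # unchanged -> eliminate
    "Windows/calc.exe": hash_bytes(b"calc-v1-patched"),    # same path, new content -> changed
    "Temp/dropper.exe": hash_bytes(b"not in known set"),   # no known entry -> unknown
}

if __name__ == "__main__":
    for bucket, paths in triage(EVIDENCE, KNOWN_GOOD).items():
        print(f"{bucket}: {paths}")
```

Point `build_hash_set` at a mounted image to produce the `EVIDENCE` mapping for a real case; the triage logic is unchanged.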
Of some concern is the agent, which allows remote systems to be imaged. It can be configured to require a password and use Twofish encryption, but the local binary is wide open to exploitation, making it a pre-installed Trojan for a knowledgeable hacker.
With its limitations, we would not recommend ProDiscover as a front-line forensics tool. But for companies needing a simple forensics tool on a budget, this is a good option.