ProDiscover Incident Response
Technology Pathways LLC
The ability to examine a remote system while it is running is useful.
The search options are less comprehensive than those offered by other products.
Although it lacks some of the features found in other offerings, it can still do a useful job as part of a forensic kit.
This product uses a project-based approach to forensic activities that helps to ensure that evidence is gathered in an orderly, presentable fashion.
Its PDServer program, which can also be remotely installed and operated in stealth mode, can be used to monitor and capture information from remote systems using an encrypted link. It also has the ability to examine the running system for hidden files and processes, and to conduct searches for files that are known to be suspicious, such as worms and Trojans.
This remote access feature makes it simple for the network administrator to investigate systems that may have been misused or that contain information of a sensitive or criminal nature. A more thorough investigation can then be carried out using ProDiscover's disk imaging techniques to preserve evidence.
Disk images can be captured across the network for further analysis, although it would be necessary to remove the physical disk to secure it as evidence and then copy it to another drive for analysis. ProDiscover provides a disk-wiping tool, ensuring the drive to which a disk is imaged does not have old data on it that might contaminate the evidence copied to it.
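To illustrate the imaging workflow described above (check that the destination carries no stale data, wipe it, image across, then verify the copy by hash), here is an added Python example. It is not ProDiscover's code: ordinary files stand in for the source disk and the destination drive, the sample contents are constructed, and the helper names are my own.

```python
"""Wipe-check, image and verify a source "disk" (an ordinary file standing in for a
block device). Added example, not ProDiscover's code; helper names are assumptions."""
import hashlib
import os
import tempfile

CHUNK = 1 << 20  # read/write in 1 MiB blocks so a large device never sits in memory at once


def sha256_of(path, length=None):
    """SHA-256 of the first `length` bytes of path (the whole file when length is None)."""
    h = hashlib.sha256()
    remaining = length
    with open(path, "rb") as fh:
        while remaining is None or remaining > 0:
            want = CHUNK if remaining is None else min(CHUNK, remaining)
            block = fh.read(want)
            if not block:
                break
            h.update(block)
            if remaining is not None:
                remaining -= len(block)
    return h.hexdigest()


def is_wiped(path):
    """True when every byte on the target reads as zero, so nothing stale can bleed into the image."""
    with open(path, "rb") as fh:
        while True:
            block = fh.read(CHUNK)
            if not block:
                return True
            if block.count(0) != len(block):
                return False


def wipe(path):
    """Overwrite the whole target with zeros in place (its size is preserved)."""
    size = os.path.getsize(path)
    with open(path, "r+b") as fh:
        fh.seek(0)
        left = size
        while left > 0:
            n = min(CHUNK, left)
            fh.write(b"\x00" * n)
            left -= n
        fh.flush()
        os.fsync(fh.fileno())


def image(source, target):
    """Copy source onto target in place, hashing the source as it is read.
    Returns (source_hash, image_hash, verified)."""
    h = hashlib.sha256()
    written = 0
    with open(source, "rb") as src, open(target, "r+b") as dst:
        dst.seek(0)
        while True:
            block = src.read(CHUNK)
            if not block:
                break
            h.update(block)
            dst.write(block)
            written += len(block)
        dst.flush()
        os.fsync(dst.fileno())
    source_hash = h.hexdigest()
    image_hash = sha256_of(target, written)  # re-read the written region independently
    return source_hash, image_hash, source_hash == image_hash


def run_demo():
    """Constructed scenario: a small 'evidence disk' and a larger target drive holding stale data."""
    work = tempfile.mkdtemp()
    evidence = os.path.join(work, "evidence.img")
    target = os.path.join(work, "target.img")
    with open(evidence, "wb") as fh:  # constructed sample content
        fh.write(b"SUSPECT FILE CONTENT " * 1000)
    with open(target, "wb") as fh:  # constructed leftovers from an earlier case
        fh.write(b"OLD CASE DATA " * 4000)
    result = {"clean_before_wipe": is_wiped(target)}
    wipe(target)
    result["clean_after_wipe"] = is_wiped(target)
    src_hash, img_hash, ok = image(evidence, target)
    result.update(source_hash=src_hash, image_hash=img_hash, verified=ok)
    # bytes beyond the image must still be zero: nothing stale survives the wipe
    tail_len = os.path.getsize(target) - os.path.getsize(evidence)
    with open(target, "rb") as fh:
        fh.seek(os.path.getsize(evidence))
        result["tail_is_zero"] = fh.read().count(0) == tail_len
    return result


if __name__ == "__main__":
    for key, value in run_demo().items():
        print(f"{key}: {value}")
```

The hash of the image is computed by re-reading the destination rather than reusing the digest of the data written, so the verification catches a failed or partial write rather than only confirming what the program believed it wrote.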
All discovered information can be added to the project report to provide a detailed audit trail of the investigation. We retrieved data from emails and web pages, and discovered renamed files that were obscuring their true purpose.
We were also able to detect streamed files on the NTFS file system and examine their contents. Microsoft calls these "alternate data streams," and ProDiscover displays their names in the file lists.
We were not able to read the contents of the encrypted archive, and neither keyword searches nor signature verification could determine the contents. This was a common problem with these tools, and the only viable solution is to obtain the password, either through a password cracker program or by other investigations.
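The two findings above, renamed files exposed by their signatures and an encrypted archive that neither keyword search nor signature checks can see into, can both be shown with the same triage logic. The Python below is an added example, not ProDiscover's code: the magic-byte table covers a few well-known formats, the sample files are constructed (a pseudo-random payload stands in for encrypted archive contents), and the function names are my own.

```python
"""Classify files by content rather than name, and show where that stops helping.
Added example, not ProDiscover's code; sample files and helper names are constructed."""
import math
import os
import random
import tempfile

# Well-known leading magic bytes: (magic, offset, type label)
SIGNATURES = [
    (b"MZ", 0, "pe-executable"),
    (b"%PDF-", 0, "pdf"),
    (b"PK\x03\x04", 0, "zip-container"),
    (b"\x89PNG\r\n\x1a\n", 0, "png"),
    (b"\xff\xd8\xff", 0, "jpeg"),
]

# Extensions under which each detected type is expected to appear
EXPECTED_EXT = {
    "pe-executable": {".exe", ".dll"},
    "pdf": {".pdf"},
    "zip-container": {".zip", ".docx", ".jar"},
    "png": {".png"},
    "jpeg": {".jpg", ".jpeg"},
}


def identify(data):
    """Return the type label whose magic bytes match, or 'unknown'."""
    for magic, offset, label in SIGNATURES:
        if data[offset:offset + len(magic)] == magic:
            return label
    return "unknown"


def shannon_entropy(data):
    """Bits per byte; compressed or encrypted data sits close to 8.0."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def keyword_hits(data, keywords):
    """Case-insensitive raw-byte search; returns the keywords that occur."""
    low = data.lower()
    return sorted(k for k in keywords if k.lower().encode() in low)


def triage(path, keywords):
    """Content-based type, extension mismatch flag, keyword hits and entropy for one file."""
    with open(path, "rb") as fh:
        data = fh.read()
    kind = identify(data)
    ext = os.path.splitext(path)[1].lower()
    renamed = kind != "unknown" and ext not in EXPECTED_EXT[kind]
    return {
        "type": kind,
        "ext": ext,
        "renamed": renamed,
        "hits": keyword_hits(data, keywords),
        "entropy": round(shannon_entropy(data), 2),
    }


def run_demo():
    """Three constructed files: a PE disguised as a PDF, a plain text note, and an
    archive whose payload is pseudo-random bytes standing in for encrypted content."""
    work = tempfile.mkdtemp()
    samples = {
        # DOS stub text after the MZ header, as real PE files carry it
        "invoice.pdf": b"MZ" + b"\x00" * 62 + b"This program cannot be run in DOS mode\r\n",
        "notes.txt": b"Reminder: the shared password is in the usual place.\n",
    }
    rng = random.Random(7)  # seeded so the constructed payload is reproducible
    payload = bytes(rng.getrandbits(8) for _ in range(4096))
    samples["backup.zip"] = b"PK\x03\x04" + payload
    results = {}
    for name, content in samples.items():
        path = os.path.join(work, name)
        with open(path, "wb") as fh:
            fh.write(content)
        results[name] = triage(path, ["password", "program"])
    return results


if __name__ == "__main__":
    for name, info in run_demo().items():
        print(name, info)
```

The archive's header still identifies the container, which is why the signature check says "zip-container" and not "unknown", but the keyword search returns nothing and the entropy reading near 8 bits per byte is the only hint of what is inside. A high-entropy file with no recognisable structure is worth noting in the case report as exactly that, rather than being dismissed as empty of evidence.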
The program presented its information in a clear and simple interface that was easy to navigate.