Pricey for what you get, but a good tool for rapid incident response. Against:Ĭould use more analysis tools, and any sort of documentation.
PRODISCOVER BASIC FREE
Quick and easy to use, with good incident response features. ProDiscover Free ProDiscover is a powerful computer security tool that enables computer professionals to find all the data on a computer disk while protecting evidence and creating evidentiary quality reports for use in legal proceedings.
PRODISCOVER BASIC SOFTWARE
It is quick and responsive, and while not as comprehensive as some suites, it knows its job and gets down to business with a minimum of fuss.Īnd with a tight focus comes other benefits – it shouldn't take long to get a user competent with the software and contributing to forensic cases. Overall, we think ProDiscover IR is a good package. Fortunately, there is quite good help at the vendor's website, but we expect better from a product in this space, even if its core features are intuitive to anyone with basic forensic experience. We received no documentation, and the online help didn't work. A scripting language, complete with a perl API, is a particularly nice touch. Remote systems are easily connected and investigated, with Twofish encryption used to keep the link secure.
We liked the elegant simplicity of the software, especially when creating and comparing systems against baseline images. Images are kept in a proprietary format, or in the Unix dd format, and images can also be converted between the types. Similarly, the registry can be collected and analyzed. RAM can also be captured and imaged the same way, and while none of the file analysis works (obviously, there are no files), direct examination of the data in memory can be a very useful feature. Many file systems are supported, including various Unix/Linux types, RAID systems and protected HPA disk areas.
The ability to use the Hashkeeper database (and other hash lists) to identify known files means it is quick and easy to identify modified system files and trace the presence of malware. ProDiscover might not have the same depth of file and disk forensics features as EnCase in terms of sheer analytical bells and whistles, but it completes all its functions quickly and thoroughly, keeping track of every significant step in a constantly-updated case report, with every piece of data hashed and tagged, and plenty of basic searching tools. This product is the big brother of its family, including all the forensic capabilities of other versions with the additional ability to conduct investigations over the network and compare live systems to known-good baselines to establish whether a machine has been compromised or tampered with.