1.1. Quickly verify if your system has been compromised without taking the system down.
1.2. Analyze remote systems over the network, eliminating the need to hire expensive staff or travel to remote locations.
1.3. Utilizes a remote agent to access the suspect system's disk at the sector level, revealing all files even if the suspect system has been compromised by a Trojan or rootkit.
1.4. Create a bit-stream image of the target system disk and physical memory to preserve evidence and restore the system quickly.
1.5. Image shadow copy of remote system disk.
1.6. Remote image copy may be sent out a local system port or to a network storage location to improve image capture performance.
1.7. Search entire disk, including unallocated space, slack space, Windows NT/2000/XP Alternate Data Streams, and even HPA section (patent pending), for complete system integrity.
1.8. Powerful search capability using key words or regular expressions.
1.9. Create index of image to allow for nearly instantaneous searches.
1.10. Automatically create and record MD5, SHA1, or SHA256 hashes of evidence files to prove data authenticity and integrity.
1.11. Capture volatile state information, such as open ports with connected IP addresses, route tables, ARP cache, and logged-on users, to investigate an incident.
1.12. Capture image of BIOS/CMOS memory to find compromises.
1.13. Integrated thumbnail graphics, internet history, event log file, and registry viewers to facilitate investigation process.
1.14. Integrated viewer to examine .pst/.ost and .dbx e-mail files.
1.15. Find files and processes that are being cloaked by rootkits.
1.16. Create system baseline for comparison to uncover altered files.
1.17. Utilize Perl scripts to automate investigation tasks.
1.18. Utilize user-provided or National Drug Intelligence Center Hashkeeper hash sets to verify integrity of all system files.
1.19. Examine FAT12, FAT16, FAT32 and all NTFS file systems, including Dynamic Disk and Software RAID, for maximum flexibility.
1.20. Examine Sun Solaris UFS file system and Linux ext2 / ext3 file systems.
1.21. Maintains multi-tool compatibility by reading and writing images in the pervasive UNIX® dd format and reading images in E01 format.
1.22. Support for VMware to run a captured image.
1.23. Remote agent may be preinstalled or pushed out, installed, and run remotely in normal or Stealth mode (with System Administrator privileges) to avoid detection.
1.24. Linux boot disk provided to image systems without removing hard disk drive.
1.25. User-selectable 256-bit AES or Twofish encryption protects data transfers and remote system access.
1.26. Automated report generation in XML format saves time, improves accuracy and compatibility.
2. Summary
2.1. ProDiscover Incident Response enables you to quickly and thoroughly examine a live system operating anywhere on your network. When used as part of an incident response procedure or as part of a routine system audit, ProDiscover Incident Response enables you to determine if that system has been compromised and allows you to gather the evidence needed to prove it.
2.2. If you suspect that your system has been compromised or if you perform regular system audits, you need to thoroughly examine systems without taking them down. ProDiscover Incident Response will enable you to quickly, and with certainty, determine the integrity of your system while it is still on-line, performing its normal operations. ProDiscover Incident Response utilizes an agent that runs on the suspect system to read the disk and RAM at the bit level. This enables ProDiscover Incident Response to work around the suspect system’s OS and examine all files, even if they are hidden by a Trojan or rootkit. It also prevents any valuable metadata, such as last time accessed, from being altered. ProDiscover Incident Response can search the system for over 1000 known Trojans or rootkits. And, to ensure the integrity of the OS, ProDiscover Incident Response can examine all files and compare their hash signatures to the signatures of known good files from a user-provided baseline or from the National Drug Intelligence Center Hashkeeper database. ProDiscover Incident Response allows system administrators to be sure that they uncover any compromised files in the least intrusive manner. If the system has been compromised, ProDiscover Incident Response allows the system administrator to make a bit-stream image of the disk and memory and capture the system's volatile state information for later analysis, so that the system may be restored to proper working order and brought back on-line quickly. The off-line analysis of the data is easy and allows evidentiary quality data to be provided to law enforcement agencies.
3. GUI interface
3.1. Remote Preview
3.2. Mount any/all Volume Shadow Copies
3.3. Remote Search
3.4. Create Remote Index
3.5. Remote Imaging
3.6. Remote RAM Memory Imaging
3.7. Collect Volatile State Information
3.8. Identify Running Processes
3.9. Find "Unseen" Files
3.10. Find "Unseen" Processes
3.11. Remote Agent Authentication; No Additional Servers Required
3.12. Session Encryption
3.13. Performance Tuned Protocol
3.14. Flexible Port Configuration
3.15. Stealth Mode Support
3.16. Scheduled image to SAN/NAS
3.17. Live Volume Shadow Copy Imaging
3.18. Stand Alone Remote Agent for Imaging
3.19. Designed to NIST 3.1.6
3.20. Create Custom CSV Index (load files)
3.21. Custom Evidence Export to ODBC
3.22. Differential Analysis of Win VSC
3.23. EXIF Metadata Extraction
3.24. Native Boolean Search
3.25. NIST Compliant
4. ProDiscover Console System Requirements
4.1. Minimum configuration:
• Windows 2000/2003/XP/Vista
• 1.2 GHz or higher Pentium-compatible CPU
• 2 GB RAM
• 500 MB available hard-disk space
• CD-ROM or DVD-ROM drive
• VGA or higher resolution monitor
• Keyboard and mouse (or compatible pointing device)