
ProDiscover® DFT Questions & Answers

Q. What is the concept behind ProDiscover®?

A. For many years the tedious task of performing computer forensics has been accomplished by utilizing an array of DOS and Windows based utility applications held together by custom scripts. This approach can be time consuming and can jeopardize the case. ProDiscover® integrates the functions of many of these utilities into one simple to use, Windows based application. Examiners using ProDiscover® can expect up to a 35% savings on time required for the computer forensics case life-cycle. This time savings means ProDiscover® will pay for itself in 1 or 2 cases.

Q. Why is ProDiscover® based on Microsoft Windows?

A. Microsoft Windows is the most pervasive and easy to use platform available today because of its intuitive graphical user interface. One of Technology Pathways' primary objectives when developing ProDiscover® was to develop a tool which was intuitive and easy to use. The Microsoft Windows platform was the best fit for our objectives.

Q. What makes ProDiscover® different from other disk forensics tools on the market?

A. ProDiscover® was designed to meet the need for a powerful Windows based forensics tool at an affordable price. Three key criteria were taken into account when designing ProDiscover®: the NIST Disk Imaging Tool specifications, the ability to analyze Alternate Data Streams on Windows NT/2000 NTFS partitions and, most importantly, the ability to provide bit-stream imaging of disks including ATA Protected Areas.

Q. Can you tell me more about the NIST Disk Imaging Tool Specification and ProDiscover®?

A. The NIST (National Institute of Standards and Technology) Disk Imaging Tool Specification is the most recent result of the NIST Computer Forensics Tool Testing Project, whose objective is to provide a measure of assurance in the results of investigations based on automated tools used in computer forensics examinations. On October 12th 2001, Disk Imaging Specification 3.1.6 was posted for comment. Technology Pathways incorporated the requirements set forth in version 3.1.6 of the specification into the ProDiscover® software requirements specification.

Q. Why is the ability to capture ATA Protected Areas so important?

A. ATA Specifications added the “Protected Area” as a means for PC distributors to ship diagnostic utilities with PCs. Simply put, the ATA protected area is an area of the hard drive that is not reported to the system BIOS and operating system. Because the protected area is not normally seen, most disk forensics imaging tools will not image this area. We have seen an emergence of new utilities available allowing PC users to take advantage of this “Protected Area” to store user data.
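The gap described in this answer can be measured by comparing the sector count the drive reports to the system with its native maximum. The following Python is an added example, not part of ProDiscover® or of this FAQ: it parses constructed sample output in the format printed by the Linux `hdparm -N` command and checks whether an acquired image is large enough to include the protected area. The device name, sector counts and 512-byte sector size are assumptions.

```python
import re

SECTOR_SIZE = 512  # assumption: 512-byte logical sectors

# Constructed sample in the format printed by `hdparm -N <device>` on Linux.
SAMPLE_HDPARM_OUTPUT = """\
/dev/sdb:
 max sectors   = 78125000/78165360, HPA is enabled
"""

_MAX_SECTORS = re.compile(r"max sectors\s*=\s*(\d+)/(\d+)")


def parse_max_sectors(text):
    """Return (visible, native) sector counts from `hdparm -N` output."""
    m = _MAX_SECTORS.search(text)
    if m is None:
        raise ValueError("no 'max sectors' line found")
    visible, native = int(m.group(1)), int(m.group(2))
    if visible > native:
        raise ValueError("visible sector count exceeds native maximum")
    return visible, native


def assess_image(hdparm_text, image_size_bytes, sector_size=SECTOR_SIZE):
    """Size the protected area and check whether an image of this size covers it."""
    visible, native = parse_max_sectors(hdparm_text)
    hidden = native - visible
    image_sectors = image_size_bytes // sector_size
    return {
        "visible_sectors": visible,
        "native_sectors": native,
        "hidden_sectors": hidden,
        "hidden_bytes": hidden * sector_size,
        "protected_area_present": hidden > 0,
        "image_covers_native": image_sectors >= native,
        "missing_sectors": max(native - image_sectors, 0),
    }


if __name__ == "__main__":
    # An image taken through the operating system's view stops at the visible count.
    report = assess_image(SAMPLE_HDPARM_OUTPUT, 78125000 * SECTOR_SIZE)
    for key, value in report.items():
        print(f"{key}: {value}")
```

An image whose size matches only the visible sector count is flagged as not covering the native capacity, which is the condition under which data stored in the protected area would be absent from the evidence copy.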

Q. Is ProDiscover® training available?

A. Yes. There are two courses available (1 day and 3 day) through our training partner Ahead Training. Both courses were written by Technology Pathways to teach Computer Forensics using ProDiscover®, not only to teach our tool. In many cases these courses can be taught at the customer’s site. Contact Ahead Training for details.

Q. Does ProDiscover® write to the system disk?

A. No. ProDiscover® provides a complete reimplementation of the supported file systems in a way that does not write to the disk. Technology Pathways does recommend using a hardware write blocking device such as the NoWrite™ Hardware Write Blocker on all forensics analysis workstations to prohibit the operating system from writing to the disk.

Q. What Image formats does ProDiscover® support?

A. ProDiscover® supports its own compressed or uncompressed image formats as well as non-destructive direct disk analysis. Our latest software version supports Unix "dd" images of all supported disk formats. Additional image formats such as SafeBack support will be driven by customer feedback. ProDiscover® includes an image format conversion utility to convert images collected in the ProDiscover® format to "dd" formatted images, allowing users to perform analysis on a ProDiscover® created image using other popular products.

Q. My forensics workstation is not connected to the Internet. How do I activate ProDiscover®?

A. ProDiscover® is activated simply by installing a single license file which is emailed to the registered user. Licensing steps are outlined in the registration email, the readme.rtf file located in the installation directory and the Quick Start Guide.

Q. Does Technology Pathways make the ProDiscover® source code available?

A. ProDiscover® Enterprise licensing includes the full ProDiscover® source code for agencies to use internally. With ProDiscover® Enterprise licensing, organizations are free to modify and use ProDiscover® on any number of stations internally within the enterprise. Contact Technology Pathways for licensing details and pricing.

Q. What is the advantage of ProDiscover® using the XML format for its project file?

A. Beginning in version 2.0, ProDiscover® changed its project file format to XML, allowing users to easily draw information out into other applications or spreadsheets. Many report viewers and applications understand the globally accepted XML format, allowing users to automate the information extraction process.
