ProDiscover® Release 18.104.22.168 is available for download!
ProDiscover 22.214.171.124 contains the following fixes and new features:
Registered ProDiscover® users can download updates by choosing the Customers Tab after logging in from the Technology Pathways home page.
- Added NTFS File ID and Sequence Number fields to work area columns.
- Added NTFS File ID and Sequence Number to EXPORT EOI Wizard for custom reports.
- Added the ability to export the MFT in CSV format via right click when any NTFS Volume is selected.
- Fixed Regex search issue.
ProDiscover 126.96.36.199 contains the following fixes and new features:
- 1. Added Native Viewer capability in the data view area for the following file types: RTF, HTML, JPG, BMP, GIF, PDF, WMF, EMF, TIFF, MS Office Docs. The new native viewer profile can be changed in user preference under “Appearance”. Please note that Adobe Acrobat or Acrobat reader and MS Office must be installed for the “Native View” feature to work.
ProDiscover 188.8.131.52 contains the following fixes and new features:
- Updated date selection control in search dialog box.
- Optimized UI for all search panels.
- Fixed issue prohibiting results in email indexed based search.
- Fixed PDF and office doc extraction issue in idexing.
- Fixed issue with sorting on EventID in Event Log Viewer.
ProDiscover® 184.108.40.206 contains the following fixes and new features:
- ProDiscover is now 64 Bit for Windows Vista, 7 and 8. With enhanced memory usage and multi-processor distribution.
- A new licensing file will be needed for users of ProDiscover IR and Forensic editions. Contact Sales or Technical support for a new license file if your software maintenance is current.
ProDiscover® 220.127.116.11 contains the following fixes and new features:
- Added the ability to verify E01 Image checksums.
- Added the ability to convert ProDiscover Eve images to VHD format.
- Hit counts for each document containing search term results are not included in the project report.
- Added the ability to mount eve and dd images to the local file system in read-only for tier 2 tool processing.
- Fixed issue causing intermittent "Failed to run Perl Interpreter" errors when running ProScript on some systems.
- Fixed cluster view refresh issues.
ProDiscover® 18.104.22.168 contains the following fixes and new features:
- Added AVI metadata viewer.
- Added the ability to conduct a secure wipe from tree-view of an added physical disk.
- Fixed an issue effecting file system display in some E01 images.
- Fixed an issue causing conversion to dd from split eve files to fail.
- Fixed an issue causing incorrect display of FAT cluster data due to over written display area in cluster view.
- Fixed issue where ProDiscover would display the previous clusters hex data in cluster view.
- Fixed an issue with rendering characters of ASCII text in hex view caused by pixels being overwritten in the display.
- Fixed an issue with logical secure wipe of floppy disks.
ProDiscover 22.214.171.124 contains the following fixes and new features:
- Fixed an issue effecting file system display in some E01 images.
ProDiscover 126.96.36.199 contains the following fixes and new features:
- Added the ability push out the Linux Remote Server via SSH.
- Fixed failed file access API’s in ProScript.
- Fixed an issue reading VSC Snapshots on systems with some maintenance partitions.
- Fixed an issue causing ProDiscover to crash during data carving.
ProDiscover 188.8.131.52 contains the following fixes and new features:
- Added the ability to mount any number of VSC Snapshots at once.
- Added an Export EOI Wizard that allows for the exporting of EOI reports for any items selected as evidence of interest.
- Added Smart Agent Package creator for Mac OS X.
- Added the ability for Mac OS X Smart Agent to authenticate to MS Shares.
- Added support for compressed E01 images.
- Added “Stop” button processing support to allow users to stop the processing of remote directories.
- Renamed Action menu’s “Export EOI” menu item to “Export EOI Index”.
ProDiscover 184.108.40.206 contains the following fixes and new features:
- Fixed an issue with remote NFTS striped sets in specific configurations.
- Fixed an issue reading data within remote VSC’s on secondary volumes.
- Added feature to provide “Search Into” capability in search results allowing users to find each occurrence of keyword hits within large documents.
- Added DestList Stream processing to Jump List viewer.
- Added the ability for users extracting Volume Shadow Copy snapshots into Logical File Collections, to choose if they desire to take into account NFTS Entry updated times in the differential evaluation.
- Added the ability to create search index of unallocated cluster and sector data.
- Added support for wider array of IPT large volume disks.
- Fixed issue where two CFTT test images for carving would not be available for carving to ProDiscover’s carving function.
- Added the ability to double-sort columns in ProDiscover. Clicking on a column sorts contents on the column. Using Ctrl + click on another column treats the new column as second column and sorts it accordingly.
- Added seconds to time values in all column views and report.
- Added a tool tip display when hovering over a mounted VSC Snapshot to show the snapshot’s creation date and time.
- Fixed a disk caching issue effecting secure wipe on Windows 7 systems.
- Fixed an issue imaging RAM on Windows 7. Driver files are now digitally cross-signed.
- Added the ability to Push the Mac OSX Remote Agent from the ProDiscover console to Mac OSX systems.
- Added Smart Agent capabilities to Mac OS X Remote Agent. Users can now schedule Mac systems to image out to remote locations autonomously without the need for ProDiscover console interaction.
ProDiscover 220.127.116.11 contains the following fixes and new features:
- Added feature to streamline extraction of all files changed or added in a Volume Shadow Copy Snapshot into an LFC.
- Added support for the new Ex01 Image format.
- Corrected Case-sensitive sorting of the fields of Compare Volume Results dialog.
- Corrected Case-sensitive sorting of fields of Content Search results property page.
- Fixed an issue where UI hangs while recovering deleted files in some NTFS volumes.
ProDiscover 18.104.22.168 contains the following fixes and new features:
- Fixed an issue where columns in the Compare Volume Results Dialog box are initially displayed incorrectly affecting the filter function.
- Fixed an issue where ProDiscover would crash using “select all” in the index based search results of a mounted VSC Snapshot.
- Fixed an issue LFC creation where LFC's with larger files the rewriting of the index file at the end could overwrite one of the clusters at the end of a single file during LFC creation.
ProDiscover 22.214.171.124 contains the following fixes and new features:
- Changed Compare Volume CSV report format to allow and preserve commas in file names.
- Fixed an issue where VSC Snapshot images created from a physical disk with complex partition structure would not show correctly in ProDiscover’s Content View.
ProDiscover 126.96.36.199 contains the following fixes and new features:
- Added the ability to sort, filter and select results from the Volume Compare function.
- Added the ability to verify the hash value of a “dd” image via right-click in the program tree-view.
- Changed the ProDiscover ProScript Perl engine to Strawberry Perl.
- Provided various improvements to search functions.
- Fixed an issue where ProDiscover would crash when processing certain compressed files found in VSC Snapshots.
- Fixed an issue where ProDiscover would not process the contents of certain VSC folders from Vista snapshots.
- Fixed an issue with Windows 7 log file processing.
ProDiscover 188.8.131.52 contains the following fixes and new features:
- 30% performance improvement in VSC processing of live systems and images.
- Fixed an issue with daylight saving time adjustment for April 2006.
- Added CSV to diff report export formats.
ProDiscover 184.108.40.206 contains the following fixes and new features:
- Fixed an issue where imaging from external disks/images to internal storage devices would fail file system size checking in some situations.
- Improved email viewer parsing of large data files.
- Fixed an issue where SHA256 hashes would not be created during imaging.
ProDiscover 220.127.116.11 contains the following fixes and new features:
- Added support for Mac OS HFS+ file system.
- Added support for Mac OS DMG images.
- Added a Mac OS X version of the PDServer remote agent.
- Added “Crash Dump” feature that automatically creates a crash dump whenever ProDiscover crashes. The file will have the .dmp file extension and contain the event date/time under the ProDiscover installation directory.
- Added the ability export customer EOI index reports in CSV and Tab delimited format.
- Added the ability to export custom EOI index reports to any database through ODBC connections.
- Added Support for Windows 7 EVTX Event log format.
- Added a button bar icon to push out the remote agent.
- Added a Linux RPM installation for the PDServer Remote agent.
- A new Linux Boot Disk is now available in the customer download section of the web site offering wider hardware support. This boot disk is based on Ubuntu 11.04.
- Changed connection button bar icon to a multi-use, connect/disconnect button.
- Changed regex support to support a wider range of regex examples and full syntax.
- Fixed issue where users could not load ProDiscover .LFC files formatted exFAT or FAT32 into third-party tools. The ProDiscover .LFC format is now a pure dd image.
- Fixed issue in FAT partitions preventing users from displaying deleted folders in hierarchy.
- Fixed an issue causing intermittent crash while performing the volume compare function.
- Fixed an issue preventing gallery view in UFS partitions.
- Improved PST/OST processing and memory management.
- Migrated build environment to MS VSC++ 2010.
- Technology Pathways provides a Linux live boot disk based on Fedora that will boot to the Linux PDServer Remote Agent. This boot disk is available for download in ISO format form the Technology Pathways Web site in the “Customers” section after logon.
ProDiscover 18.104.22.168 contains the following fixes and new features:
- Added support for Chrome and Firefox browsers to Internet history analysis.
- Changed compare image function to "Compare Volume" and added the ability to compare Volume Shadow Copy volumes mounted from images.
- Added the ability to extract Volume Shadow Copy Volumes into individual images of the logical partition.
- Fixed issue with item flagging that prevented "apply to all" on customer comments.
ProDiscover 22.214.171.124 contains the following fixes and new features:
- Added support for Chrome and Firefox browsers to Internet history analysis.
- Added Windows 7 Jump Lists viewer.
- Added the ability to load sequenced split dd images without creating a .PDS load file.
- Added the ability to export Office 7 and compressed files in native format as well as extracted file components.
- Improved Outlook PST processing performance.
- Fixed an issue causing crash while analyzing deleted files in some images.
- Fixed issue with displaying wrong remote drive size in Capture Image dialog for individual volumes.
- Fixed issue with investigator's comments dialog box being displayed again after checking the “apply to all” check box when no comments were entered in the previous dialog box.
- Fixed issue with displaying ADS file contents in data view.
- Fixed where the drop-down selector box was not showing in the copy Image dialog box.
- Fixed an issue where ProDiscover would crash when shifting to gallery view when the investigators system is low on memory or physical disk space.
- Changed UI font to Verdana.
- Added the Compare Images function to ProDiscover Forensics Edition.
ProDiscover 126.96.36.199 contains the following fixes and new features:
- Added the ability to mount any/all Microsoft Volume Shadow Copies from disks/images at rest. This feature works from the sector level up, on both local at rest disks/images and on remote live systems.
- Added the ability to right-click and display processed date from recycle.bin $I… Meta files.
Fixes and newly added features in version 188.8.131.52 include:
- Improved indexing speed and it wasn't slow before.
- Added full support for Microsoft Bitlocker protected disks on Vista and Windows7. This means that users can add any bitlocker protected disk/image to a project and perform all investigative functions provided that they have the bitlocker recovery key.
- Added support for Linux Ext4 file system.
- Added a Thumbs.db viewer.
- Added the ability for the smart agent to conduct hashing operations on the remote system. This improved the speed of virtually all remote operations.
- Added a data type viewer.
- Added Support for the ICS Write Blockers.
- Various small fixes related to file systems, searching, etc.
Fixes and newly added features in version 184.108.40.206 include:
- Fixed an issue with Zip file processing causing “Private Build” error in some operations.
Fixes and newly added features in version 220.127.116.11 include:
- Added Smart Agent Collector to ProDiscover IR. Users can now create a scheduled, standalone, installable imaging agent allowing for virtually unlimited simultaneous imaging.
- Added the ability to compare one or more images to a base image for differences.
- Added the ability to automatically create CarveConfig.txt file based on scan of image/disks for known file extensions.
- Added eDiscovery feature to provide feedback and control for custodians participating in eDiscovery collections.
- Added more file signatures to default the CarveConfig.txt file.
- Completely re-wrote e01 image file processing to dramatically improve e01 image loading time.
- Added more error checking in deleted file recovery improving performance and stability.
- Fixed issue with “All Files” view.
- Fixed issue with displaying subset data in the project report.
- Fixed issue adding dynamic disks groups.
- Fixed two dialog box typos.
- Fixed search issue related to dd and e01 formatted images.
- Fixed issue with project files related to multiple searches.
Fixes and newly added features in version 18.104.22.168 include:
- Fixed an issue prohibiting searching in compressed files with multiple “.” In filename.
- Fixed column alignment error in PST notes section of email viewer.
- Added date column in email search results.
- Added the ability to filter by date in registry searches.
- Added the ability to capture cluster data to the clipboard via right-click.
- Added a line between each EOI item in the project report.
Fixes and newly added features in version 6.5 include:
- Added support for Microsoft’s VHD image format.
- Added support for VMWare image format to be added directly as an evidence image.
- Added support for CDFS file system support for data CDs and DVDs.
- Added data carving to graphical user interface under tools menu.
- Added the ability to export all free clusters or disk slack to a dd image.
- Added support for Microsoft Office 2007 Document Format in Raw search.
- Added view and search capabilities for compressed files and archives.
- Added the ability to capture split image chunks to different locations.
- Changed E01 temp file logic to prevent program crash when reading E01 files on read-only media.
- Enhanced deleted email recovery features.
- Enhanced E01 image format processing.
- Improved deleted folder processing in FAT images.
- Push dialog box now preserves the last binary installation location.
- Fixed a rounding issue with split size reporting in the split dialog box.
- Fixed issue with clearing recent projects list.
- Fixed issue preventing multiple search terms on indexed based search
- Fixed issue with insufficient disk space error while copying image to disk.
- Fixed issue with alternate path veritable for push dialog box.
- Fixed project file corruption issue with non-partitioned disk images.
Fixes and newly added features in version 6.1 include:
- Added support for Microsoft’s new exFAT file system.
- LFC file format can now be user selected as exFAT or FAT32.
- Modified bates numbering logic to increase character limit to 8 and the number digits to 7.
- Improved numerical formatting of byte data.
- Fixed a byte offset issue with search returns on cluster view.
- Fixed issue with capturing remote time zone information on live systems.
- Fixed issue where search index would not be created when folder in index path is not available.
- Fixed issue where email attachment name is not displayed in report for selected emails.
- Windows 9x systems are no longer supported in ProDiscover version 6.1 and above.
- Disk16.dll and Disk32.dll are no longer needed with ProDiscover or the remote agent.
Fixes and newly added features in version 6.0 include:
- Added the ability to conduct full indexed search of a disks or images full volume or selected folders. Users can select to create an index of all indexable objects or only specific document types.
- Added the ability to side-load or redirect remote memory images.
- Added the ability to detect Tableau write block devices and add detailed device information to the project report.
- Added the ability to choose available remote system shadow copies for imaging.
- Added the ability to image by partition on remote systems.
- Added the ability to directly preview remote systems shadow copies.
- Added the ability to conduct regular expression raw mode searches.
- Fixed issue related to Eastern Time zone selection in user preferences.
- Fixed issue related to PST object search.
- Fixed issue related to loading corrupt Outlook or Outlook Express mailboxes.
- Windows 9x platforms are no longer supported for running the ProDiscover Console.
Fixes and newly added features in version 5.5 include:
- Added the ability to extract selected files of interest to a Logical File Collection (.LFC). Each LFC is a ProDiscover ‘dd’ image containing the selected files protected inside.
- Added “Remote Agent Package Creation” allowing investigators to create a PDServer Remote Agent installation package.
- Added remote image Side Loading feature allowing investigators to redirect the remote image to any UNC path or Local to the target USB storage.
- Added the ability for investigators to choose target directory for remote agent push.
- Added ProScript APIs for ProDiscover email features.
- Changed development platform allowing Technology Pathways to provide enhanced multi-byte, UI, and 64 bit support.
- Added wildcard pattern matching capabilities to content search. An example of use would be to use the search pattern ###-##-#### to find social security numbers in documents. Another example would be to use ##:##:## to find time stamps in documents. These patterns will work in ProScript or through the GUI.
- Added the ability to capture RAM in Windows Vista and Server 2003/8.
- ProScript users that use the PSInstallRemoteAgent() and PSAddKeyword() functions should refer to the ProScript API for parameter changes.
Fixes and newly added features in version 5.03 include:
- Fixed issue with large file size report and recovery in NTFS volumes.
- Fixed issue with button bar in Japanese language of ProDiscover
- Added a feature allowing users to choose the language setting despite localization. File | Preferences | General tab contains a new item: Language Setting which has allows the following settings:
- Auto - ProDiscover chooses the language dll to be loaded based on localization.
- English - ProDiscover starts in English
- Chinese - ProDiscover starts in Chinese
- Japanese - ProDiscover starts in Japanese
Fixed issue preventing ProDiscover from starting on some language localizations.
Fixed an issue where ProDiscover would crash if attempting to open a file after choosing not to add a second image to the project.
Fixes and newly added features in version 5 include:
- Added the ability to investigate, extract, and report on Microsoft client email formats including Outlook and Outlook Express.
- Added the ability to read and ad E01 (Expert Witness) Formatted images.
- Added UNICODE support and localization for Japanese and Chinese character sets.
- Improved Microsoft Vista support for remote agent and client.
- Improved overall file I/O and Hashing performance.
- Fixed issue with random crash during content searches of specifically formatted images.
- Fixed long path issue effecting extraction of very long path items of interest from images.
Fixes and newly added features in version 4.89 include:
- Added a virtual “All Selected Files” folder in content view to show all currently selected items in a single view.
- Corrected “Daylight Saving Times” setting issue within user preferences.
- MAC times are displayed based on the following scenarios.
- When System's DST is ON and ProDiscover's DST is ON, the times will be the same as in Windows explorer.
- When System's DST is ON and ProDiscover's DST is OFF, the times will be reported reduced by 1 hour to what in Windows explorer.
- When System's DST is OFF and ProDiscover's DST is ON, the times will be displayed increased by 1 hour to what in Windows explorer.
- When System's DST is OFF and ProDiscover's DST is OFF, the times will be displayed the same as in Windows explorer.
- Note: The times displayed in the report are based on the times when the files are selected as EOI.
- Fixed Content – View *.* issue.
- Fixed MAC Time sort-by-date issue.
Fixes and newly added features in version 4.8 include:
- Content View items can now be sorted by “selected” tag in all views.
- Fixed issue with UnCompress.
- Fixed Copy Disk physical disk to physical disk image issue (destination too small)
- Fixed Copy Disk loop issue.
- Date Sort in Content view is now a true data sort.
- Fixed issue where batch calculate hash would fail.
- Fixed Menu View Report issue.
- Fixed issue where clear recent projects would fail.
- Fixed issue where all files view would fail to display MFT modified dates.
- Added the ability to concatenate hash export files.
- Added ProScript API’s Version 1.4
- Fixed issue causing ProScript raw reading file API’s to fail.
- Added the ability to image physical BIOS.
- Added the ability for ProDiscover to automatically start the remote system registry service is not already running during remote agent push. This service is required for remote agent push.
- Changed PSOpen() ProScript API to no longer need the second “IsDeleted” parameter.
- Fixed Issue with PSCreateImage() and PSCreateProject() API’s.
- ProDiscover will now remove any Prefech files created by Windows XP/2003 when removing the remote agent.
- Added support for VMWare allowing ProDiscover to create all image and support files needed to boot the imaged system in VMWare 5.0 and above.
- Added the ability to create or convert images to ISO format.
- Fixed an issue with long path names in internet history.
- Fixed an issue preventing certain HPA areas from being displayed.
Fixes and newly added features in version 4.55 include:
- MFT entry modified time has been removed from FAT Volumes.
- Added disk size to imaging dialog drop down .
- Wipe Disk Fails to stop when choosing “Close”
- Fixed an issue where content search would fail on local drives.
- Added the ability to query remote agent version via ProScript API.
- Fixed an issue where Filter By Hash set would fail to mark items selected until Find Suspect Files process was run first.
Fixes and newly added features in version 4.54 include:
- Added a work area field chooser allowing users to choose column order and which columns are in view. The field chooser is available by right-clicking over any column header in the content view work area.
- Each hashing algorithm now has its own column in the work area.
- Increased performance in content-view folder display.
- Added MFT entry modified times to the project report as "MFT STANDARD INFO entry modified:" and "MFT FILE NAME entry modified:"
Fixes and newly added features in version 4.5 include:
- Added a sortable hash column to the work area for all files.
- Added EXIF Metadata display for JIFF formatted images.
- Added a horizontal scroll bar for the project report.
- Added the ability for all wipe disk functions to be stopped by user.
- Changed project report format for clusters of interest to separate out clusters and sectors to avoid confusion.
- Fixed an issue where ADS files in the root of a disk would not display in the work area.
- Fixed an issue where cluster view would not be available for some physical disk.
- Fixed an issue where the PDServer remote agent would stop on small business editions of Windows Server 2003 when using ProDiscover GUI Push.
- Open project dialog box only allows project function to be selected once on start.
- Fixed an issue where the project report was not updated after clearing open ports information for remote systems.
- Fixed an issue where thumb drives could not be securely wiped with physical disk pattern method.
- Fixed an issue where remote thumb drives formatted fat32 would fail to view in content view.
- Fixed an issue where wipe disk partition progress would not be updated during wiping operations.
Fixes and newly added features in version 4.4 include:
- Added ProScript API’s for PSGetVersionInfo() to retrieve file version information and PSGetWorkingFolder() to retrieve the user preferences setting for the ProDiscover working folder.
- Now using the Microsoft GDI + functions for graphics thumbnail rendering for overall performance and stability increase while rendering graphics.
- Corrected an issue where ProDiscover would not allow restoring of split image files to disks.
- Corrected an issue where ProDiscover would crash when unable to retrieve the message Dll for Event Log processing.
- Corrected an issue where ProDiscover would not allow the selection of all deleted items folder as evidence of interest.
- Corrected an issue where ProDiscover would hang or crash while processing corrupted EXIF information in recovered jpg images.
- Corrected an issue where remote server disk creation would fail from menu option.
- Corrected an issue where gallery view would fail to render thumbnails on a logical partition image.
- Corrected an issue where network image capturing would fail if level 1 logging is enabled.
- Corrected a typo in find suspect files right-click menu option.
Fixes and newly added features in version 4.31 include:
- Changed to dynamic loading of the ActiveState Perl DLL Causing an increase in overall performance and stability.
- Changed the text of the check box in Event Log search from "Search in selected keys" to "Search in selected items".
- Corrected a typo in Appearances tab of Preferences dialog box.
- Changed support logging to log to a folder in split file segments rather than a single file.
- Fixed an issue where ProDiscover would not display all files from a directory when an unusually large number of files were recently deleted while in content view.
- Corrected a crash associated with the OS Info function on certain platforms.
- Corrected various typos in the manual and help file.
Fixes and newly added features in version 4.2 include:
- Added Data Carving Features to ProScript API
- Added two new ProScript API's for Auditing
- Updated CarvPrintArtifacts.pl script
- Added CarvJpgArtifacts.pl script
- Added example scripts for data carving and auditing API's
- Fixed an issue where crashes when selecting a cluster returned by a search
- Fixed an issue ProDiscover fails to search clusters on some physical thumb drive images
- Fixed an issue where ProDiscover would not show the file system of a thumb drive attached to a remote system
- Fixed an issue where ProDiscover for Windows and ProDiscover Forensics edition would attempt to listen on port 6518
- Removed "Find Suspected Files" right-click menu option seen in ProDiscover for Windows and ProDiscover Forensics editions
- Fixed a recursive folder display issue found on some remote systems in content view
- Fixed an issue where project files would now save images added associated with offline project mode
Fixes and newly added features in version 4.0 include:
- Added the ProScript API and ActivePerl to provide users unlimited extensibility and customization.
- Added the Windows Event Log Viewer.
- Added the ability to search Windows Event Logs.
- Added display of Last Accessed times for Windows Registry keys.
- Added the ability to right-click and extract selected fragments from Evidence of Interest.
- Added the ability to right-click and copy file and directory information to the clipboard.
- Fixed crash associated with Windows Server 2003 Dynamic Disks.
- Requires PDServer 2.4 or higher to connect to remote machine.
- Added an “All Files” virtual directory to the root of each partition in content-view allowing users to list and sort all files on the disk in a single view.
- Added the ability to view and add files Access Control Lists (ACL) to the project reports.
- Added IP information to the Windows Remote Agent window in addition to the title bar display.
- Added gallery view display capabilities to the search results window.
- Remote disk folders are now cached for faster browsing. Click on a folder performs folder update.
- The virtual “Deleted Files” folder containing recoverable deleted files in NTFS is now cached.
- Internet History can now be added to the project report.
- New menu option available under Network allows for simplified installation and removal of the PDServer Remote Agent.
- The remote agent process can no longer be killed by remote users when installed as a service.
- The remote agent is now protected from brute force password attempts.
- ProDiscover expects the command line like this:
- ProDiscover can now be launched from the command line with the following parameters .
- Report items can be copied to the clipboard.
- The Secure Wipe tool has been updated to allow user specified patterns on physical disk wiping.
- Fixed an issue where long image numbers would overwrite the password entry in image headers.
Fixes and newly added features in version 3.83 include:
- Issue with incomplete population of User profiles in registry editor in systems where ntuser.dat has become highly fragmented.
- ProDiscover crashes upon EOI selection in selected image files.
- Corrected Boolean logic cluster search.
- Add support for SHA256 hashing.
- New dialog box in PDServer help menu.
- Users are no longer prevented from copying to PhysicalDisk0.
- Add subsets – error searching tree.
- ProDiscover crashes while searching selected compressed images.
vProDiscover crashes on searching for matched files selected compressed images.
- One registry entry has been changed. This registry entry used to store the hash type selected in Preferences. The name was “Preferences Dialog” with an integer value set to represent the type of hash using. It has been changed to “ChecksumType”. This holds a string value and contains the hash name. The old registry value will be deleted automatically on first use and the new value will be created.
- Added brute force password attempt lockout feature to PDServer.
- The ProDiscover Image data header format has been changed to accommodate SHA-256 checksum to be stored.
- ProDiscover version 3.83 requires PDServer 2.1 or higher to connect to remote machine.
Fixes and newly added features in version 3.8 include:
- Remote Agent Password is now encrypted when installed in stealth mode.
- Added Disk Label to image capture dialog box disk selection menu.
- Changed the Connect To… PDServer (password protected) dialog box text
- Added hashing progress bar.
- Resolved Registry Search stability issue on selected Windows XP installations.
- Fixed issue where ProDiscover would crash when accessing a compressed image of UFS file systems from x86 versions of Solaris.
- Fixed issue where ProDiscover would crash when attempting gallery view of the “deleted files folder” when graphic files were only partially recoverable.
- Fixed issue where saving a new project file over an existing project file would corrupt the original file.
- Fixed issue where physical memory capture would silently fail if the “add” tree-view item is expanded.
- fixed issue where using explorer to open a project file would cause volumes to be labeled x, y, z rather than c, d, e.
- Fixed issue where after opening a project file containing search results using “file open” the listed number of search results is the number of actual search results multiplied by the number of partitions in that image
- Fixed issue where ProDiscover would allow users to UnCompress an image file which was not compressed thereby expanding the image beyond its actual size.
- Added support for multiple overlaid file systems within a partition.
- Added a remote process explorer function to ProDiscover IR allowing drill-down and evidence selection of dependant dlls.
- Added a remote volatile system state capture capability to ProDiscover IR allowing investigators to capture ARP cache, route tables, open files, mounted drives and more.
- Fixed an issue where ProDiscover would crash when selecting “search terms” Drop Down when the search returned no results.
- Fixed several issues related to dynamic disks on Windows Server 2003 platform.
- Increased performance while selecting very large files.
- Changed report format for cluster chain data.
- Added the ability to include or not include cluster chain data in project report from user preferences dialog box.
- Added .dd as a pre-filtered image file extension when choosing to add images to the current project.
- Added hash sets containing over 1000 windows keystroke logger files in SHA1 and MD5.
- Fixed the crash when content search is performed on UFS volumes.
- Fixed an issue with searching all *.jpg files created between a particular dates.
- Fixed an issue preventing data display of $MFT meta file on NTFS volumes.
- Note: remote agents for Windows Platforms have been updated to new versions.
Fixes and newly added features in version 3.7 include:
- Fixed issue where ProDiscover crashes when connected to PDServer is running on Windows 98 and choosing Find Unseen Processes.
- Fixed issue where the cluster search results are not being properly filtered when a cluster search is conducted using more than one pattern. When the first pattern occurs more than once in the same cluster is being listed even when filtered on the second pattern.
- Fixed issue where after searching all files of type *.gif in a Solaris disk, ProDiscover displayed all gif files as expected but the results cannot be selected or content shown.
- Fixed buffering issue when hashing small files (< 100 bytes) in NTFS file systems.
- Added the ability to capture raw physical memory on local or remote live image acquisitions.
- Added the ability to flag files using “shift + right-click” then right click. Once files are flagged then can all be selected as evidence of interest using the right-click | flagged items pop-up menu option.
- Fixed issue related to recursively selecting all deleted files when the deleted folder contains in excess of 10,000 files.
- Added the string "Copy0_" to the beginning of each duplicated recovered item from the deleted files folder.
- Find unseen processes now displays the “system idle” and system process in the report.
- Added the ability to search the windows registry of images and live systems.
- Changed the Connect To… dialog box to provide optional network browsing of windows domains.
- Reworded several dialog boxes and alerts to provide better clarity.
- Fixed issue where ProDiscover would not launch on current patch level Windows Server 2003.
- Note: all remote agents and the Linux boot CD have been updated to new versions.
Fixes and newly added features in version 3.6 include:
- Added the ability to filter out search results from view in the search results window.
- Added the ability to find files from the cluster search results window.
- Added the ability to export any items marked evidence of interest in hashkeeper file format. This feature allows users to quickly create hash databases.
- Added cluster chain information to report for all evidence of interest.
- Added the ability to search only in unallocated clusters when conducting a cluster search.
- Added Adobe Acrobat Reader installation files for users without the reader installed.
- Fixed issue preventing data view area from being populated when reading early versions of NTFS. This issue also caused unpredictable results when selecting some NTFS meta files.
- Fixed issue where thumbnail index would be off when in gallery view for a directory which all graphics files could not be displayed.
- Fixed issue causing ProDiscover to not display the second partition of a remote disk that contained a hidden partition.
- Fixed issue causing ProDiscover to crash when users selected the first registry hive “HK_CLASSES_ROOT” in registry view on some systems.
- Fixed issue where ProDiscover would fail to display data view on compressed FAT32 images.
Fixes and newly added features in version 3.5 include:
- Added the ability to add comments to each entry of evidence of interest in the project report.
- Added the ability to add sub-sets of evidence of interest to the project report in RAW or ASCII/HEX view.
- Added a Windows registry viewer for Win9x, W2k and XP registries.
- Added the ability to display, extract and add to the project report EXIF meta data from Jpg and Tif graphic files.
- Added thumbnail gallery view option when viewing directories containing graphics files.
- Added the ability for users to add preview image to report in evidence of interest.
- Added the ability to display allocated and unallocated clusters for UFS and Ext 2/3 file systems.
- Added estimated time to completion to status bar during imaging operations.
- Added an alert dialog notifying users that a project must be open to add local or remote disks for preview.
- Added support for Linux Ext 2/3 file systems
- Added remote agent for Linux
- Added Linux boot disk with remote agent for system-at-rest imaging such as hard to get at notebook hard disks.
- Added 256 Bit AES encryption option to remote agent data stream in Investigator and Incident Response versions.
- Changes headdersig.txt file format to accept file extensions with or without “.”
- Fixed German language localization issue.
- Fixed FAT 32 Disk Label file hiding issue reported by Brian Carrier on CFTT List Server.
- Fixed issue where FAT 32 clusters would incorrectly be reported as unused.
- Fixed issue where PDServer remote agent would not run on Windows NT 4.0 and below systems.
- Fixed an issue where ProDiscover would appear to hang when selecting the NTFS root directory meta file $BadClus:$Bad. This file maps to the entire volume and therefore appears to hang ProDiscover. Users now have an option of only displaying the first 100 MB when selecting the $BadClus:$Bad meta file.
- Under certain configurations a Windows Server would attempt to install the digitally signed paremove driver as a service through the PDServer remote agent. PDServer now prohibits a local Windows Server from attempting to install the signed paremove.sys driver.
- Fixed an issue where ProDiscover would crash and/or not display the contents of an illegally named file in Windows file systems. Specifically a file with only a file extension and no name.
- TCP/IP performance tweaks for Windows 2000 and XP systems are now automatically made to the registry during product installation in Investigator and Incident Response versions.
Fixes and newly added features in version 3.2 include:
- Added the ability to create initial image in UNIX style ‘dd’ format or ProDiscover meta format.
- Added the ability to read split ‘dd’ images.
- Added Solaris X86 remote agent.
- Added known-bad hash file entries.
- Added Windows XP style right-click menus
- Added increased error checking when reading NTFS MFT data runs.
- Fixed issue where an extra \ was added to the default temporary path when changing ProDiscover temporary folder.
- Fixed issue in baseline and compare where some baseline files contained an extra \ in the definitions section.
- Fixed an issue in baseline compare operation where in limited circumstances some Program Files folder directories were missed in the compare operation.
- Fixed Remote Agent DLL entry point issue on Windows NT 4.0 platforms.
- Fixed issue where searching for “files named” would fail on Solaris UFS.
- Implemented find unseen files for Solaris
- Updated hash database of known-bad files (Trojans and Rootkits).
- Updated Documentation (help file and manual)
Fixes and newly added features in version 3.0 include:
- Added the ability to export evidence of interest or clusters of interest
to XML formatted file.
- Added the ability to create a remote server agent from the Tools menu.
- Added the ability to create images which are split into many files for
- Added the ability to add split "dd" images to a project.
- Added IR menu to ProDiscover IR version.
- Added the ability to find unseen processes running on local or remote
systems with ProDiscover IR version.
- Added the ability to quickly find unseen files or remote systems with
ProDiscover IR version.
- Added the ability for ProDiscover IR version to create and compare file
baselines using hash values.
- Added the ability to select or unselect "all" files from search results.
- Improved file selection performance.
- Added the ability for ProDiscover IR to more quickly find suspect files
based on hash value database.
- Added File system support for Sun Solaris UFS.
- Windows versions of HPA Device driver and PDserver.exe are now
cryptographically signed and verifiable through the Thawte CA.
- Added Sun Solaris version of PDServer Remote Agent.
- Changed Software copy protection system to provide more flexibility.
- Updated hash database of known-bad files (Trojans and Rootkits).
- Updated Documentation (help file and manual)
- Fixed File Menu Print option failure.
- Fixed issue where ProDiscover image verification would fail to correctly
validate images hashed with SHA1 algorithm.
- Fixed Image conversion to dd format utility.
Fixes and newly added features in version 2.8 include:
- Changed Project file’s XML Schema to support separate fields for Modified, Accessed, and Created time values.
- Added the ability to save a projects search results from session to session.
- Added the ability to select groups of, or individual clusters as evidence of interest.
- Added updated scripts to install PDServer as a service. Once installed the scripts will automatically start the service.
- Fixed an issue where PDServer would not return to normal mode (window shown) after switching to stealth mode.
- Fixed an issue where cluster searches of compressed FAT32 images using early image header design would fail.
- Added full Boolean (AND, OR, NOT) capabilities to search terms.
- Changed sector location reporting format to include Hex and Binary location values in the following format: “HEX (Binary)”.
- Fixed an issue related to 16 – 32 bit thunking which caused false positive search returns on Win98 SE platforms.
- Added the ability to load search strings from a text file with (.sts) file extension.
- Added a large group of pre-defined search term sets.
- All cluster search results are now returned as objects in a “Cluster Search Results” tree-view item with the search term highlighted.
- All Content search results are now returned as objects in a “Content Search Results” tree-view item with the search term highlighted.
- Fixed an issue where selecting “View | Startup Dialog” when the startup dialog was enabled would crash ProDiscover.
- Fixed an issue where ProDiscover would crash if the user attempted to access a remote disk which the server connection had been manually disconnected.
Fixes and newly added features in version 2.6 include:
- Added full dynamic disk support for windows NTFS to include RAID 0, 5 and spanned volumes.
- Added the ability to manually adjust the number of auto retries on network timeouts when using the PDServer™ Remote Agent.
- Increased preview performance over the WAN when using the PDServer™ Remote Agent.
- Increased imaging performance over the WAN when using the PDServer™ Remote Agent.
- Added the ability to correct for daylight savings times calculation errors in Windows NTFS file systems (submitted by Brian Carrier on the CFTT Listserv)
- Improved preferences dialog box layout to accommodate user adjusted time zone settings.
- Corrected an issue where the "List of words found:" section of search results in report was truncated by one character.
- Added the ability to read partition-only dd images.
- Removed the ability to add the same physical disk more than once.
- Corrected an issue where ProDiscover would crash when adding remote images with UNC (\\MachineName\directory) paths.
- NTFS Metafiles are no longer hashed when using “filter by hash set”.
- Fixed issue where in some cases ProDiscover would warn users "Source is larger than 4Gb..." when the actual source size was smaller than 4GB. In all test cases ProDiscover would image correctly and without error after displaying the error.
Fixes adn newly added features in version 2.44 include:
- Added the ability to read multiple extended DOS partitions (submitted by Brian Carrier on the CFTT Listserv)
- Added the ability for users to set unique file type display color.
- Added the ability to display and analyze NTFS $ metafiles.
- Added the ability to include NTFS $ metafiles in content searches.
- Added extended disk information to the project report.
- Added the ability to recover sectors from remote disks.
- Fixed individual file hashing errors.
- Improved PDServer network performance over WANs and busy LANs.
- Added the ability to inventory remote disks.
- Added the ability to read and analyze NTFS dynamic disk.
- Tree-view items are now expanded on program load.
- Added a “Connect To…” button on the button bar.
- Fixed an issue where choosing the View -> Report menu item would cause a program crash in some situations.
- Fixed SHA1 hashing algorithm implementation issue.
- Added the ability to add disk with multiple primary partitions to a project.
- Added system bound IP address to the PDServer title bar.
- Added registry tweak file for improving ProDiscover IR performance over network on Windows XP and Windows 2000 systems running ProDiscover IR client.
- Added “known-Bad” hash files in hashkeeper format. Files contain known Trojan and rootkit hashes in MD5 and SHA1.
- Added NIST RDS Hash subsets to the “hash sets” directory.
- Implemented the ability to analyze NTFS software RAID level 1.
Newly added Network features in version 2.2 include:
- Added the ability for PDServer to pass Hardware Protected Area information to The ProDiscover® client. This addition allows for remote imaging and analysis to now include protected areas implemented with the ATA specification HPA (PARITES). This feature is currently available only on systems running Windows XP and Windows 2000 prior to service pack 3 installed. Microsoft changed security settings in Service pack 3 which prohibit the PARemove.sys driver from dynamically loading. We are currently looking into a resolution to this issue. Windows 98 SE architecture prohibits dynamically loading the PARemove.sys device driver.
- Added disks volume serial number to the ProDiscover® report.
- Added the ability to automatically extract any resulting clusters from a cluster search.
- Added the “Preferences” setting to adjust network timeout when connecting to a remote system with PDServer. This setting is useful on busy LANs or when connecting to PDServer’s over long distances.
- Enhanced error recovery when examining Windows XP NTFS formatted disk with corrupted Master File Tables (MFT).
- Added the ability to choose “none” for hashing algorithm to allow the creation of evidence of interest indexes with out hash value.
- Added batch hash calculation to add hash values to evidence of interest without prior hash calculation
- Fixed issue causing crash when using “File | Save As” to save project reports under a new name.
- Fixed issue where the ProDiscover® report was not showing all project information.
- Fixed an issue where ProDiscover® would allow users to select the ProDiscover “Working Folder” as evidence of interest, effectively creating temporary file recursion.
- Fixed incorrect icon for disks in remotely connected disks.
- Fixed issue where using Content Search with “Select All Matches” and “Search for files Named” successfully returns a list of search term files but fails to mark search results as “selected”.
- Fixed issue where ProDiscover® Crashes when selecting signature matching and the physical drive is selected in Content view rather than a partition.
- Fixed issue where ProDiscover® would miss imaging some slack sectors at the end of certain hard disks.
- Fixed an issue where some Windows 98 SE users would receive an error in “netapi32.dll” on ProDiscover® program launch.
Release 2.1 includes the following fixes and enhancements:
- Preview live systems remotely bypassing all file security.
- Choice of Clear and TwoFish encrypted data channel.
- Stealth Mode for covert imaging and analysis of live systems.
- Configurable port settings.
- Server is read only protecting data. Note: Stealth mode requires one-step installation.
- Secure client/server connection allowing only one connection.
- Conduct Searches, hash comparisons and deleted file recovery remotely.
- Run PDServer from a floppy, CD or USB drive.
- Connect to PDServer over high-speed Corporate LANs and WANs
Release 2.0 includes the following fixes and enhancements:
- Fix for the delay in UI after the OK button is clicked in Capture dialog box.
- Fix for the image being captured to FAT disk: A warning message is now provided to the user when the source is more than 4GB and the destination is FAT disk.
- Fix for the error "Capture interrupted" during opening of the compressed image files.
- Fix for Compression Header.
- Fix for corrupt compressed image files in certain circumstances. Now using 64 bit image file addressing.
- Fix for incorrect processing of image files in content-view that contain the string “PhysicalDrive” in the image name.
- Fix to no longer treat letter case as significant during file sort in content-view.
- Fix for when using Filter by Hashset, with Compare Recursively set to off, no files are selected even the user chooses any of the Select all matches or Select all non-matches option under file selection.
- Project files are now in XML format allowing easy parsing and integration with many reporting tools.
- Added a new tool for converting project files. See the menu item “Tools | Convert Project File”
- Reports can now be exported in RTF format as well as TXT format.
- Added the OSInfo feature to detect OS by parsing registry and file identification.
- Added the ability to right-click on files from content-view to locate a specific file’s cluster locations. Double-clicking on location will change window focus to the selected cluster view grid location.
- Added the ability to right-click on clusters from cluster-view to locate any associated files.
- Changed default cluster-view navigation to hex values.
- Added the display of extended ASCII characters in cluster-view.
- Export cluster data now allows users to choose binary as an export format.
Update 1.62 includes the following fixes and enhancements:
- Greatly improved directory listing speed in content view for directories with large numbers of files.
- Added the ability to recursivly unselect files in content view.
Update 1.60 includes the following fixes and enhancements:
- Added a Disk Inventory feature which will add the total file and folder count to a project report for both a physical drives and an images.
- Added new icons for deleted folders and files.
- Added the ability to mark files as evidence of interest as the results of a content search.
- Added an image format conversion utility to Tools menu to create a UNIX “dd” format image from any ProDiscover created image. Converting images to "dd" format is useful when the user desires to analyze evidence with one of the many tools which support the "dd" format.
- Added Hard Disk manufacture information to image information area.
- Added Image File Dialog Box information caching feature allowing investigators to create multiple images more quickly.
- Fixed an issue where not all files are displayed in content view when a deleted directory of the same name exists.
- Fixed an issue where ProDiscover would crash when immediately choosing “Tools->Copy Selected Files” after opening a previously created project.
- Fixed file size being reported incorrectly for very large files on NTFS volumes.
- Fixed issue where HPA Scan from within cluster view would report incorrect file system.
- Fixed issue where ProDiscover® would crash during file signature compare of “corrupt” files in FAT32 volumes.
- Updated the help file.
Update 1.54 includes the following fixes and enhancements:
- Includes a fix for silent failure to copy disk in certain situations.
- Includes added sector location information to status bar in cluster view.
- Includes the ability to extract unallocated space and disk slack as a single file or multiple files with click-n-drag.
- Includes a Windows device driver allowing users to non-destructively detect and analyze the Hardware Protected Area from within Windows.
Update 1.44 includes the following fixes and enhancements:
- Includes a fix for missed sectors during some floppy cluster searches.
- Includes an updated help file.
- Includes a fix FAT tables not being included in report sector count.
Update 1.42 includes the following fixes and enhancements:
- Includes the ability to add compressed images to a working project.
- Includes added status bar information during operations.
Update 1.39 includes the following fixes and enhancements:
- Includes a new File Signature Mismatch feature to compare file signatures against file extensions.
- Includes the ability to set the ProDiscover temporary directory from the preferences dialog.
- Includes an updated help file.
- Includes image file compression enhancements.
Update 1.35 includes the following fixes and enhancements:
- Includes fix for adding large image files to projects.
- Includes fix for error reporting.
Update 1.34 includes the following fixes and enhancements:
- Includes fix for Windows 98 direct physical disk access issues.
- Includes the ability to restore an image to a physical disk.
- Includes an updated help file.
Update 1.30 includes the following fixes and enhancements:
- Fix for cluster search radio button
- Updated help file.
Update 1.29 includes the following fixes and enhancements:
- Support for recursively comparing files against hashkeeper checksums.
Batch file transfers of evidence of interest.
- Bates numbering of files during batch transfer.
- The ability to search only files marked “Evidence of Interest”.
- Several minor bug fixes and performance enhancements.
- Updated help file.
Update 1.16 includes the following fixes and enhancements:
- Support for UNIX “DD” images of all Windows file formats.
- MAC times are now added to the report for all evidence of interest.
- Fix for hot key functionality.
- Fix for ProDiscover crashes when attempting to print with no printer installed.
- Fix for improper imaging of floppy disks in some versions of Windows 98.
- Fix for imaging disk slack space.