Q. Why do I need ProDiscover® Investigator to conduct internal investigations?
A. Standard applications, when used to examine a system for evidence of criminal activity or violations of corporate policy, have three basic problems. First, they can miss data which has been deleted or hidden in areas such as the Hardware Protected Area, Alternate Data Streams or disk slack space. Second, standard applications will alter valuable metadata such as the last-accessed time, and thereby destroy valuable evidence. Third, the data gathered by these tools is not of evidentiary quality and may not hold up in court. ProDiscover® Investigator will find all the data on the disk, will not alter any data or metadata, and provides hash signatures of the files as proof of authenticity in legal proceedings.
Q. How does ProDiscover® Investigator work?
A. ProDiscover® Investigator uses the lowest-level disk sector read commands to get data off the disk. It uses its own file system and GUI to display all the files on the system, including recoverable deleted files and Alternate Data Streams (these files are usually overlooked by other audit tools). The use of low-level disk sector reads and a separate file system prevents any files from being hidden from the investigator. Once all the data is exposed, the user can choose files or folders to be examined in more detail. The software automatically generates a hash signature of each file before examining the file. This guarantees that data integrity can be proven if evidence is uncovered. In addition, the file type can be compared to the file extension to identify any mis-classified files (a trick used by many criminals to hide information). The suspect files can then be searched to see if they contain any proprietary, unauthorized, or inappropriate data. Finally, if any evidence is found, it can be preserved, along with its hash signature, for use by law enforcement agencies for investigation or prosecution purposes.
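The two checks described in this answer, hashing a file before it is examined and comparing the file's real type (from its leading signature bytes) against the extension it carries, can be illustrated with a short triage script. This is an added example written for this page, not ProDiscover code and not its ProScript API; the magic-number table, the extension map and the three sample files are constructed for the demonstration.

```python
import hashlib
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed subset of well-known file signatures (assumption: enough to show the check,
# not a complete table).
MAGIC = {
    b"\x89PNG\r\n\x1a\n": "png",
    b"\xff\xd8\xff": "jpeg",
    b"%PDF-": "pdf",
    b"PK\x03\x04": "zip",
    b"GIF87a": "gif",
    b"GIF89a": "gif",
}

# Extensions that legitimately carry each detected type (Office documents are ZIP containers).
EXPECTED_EXT = {
    "png": {"png"},
    "jpeg": {"jpg", "jpeg"},
    "pdf": {"pdf"},
    "zip": {"zip", "docx", "xlsx", "pptx", "jar"},
    "gif": {"gif"},
}


@dataclass
class TriageRecord:
    name: str
    sha256: str            # computed before any content inspection
    detected: Optional[str]
    extension: str
    mismatch: bool         # True when the signature disagrees with the extension


def sha256_hex(data: bytes) -> str:
    """Hash signature of the file contents, recorded for later integrity proof."""
    return hashlib.sha256(data).hexdigest()


def detect_type(data: bytes) -> Optional[str]:
    """Identify the real file type from its leading bytes; None if no known signature."""
    for magic, kind in MAGIC.items():
        if data.startswith(magic):
            return kind
    return None


def triage_file(name: str, data: bytes) -> TriageRecord:
    # Hash first, so the record proves exactly which bytes were examined afterwards.
    digest = sha256_hex(data)
    ext = name.rsplit(".", 1)[-1].lower() if "." in name else ""
    kind = detect_type(data)
    mismatch = kind is not None and ext not in EXPECTED_EXT[kind]
    return TriageRecord(name, digest, kind, ext, mismatch)


def triage(entries: List[Tuple[str, bytes]]) -> List[TriageRecord]:
    return [triage_file(name, data) for name, data in entries]


# Constructed sample files: a real PDF header, a ZIP archive renamed to look like a photo,
# and a text file with no signature at all.
SAMPLES = [
    ("report.pdf", b"%PDF-1.4\n%constructed sample\n"),
    ("holiday.jpg", b"PK\x03\x04" + b"\x00" * 26 + b"payload.txt"),
    ("notes.txt", b"plain text, no signature\n"),
]

if __name__ == "__main__":
    for rec in triage(SAMPLES):
        flag = "MISMATCH" if rec.mismatch else "ok"
        print(f"{rec.name:12} ext={rec.extension:4} type={rec.detected or '?':5} {flag:8} {rec.sha256}")
```

Only `holiday.jpg` is flagged: its extension says JPEG but its first bytes are a ZIP local-file header. A file with no recognised signature (`notes.txt`) is reported as unknown rather than as a mismatch, which keeps the check from producing false alarms on plain text.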
Q. How can I investigate a remote system over my network?
A. ProDiscover® Investigator has been tested on both LAN and WAN networks. It comes with a remote agent (PDServer) which may be loaded on a suspect system and allows you to examine that system over your network. The Remote Agent may be run from a CD loaded into the suspect system, or with System Administration privileges, it may be pushed out and run remotely on the suspect system. Once the Remote Agent is running, the ProDiscover® Investigator console may connect to it and allow the investigator to examine the suspect system. Please refer to the ProDiscover Remote Analysis and Imaging Application Note for further details.
Q. Can ProDiscover® Investigator work through firewalls?
A. Yes. ProDiscover® Investigator offers the ability to adjust the TCP Port settings it uses for both the client and server agent allowing users to adapt to most firewall rule settings.
Q. Can ProDiscover® Investigator be installed on the suspect system hard drive?
A. Yes. ProDiscover® Investigator can be pushed out and installed on remote suspect systems if the investigator has System Administrator rights on the suspect system. Technology Pathways provides scripts for pushing out and installing the remote agent. Running the remote agent once it is installed requires third-party software such as Microsoft's Telnet service, Hyena or Dameware. The remote agent may be removed from the suspect server after the investigation.
Q. Can I examine a suspect system without being detected by the user?
A. In most cases, yes. ProDiscover can be run in a special Stealth mode on the suspect system to avoid detection. It is not, however, totally invisible as the user may notice disk activity and the PDServer process will be shown by the Task Manager. The PDServer process may be renamed during the installation process to avoid detection.
Q. Can I connect to more than one ProDiscover® Investigator remote agent at the same time?
A. ProDiscover® Investigator limits connections to only one remote agent at a time.
Q. Is my data secure over the network?
A. Yes. ProDiscover® Investigator employs a secure protocol which uses Globally Unique Identifiers (GUIDs) to prevent packet insertion and allows users to encrypt all data transmitted over the network using the widely accepted Twofish encryption algorithm.
Q. Can I password protect the ProDiscover® Investigator remote agent to prevent rogue unauthorized access?
A. Yes. The ProDiscover® Investigator remote agent can be password protected. Furthermore, the challenge and reply portion of the communication is always encrypted to prevent password sniffing.
Q. How can I be sure the data I receive is exactly the data on the suspect system?
A. Each packet transmitted by the remote agent is numbered and contains a Cyclic Redundancy Check (CRC) value which is transmitted along with the data. Upon receipt of the packet, the CRC is checked and, if any error has occurred, the packet is discarded and a request for retransmission is sent to the remote agent. This process ensures all the data is accurate.
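The mechanism in this answer, a sequence number plus a CRC on every packet, with corrupted or out-of-order packets discarded and re-requested, is shown below as an added example. It is not ProDiscover's wire format (which this page does not publish); the header layout, the CRC-32 choice and the simulated transfer are all assumptions made for the demonstration. One caveat worth keeping in mind: a CRC detects accidental corruption in transit, which is what this answer is about; it is not a defence against deliberate tampering, which is why the protocol also relies on the GUID and encryption features described earlier on this page.

```python
import struct
import zlib
from typing import List, Optional, Tuple

# Constructed frame header (assumption): big-endian sequence number, payload length,
# and CRC-32 computed over the sequence number and the payload together.
HEADER = struct.Struct(">IHI")


def frame(seq: int, payload: bytes) -> bytes:
    """Build one numbered packet carrying its own CRC."""
    crc = zlib.crc32(struct.pack(">I", seq) + payload) & 0xFFFFFFFF
    return HEADER.pack(seq, len(payload), crc) + payload


def parse(wire: bytes) -> Optional[Tuple[int, bytes]]:
    """Return (seq, payload) if the packet is intact, None if truncated or CRC fails."""
    if len(wire) < HEADER.size:
        return None
    seq, length, crc = HEADER.unpack_from(wire)
    payload = wire[HEADER.size:HEADER.size + length]
    if len(payload) != length:
        return None
    if zlib.crc32(struct.pack(">I", seq) + payload) & 0xFFFFFFFF != crc:
        return None
    return seq, payload


class Receiver:
    """Console side: accepts packets strictly in order and asks for retransmission otherwise."""

    def __init__(self) -> None:
        self.expected = 0
        self.chunks: List[bytes] = []
        self.retransmit_requests: List[int] = []

    def accept(self, wire: bytes) -> bool:
        parsed = parse(wire)
        if parsed is None:
            # Damaged packet: discard it and ask the agent to resend the one we expect.
            self.retransmit_requests.append(self.expected)
            return False
        seq, payload = parsed
        if seq != self.expected:
            # Duplicate or out-of-order packet: discard, re-request the expected one.
            self.retransmit_requests.append(self.expected)
            return False
        self.chunks.append(payload)
        self.expected += 1
        return True

    def data(self) -> bytes:
        return b"".join(self.chunks)


def simulate(image: bytes, chunk: int, corrupt_seq: int) -> Tuple[bytes, List[int]]:
    """Send `image` in `chunk`-sized packets, flip one bit in packet `corrupt_seq` in flight,
    and let the receiver recover it by retransmission. Returns (reassembled data, requests)."""
    packets = [frame(i, image[i * chunk:(i + 1) * chunk])
               for i in range((len(image) + chunk - 1) // chunk)]
    rx = Receiver()
    for i, pkt in enumerate(packets):
        wire = bytearray(pkt)
        if i == corrupt_seq:
            wire[-1] ^= 0x01          # simulated bit error in the last payload byte
        if not rx.accept(bytes(wire)):
            rx.accept(packets[rx.retransmit_requests[-1]])   # agent resends intact packet
    return rx.data(), rx.retransmit_requests


# Constructed sample "disk image": 1024 bytes of a repeating byte pattern.
IMAGE = bytes(range(256)) * 4

if __name__ == "__main__":
    data, requests = simulate(IMAGE, 100, 3)
    print("reassembled matches original:", data == IMAGE)
    print("retransmission requests for packets:", requests)
```

In the simulated run the receiver detects the damaged packet 3 by its CRC, requests exactly that packet again, and the reassembled data matches the original byte for byte.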
Q. Can you handle UNIX / Linux systems?
A. Yes, ProDiscover® Investigator can be used with Windows servers utilizing FAT12, FAT16, FAT32 and all NTFS file systems, as well as Sun Solaris UFS and Linux ext2/ext3 file systems. We will add Apple Mac and other file systems soon.
Q. Can you handle RAID disks?
A. ProDiscover® Investigator works with any hardware or NTFS software RAID configuration.
Q. Can you handle systems which operate with shared disk storage on a SAN?
A. In most SAN configurations, the system has a boot disk where the OS resides, separate from the SAN. ProDiscover® Investigator can examine all files and data on this boot disk to assure the system administrator that the system has not been compromised. In addition, if the SAN controller is based on a Windows OS and utilizes FAT12, FAT16, FAT32 or NTFS file systems, then ProDiscover® Investigator can be used to examine all the data on the SAN.
Q. Can I use other software tools to analyze the data captured by ProDiscover® Investigator?
A. Yes. ProDiscover® Investigator outputs in the pervasive UNIX® dd format for use by other tools. We recommend you keep an original copy of the data to ensure your evidence does not get destroyed by other tools.
Q. Has ProDiscover been utilized in legal proceedings?
A. Yes. The evidence gathered and preserved by ProDiscover has been utilized in numerous criminal and civil court proceedings. ProDiscover is designed to comply with the NIST Disk Imaging Tool standard 3.1.6.
Q. How hard is it to learn and use ProDiscover® Investigator?
A. ProDiscover® Investigator is easy to learn and use. The intuitive GUI uses menus to help you find the functions you need, and presents the data in a standard file tree structure, which makes it easy to find the files you need to examine. The integrated help function can be used to find out how to use any ProDiscover® Investigator feature.
Q. Does ProDiscover® work on Microsoft Vista?
A. Yes, ProDiscover began expanded support for Microsoft Vista with version 5.0.
Q. Can ProDiscover® analyze user email?
A. Yes, ProDiscover provides an email viewer that provides a close-to-native view of all Microsoft email formats within the ProDiscover console. Formats include PST, OST, and DBX for Microsoft Outlook and Outlook Express.
Q. Can ProDiscover® image physical RAM?
A. Yes, the network-enabled versions of ProDiscover can image a remote system's physical RAM. Analysis can be performed using Perl and the ProDiscover ProScript API.
Q. Can ProDiscover® be automated?
A. Yes, ProDiscover (Forensics edition and above) includes the ActiveState Perl engine and exposes over 200 ProDiscover functions through the ProScript API. This scripting facility can be used for automation, standard case-flow management, and detailed low-level analysis.
Q. Can ProDiscover® work with VMware?
A. Yes, ProDiscover includes a VMware .VMDK file generator for "DD" images that allows the images to be run through the VMware console.