Q. Why do I need ProDiscover® IR to audit my systems or investigate an incident?
A. The standard tools used to audit a system or examine it after an incident have three basic problems. First, they can be fooled by today's widely available rootkits, which are loaded into the kernel and alter the functions of the system to cover their tracks or hide files. Tools that rely on the file system or on system commands to examine the disk therefore cannot be trusted. ProDiscover® IR bypasses these commands and the file system to get to the data, which gives a true representation of all the data on the disk. Second, other tools alter valuable metadata such as the last-accessed time, and thereby destroy evidence. Third, the data gathered by these tools is not of evidentiary quality and may not hold up in court. ProDiscover® IR does not alter any data and provides hash signatures of the files as proof of authenticity in legal proceedings.
Q. How does ProDiscover® IR work?
A. First, ProDiscover® IR uses the lowest-level disk sector read commands to get data off the disk. It uses its own file system code and GUI to display all the files on the system, including recoverable deleted files and Alternate Data Streams (which are usually overlooked by other audit tools). The use of low-level sector reads and a separate file system implementation prevents a rootkit from hiding files. Next, the user can choose files or folders to be examined in more detail. The software automatically generates a hash signature of each file before examining it. These hash signatures are compared to the ProDiscover® IR database of known files to filter out known good files and identify known rootkits. In addition, the file type (determined from the file content) is compared to the file extension to identify mis-classified files, a trick used by many crackers. The content of any suspect file can then be examined to see whether it contains executable code, or proprietary data such as user names and passwords or credit card information. Finally, if any files are identified as belonging to a cracker, they can be preserved, along with their hash signatures, for use by law enforcement agencies in investigation or prosecution.
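The hash-first triage described in this answer (hash each file before inspecting it, filter against known hashes, compare the content-derived file type with the extension, and preserve the signatures) can be illustrated in a few dozen lines. The following is an added example written for this page, not ProDiscover code; the magic-byte table, the sample files and the "known good" hash set are constructed inline, and the vendor's own database format is not described on the page, so a plain set of SHA-256 digests stands in for it.

```python
"""Hash-first file triage with a header-versus-extension check.

Added example, not ProDiscover code. The magic-byte table, the sample files
and the 'known good' hash set below are constructed for illustration.
"""
import hashlib

# Constructed subset of well-known file signatures: (magic bytes, type label,
# extensions that legitimately carry that type).
MAGIC_TABLE = [
    (b"MZ", "pe-executable", {"exe", "dll", "sys", "scr", "com"}),
    (b"\x7fELF", "elf-executable", {"", "so", "bin", "o"}),
    (b"%PDF-", "pdf", {"pdf"}),
    (b"\x89PNG\r\n\x1a\n", "png", {"png"}),
    (b"PK\x03\x04", "zip", {"zip", "jar", "docx", "xlsx", "pptx"}),
    (b"GIF8", "gif", {"gif"}),
    (b"\xff\xd8\xff", "jpeg", {"jpg", "jpeg"}),
]


def sha256_hex(data: bytes) -> str:
    """Hash signature of a file's content; computed before any other inspection."""
    return hashlib.sha256(data).hexdigest()


def detect_type(data: bytes):
    """Return (type label, allowed extensions) from the leading bytes, or
    ("unknown", None) when no signature in the table matches."""
    for magic, label, exts in MAGIC_TABLE:
        if data.startswith(magic):
            return label, exts
    return "unknown", None


def extension_of(name: str) -> str:
    """Lower-cased extension of the final path component ('' if none)."""
    base = name.rsplit("/", 1)[-1]
    return base.rsplit(".", 1)[1].lower() if "." in base else ""


def triage_file(name, data, known_good, known_bad):
    """Classify one file: hash it, filter against known hashes, then compare
    the content-derived type with the extension it was given."""
    digest = sha256_hex(data)
    label, allowed = detect_type(data)
    ext = extension_of(name)
    if digest in known_bad:
        verdict = "known-bad"
    elif digest in known_good:
        verdict = "known-good"
    elif allowed is not None and ext not in allowed:
        verdict = "extension-mismatch"   # header says one thing, name says another
    else:
        verdict = "review"               # unknown hash, nothing contradictory
    return {"name": name, "sha256": digest, "size": len(data),
            "detected": label, "extension": ext, "verdict": verdict}


def triage(files, known_good, known_bad=frozenset()):
    """files: mapping name -> content bytes (constructed here; on a real case
    the bytes would come from the disk image being examined)."""
    return [triage_file(n, d, known_good, known_bad) for n, d in sorted(files.items())]


def evidence_manifest(results):
    """Preserve hash signatures alongside file names, one 'digest  name' line each."""
    return [f"{r['sha256']}  {r['name']}" for r in results]


def verify_manifest(manifest, files):
    """Recompute hashes for a working copy and return the names whose content
    no longer matches the recorded signature (empty list means intact)."""
    changed = []
    for line in manifest:
        digest, name = line.split("  ", 1)
        if name not in files or sha256_hex(files[name]) != digest:
            changed.append(name)
    return changed


# Constructed sample "disk": a PE header under a .pdf name is the
# mis-classified case the answer describes.
SAMPLE_FILES = {
    "docs/readme.txt": b"Routine notes, nothing unusual.\n",
    "docs/report.pdf": b"%PDF-1.4\n% constructed sample\n",
    "docs/invoice.pdf": b"MZ\x90\x00\x03\x00\x00\x00" + b"\x00" * 56,
    "pics/photo.jpg": b"\xff\xd8\xff\xe0\x00\x10JFIF" + b"\x00" * 16,
}
KNOWN_GOOD = {sha256_hex(SAMPLE_FILES["docs/readme.txt"])}

if __name__ == "__main__":
    results = triage(SAMPLE_FILES, KNOWN_GOOD)
    for r in results:
        print(f"{r['verdict']:19} {r['detected']:14} {r['name']}")
    manifest = evidence_manifest(results)
    print("intact" if not verify_manifest(manifest, SAMPLE_FILES) else "ALTERED")
```

The verdict order matters: a hash match against a known set settles the question regardless of the name, and only files with no hash match are judged on the header-versus-extension rule. The manifest step records the signatures at the moment of collection, so a later `verify_manifest` run over a working copy shows whether any analysis tool has altered it.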
Q. If you only examine the data on disk, how can I be sure of determining whether a system has been rooted? What if the intruder only changes the content of system memory?
A. The rootkits that we have seen to date all create hidden files on disk. Much of the function of the rootkit, in addition to giving control to the cracker, is to hide this evidence. While it is possible for a cracker to create a rootkit that does not save anything to disk, it is nearly impossible to be sure that no tell-tale sign of its presence is ever written to disk as the system manages its virtual memory. In any case, if you suspect a system has been rooted, you can use ProDiscover® IR to verify that there are no hidden files on disk, and then reboot the system to flush out any potential memory-only attack. Since you can be sure that there are no hidden files on disk, the reboot will give you a trusted system again.
Q. Can't a rootkit be written to avoid detection by ProDiscover® IR?
A. While it is theoretically possible to create a rootkit that alters the low-level disk sector read command used by ProDiscover® IR, it would be extremely difficult and would require significant information about the specific machine being rooted. To determine which sectors contain the data the rootkit is trying to hide, it would need to track virtually the complete disk data structure of the system, in order to keep normal operation of the system from overwriting the hidden files. If the cracker instead marked a section of disk "bad" to prevent the system from altering the hidden files, that section would no longer be readable through the rooted disk sector commands either. We believe it is impractical to create such a low-level rootkit.
Q. Can you handle UNIX / Linux systems?
A. Yes. Today ProDiscover® IR can be used with Windows servers using FAT12, FAT16, FAT32 and all NTFS versions, with Sun Solaris UFS on Intel and SPARC, and with Linux ext2/3 file systems. We will add BSD and Mac file systems during the first quarter of 2005.
Q. Can you handle RAID disks?
A. ProDiscover® IR works with any hardware or NTFS software RAID configuration.
Q. Can you handle systems which operate with shared disk storage on a SAN?
A. In most SAN configurations, the system has a boot disk where the OS resides, separate from the SAN. ProDiscover® IR can examine all files and data on this boot disk to assure the system administrator that the system has not been compromised. In addition, if the SAN controller is based on a Windows OS and uses FAT12, FAT16, FAT32 or NTFS file systems, then ProDiscover® IR can be used to examine all the data on the SAN.
Q. Can I use other software tools to analyze the data captured by ProDiscover® IR?
A. Yes. ProDiscover® IR outputs images in the pervasive UNIX® dd format for use by other tools. We recommend that you keep an original copy of the data to ensure your evidence does not get destroyed by other tools.
Q. Has ProDiscover® been used in legal proceedings?
A. Yes. The evidence gathered and preserved by ProDiscover® has been used in numerous criminal and civil court proceedings. ProDiscover® is designed to comply with the NIST Disk Imaging Tool standard 3.1.6.
Q. How hard is it to learn and use ProDiscover® IR?
A. ProDiscover® IR is easy to learn and use. The intuitive GUI uses menus to help you find the functions you need, and presents the data in a standard file tree structure, which makes it easy to find the files you need to examine. The integrated help function explains how to use any ProDiscover® IR feature.
Q. Can I password protect the ProDiscover® IR remote agent to prevent rogue ProDiscover® clients from connecting?
A. Yes. The ProDiscover® IR remote agent (PDServer) can be password protected. Furthermore, the challenge and reply portion of the communication is always encrypted to prevent password sniffing.
Q. Will ProDiscover® IR work over a Wide Area Network?
A. Yes. ProDiscover® IR has been tested analyzing a remote disk half a world away.
Q. Can ProDiscover® IR work through firewalls?
A. Yes. ProDiscover® IR lets you adjust the TCP port settings used by both the client and the server agent, allowing users to adapt to most firewall rule sets.
Q. Can ProDiscover® IR be installed on the remote host hard drive?
A. Yes. ProDiscover® IR can be installed on remote hosts and can even run in what is known as "Stealth" mode, hiding its presence from normal users. This mode of operation is not recommended for incident response; it is intended for longer-term policy compliance and HR-related investigations.
Q. Can I connect to many ProDiscover® IR remote agents at once?
A. No. To ensure the best possible performance during live analysis, ProDiscover® IR limits connections to one client and one server agent at a time.
Q. Is my data secure over the network?
A. Yes. ProDiscover® IR allows users to create a secure channel by encrypting all communications over the network using the widely acclaimed Twofish encryption algorithm.