ProDiscover^® Incident Response enables you to quickly and thoroughly examine a live system operating anywhere on your network. When used as part of an incident response procedure or as part of a routine system audit, ProDiscover Incident Response enables you to determine if that system has been compromised and allows you to gather the evidence needed to prove it.

Features and Benefits:

• Quickly verify if your system has been compromised without taking the system down.
• Analyze remote systems over the network eliminating the need to hire expensive staff or travel to remote locations.
• Utilizes remote agent to access suspect system disk at the sector level, revealing all files even if suspect system has been compromised by Trojan or rootkit.
• Search entire disk, including unallocated space, slack space, Windows NT/2000/XP Alternate Data Streams, and even HPA section (patent pending), for complete system integrity.
• Create a bit-stream image of the target system disk and physical memory to preserve evidence and restore the system quickly.
• Automatically creates and records MD5, SHA1, or SHA256 hashes of evidence files to prove data authenticity and integrity.
• Capture volatile state information such as open ports with connected IP addresses, route tables, ARP cache, logged-on users, etc. to investigate an incident.
• Capture image of BIOS/CMOS memory to find compromises.
• Integrated thumbnail graphics, internet history, event log file, and registry viewers to facilitate investigation process.
• Integrated viewer to examine .pst /.ost and .dbx e-mail files.
• Find files and processes that are being cloaked by rootkits.
• Create system baseline for comparison to uncover altered files.
• Utilize Perl scripts to automate investigation tasks.
• Utilize user provided or National Drug Intelligence Center Hashkeeper hash sets to verify integrity of all system files.
• Examine FAT12, FAT16, FAT 32 and all NTFS file systems including Dynamic Disk and Software RAID for maximum flexibility.
• Examine Sun Solaris UFS file system and Linux ext2 / ext3 file systems.
• Maintains multi-tool compatibility by reading and writing images in the pervasive UNIX® dd format and reading images in E01 format.
• Support for VMware to run a captured image.
• Remote agent may be preinstalled or pushed out, installed, and run remotely in normal or Stealth mode (with System Administrator privileges) to avoid detection.
• Linux boot disk provided to image systems without removing hard disk drive.
• User selectable 256 bit AES or Twofish encryption protects data transfers and remote system access.
• Automated report generation in XML format saves time, improves accuracy and compatibility.
• GUI interface and integrated help function assure quick start and ease of use.

If you suspect that your system has been compromised or if you perform regular system audits, you need to thoroughly examine systems without taking your network down. ProDiscover^® Incident Response will enable you to quickly, and with certainty, determine the integrity of your system while it is still on-line, performing its normal operations.

ProDiscover^® Incident Response utilizes an agent that runs on the suspect system to read the disk at the bit level. This enables ProDiscover^® Incident Response to work around the suspect system's o/s and examine all files, even if they are hidden by Trojans or rootkits. It also prevents any valuable metadata, such as last time accessed, from being altered. ProDiscover^® Incident Response can search the suspect system for over 400 known Trojans or rootkits. And, to insure the integrity of the o/s, ProDiscover^® Incident Response can examine all files and compare their hash signature to the signatures of known good files from a user provided baseline or from the National Drug Intelligence Center Hashkeeper database. ProDiscover^® Incident Response allows system administrators to be sure that they uncover any compromised files in the least intrusive manner.

If the system has been compromised, ProDiscover^® Incident Response allows the system administrator to make a bit stream image of the disk for later analysis and restore the system to proper working order to get it back on-line quickly. The off-line analysis of the data is easy and allows evidentiary quality data to be provided to law enforcement agencies.

The off-line analysis of the data is easy and allows “evidentiary quality” data to be provided to law enforcement agencies.

Questions and Answers:

ProDiscover^® IR Questions and Answers

Support Policy:

ProDiscover^® IR Product Support Policy

Downloads:

Download the free technical white paper "Why Low Level Disk Auditing is as Important as Virus Scanning" which outlines what current Trojan and Virus scanners may be missing.

Download the free technical white paper "Suspect Host Incident Verification in Incident Response" which outlines using ProDiscover^® IR in Incident Response.

Download the ProDiscover^® IR Product Information Sheet

Download the ProDiscover^® IR Remote Analysis and Imaging Application Note

Download the ProDiscover^® Family Guide

Download the ProDiscover^® IR Product Demo

Independent Validation:

ProDiscover^® has been utilized by professionals to find evidence for civil and criminal proceedings. An Independent Review of Forensic Tools was recently published by Mark Scott on the SANS web site validating the ProDiscover imaging process.
The Dartmouth Institute for Security Technology Studies report Law Enforcement Tools and Technologies for Investigating Cyber Attacks - Gap Analysis Report ranks ProDiscover^® as meeting the greatest number of needs for Preliminary Investigation and Data Collection.

Order:

Order ProDiscover^® IR

System Requirements:

• Windows 2000/2003/2008/XP/Vista
• 800 MHz or higher Pentium-compatible CPU
• 256 MB RAM (512 MB recommended)
• 25 MB available hard-disc space
• CD-ROM or DVD-ROM drive
• VGA or higher resolution monitor
• Keyboard and Mouse (or compatible pointing device)

Includes Technology From:

License:

Each single end-user license purchased of ProDiscover^® entitles a single user the right to use the ProDiscover^® software. Copies of ProDiscover^® may be installed on up to three machines provided, however, that only one copy is in use at any given time. ProDiscover^® installations may also be moved as needed. See the ProDiscover^® End-User License Agreement for details. Site and Enterprise licenses are also available for ProDiscover^®.