For users who desire to run PDServer for an extended period of time, or without the users knowledge PDServer offers two options for"Create Smart Agent Package" found under the Tools menu.
The preferred method of installing the remote agent for many investigators is through the "Network | Push PDServer to Windows" menu option. Through this menu option investigators can easily set the install, uninstall, choose installation type, and remote agent settings such as the process name, port and password. If the investigator does not have the proper privileges to install the remote agent on the target machine, a dialog box will appear allowing a user name and password with the proper privileges to be entered.
Notes: (1) When pushing the remote agent to Windows 7 systems, users should choose a folder other than the %SYSTEM32% location. It is recommended to use the Program Files folder or to create an absolute path of choice.
(2) All installations using the "Network | Push PDServer to Windows" menu option are installed in Stealth mode only.
Choosing to install in "Windows Run Registry Key" causes the remote agent to only run while a user is logged on to the remote system. The specific entry can be found in HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
PDServer.exe /E:xxxx (where xxxx is the encrypted version of the password (up to 19 characters) set by the user)
Capture: Allows the user to choose to image the primary Physical Disk 0, or All Connected Physical Disk. Users can also set the image to be split if desired.
Image Format: Allows the user to choose the ProDiscover format, or standard Unix style DD.
Image Name Prefix: This will place a Prefix on the user name. The resulting image name will included this prefix appended to the system name and physical drive. For instance an image prefix entry of CASE_123 would create an image of Case_123.forensic.PhysicalDrive0.eve if the system name was "forensic" and physical drive 0 was being imaged.
Image Path: This is the desired UNC path for the image to be placed. The expected syntax is "\\<IP Address>\Share\". In cases where users are testing with VMWare it is recommended that a share on the host be setup in the VMWare workstation configuration and enter the syntax "\\.host\Shared Folders\Share".
Start Image Capture at: The date and time the agent should start the imaging process. If the time has passed at installation the imaging process will begin. All imaging will begin within 1 min. of the time set.
User Name: This entry should be in the formation "<domain>\user" or "<machine>\user" where the fully qualified user had complete share and file level access to the share entered in the Image Path.
Password: password credentials for the user name above.
Re-enter Password: password confirmation.
eDiscovery Section
Enable User Notification Tray Icon: When checked a user notification icon will be placed in the system tray notifying custodians the current status of an imaging process.
Customer Message: Allows users to set a custom message that will alert the custodians when the imaging process is complete.
Once the user presses "OK" ProDiscover will install the Remote Agent and support files in the system32 directory of the target machine. Files installed include:
aplib.dll
mem.sys
mem64.sys
msvcrt.dll
PDServer.exe
DftSrv.exe (Installed only if installing as a service)
DftSrv.ini (Installed only if installing as a service)
PDStub.exe (installed only if using eDiscovery mode)
If the user selects to uninstall PDServer from the remote system, all the above files will be removed with the exception of "msvcrt.dll" because other installed applications may depend on the file. Additionally any prefech entries for PDServer.exe-pf and DftSrv.exe-pf will also be removed.
To use "Install Stealth Mode" All the files from the PDServer disk should be copied to a directory on the target computer. Once all files have been copied running PDServer then selecting "Install Stealth Mode" from the tools menu will launch the installation dialog box. The user to change the PDServer default TCP/IP port and set PDServer to start each time the user logs in. Selecting the "Start in Stealth Mode" checkbox will ensure PDServer is not visible to users on the target system. Optionally a password can be set requiring any ProDiscover® client to provide the password upon connection. Even when encryption mode is not set the initial connection setup and password communications are encrypted to prevent man-in-the-middle attacks.
Choosing OK will make the following registry entry on the target system.
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
PDServer.exe /E:xxxx (where xxxx is the encrypted version of the password (up to 19 characters) set by the user)
Removing all the PDServer files and this registry entry is all that is needed to completely remote PDServer from the target system.
Runs PDServer without visibility on the program bar or tray area.
1. PDServer can be started in stealth mode from command line with:
"PDServer.exe /s:xxxx (where xxxx is a clear text password up to 19 characters)"
2. PDServer can be launched from command line with a specified TCP/IP Port number with:
"PDServer.exe /p:xxxx" (where xxxx is the desired port number)