ProDiscover Forensics


Whether you suspect your system has been hacked or are looking for discoverable evidence in a civil proceeding or criminal investigation. Designed to the National Institute of Standards Disk Imaging Tool Specification 3.1.6

ProDiscover Forensics is a powerful computer security tool that enables law enforcement professionals to find all the data on a computer disk while protecting evidence and creating evidentiary quality reports for use in legal proceedings.

ProDiscover is a disk forensics system which provides a host of features to capture and analyse disks. The product supports a wide variety of Windows and Linux file systems. ProDiscover ensures that both the capturing and analysis processes are performed by applying forensically sound methods. The resulting reports meet evidentiary quality requirements.


ProDiscover is integrated with a full-text search engine, a set of embedded viewers and hash comparison methods, which together provide an easy-to-use yet powerful toolkit for forensic investigators. ProDiscover has been designed to satisfy the requirements of the NIST Imaging Tool Specification.

The following are some of the key features of ProDiscover Forensics:

  • Preview and image disks.


  • Preview and search suspect files to find evidence quickly and without altering any data or metadata.


  • Automatically creates and records MD5, SHA1 and SHA256 hashes of evidence files to prove data integrity.


  • Creates a bit-stream copy of the entire suspect disk, including the hidden HPA section, to keep the original evidence safe.

  • Maintains multi-tool compatibility by reading and writing images in the pervasive UNIX .dd format.


  • Examine any or all of the following file systems:

    • Windows: FAT12, FAT16, FAT32 and all NTFS file systems including Dynamic Disk and Software RAID.

    • Mac OS X: HFS, HFS+.

    • Linux: EXT2, EXT3 and EXT4.

    • Solaris: UFS


  • Integrated graphics thumbnail viewer and registry viewer


  • Integrated Outlook email viewer


  • Integrated Internet History viewer


  • Integrated Registry viewer


  • Integrated Event Log viewer


  • Extract Clusters / Files into Logical File Collections


  • File / Cluster Cross Reference


  • Import / Export .dd format images


  • Add comments to evidence of interest


  • Disk Wipe Capability


  • Extracts EXIF information from JPEG files to identify file creators


  • Linux boot disk provided to image systems without removing hard disk drive


  • Automated report generation in XML format saves time, improves accuracy and compatibility


  • GUI interface and integrated help function assure quick start and ease of use


  • Designed to NIST Disk Imaging Tool Specification 3.1.6 to ensure high quality


  • Support for VMware to run a captured image.

ProDiscover Incident Response

ProDiscover Enterprise (IR) enables you to determine if a system has been compromised and allows you to gather the evidence needed to prove it.

ProDiscover Enterprise (IR) supports all the features of ProDiscover Forensics and, in addition, the following:

  • Quickly verify if your system has been compromised without taking the system down.


  • Speed investigations and save travel costs by remotely examining live systems forensically throughout your network.


  • Quickly uncover Trojans and rootkits, even kernel mode Trojans which can cloak themselves in your systems.


  • Utilizes a remote agent to read the suspect disk at bit level, enabling you to examine all the contents of the suspect disk, including HPA and Windows Alternate Data Streams.


  • To minimize the possibility of detection, the remote agent may be pushed out, installed, and run remotely in stealth mode (with System Administrator privileges).


  • Image shadow copy of remote system disk.


  • Remote image copy may be sent out a local system port or to a network storage location to improve image capture performance.


  • Powerful Image differencing capabilities for fast VSC analysis.


  • Process Explorer for remote system


  • Capture volatile state information such as open ports with connected IP addresses, route tables, ARP cache, logged-on users, etc. to investigate an incident.


  • Powerful automated data carving saves time, improves accuracy of investigations.


  • Capture image of BIOS/CMOS memory to find compromises.


  • All data transferred over the network may be protected with 256-bit AES encryption.

ProDiscover Pro

ProDiscover Pro acts as a repository for the ProDiscover Forensics and ProDiscover Enterprise (IR) products and enables teams to stay updated, review and collaborate. Information retrieved from devices is securely stored on the web platform.

The following features are available on ProDiscover Pro:

  • Search for file names and content

    • Support Boolean, Date and Heuristic searches across all the files captured from a disk

    • Provides a preview of the file contents within the search view.

  • View document contents

    • Annotation and cross-reference tools.

  • Without disturbing the folder structure, create document groups as placeholders for important documents.

  • Generate reports on the content. Create management reports.


  • Secure platform with options for encryption of stored data, two-factor authentication, time limited sharing and audit logs with complete information on user access.