Summary

ProDiscover IR (PD-IR) was designed from the ground up as an incident response tool. The approach PD-IR uses is relatively simple. It requires an agent on any computer that you will want to analyze. The tool communicates through an encrypted link with the agent and collects data as needed/scheduled.
From the user interface perspective, the tool has not changed a lot since its original introduction and that makes it feel like an old friend - even though it keeps adding more and more functionality with each new release (it's in release 6.0 now). With ProScript, this forensic tool exudes forensic analytic power. ProScript allows development of sophisticated automated processes using the familiar Perl language.
I, personally, have used PD-IR both for standalone analysis and over-the-network analysis with equally solid success. At the university where I am CISO, we use it as our primary incident response forensics teaching tool. The students abuse it the way college students always do and the product stands strong and tall. That helps our students gain confidence in the use of forensic techniques. In a production environment, users to whom I've spoken tell me they experience the same results.
Make no mistake: This is a computer forensic tool. It is not, as some erroneously think, a network forensics tool. But it does work over the network so it can gather some additional data from the target computer. Data on ports, open files, running processes and other communications is accessible quickly and easily. Overall, if you want to use a forensic tool to aid in incident response - and who wouldn't? - I'm betting you'll like this one as much as we do.