ProDiscover IR is an over-the-network computer forensics tool. It connects to any computer that has the ProDiscover agent and performs a suite of forensic tests that can be scripted using ProScript, a variant of Perl. We like ProDiscover IR for its flexibility and simplicity. For example, using Perl as the basis for ProScript makes sense because many IT professionals are already proficient in Perl. The simple console-to-agent connection is also simpler and less costly than more complicated over-the-network acquisition schemes.

Of all of the computer forensic products we tested, we found ProDiscover IR to be the easiest to use.

We found in earlier tests and in day-to-day use that this product draws its true power from ProScript. We have scripted common requirements, such as periodic remote acquisition and analysis, as well as exotic ones, such as performing vulnerability analysis during a forensic scan. ProScript is remarkably robust and flexible.

ProDiscover IR does a lot more than collect images or parts of images from remote computers. It can collect volatile data, such as open and hidden files, running processes and open ports. It can run ongoing hash comparisons that help spot changes to critical files. Additionally, it can perform full live forensic analysis over the network.

The product is capable of handling most common file systems, including those of Windows, Linux and Solaris Unix. It accepts DD images, can image RAM and, of course, can capture and analyze the Windows registry. In general, this is a powerful incident response and proactive forensics tool.

At $7,995 for the complete over-the-network product, ProDiscover IR is a good buy. Support is solid, though it is an extra-cost option. We have never had a complaint about support in the two years that we have reviewed the product. Documentation is good, though not as extensive as we would like. For its very high value, ease of use and solid functionality, we award ProDiscover IR our Recommended rating.