Name: ProDiscover IR (Data Forensics group test)
- Good basic tool set for a low-entry price.
- Remote acquisition may be insecure, very Windows-centric.
- Not a bad entry-level tool for modest Windows environments wanting basic forensics and incident response capabilities.
SC Labs Reviews
ProDiscover is a basic disk image analysis tool, which can acquire and analyze Windows disk partitions. Although light on features, those included are usually only found in more expensive offerings.
Most notable is a remote client that allows online systems to be imaged while they are running, taking ‘smears’ of a live file system which remains forensically intact, despite the file system being subject to change. This is not unique – Guidance offers a superior version of its EnCase product with remote imaging, although it costs more. For the price, ProDiscover is an impressive achievement.
Although it reads directly off the disk, including from protected areas, ProDiscover can only mount and analyze Windows file systems (FAT and NTFS). Support for Unix, Mac and CD-ROM file systems is an essential component missing from this product.
Cases are set up easily, and disk images (local or remote) are added using the Bates numbering scheme. Image files can be compressed too, which is helpful when large file systems are being examined. Images that contain Windows file systems are mounted and the file system made available for examination. Unallocated clusters and deleted files are readily available.
Only basic text searching is offered – there are no regular expressions and search parameters cannot be saved. This will make running identical queries against a large number of systems a tedious process. Results are noted in an ongoing report, making it easy to track the progress of investigations.
The product makes it easy to create hash sets of files, and the software recognises some 90-odd file types out of the box – a small number compared to the open source tools on trial. It also integrates neatly with the hashkeeper database of known files, making it easy to eliminate files from the investigation, or identify changed files.
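The hash-set workflow described above (build a hash set from the image, eliminate files that match a known-file database, flag files whose name matches a known file but whose hash does not), as an added illustration that is not ProDiscover's own code; the known-file set and image contents are constructed in memory, and keying the set by MD5 is an assumption about HashKeeper-style sets:

```python
from __future__ import annotations
import hashlib

# Constructed stand-in for a HashKeeper-style known-file set. Assumption:
# entries are keyed by MD5 digest, recorded under the original file name.
KNOWN_FILES = {
    "notepad.exe": b"notepad-binary-v1",
    "kernel32.dll": b"kernel32-binary-v1",
}
KNOWN_HASHES = {hashlib.md5(data).hexdigest(): name
                for name, data in KNOWN_FILES.items()}


def file_hash(data: bytes) -> str:
    return hashlib.md5(data).hexdigest()


def build_hash_set(files: dict[str, bytes]) -> dict[str, str]:
    """Create a hash set (digest -> path) for a mounted image.
    files is {path: content}; a real tool would read from the image."""
    return {file_hash(data): path for path, data in files.items()}


def classify(files: dict[str, bytes], known: dict[str, str]) -> dict[str, list[str]]:
    """Partition image files into 'known' (safe to eliminate), 'changed'
    (name matches a known file but the hash differs, so worth a closer look)
    and 'unknown' (not in the known-file set at all)."""
    result: dict[str, list[str]] = {"known": [], "changed": [], "unknown": []}
    known_names = set(known.values())
    for path, data in files.items():
        digest = file_hash(data)
        name = path.rsplit("\\", 1)[-1].lower()   # Windows path, basename only
        if digest in known:
            result["known"].append(path)
        elif name in known_names:
            result["changed"].append(path)
        else:
            result["unknown"].append(path)
    return result


# Constructed sample image contents: one pristine system file, one whose
# bytes differ from the known copy, and one user file not in the set.
IMAGE = {
    r"C:\Windows\notepad.exe": b"notepad-binary-v1",
    r"C:\Windows\System32\kernel32.dll": b"kernel32-binary-TAMPERED",
    r"C:\Users\bob\Desktop\notes.txt": b"meeting at 3",
}

if __name__ == "__main__":
    for bucket, paths in classify(IMAGE, KNOWN_HASHES).items():
        print(bucket, paths)
```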
Of some concern is the agent, which allows remote systems to be imaged. It can be configured to require a password and use Twofish encryption, but the local binary is wide open to exploitation, making it a pre-installed Trojan for a knowledgeable hacker.
With its limitations, we would not recommend ProDiscover as a front-line forensics tool. But for companies needing a simple forensics tool on a budget, this is a good option.