Technology Pathways ProDiscover Forensics 4.9
Strengths: Easy to use for a single-system forensic investigation.
Weaknesses: Greater flexibility for evidence sources would help.
Verdict: A solid forensic application which is above average for forensic packages.
Summary: ProDiscover Forensics 4.9 is a utility best used for analysis of an entire system. It includes utilities for viewing the registry, event log and internet activity from a captured image. Everything needed for forensic analysis is included in one clean interface, which resembles Windows Explorer. ProDiscover allows for scripting of commands using Perl. The scripts can be handy to automate tasks routinely performed as part of a forensic investigation. The product is feature-rich, but internal viewers -- as opposed to loading the applications -- would be a time-saver.
The ProDiscover utility needed around three minutes to create a forensic image of a one GB drive. Importing the image file into ProDiscover was so quick it was impossible to time. ProDiscover recovered more deleted files than any other program, including some files which were supposedly wiped using a wiping program from a well-known manufacturer. ProDiscover found many deleted executables, a deleted directory and deleted picture files. The password-protected files were not highlighted, and the investigator would only discover the protection by double-clicking on a file to open it in the external application. ProDiscover also did not detect the presence of any steganographed files; the picture files merely opened in picture preview. Since ProDiscover is designed to read an imaged system disk and not individual files as inputs, we were unable to test ProDiscover against VMware disk files to ascertain whether ProDiscover would view the VMware file as a flat file or a virtual file system.
The installation of ProDiscover was as easy as any utility in this group. The utility installed from a downloaded file, which installed the ProDiscover program as well as ActivePerl for forensic scripting. The license file was copied to the program directory and the installation was done.
The help file for ProDiscover is above average and covers most common uses of the product. Reading the first few sections will provide the knowledge necessary to perform basic tasks with the system.
The pricing for FTK is $2,195, which is at the upper end of the price spectrum.