ProDiscover® Incident Response enables you to quickly and thoroughly examine a live system operating anywhere on your network. When used as part of an incident response procedure or as part of a routine system audit, ProDiscover Incident Response enables you to determine if that system has been compromised and allows you to gather the evidence needed to prove it.
Features and Benefits:
• Quickly verify whether a system has been compromised without taking it down.
• Analyze remote systems over the network, eliminating the need to hire expensive staff or travel to remote locations.
• Access the suspect system's disk at the sector level, revealing all files even if the suspect system has been compromised by a Trojan or rootkit.
• Search the entire disk, including unallocated space, slack space, Windows NT/2000/XP Alternate Data Streams, and even the HPA section (patent pending), for complete system integrity.
• Create a bit-stream copy of the compromised system's disk and memory so you can quickly restore the system without losing valuable evidence.
• Automatically generate and record MD5, SHA1 or SHA256 hashes to prove data integrity.
• Capture volatile state information such as open ports with connected IP addresses, route tables, ARP cache, logged-on users, etc., to investigate an incident.
• Integrated process explorer and registry viewer.
• Integrated graphics thumbnail viewer.
• Integrated Windows event log viewer.
• Extract Internet history.
• Find files and processes that cannot be seen by the suspect system's OS.
• Create a system baseline for later comparison to uncover altered files.
• Utilize Perl scripts to automate investigation tasks.
• Utilize user-provided or National Drug Intelligence Center HashKeeper database information to positively identify all system files.
• Examine FAT12, FAT16, FAT32 and all NTFS file systems, including Dynamic Disk and Software RAID, for maximum flexibility.
• Examine Sun Solaris UFS file systems and Linux ext2/ext3 file systems.
• Remote agent may be preinstalled or pushed out, installed, and run remotely in normal or Stealth mode (with System Administrator privileges) to avoid detection.
• Linux boot disk provided to image systems without removing the hard disk drive.
• User-selectable 256-bit AES or Twofish encryption protects data transfers and remote system access.
• GUI interface and integrated help function assure a quick start and ease of use.
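As an added example (not ProDiscover code and not part of the original page), the following Python script shows what the hash-recording and baseline-comparison features listed above amount to: it hashes every regular file under a directory with one of the algorithms the page names, keeps the digests as a baseline, and later reports which files were added, removed or modified. The directory layout and file contents in `demo()` are constructed sample data.

```python
# Added example: hash-based file baseline and comparison (not ProDiscover code).
import hashlib
import os
import tempfile

def hash_file(path, algo="sha256", chunk=1 << 20):
    """Hex digest of one file (md5, sha1 or sha256), read in chunks to bound memory use."""
    h = hashlib.new(algo)
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()

def build_baseline(root, algo="sha256"):
    """Walk root and record {relative path: digest} for every regular file."""
    baseline = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            if os.path.islink(full) or not os.path.isfile(full):
                continue  # symlinks, sockets and devices are not hashed
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            baseline[rel] = hash_file(full, algo)
    return baseline

def compare_baselines(before, after):
    """Classify paths as added, removed or modified between two baselines."""
    return {
        "added": sorted(after.keys() - before.keys()),
        "removed": sorted(before.keys() - after.keys()),
        "modified": sorted(p for p in before.keys() & after.keys() if before[p] != after[p]),
    }

def demo():
    """Constructed sample tree: baseline it, alter it, and return the resulting diff."""
    with tempfile.TemporaryDirectory() as root:
        os.makedirs(os.path.join(root, "system32"))
        sample = {"system32/app.exe": b"original binary", "hosts": b"127.0.0.1 localhost\n"}
        for rel, data in sample.items():
            with open(os.path.join(root, rel), "wb") as f:
                f.write(data)
        before = build_baseline(root)
        # Simulate changes after the baseline: one file patched, one added, one deleted.
        with open(os.path.join(root, "system32/app.exe"), "wb") as f:
            f.write(b"patched binary")
        with open(os.path.join(root, "system32/unexpected.dll"), "wb") as f:
            f.write(b"appeared later")
        os.remove(os.path.join(root, "hosts"))
        return compare_baselines(before, build_baseline(root))
```

Persisting the baseline dictionary (for example as JSON, together with the algorithm used) is what makes the later comparison possible; a baseline taken after a compromise would only confirm the compromised state.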