To use the Shuttle, you deploy agents on those computers on the network to which you want forensic access. The agents and the Captains communicate through the Proxy, which provides security for the connection. Both exchange data with the Server, which provides centralised authentication to the other elements and is the core control, storage and analysis component of the system.
We found the product to be unnecessarily complicated to deploy and manage. On a large network we would expect this level of complexity to require significant administration, and we would expect performance to suffer due to the multiple components that need to interact.
Although it was a bit tricky getting the entire system up and running, we were pleased to see many of the capabilities that we have come to expect from an over-the-network forensic tool.
For example, we could capture running processes, open ports (services) and open network sessions. File acquisition over the network performed acceptably, and the functions, such as the data view, performed as we expected.
The system is designed for an MS Windows environment which is somewhat limiting. Although the advertised purpose for the P2 Enterprise Shuttle is proactive forensics, there is no scripting language that allows real-time acquisition of data, so being proactive requires human interaction.
Also, we found the documentation seriously lacking in details. For example, when searching for the file system types the product supports we were unable to find any information in the manual.
Although the price is somewhat lower than its nearest competitor, this product requires two servers and either MS SQL Server or MySQL. The overall cost of ownership is, at best, average.
For: An interesting implementation of an over-the-network computer forensics and incident management tool; very good security.
Against: Unnecessarily complicated to deploy and support; lacks some needed features; very poor documentation.
Verdict: An average entry in this class.