This product is the big brother of its family, including all the forensic capabilities of other versions with the additional ability to conduct investigations over the network and compare live systems to known-good baselines to establish whether a machine has been compromised or tampered with.
ProDiscover might not have the same depth of file and disk forensics features as EnCase in terms of sheer analytical bells and whistles, but it completes all its functions quickly and thoroughly, keeping track of every significant step in a constantly-updated case report, with every piece of data hashed and tagged, and plenty of basic searching tools.
The ability to use the Hashkeeper database (and other hash lists) to identify known files means it is quick and easy to identify modified system files and trace the presence of malware.
Many file systems are supported, including various Unix/Linux types, RAID systems and protected HPA disk areas. RAM can also be captured and imaged the same way, and while none of the file analysis works (obviously, there are no files), direct examination of the data in memory can be a very useful feature. Similarly, the registry can be collected and analyzed. Images are kept in a proprietary format, or in the Unix dd format, and images can also be converted between the types.
We liked the elegant simplicity of the software, especially when creating and comparing systems against baseline images. Remote systems are easily connected and investigated, with Twofish encryption used to keep the link secure. A scripting language, complete with a perl API, is a particularly nice touch.
We received no documentation, and the online help didn't work. Fortunately, there is quite good help at the vendor's website, but we expect better from a product in this space, even if its core features are intuitive to anyone with basic forensic experience.
Overall, we think ProDiscover IR is a good package. It is quick and responsive, and while not as comprehensive as some suites, it knows its job and gets down to business with a minimum of fuss.
And with a tight focus comes other benefits – it shouldn't take long to get a user competent with the software and contributing to forensic cases.
Quick and easy to use, with good incident response features.
Could use more analysis tools, and any sort of documentation.
Pricey for what you get, but a good tool for rapid incident response.