ProDiscover Incident Response
ProDiscover Enterprise (IR) enables you to determine whether a system has been compromised and to gather the evidence needed to prove it.
ProDiscover Enterprise (IR) supports all the features of ProDiscover Forensics and adds the following:
- Quickly verify if your system has been compromised without taking the system down.
- Speed investigations and save travel costs by remotely examining live systems forensically throughout your network.
- Quickly uncover Trojans and rootkits, even kernel mode Trojans which can cloak themselves in your systems.
- Uses a remote agent to read the suspect disk at the bit level, enabling you to examine all of its contents, including HPA and Windows Alternate Data Streams.
- To minimize the possibility of detection, the remote agent may be pushed out, installed, and run remotely in stealth mode (with System Administrator privileges).
- Image a shadow copy of the remote system disk.
- The remote image copy may be sent out a local system port or to a network storage location to improve image capture performance.
- Powerful image differencing capabilities for fast VSC analysis.
- Process Explorer for the remote system.
- Capture volatile state information such as open ports with connected IP addresses, route tables, ARP cache, logged-on users, etc. to investigate an incident.
- Powerful automated data carving saves time and improves the accuracy of investigations.
- Capture an image of BIOS/CMOS memory to find compromises.
- All data transferred over the network may be protected with 256-bit AES encryption.