Images are stored either in a proprietary format or as raw Unix dd images, and an image can be converted between the two. The registry can likewise be collected and analyzed. RAM can also be captured and imaged in the same way; file-level analysis does not apply to a memory image (there is no file system to parse), but direct examination of the raw data in memory can be very useful. Many file systems are supported, including various Unix/Linux types, RAID volumes and Host Protected Area (HPA) regions of a disk.

The ability to use the HashKeeper database (and other hash sets) to identify known files means it is quick and easy to flag modified system files and trace the presence of malware: anything that matches a known-good hash can be set aside, leaving the examiner with the unknown and the altered.

ProDiscover might not match EnCase for sheer analytical bells and whistles in file and disk forensics, but it completes all its functions quickly and thoroughly, keeping track of every significant step in a constantly updated case report, with every piece of data hashed and tagged, and it provides plenty of basic searching tools. This product is the top of its family: it includes all the forensic capabilities of the other versions, with the added ability to conduct investigations over the network and to compare live systems against known-good baselines to establish whether a machine has been compromised or tampered with.
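The known-file and baseline checks described above come down to hashing a tree and diffing it against a trusted hash set. The following is an added example, not ProDiscover's own code: it assumes the baseline is a plain dict of relative path to SHA-256 digest built from a known-good tree (a stand-in for a HashKeeper-style hash set), that both trees are mounted or extracted directories on local disk, and it uses a constructed sample tree with one trojaned binary, one dropped file and one deleted file.

```python
"""Known-file / baseline comparison in the style of a hash-set check.

Added example, not ProDiscover's own code. Assumptions: the baseline is a
plain dict of relative path -> SHA-256 hex digest built from a known-good
tree (a stand-in for a HashKeeper-style hash set), and both trees are
mounted or extracted directories on local disk. All sample data is constructed.
"""
import hashlib
import os
import tempfile
from pathlib import Path


def hash_file(path: Path, algorithm: str = "sha256", chunk_size: int = 1 << 20) -> str:
    """Hash a file in chunks so large evidence files do not need to fit in RAM."""
    h = hashlib.new(algorithm)
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root: Path) -> dict:
    """Map every regular file under root (relative POSIX path) to its digest."""
    manifest = {}
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            full = Path(dirpath) / name
            if full.is_symlink() or not full.is_file():
                continue  # only regular files; a symlink target is hashed under its own path
            rel = full.relative_to(root).as_posix()
            manifest[rel] = hash_file(full)
    return manifest


def compare_to_baseline(baseline: dict, target: dict) -> dict:
    """Classify target files against a known-good baseline.

    known    : digest matches the hash set (same path, or known content at a new path)
    modified : same path, different digest (e.g. a trojaned system binary)
    added    : unknown content not in the baseline (candidate for closer review)
    missing  : present in the baseline but absent from the target
    """
    known_digests = set(baseline.values())
    result = {"known": [], "modified": [], "added": [], "missing": []}
    for rel, digest in sorted(target.items()):
        if rel in baseline:
            if baseline[rel] == digest:
                result["known"].append(rel)
            else:
                result["modified"].append(rel)
        elif digest in known_digests:
            # content is known-good but sits at an unexpected path (copied/renamed)
            result["known"].append(rel)
        else:
            result["added"].append(rel)
    result["missing"] = sorted(set(baseline) - set(target))
    return result


def _write_tree(root: Path, files: dict) -> None:
    """Write a constructed directory tree from a {relative path: bytes} mapping."""
    for rel, data in files.items():
        p = root / rel
        p.parent.mkdir(parents=True, exist_ok=True)
        p.write_bytes(data)


def demo() -> dict:
    """Constructed sample: a clean tree vs. a suspect tree with one trojaned binary."""
    clean_files = {
        "bin/ls": b"#!/bin/sh\necho ls\n",
        "bin/ps": b"#!/bin/sh\necho ps\n",
        "etc/passwd": b"root:x:0:0:root:/root:/bin/sh\n",
    }
    suspect_files = dict(clean_files)
    suspect_files["bin/ps"] = b"#!/bin/sh\necho ps | grep -v rootkit\n"  # modified
    suspect_files["tmp/.x"] = b"payload\n"                                # added
    suspect_files["usr/bin/ls"] = clean_files["bin/ls"]                   # known content, new path
    del suspect_files["etc/passwd"]                                        # missing
    with tempfile.TemporaryDirectory() as tmp:
        clean_root, suspect_root = Path(tmp) / "clean", Path(tmp) / "suspect"
        _write_tree(clean_root, clean_files)
        _write_tree(suspect_root, suspect_files)
        baseline = build_manifest(clean_root)
        return compare_to_baseline(baseline, build_manifest(suspect_root))


if __name__ == "__main__":
    for category, paths in demo().items():
        print(f"{category:9s} {paths}")
```

Against a real hash set you would load the digests from the published list rather than hash a clean tree yourself, and you would hash with the algorithm the list uses (older lists are MD5 or SHA-1, which is fine for known-file matching but not for proving integrity against an adversary who can craft collisions).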