Forensics and Cyber Threat Research Area

Threat Intelligence | Insider Threat Detection | User Behavior Analytics | Cyber Threat Management | Data Security Intelligence | Cloud Security Intelligence Application Security Intelligence | Anomaly & Pattern Detection |  Security Information Event Management | Digital Forensics | Data Recovery | Malware Investigation | Packet Analytics | Packet Forensics | security operations and analytics platform architecture (SOAPA)

Home » Blog » ProDiscover Incident Response Project

 Posted in ProDiscover

ProDiscover Incident Response Project

   21st November 2014  Leave a Comment on ProDiscover Incident Response Project 0 979

ProDiscover Incident Response Project

 

Project Name: ProDiscover Incident Response Project
Description: Step by step guide to ProDiscover Incident Response
Author: Rohit D Sadgune

Summary of Contents

In this blog we will learn following things

  • how to start prodiscover incident response
  • Project number & case files
  • Adding suspected evidence drive
  • Saving project for further analysis.

This is initial window of PIR where 3 case fields are mentioned “Project Number”, “Project File Name” & last is “Description”

Digital Forensics Pune

 

Project Number is filed where we suppose to put forensics project number e.g [001-HDD-1-16-11-2014]

Digital Forensics

Case number is oo1 is from assumption that we will have maximum of 999 different variant of investigation

HDD-1 is for case-1 first Hard disk is for investigation.

Date is the thing which gives clarity or authenticity to respective case.

You can use same case number for project file name so to avoid confusion on later investigation

ProDiscover Incident Response Project File Name
ProDiscover Incident Response Project File Name

 

Forensics case description is not only helps forensics investigator but it also help for further litigation process

 

Forensics Case Description
Forensics Case Description

 

How add evidence drive in prodiscover for investigation

Adding Evedance Drive in ProDiscover
Adding Evidence Drive in ProDiscover

Left click here on Disk tab of PIR

Adding Evidence Drive in ProDiscover
Adding Evidence Drive in ProDiscover

Click on suspected HDD here I am selecting [PhysicalDrive0] item

 

Selecting Suspect Drive in Prodiscover
Selecting Suspect Drive in Prodiscover

Type [suspected Drive – 001]

 

Suspected Drive Comment
Suspected Drive Comment

Crick on [Add] button

Selecting Suspect Drive in Prodiscover
Selecting Suspect Drive in Prodiscover

 

To see the disk view content in tree mode please click on disk so as to expand the tree mode.

Disk View In ProDiscover
Disk View In ProDiscover

To expand tree level in PIR please click on PhysicalDrive0

Disk View In ProDiscover
Disk View In ProDiscover

 

To expand any drive to access or investigate internal content Left click drive letter

Disk View in ProDiscover
Disk View in ProDiscover

ProDisover Incident response kit offer parallel cluster view of HDD to investigator.

To access please click on disk tab of cluster view so as to examine branches which are bellow that view

Disk Cluster View
Disk Cluster View

 

The physical Drive will appear in the tree view of ProDiscover IR Left click to examine branches

 

Disk Cluster View
Disk Cluster View

 

Please click on corresponding drive letter to expand & Here you can see the cluster view of ProDiscover Incident Response.

In ProDiscover there are three components to analyze forensically

  1. used cluster with marked as green
  2. unused cluster is denoted by blue
  3. boot sector & partition data cluster are marked by red
Disk Cluster View
Disk Cluster View

 

To save particular project in PIR Select [File] menu item

Saving Prodicover Project
Saving Prodicover Project

 

Select [Save Project     Ctrl+S] menu item

Saving Prodicover Project
Saving Prodicover Project

 

Select a location where you want to save case here i am saving on [Desktop] outline item

Saving Prodicover Project
Saving Prodicover Project
Saving Prodicover Project
Saving Prodicover Project

 

Note: – Entire demonstration of ProDiscvover is developed on eduction license of ProDiscover Incident Response

 

Author: Rohit Sadgune
Core Working Areas :- Threat Intelligence, Digital Forensics, Incident Response, Fraud Investigation, Web Application Security Technical Certifications :- Computer Hacking Forensics Investigator | Certified Ethical Hacker | Certified Cyber crime investigator | Certified Professional Hacker | Certified Professional Forensics Analyst | Redhat certified Engineer | Cisco Certified Network Associates | Certified Firewall Solutions | Certified Network Monitoring Solution | Certified Proxy Solutions
Website

Leave a Reply

Your email address will not be published. Required fields are marked *

Enter Captcha Here : *

Reload Image

Indicator of Attacks | Indicator of Compromise

Top SIEM Use Cases | Threat Hunting Hypothesis | Deep Packet Inspection | Insider Threat Hunting | Hunting Data Exfiltration | Banking Fraud | ATM Use Cases | Cross Channel Data Exfiltration | Hunting Endpoint Anomaly | Denial-of-service | Man-in-the-middle (MitM) attack | Spear phishing attacks | Drive-by attack | Eavesdropping attack | Birthday attack