How To Use ProDiscover, ProDiscover Forensics


2/27/2020 How to use ProDiscover, ProDiscover Forensics,


How to use ProDiscover


By: Rohit Sadgune / On: 12th March 2015 / In: ProDiscover



Project Name: How to use ProDiscover
Description: Step-by-step guide to customizing ProDiscover Incident Response
Author: Rohit D Sadgune

Summary of Contents


In this blog we will learn the following things:

How to start ProDiscover Incident Response
How to use ProDiscover
Project number & case files
ProDiscover Preferences
ProDiscover Index path
Appearances
ProDiscover Report Custom Items

Most digital forensics analysis software needs to be customized before a case is loaded. Computer forensics software is fully customizable, and the settings depend on the case. Here I will demonstrate how to make changes in ProDiscover to build a strong forensics case.

Just double click on the ProDiscover icon on your system. The following screen will appear. Left click on “Project Number”.

[Figure: ProDiscover launch window]

Type your forensics case number as [001-HDD-1-27-12-2014] & the project file name as [PIRCUSTOM-001-HDD-1-27-12-2014].

People always used to ask what a standard evidence number and a standard forensics project file name should look like; here is the solution.

PIRCUSTOM- ProDiscover custom is the name I have given. In a normal case it should be the case initials, i.e. the client name or the forensics case reference, e.g. (Fraud Investigation, Espionage).

001- It is the first case for the respective client. If a new scenario comes into the picture during the investigation, then it will be 002.

HDD-1- It is the first disk we are investigating. If you have multiple HDDs then you can put them like HDD-1-H2-H3.

27-12-2014- Date for case reference.
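As an added example (not from the original post), here is a small Python builder and parser for the case-reference layout just described. It assumes the layout [initials-]NNN-HDD-1[-H2-H3...]-DD-MM-YYYY, with the initials optional so that both the bare case number and the project file name parse; the function names and the validation rules are mine.

```python
import re
from dataclasses import dataclass
from datetime import date
from typing import List, Optional

# Layout from the post: [<initials>-]<case no.>-HDD-1[-H2-H3...]-<DD-MM-YYYY>
# The initials are optional so that both "001-HDD-1-27-12-2014" (case number)
# and "PIRCUSTOM-001-HDD-1-27-12-2014" (project file name) can be parsed.
_PATTERN = re.compile(
    r"^(?:([A-Z]+)-)?(\d{3})-HDD-1((?:-H\d+)*)-(\d{2})-(\d{2})-(\d{4})$"
)

@dataclass
class CaseRef:
    initials: Optional[str]  # client name or case type, e.g. PIRCUSTOM, or None
    case_no: int             # 001 = first case for this client, 002 for a new scenario
    disks: List[int]         # [1] for one HDD, [1, 2, 3] for HDD-1-H2-H3
    when: date               # case reference date

def build_case_ref(initials: Optional[str], case_no: int,
                   disks: List[int], when: date) -> str:
    """Assemble a reference in the post's layout; the disk list must start at 1."""
    if not disks or disks[0] != 1 or not 1 <= case_no <= 999:
        raise ValueError("disks must start at HDD-1 and case_no must be 001..999")
    disk_part = "HDD-1" + "".join(f"-H{d}" for d in disks[1:])
    prefix = f"{initials.upper()}-" if initials else ""
    return f"{prefix}{case_no:03d}-{disk_part}-{when:%d-%m-%Y}"

def parse_case_ref(ref: str) -> CaseRef:
    """Split a reference back into its parts, rejecting anything off-layout
    (wrong date order, missing HDD-1, extra separators)."""
    m = _PATTERN.match(ref)
    if not m:
        raise ValueError(f"not in case-reference layout: {ref!r}")
    initials, no, extra, dd, mm, yyyy = m.groups()
    disks = [1] + [int(x) for x in re.findall(r"H(\d+)", extra)]
    return CaseRef(initials, int(no), disks, date(int(yyyy), int(mm), int(dd)))

if __name__ == "__main__":
    print(build_case_ref("PIRCUSTOM", 1, [1], date(2014, 12, 27)))
    print(parse_case_ref("FRAUD-002-HDD-1-H2-H3-27-12-2014"))
```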


[Figure: Forensics case number & project file name]

Click the Open button to start the forensics case in ProDiscover.

After opening the case in ProDiscover it will show a three pane view with the case name as the title. Now please select the File menu from PIR (ProDiscover Incident Response) to get to the preferences.

[Figure: ProDiscover main window]

Now you will get multiple options to select from, out of which please select Preferences.

[Figure: ProDiscover preferences]


Here the options depend on the version, i.e. in the ProDiscover Forensics version you will not get the “PDServer” menu. In the ProDiscover Incident Response version you get the PDServer menu. In general you will get the following menus:

General
PDServer (ProDiscover Incident Response)
Appearance
Time zone
Search Index
EXIF

General

Now select the “General” menu from the given window.

[Figure: ProDiscover General preferences]

A hash is basically used to verify whether forensic images are in identical condition or not.

Here you can select multiple hashing algorithms.

ProDiscover provides three hashing algorithms:

MD5 :- It is a 128 bit hash. It is the most commonly used hash algorithm in India.
SHA-1 :- It is more accurate for forensics & widely recommended for forensic hash verification.
SHA-256 :- It is highly secure but time consuming.


[Figure: ProDiscover hash algorithm selection]

Here I have selected the MD5 hash algorithm as it takes very little time for verification.

Warning: Turning on “Auto Verify Image Checksum” will cause image addition and project loading to become very slow.

Please turn on both the services.

Warning
Auto verify checksum: – This will increase project load time as it verifies the evidence checksum.
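The image verification that “Auto Verify Image Checksum” performs, as an added Python example that is not part of the post or of ProDiscover: every selected algorithm is fed in one pass over the image, so recording SHA-1 or SHA-256 alongside MD5 costs CPU but not a second read of the evidence, and the verifier reports each algorithm separately so a tampered image or an incomplete acquisition record shows up. The sample image bytes and the acquisition record are constructed; the function names are mine.

```python
import hashlib
from typing import Dict, Iterable, List

# The three algorithms the ProDiscover General tab offers.
ALGORITHMS = ("md5", "sha1", "sha256")

def hash_image(chunks: Iterable[bytes], algorithms=ALGORITHMS) -> Dict[str, str]:
    """Digest an evidence image in a single pass: each chunk read from the image
    is fed to every selected hasher, so multiple algorithms cost CPU, not I/O."""
    hashers = {name: hashlib.new(name) for name in algorithms}
    for chunk in chunks:
        for h in hashers.values():
            h.update(chunk)
    return {name: h.hexdigest() for name, h in hashers.items()}

def verify_image(chunks: Iterable[bytes], recorded: Dict[str, str]) -> Dict[str, bool]:
    """Re-hash the image and compare with the digests recorded at acquisition.
    An algorithm missing from the record is reported False rather than skipped,
    so gaps in the acquisition record are visible; MD5 collisions are known, so
    a second algorithm in the record is a cheap safeguard."""
    wanted = [a for a in ALGORITHMS if a in recorded]
    computed = hash_image(chunks, wanted)
    return {a: a in computed and computed[a] == recorded[a].strip().lower()
            for a in ALGORITHMS}

def read_chunks(path: str, size: int = 1 << 20) -> Iterable[bytes]:
    """Stream a real image file in 1 MiB pieces (not used by the sample below)."""
    with open(path, "rb") as f:
        while chunk := f.read(size):
            yield chunk

# Constructed sample "image", split so that the data straddles a chunk boundary.
SAMPLE_CHUNKS: List[bytes] = [b"a", b"bc"]
# Constructed record taken at acquisition time (digests of b"abc"); no SHA-256.
SAMPLE_RECORD = {"md5": "900150983cd24fb0d6963f7d28e17f72",
                 "sha1": "a9993e364706816aba3e25717850c26c9cd0d89d"}

if __name__ == "__main__":
    print(hash_image(SAMPLE_CHUNKS))
    print(verify_image(SAMPLE_CHUNKS, SAMPLE_RECORD))
```

Run against a real image with `verify_image(read_chunks("evidence.dd"), record)`; a single flipped byte fails every recorded algorithm.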


[Figure: ProDiscover General preferences, working folder]

Now we have to select the working folder.

ProDiscover uses a “Working Folder” to persist temporary files during investigation operations such as generating hash values. By default the “Working Folder” is set to the current user’s Documents and Settings temporary folder. Users may select any desired location as the ProDiscover “Working Folder”.

Select an appropriate path on the system for the working folder.

[Figure: ProDiscover General preferences, offline project mode and carving]

The “When a disk/image cannot be found while opening the project:” setting is primarily developed for users doing remote investigation. This setting is commonly known as “offline project mode” and includes the choices “Prompt Me”, “Add as Offline”, and “Ignore”. When you are working on a remote system investigation you can add & save search results & the project report to the project file.

We also need to choose the maximum file size to be carved from the evidence image or drive.

The default maximum size for file carving in ProDiscover is 2 MB.

Click on “Office X files as folders”; this setting is for MS Office files based on the 2007, 2010, 2013 & later formats.

Click on “Compressed files as folders”.


[Figure: ProDiscover General preferences, file handling options]

PDServer

“PDServer” is the menu available only in ProDiscover Incident Response. Here you can set the default port number used to communicate for disk access. The investigator can customize this port number as per his network environment.

PDServer is used for network imaging & analysis. The “Server Time-out” setting tells ProDiscover how long it needs to wait without receiving packets before trying to reestablish communications with the PDServer Remote Agent. The “Auto Retries” setting tells ProDiscover how many times to automatically attempt to reestablish communications after a “Server Time-out” has occurred.

[Figure: ProDiscover server (PDServer) preferences]

Appearance

As with other forensics analysis software, we can also customize the appearance of ProDiscover.

Here you can change the colour of…

Hash files :- Many commercial databases use hash files as a method of indexing data.
Compressed files: – Compressed files are compound files in which multiple files are gathered in a single compound file.


Alternate Data Streams (ADS):- An alternate data stream (ADS) is a feature of the Windows New Technology File System (NTFS) that stores metadata for locating a specific file by author or title.
Subset
Mismatch files: – These files provide beneficial data which is filtered by ProDiscover.

[Figure: ProDiscover appearance, colours]

The most important component of forensics analysis is reporting. We can change the form of the report as per our requirement. In ProDiscover we can customize the following aspects:

Font
Font size
Font style
Effect
Colour
Script

[Figure: ProDiscover appearance, report font]

Add the following things to get a more interactive report for the client:

Add thumbnail image to report for graphic files
Create thumbnail on load
Include cluster chain information for evidence of interest
Include Access Control List (ACL) for evidence of interest
Include Outlook message header in report
[Figure: ProDiscover appearance, report custom items]

Time Zone

The entire forensics analysis depends on time references, so select the appropriate time zone.

As the NTFS file system persists time zone information with files, it is important for digital forensics investigators to set the proper image or disk time zone information to ensure MAC (Modified, Accessed and Created) times are displayed as they would appear on the target system.

Modified, Accessed and Created times are displayed in ProDiscover based on the following scenarios.

When the system’s daylight saving time is ON and ProDiscover’s daylight saving time is ON, the times will be the same as in Windows Explorer.
When the system’s daylight saving time is ON and ProDiscover’s daylight saving time is OFF, the times will be reported reduced by 1 hour compared to Windows Explorer.
When the system’s daylight saving time is OFF and ProDiscover’s daylight saving time is ON, the times will be displayed increased by 1 hour compared to Windows Explorer.
When the system’s daylight saving time is OFF and ProDiscover’s daylight saving time is OFF, the times will be displayed the same as in Windows Explorer.

Note: The times displayed in the report are based on the times when the files are selected as Evidence Of Interest.
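As an added example, not from the post: the four scenarios above fall out of one rule once you model how a viewer turns a stored timestamp into wall-clock time. NTFS stores its timestamps as FILETIME values in UTC; Windows Explorer on the source system applies the system’s DST flag, the analysis tool applies its own, and each flag that is ON adds one hour to the zone’s base offset. The FILETIME bytes, the base offset of +5 h and the function names are constructed for this example, not taken from ProDiscover.

```python
import struct
from datetime import datetime, timedelta, timezone

# NTFS stores every timestamp as a FILETIME: 100 ns ticks since 1601-01-01 UTC.
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)

def filetime_to_utc(raw: bytes) -> datetime:
    """Decode an 8-byte little-endian FILETIME as it sits in an MFT record."""
    (ticks,) = struct.unpack("<Q", raw)
    return FILETIME_EPOCH + timedelta(microseconds=ticks // 10)

def local_display(utc: datetime, base_offset_hours: int, dst_on: bool) -> datetime:
    """Wall-clock time a viewer shows: the zone's base offset, plus one hour
    when that viewer believes daylight saving time is in effect."""
    shift = base_offset_hours + (1 if dst_on else 0)
    return (utc + timedelta(hours=shift)).replace(tzinfo=None)

def tool_minus_explorer_hours(raw: bytes, base_offset_hours: int,
                              system_dst_on: bool, tool_dst_on: bool) -> int:
    """Hours by which the tool's displayed time differs from Windows Explorer on
    the source system (negative = tool shows an earlier time). Explorer uses the
    system DST flag, the tool its own; this reproduces the post's four cases."""
    utc = filetime_to_utc(raw)
    explorer = local_display(utc, base_offset_hours, system_dst_on)
    tool = local_display(utc, base_offset_hours, tool_dst_on)
    return int((tool - explorer).total_seconds()) // 3600

# Constructed sample: FILETIME for 2014-12-27 10:00:00 UTC (the post's case date).
SAMPLE_FILETIME = struct.pack("<Q", 130641480000000000)

if __name__ == "__main__":
    print("stored (UTC):", filetime_to_utc(SAMPLE_FILETIME))
    for sys_dst, tool_dst in [(True, True), (True, False), (False, True), (False, False)]:
        delta = tool_minus_explorer_hours(SAMPLE_FILETIME, 5, sys_dst, tool_dst)
        print(f"system DST {'ON ' if sys_dst else 'OFF'} / tool DST "
              f"{'ON ' if tool_dst else 'OFF'}: {delta:+d} h vs Explorer")
```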


[Figure: ProDiscover time zone]

Forensics Search Index

A forensics index is simply a method of generating a list of offsets for the occurrences of keywords. Put simply, an index is a file which stores, for each word, a list of the offsets at which it occurs on the HDD. Searching the index amounts to looking up the index file for a list of offsets.

A thesaurus file contains a list of synonyms the search engine can use to find matches for particular words if the words themselves don’t appear in the documents.

The noise file contains noise words, sometimes referred to as stop words. These are conjunctions, prepositions and other words such as AND, TO and A that appear often in documents yet on their own carry little meaning.

A basic noise.txt is installed when you install ProDiscover.

[Figure: Forensics search index]

Here you have to select the appropriate index path, i.e. the location where you want to keep your forensics index. Note: – Best practice is to keep it within the case folder.


By default ProDiscover is set to index “All indexable files”. This means that during the indexing process ProDiscover will scan every file, and any file containing readable ASCII or Unicode data will be indexed. This process is more time consuming but more result oriented. To select this feature please click on “All Indexable Files”. Users can also choose the option to index files only for specific file extensions. This option is going to reduce indexing time.

You also have the option to create a forensics index of clusters & sectors. ProDiscover also gives the extended feature to index free space & slack sectors.
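As an added Python example (not ProDiscover’s own code or index format), here is the offset index, noise list and thesaurus lookup described in this section, run over a constructed slice of evidence. It indexes ASCII words only; the sample evidence, noise list and thesaurus contents are assumptions.

```python
import re
from collections import defaultdict
from typing import Dict, List, Set

# ASCII words only; a real indexer would also decode UTF-16 (Unicode) strings.
_WORD = re.compile(rb"[A-Za-z0-9]+")

def load_word_list(text: str) -> Set[str]:
    """One word per line, as in a noise.txt stop-word file; case-insensitive."""
    return {line.strip().lower() for line in text.splitlines() if line.strip()}

def build_offset_index(evidence: bytes, noise: Set[str]) -> Dict[str, List[int]]:
    """Map each non-noise word to the byte offsets at which it occurs in the
    evidence; this is the whole content of an offset index file."""
    index: Dict[str, List[int]] = defaultdict(list)
    for m in _WORD.finditer(evidence):
        word = m.group().decode("ascii").lower()
        if word not in noise:
            index[word].append(m.start())
    return dict(index)

def search(index: Dict[str, List[int]], thesaurus: Dict[str, List[str]],
           keyword: str) -> Dict[str, List[int]]:
    """Look up a keyword's offsets; if the word itself never appears, fall back
    to its thesaurus synonyms, which is what the thesaurus file is for."""
    keyword = keyword.lower()
    if keyword in index:
        return {keyword: index[keyword]}
    return {s: index[s] for s in thesaurus.get(keyword, []) if s in index}

# Constructed sample evidence, noise list and thesaurus.
SAMPLE = b"Transfer to the offshore account is approved and the wire will go out to Zurich"
NOISE = load_word_list("and\nto\nthe\na\nis\nwill")
THESAURUS = {"payment": ["transfer", "wire"]}

if __name__ == "__main__":
    idx = build_offset_index(SAMPLE, NOISE)
    print(idx)                                # offsets per word, stop words omitted
    print(search(idx, THESAURUS, "payment"))  # falls back to the synonyms
```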

EXIF

Exchangeable image file format (officially Exif, according to the JEIDA/JEITA/CIPA specifications) is a standard that specifies the formats for images, sound, and ancillary tags used by digital cameras (including smartphones), scanners and other systems handling image and sound files recorded by digital cameras.

Here ProDiscover has given the facility to “Add All” EXIF meta field values to the report, “Remove All” EXIF meta fields from the report, or to custom select fields for addition to the project report.

[Figure: ProDiscover EXIF preferences]

Note: – The entire demonstration of ProDiscover customization was developed on an education license of ProDiscover Incident Response.
