Tutorial Key Facts
Supported operating systems: Windows XP, Vista, Windows 7, Server 2008 (all versions), both 32-bit and 64-bit
ProDiscover version: ProDiscover Basic Edition 188.8.131.52
Supported file systems: all Windows file systems, including FAT12/16/32, exFAT and NTFS (dynamic disks included), as well as Sun Solaris UFS, Linux ext2/3/4 and Mac OS X HFS+
Last update: 2013/12/01
Author: Nihad Hassan
The first step in any computer investigation is to obtain a copy of the suspect drive. In this tutorial I show how to use the ProDiscover Basic tool to acquire and analyze a suspect drive.
Let us first define what we mean by a drive image. A disk image is a file that contains exactly the same data and structural information as the original disk. It is produced by a sector-by-sector copy of the original disk, so the image is a replica of the original.
[important]Important note: a sector-by-sector image (also known as a bit-stream image) is not the same as copying the disk with the standard Windows copy/paste function, which copies only the files the file system currently lists and misses hidden data and slack space. Also avoid using backup software to image the original drive: backup software does not copy deleted files, e-mails or file fragments. In some cases backup software will be needed to recover data from a damaged hard disk, but the integrity of the files is not guaranteed in that case.[/important]
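The note above is the reason an acquisition reads raw sectors rather than files. The following is an added example, not part of this tutorial and not ProDiscover code: it copies a source device (or a file standing in for one) sector by sector into a raw image, hashes every byte read with MD5 and SHA-256, and then re-hashes the finished image so the copy can be verified. The sector size, chunk size and the sample "drive" contents built by demo() are constructed assumptions.

```python
"""Bit-stream (sector-by-sector) imaging with hash verification.

Added example, not part of the tutorial and not ProDiscover code. It reads a
source device (or a file standing in for one, as in demo()) block by block,
writes a raw image, and hashes every byte so the copy can be verified later.
"""
import hashlib
import os
import tempfile

SECTOR = 512            # assumed logical sector size
CHUNK = 1024 * 1024     # 1 MiB per read; keep it a multiple of SECTOR
                        # (raw Windows devices reject unaligned reads)

# Constructed sample content for demo(): a "live" file, the remains of a
# "deleted" file and a run of old slack bytes, laid out in one flat file.
LIVE_DATA = b"quarterly-report.docx contents\n".ljust(SECTOR, b"\x00")
DELETED_DATA = b"exchange.txt: deleted but not yet overwritten\n".ljust(SECTOR, b"\x00")
SLACK_DATA = b"\xde\xad" * (SECTOR // 2)


def image_device(src_path, dst_path, total_bytes=None, chunk=CHUNK):
    """Copy src_path to dst_path sector by sector, hashing the source stream.

    total_bytes bounds the read for raw devices whose end is reported as an
    error rather than as EOF (e.g. \\\\.\\PhysicalDrive1); leave it None for
    ordinary files. The source is opened read-only; on a real case a hardware
    write blocker is still required. Returns the byte count and the MD5 and
    SHA-256 digests of what was read.
    """
    md5, sha256 = hashlib.md5(), hashlib.sha256()
    copied = 0
    with open(src_path, "rb", buffering=0) as src, open(dst_path, "wb") as dst:
        while total_bytes is None or copied < total_bytes:
            want = chunk if total_bytes is None else min(chunk, total_bytes - copied)
            block = src.read(want)
            if not block:
                break
            md5.update(block)
            sha256.update(block)
            dst.write(block)
            copied += len(block)
        dst.flush()
        os.fsync(dst.fileno())
    return {"bytes": copied, "sectors": copied // SECTOR,
            "md5": md5.hexdigest(), "sha256": sha256.hexdigest()}


def hash_file(path, chunk=CHUNK):
    """Independent re-hash of a finished image."""
    md5, sha256 = hashlib.md5(), hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            md5.update(block)
            sha256.update(block)
    return {"md5": md5.hexdigest(), "sha256": sha256.hexdigest()}


def verify_image(acquisition, dst_path):
    """True when the written image hashes to the digests taken while reading the source."""
    got = hash_file(dst_path)
    return got["md5"] == acquisition["md5"] and got["sha256"] == acquisition["sha256"]


def demo():
    """Build a constructed stand-in for a USB drive, image it and verify the copy."""
    workdir = tempfile.mkdtemp(prefix="bitstream_demo_")
    src = os.path.join(workdir, "usb_drive.bin")
    dst = os.path.join(workdir, "usb_drive.raw")
    with open(src, "wb") as f:
        f.write(LIVE_DATA + DELETED_DATA + SLACK_DATA)
    acq = image_device(src, dst)
    with open(dst, "rb") as f:
        image = f.read()
    return {
        "acquisition": acq,
        "verified": verify_image(acq, dst),
        # A file-level copy would carry only LIVE_DATA; the bit-stream image
        # still holds the deleted file's bytes and the old slack.
        "deleted_file_present": DELETED_DATA in image,
        "slack_present": SLACK_DATA in image,
    }


if __name__ == "__main__":
    print(demo())
```

Record the digests returned by image_device() with the case notes; re-running hash_file() on the image at any later time and comparing against them is the check that the evidence copy has not changed.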
Download ProDiscover Basic from the following link: http://prodiscover-basic.software.informer.com/download/
If the link has changed, go to http://www.techpathways.com and search for it. Install the program with the default settings.
First start ProDiscover. A pop-up window may appear; it allows you to enter the project number, name and description as follows:
Click “Open” to continue
In the main program window, click “Capture & add image”.
The following window appears
The steps marked in red are mandatory; the ones marked in green are optional.
In step 1 we select the source drive to capture: a removable disk, a USB drive or one of the partitions of the computer's main disk. In my case I select drive Q:, which is my USB drive.
In step 2, “Destination”, we set where the image file is stored. In my case I used drive D: and named the image “DarknessGate_USB”; the acquired image has the extension .eve.
In steps 3, 4 and 5 you can enter the technician name, image number and a description to further document the acquisition; all three are optional.
In the last two steps, step 6 lets us compress the acquired image to reduce its size, and step 7 lets us set a password to further protect the image. Both are optional.
After filling in the required information, click “OK” and the image acquisition starts; its progress appears at the bottom of the program window as follows:
When it finishes, the following window appears, stating that the acquisition was successful:
If you choose to close ProDiscover after acquiring the image, it will ask you to save the project before closing.
Now let us begin analyzing the acquired image. Start ProDiscover; a pop-up window appears asking you to create or open a project. Select the “Open Project” tab, browse to your project file, select it and click “Open”.
Tip: the same can be done from the “File” menu by selecting “Open Project”.
Once the project opens, go to the left-hand menu and select “Images” to view the image contents (folders, including deleted files).
You can view the image contents in the main program window as follows:
For example, click the “Deleted Files” folder to view files that were deleted; select the file called “exchange” with the .txt extension to view or retrieve it.
We can right-click the file to copy it to another location.
All files can be copied the same way. There is also a check box beside every file and folder; ticking it lets you insert a comment, and the checked file or folder will appear in the final report generated by ProDiscover.
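The “Deleted Files” view exists because, on a FAT-formatted USB drive, deleting a file only overwrites the first byte of its 32-byte directory entry with 0xE5; the rest of the name, the start cluster, the size and the data clusters stay on disk until they are reused. The following is an added example, not part of this tutorial and not ProDiscover code: it parses a root directory region of a raw image, lists entries marked deleted, and pulls a deleted file's bytes back out of the data region. The image layout (sector and cluster size, directory and data offsets) and the sample entries are constructed assumptions for the demo.

```python
"""Listing and recovering deleted files from a FAT directory in a raw image.

Added example, not part of the tutorial and not ProDiscover code. The layout
constants describe a constructed demo image, not a real volume.
"""
import struct

SECTOR = 512
CLUSTER = SECTOR                 # assumed: one sector per cluster
DIR_OFFSET = 4 * SECTOR          # assumed byte offset of the root directory
DATA_OFFSET = 8 * SECTOR         # assumed byte offset of the data region (cluster 2)
ATTR_LFN = 0x0F                  # long-file-name entry, not a file record
ATTR_DIR = 0x10
ATTR_ARCHIVE = 0x20
# FAT short directory entry: name, ext, attr, NTRes, crtTimeTenth, crtTime,
# crtDate, lstAccDate, fstClusHI, wrtTime, wrtDate, fstClusLO, fileSize
ENTRY = struct.Struct("<8s3sBBBHHHHHHHI")


def parse_directory(image, offset):
    """Return a dict per short entry in the directory region starting at offset."""
    entries = []
    pos = offset
    while pos + ENTRY.size <= len(image):
        raw = image[pos:pos + ENTRY.size]
        pos += ENTRY.size
        first = raw[0]
        if first == 0x00:            # end of directory
            break
        name, ext, attr, _, _, _, _, _, clus_hi, _, _, clus_lo, size = ENTRY.unpack(raw)
        if attr == ATTR_LFN:         # skip long-name fragments
            continue
        deleted = first == 0xE5
        # The first character of a deleted name is lost; show it as '?'.
        base = (b"?" + name[1:] if deleted else name).rstrip(b" ").decode("ascii", "replace")
        ext_s = ext.rstrip(b" ").decode("ascii", "replace")
        entries.append({
            "name": f"{base}.{ext_s}" if ext_s else base,
            "deleted": deleted,
            "is_dir": bool(attr & ATTR_DIR),
            "cluster": (clus_hi << 16) | clus_lo,
            "size": size,
        })
    return entries


def list_deleted(image):
    return [e for e in parse_directory(image, DIR_OFFSET) if e["deleted"]]


def recover(image, entry):
    """Return the file's bytes from the data region.

    For a deleted file the FAT chain has been cleared, so only the start
    cluster is known; this assumes the file was stored contiguously, the same
    assumption any recovery tool has to make, and it fails silently if those
    clusters have since been reused.
    """
    start = DATA_OFFSET + (entry["cluster"] - 2) * CLUSTER
    return image[start:start + entry["size"]]


def make_entry(name, ext, attr, cluster, size, deleted=False):
    raw = ENTRY.pack(name.ljust(8).encode(), ext.ljust(3).encode(), attr,
                     0, 0, 0, 0, 0, cluster >> 16, 0, 0, cluster & 0xFFFF, size)
    return (b"\xE5" + raw[1:]) if deleted else raw


NOTES = b"meeting notes, still live\n"
EXCHANGE = b"exchange.txt was deleted; its cluster is intact\n"


def build_sample_image():
    """Constructed 16-sector image: one live file, one deleted file, one deleted folder."""
    image = bytearray(16 * SECTOR)
    directory = (make_entry("NOTES", "TXT", ATTR_ARCHIVE, 2, len(NOTES))
                 + make_entry("EXCHANGE", "TXT", ATTR_ARCHIVE, 3, len(EXCHANGE), deleted=True)
                 + make_entry("OLD", "", ATTR_DIR, 4, 0, deleted=True))
    image[DIR_OFFSET:DIR_OFFSET + len(directory)] = directory
    image[DATA_OFFSET:DATA_OFFSET + len(NOTES)] = NOTES
    image[DATA_OFFSET + CLUSTER:DATA_OFFSET + CLUSTER + len(EXCHANGE)] = EXCHANGE
    return bytes(image)


if __name__ == "__main__":
    img = build_sample_image()
    for e in list_deleted(img):
        print(e, recover(img, e) if not e["is_dir"] else b"")
```

On a real image the directory and data offsets come from the boot sector (reserved sectors, FAT count and size, root entries, sectors per cluster) rather than from constants; the parsing of the 32-byte entries is the same.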
We can also run various searches over our findings:
To generate an automatic report outlining your findings, do the following:
Go to View >> Report; the report page appears, where you can review or print it.
In this tutorial I showed how to use ProDiscover Basic to acquire a bit-stream image of a USB drive; the same steps can be used to acquire and analyze hard disks, DVDs, CDs and tape drives.
In the next tutorials in the computer forensics section I will show how to analyze your evidence further, and how to use other tools to make the same bit-stream copy of a drive.