Acquire single folders

Last post 06-12-2007, 1:30 PM by Chris. 3 replies.
  • Acquire single folders

     05-02-2007, 6:29 AM

    Is it possible to use ProDiscover Investigator to acquire a single folder or directory tree (either locally or remotely) as opposed to an entire disk image? For example, in a setup where users have roaming profiles that are replicated to a server and deleted from a workstation on logoff: the requirement would be to access the user's profile in a forensically sound way. We would not want to have to acquire the entire server disk image just for one profile folder!

  • Re: Acquire single folders

     05-02-2007, 9:52 AM

    With ProDiscover Investigator and IR versions, after investigators connect to the remote system and add any disk for preview, they can mark any folder listed in the work area (top right window) as selected. This will allow the investigator to then choose to subsequently recursively select all sub-folders and files. ProDiscover will then hash all files and add to the report. At this point the investigator can choose to “copy all selected” from the Tools menu and copy to a location of their choosing.

    This method of selective extraction preserves all the original hash values in the project report and extracts the files from the sector level up and not through the remote system's file system.


    Regards,
    Christopher L. T. Brown, CISSP
  • Re: Acquire single folders

     06-12-2007, 7:38 AM

    Don't you just love it when new people show up and post a zillion questions?
    I have used the technique you describe to capture and preserve single folders. I have exported evidence of interest which always seems to show up at its new home with brand new MAC data.  I have tried to copy evidence and it doesn't seem to want to print anything in the destination folder.  The other problem is that once I sort and copy/export, I can't get to the folder from PD to continue processing.

    So now assuming I have connected to a network, found BadUser's account in Docs and Settings and selected all of Bad's folders as evidence of interest.  So now I copy evidence of interest to a folder on my machine and disconnect to do searches, etc later at the lab.  How do I make that work?

    Basically, I think I need some way to copy selected evidence as an image so I can come back to it later without revisiting the client. Thanks.

    Jerry
  • Re: Acquire single folders

     06-12-2007, 1:30 PM

    Jerry,

    We thank you for your postings.

    It’s really a matter of preference. I would ensure that I extracted to a local “staging” disk just because I like to isolate data as much as possible.  Then I would add that new physical disk to the project and begin my next level of processing.

    While every investigator will have a unique approach, each investigation is also unique. In addition to the process we have been discussing, and as you alluded to, some type of logical collection ‘sealed’ in its own container (so to speak) would also be beneficial. This is just what we intend on adding in our post 5.0 development tasks. We will be creating a logical file collection container with the extracted files as an option.

     


    Regards,
    Christopher L. T. Brown, CISSP
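
The idea of a logical collection sealed in its own container, raised in the last two posts, sketched as an added example: this is not ProDiscover code and not its container format, which the thread does not describe. The tar layout, the `manifest.json` name and the function names are hypothetical, and the source folder is assumed to be read through the operating system from a read-only mount. The manifest records each file's hash and original MAC times so they survive the copy.

```python
import hashlib, io, json, os, tarfile

MANIFEST = "manifest.json"  # hypothetical name chosen for this example

def _sha256(fileobj):
    h = hashlib.sha256()
    for chunk in iter(lambda: fileobj.read(1 << 20), b""):
        h.update(chunk)
    return h.hexdigest()

def seal_folder(src, container):
    """Store every file under src plus a manifest in a tar; return the manifest."""
    entries = []
    with tarfile.open(container, "w") as tar:
        for root, dirs, files in os.walk(src):
            dirs.sort()  # deterministic traversal order
            for name in sorted(files):
                path = os.path.join(root, name)
                rel = os.path.relpath(path, src).replace(os.sep, "/")
                st = os.stat(path)  # stat before reading: hashing can update atime
                with open(path, "rb") as f:
                    digest = _sha256(f)
                # ctime is creation time on Windows, metadata-change time on Unix
                entries.append({"path": rel, "size": st.st_size, "sha256": digest,
                                "mtime_ns": st.st_mtime_ns, "atime_ns": st.st_atime_ns,
                                "ctime_ns": st.st_ctime_ns})
                tar.add(path, arcname="files/" + rel)
        blob = json.dumps(entries, indent=1).encode()
        info = tarfile.TarInfo(MANIFEST)
        info.size = len(blob)
        tar.addfile(info, io.BytesIO(blob))
    return entries

def verify_container(container):
    """Re-hash each stored file; return the paths that no longer match the manifest."""
    bad = []
    with tarfile.open(container, "r") as tar:
        entries = json.load(tar.extractfile(MANIFEST))
        for e in entries:
            try:
                member = tar.extractfile("files/" + e["path"])
            except KeyError:  # file listed in the manifest but missing from the tar
                member = None
            if member is None or _sha256(member) != e["sha256"]:
                bad.append(e["path"])
    return bad
```

Hashing the finished container and recording that value in the case notes lets `verify_container` be rerun at the lab without revisiting the client.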