How to gather Forensics Investigation Evidence using ProDiscover Basic

The ARC Group ProDiscover® Basic edition is a self-managed tool for the examination of your hard disk security. ProDiscover Basic is designed to operate under the National Institute of Standards’ Disk Imaging Tool Specification 3.1.6 to collect snapshots of activities that are critical to taking proactive steps in protecting your data.

ProDiscover Basic has a built-in reporting tool to present findings as evidence for legal proceedings. You gather time zone data, drive information, Internet activity, and more, piece by piece, or in a full report as needed. You have robust search capabilities for capturing unique data, filenames and filetypes, data patterns, date ranges, etc. ProDiscover Basic gives clients the autonomy they desire in managing their own data security.

At the ARC Group, we provide the tools you need to identify security issues before they escalate, and we use ProDiscover solutions to maintain your corporate safety and preserve your data. With ProDiscover Basic, professional consultants, system administrators, and investigators take the upper hand to manage cyber security at every level and protect information in the case of impending legal actions.

First Download the ProDiscover Basic from here and install it in pc and enter the Project Number, Project File Name and Description in prodiscover basic software. Click on Open.

In main window click on Capture & Add Image

Now select the source drive that we want to capture, this could be a USB Drive or physical Drive.In my case I select drive Physical Drive 1 which is my USB drive.

Now set the destination of the image file where we want to store it, in my case I used E: drive and named the image folder as pd and the name of the image which is to be saved in desired folder is PD.EVE .

Now enter the ‘Technician Name’, ‘Image Number’ and ‘description’ Now Click on ok.

After finishing the following steps, windows will appear.

After imaging the drive close the prodiscover program then it will ask you to save your project.

Now starts prodiscover program again and click on open project and browser your project image select it and click open

Now the project will open & go to the left menu and click on Content View. Then it will show you all   the contents of evidence image.

To generate the automatic report click on report tab under the view menu. Then it will show you Evidence Report.

AuthorMukul Mohan is a Microsoft Certified System Engineer in Security and Messaging .He is a Microsoft Certified Technology Specialist with high level of expertise in handling server side operations based on windows platform. An experienced IT Technical Trainer with over 20 years’ Experience. You can contact him at

How to study Forensics Evidence of PC using P2 Commander (Part 2)

Now we are studying about the forensic evidence which we have collected in the previous article.

If you are interested to see the collection of forensic evidence, please click on the below link.

First of all, we will look into the Trash folder (which contains the files and folders deleted by the user but not erased permanently from system yet).

By clicking on Trash folder, it will show us the different files and folders with their Creation Time, Last Access Time, Last Change Time, and File Size.

Now click on Advanced Registry and System Analyzer and then Auto Run Option.

Go to Run option. It will Show all the programs that can run automatically at the time of booting of the system.

Now Select OS Info option. Through OS Info, we can see the Root Path, Current Version, Registered User, Product ID, Edition ID, and Installation Type.

Now select Uninstall Option from Programs Option. By Uninstall Option, we can see all the programs which are installed in the system.

To see the running services in the system, select Services option.

Now  click on Known DLLs to see the Dynamic Link Libraries ( which contains data and code that are used by different programs simultaneously.)

Now to get the information about the removable disks used recently or in the past, first click on USB Storage and then select USBSTOR. It will show the name of the Disks.

Now select any one of the disk and it will show us the size as well as the manufacturer name.

To see the history of most recently used commands from the Run command on the Start menu click on Users Info Option. Select a user; in my case we are selecting Raj. Now click on RunMRU.

To see the user-based web activities, click on the TypedURLs, which will show the recently visited web sites.

AuthorMukul Mohan is a Microsoft Certified system engineer in security and messaging .He is a Microsoft Certified Technology Specialist with high level of expertise in handling server side operations based on windows platform. An experienced IT Technical Trainer with over 20 years’ Technical Training experience you can contact him at

How to Collect Forensics Evidence of PC using P2 Commander (Part 1)

P2C is a comprehensive digital investigation tool with over ten years of court-approved use by forensic examiners. An integrated database and true multi-threading mean faster processing. P2C was built on Paraben’s trusted email examination tools for unparalleled network email and personal email archive analysis. Advanced features like Data Triage analysis, Xbox analysis, pornography detection.

First Download the p2 commander from here and install in victim pc and open p2 commander Click New Case the ‘Create a New Case’ page will open

Then click on next to proceed to next step.

Here in next step you have to enter the case name and DEMO details and click on finish to proceed to next step

Here in next step you have to enter the Investigator name and email details and click on finish to proceed to next step

Now Click ‘Add Evidence’->Choose ‘Image File’

Now select Auto-detect Image option from source type which will add the image evidence in any format. You can choose any option from different available options such as Drive Image or Fat Partition Image.

Now load the Evidence Disk Image

How to create Disk Image read this article

 After selecting the evidence Image, click on Open.

Now you will see the case Demo is created, which will show you the hierarchy of the directories of the evidence image.

Now you can click on any one of the directories of the evidence image and it will show you all the containing files and sub folders within that folder describing   their   file name, file type, file size, creation time and last modification etc.

Now click on generate report tab.

Select the report type which is to be generated. In my case I am selecting HTML Investigative Report & select the destination folder. Then click on next.

Now select the sorted file which is to be added by clicking on Add and Export button with their file types. Now click on next to proceed further.

Now click on Finish to proceed to next step. 

The report file will be saved on your destination folder. Now you will visualize the details of your report.

AuthorMukul Mohan is a Microsoft Certified system engineer in security and messaging .He is a Microsoft Certified Technology Specialist with high level of expertise in handling server side operations based on windows platform. An experienced IT Technical Trainer with over 20 years’ Technical Training experience you can contact him at

How to Create Forensics Image of PC using R-Drive Image

R-Drive Image is a potent utility providing disk image files creation for backup or duplication purposes. A disk image file contains the exact, byte-by-byte copy of a hard drive, partition or logical disk and can be created with various compression levels on the fly without stopping Windows OS and therefore without interrupting your business. These drive image files can then be stored in a variety of places, including various removable media such as CD-R(W)/DVD, Iomega Zip or Jazz disks, etc.

R-Drive Image Features

A simple wizard interface – no in-depth computer management skills are required.

On-the-fly actions: Image files are created on-the-fly, no need to stop and restart Windows. All other disk writes are stored in a cache until the image is created. Data from image files are restored on-the-fly as well, except on a system partition. Data to the system partition can be restored either by restarting R-Drive Image in its pseudo-graphic mode directly from Windows, or by using specially created startup disks.

Image files compression. Image files can be compressed to save free storage space.

Removable media support. Image files can be stored on removable media.

Startup version. A startup version can be used to image / restore / copy partitions locked by the OS. The computer can be re-started into the startup version either directly from Windows, or from an external USB device, a CD/DVD disk, or 6 floppies. The startup version can use either a graphic user interface, or a pseudo-graphic mode, if the graphic card isn’t supported. Support for UEFI boot for modern computers.

USB 2.0 and 3.0 support in the startup version. With hard drives prices constantly going down, an external IDE-USB 2.0 or 3.0 HDD case with an appropriate hard drive is an ideal (fast and reliable) solution for storing backup files for system and other partitions that can be restored only in the startup version. Do not use numerous unreliable CD discs and slow CD/DVD recorders any more. Remember: with the incremental backup, this hard drive is not to be too large.

Network support in the startup version. R-Drive Image startup version supports disk image file creation and restoration over the Microsoft network (CIFS protocol).

Extended List of the supported devices in the startup version. The list of hardware supported by R-Drive Image startup versions has been extende An image file can be connected as a read-only virtual disk. Such disk can be browsed through and files/folders can be found and copied.

Individual files and folders restoration. Individual files and floders rather than entire disk can be restored either during the restoring action or from a image file connected as a virtual disk.

Image files splitting. Drive images can be split into several files to fit a storage medium.

Image Protection. Disk image files can be password-protected and contain comments.

New partition creation. Data from a disk image can be restored on a free (unpartitioned) space on any place on a hard drive. The size of the restored partition can be changed.

Partition replacement. Data from a disk image can be restored on other existing partitions. R-Drive Image deletes such partitions and restores data on that free space.

Disk to Disk copy. An entire disk can be directly copied on another one.

Image files verification. You may check if your image files are good before you store them or restore data from them.

Scheduler. A time for disk image creation may be scheduled and the process can be run in unattended mode.

Script creation for frequent or unattended actions. Such scripts for creating an image file and appending data to an existing image file are created from the R-Drive Image interface the same way the actual action is performed. Scripts are executed from a command line and such command can be included to any command file.

Action Report. When disk image is successfully created or the action fails the report can be automatically sent over e-mail or an external application can be launched.

Support for the ReFS file system (Resilient File System), a new local file system Microsoft has introduced in its Windows 2012 Server. All disk actions are supported, except partition resizing.

Full support for the GPT partitioning layout. R-Drive Image can create GPT disks, resize them, and change their partition layout during copy/restore operations.

Support for Windows Storage Spaces (Windows 8/8.1 and 10), Linux Logical Volume Managervolumes, and MacRAIDs.

First Download R-Drive Image from here and install in your pc

Now open R-Drive Image and click on Create on Image

Select the drive which image you want to create than click on next

You may select all objects on a hard drive by clicking the hard drive icon. . It will show the marked hard drive.

Select the place on the Image Destination panel to which the image files will be written, specify the file name, and click the Next button

If you try to append data to a password-protected image file, the Password prompts. Message will appear. Enter the password and click on next.

Click on NEXT

Verify that the information on the Processing panel is correct and click the Start button

How to Restore Backup

 Click Restore from an Image on the Action Selection panel

Select the file with the image on the Image File Selection panel and click the Next button

Select the object in the image file on the Image Object Selection panel, select a destination, and click the Next button

Now Click on NEXT

Click on start the process of restoring will start and the drive stored in your pc.

Author: Mukul Mohan is a Microsoft Certified system engineer in security and messaging .He is a Microsoft Certified Technology Specialist with high level of expertise in handling server side operations based on windows platform. An experienced IT Technical Trainer with over 20 years’ Technical Training experience you can contact him at

Related Posts Plugin for WordPress, Blogger...