Prodiscover Basic Download For Mac

What You Need for This Project

  • A Windows machine, real or virtual. I did it on the Mac in a VMware Fusion virtual machine running 32-bit Windows 7 Pro.
  • Your Windows machine needs to have either Microsoft Wordor Open Office installed. If you don't have it,get Open Office here:

Downloading ProDiscover Basic Edition

Mac App Store is the simplest way to find and download apps for your Mac. To download apps from the Mac App Store, you need a Mac with OS X 10.6.6 or later.

Enter new MAC address in the field and click Change Now! You may even click Random MAC Address button to fill up a randomly selected MAC address from the vendor list available. To restore the original MAC address of the network adapter, select the adapter, click Restore Original button in the Change MAC Address frame. Not To Bad It Could Be Better I switch back to mac from windows after 4 yrs using cyberlink power director, i tried davinci and for the most part the app works great, but can't seem to get the transitions to work, with powerdirector and even imovie and FCP, you can just drag the transitions to the end of each clip, and they will work just fine, with Davinci you have trim the end and beguining. ProDiscover is widely used in Computer Forensics and Incident Response. The product suite is also equipped with diagnostic and evidence collection tools for corporate policy compliance investigations and electronic discovery. ProDiscover helps in efficiently uncovering files and data of interest.

In your Windows machine, open a Web browser and go to

At the bottom of the page, click the'Download ProDiscover Basic Edition (Version 8.2.0.5)'link. It's a free product and 73 MB in size. I used the 32-bit version, but you can try the 64-bit version if you like.

Installing ProDiscover

On your Windows desktop,right-clickthe ProDiscoverRelease8205Basic.zip file andclick 'Extract All..', Extract.

Right-click the ProDiscoverRelease8205Basic.exe fileand click 'Run as Administrator'.

Click through the installer as usual to install the software.

Downloading a Sample Disk Image

In your Windows machine, in a Web browser, downloadthis file:

This is an image of a 10 MB hard disk partition which contains several active files and several deleted files. The file is 418 KB in size.

Save the file on your desktop.

On your Windows desktop,right-clickthe p15.zip file andclick 'Extract All..', Extract.

Starting ProDiscover Basic

On your desktop, double-click the'ProDiscover Basic' icon.

In the 'Launch Dialog' box, enter a'Project Number' of 15 and a'Project File Name' of 15-YOURNAME,replacing 'YOURNAME' with your own name,as shown below:

Click Open.

This creates a Project, but so far the Project has noevidence in it.

Adding an Image File

From the ProDiscover menu bar, clickAction, Add,'Image File..',as shown below. (This refers to a forensichard disk image, not a visible image likeJPG or GIF.)

Navigate to your desktop,double-click the p15folder, anddouble-click the p15.ddfile.

Viewing the Hard Drive Image in Content View

In the left pane of ProDiscover, in the'Content View' section, click the plus signto expandImages.

Expand C:UsersstudentDesktopp15p15.dd

Double-click C:

The contents of C: are displayed,as shown below.

Notice these items:

  • In the left pane, a tree-structured list of thecontents of C appears.
    • $Extend and 'System VolumeInformation' contain NTFSfile system data, which would be tedious toanalyze. Most of the time you don't haveto bother to analyze it--that's what ProDiscoverdoes for you.
    • $RECYCLE.BIN contains files in the Recycle Bin, as you might guess.
    • 'Deleted Files' contains files that were deleted, but are still recoverable by ProDiscover. As you will see, ProDiscover can't recover all of them.
  • The upper right pane shows all the files in theroot of C:. Notice that there are three filesat the bottom with file extensions--these arethe active files (not deleted).

Viewing a DOCX File

In the upper right-pane of ProDiscover,click bill-of-rights.

The lower right pane displays the file contentsin ASCII, as shown below. Since this is a .docx file, thecontents are not easy to read in this form.

In the upper right-pane of ProDiscover,double-click bill-of-rights.

If you have Microsoft Word or Open Office installed,the file will open in the appropriate applicationand become readable, as shown below.

If you don't have it, get Open Office here:

Saving a Screen Image

Make sure your screen shows these two items:
  • YOUR NAME in the title bar of ProDiscover
  • Amendment I followed by readable text inMicrosoft Word or Open Office Writer

Press the PrintScrn key in the upper-right portion of the keyboard. That will copy the whole desktop to the clipboard.

YOU MUST SUBMIT A FULL-SCREEN IMAGE TO GET FULL CREDIT!

Open Paint and paste in the image.

Save the image with the filename 'Your Name Proj 15a'. Use your real name, not the literal text 'Your Name'.

Viewing JPG files

In the upper right-pane of ProDiscover,double-click images. A visiblephoto of a kitten appears in 'Windows PhotoViewer' or some other image viewer.

Notice the ASCII view in the lower right paneof ProDiscover. This shows the image bytes.JPEG images begin with a header including theASCII text 'JFIF', as shown below.

Double-click the puppy file and examineit in Photo Viewer and in ASCII view.

Using Gallery View

In the upper right pane of ProDiscover,right-click the puppy file and click'Gallery View.

This is similar to the way WindowsExplorer displays folder contents.

Scroll down to see the thumbnail imagesof the two JPG files,as shown below.

Viewing Deleted Files

In the left pane of ProDiscover, click'Deleted Files'. Two files appearin the upper right pane,as shown below.

Double-click the gun image. It opens inPhoto Viewer. As you can see, ProDisdcoverwas able to completely recover this file, includingthe file name.

Double-click the hackers-manifesto.docx file.

It opens in your DOCX viewer, as shown below.

Viewing All Files

In the left pane of ProDiscover, click'All Files'.

A box pops up saying 'CAUTION:..that may take some time tocomplete..'. Click Yes.

This is probably the friendliest view in ProDiscover.As shown below, both active and recovered filesare shown as convenient icons,as shown below.

Viewing the Physical Drive in Cluster View

Most of the time, you can find what you need usingContent View. However, if you want to getright down to the raw bytes on the disk,you can use Cluster View.

In the left pane of ProDiscover,in the 'Cluster View' section,click the plus signto expandImages.

Double-click C:UsersstudentDesktopp15p15.dd

In the top right pane,the physical drive is shown in 'Cluster View'--agrid of colored rectangles,as shown below.

Click the first red rectangle, cluster 0. In the lower rightpane, notice that it starts at address 0,as shown below.

Download

On your keyboard, press the right-arrow key tomove to the next cluster, cluster 1.

Cluster 1 starts at address 200,as shown below.

Move right through the next few clusters tosee the pattern. Each cluster is 200 bytesin size. The 200 is in hexadecimal, so it's512 bytes in decimal. These so-called'Clusters' are actually Sectors, becauseat the direct physical level we are using,the disk has no concept of 'Clusters'.

Click the first red rectangle again to selectCluster 0. This is thefirst cluster on the disk--the Master Boot Record.

In the lower right pane, scroll down to find thecharacteristic readable text always seen in theMBR: 'Error loading operating system',as shown below.

Saving a Screen Image

Make sure your screen shows these two items:
  • YOUR NAME in the title bar of ProDiscover
  • 'Error loading operating system' in the lowerright pane.

Press the PrintScrn key in the upper-right portion of the keyboard. That will copy the whole desktop to the clipboard.

YOU MUST SUBMIT A FULL-SCREEN IMAGE TO GET FULL CREDIT!

Open Paint and paste in the image.

Save the image with the filename 'Your Name Proj 15b'. Use your real name, not the literal text 'Your Name'.

Viewing the Logical Drive in Cluster View

In the left pane of ProDiscover,in the 'Cluster View' section,click C:.

In the top right pane, click the first rectangle toselect Cluster 0. Look at the lower rightpane--this cluster starts at address zero,as shown below.

Notice that this address is relative to the startof the C: partition, so it is not the sameas the physical sector 0 that containsthe Master Boot Record.

Notice the colors: the green clusters are 'Used'--thatis, they contain active data. The blue clusters are'Unused' and may contain latent data.

On your keyboard, press the right-arrow key tomove to the next cluster, cluster 1.

Cluster 1 starts at address 1000,as shown below.

Move to the right a few more times to see thepattern: the clusters are all 1000 bytes insize now. In Hexadecimal, that's 4 KB,the usual cluster size for an NTFS partition.

Click the first red rectangle again to selectCluster 0. This is thefirst cluster on the partition--the Partition BootSector.

In the lower right pane,in the top row, find the characters NTFS,as shown below. This, obviously, indicatesthat the partition is formatted with theNTFS file system.

Saving a Screen Image

Make sure your screen shows these two items:
  • YOUR NAME in the title bar of ProDiscover
  • 'NTFS' in the lowerright pane.

Press the PrintScrn key in the upper-right portion of the keyboard. That will copy the whole desktop to the clipboard.

YOU MUST SUBMIT A FULL-SCREEN IMAGE TO GET FULL CREDIT!

Open Paint and paste in the image.

Save the image with the filename 'Your Name Proj 15c'. Use your real name, not the literal text 'Your Name'.

Turning in your Project

Email the images to [email protected] with the subject line:Proj 15 from YOUR NAME

Sources

http://www.ntfs.com/ntfs-system-files.htm

Last Modified: 4-7-14 1:16 PM

What You Need for This Project

  • A Windows machine, real or virtual. I did it on the Mac in a VMware Fusion virtual machine running 32-bit Windows 7 Pro.
  • Your Windows machine needs to have either Microsoft Wordor Open Office installed. If you don't have it,get Open Office here:

Downloading ProDiscover Basic Edition

In your Windows machine, open a Web browser and go to

At the bottom of the page, click the'Download ProDiscover Basic Edition (Version 8.2.0.5)'link. It's a free product and 73 MB in size. I used the 32-bit version, but you can try the 64-bit version if you like.

Installing ProDiscover

On your Windows desktop,right-clickthe ProDiscoverRelease8205Basic.zip file andclick 'Extract All..', Extract.

Right-click the ProDiscoverRelease8205Basic.exe fileand click 'Run as Administrator'.

Click through the installer as usual to install the software.

Downloading a Sample Disk Image

In your Windows machine, in a Web browser, downloadthis file:

This is an image of a 10 MB hard disk partition which contains several active files and several deleted files. The file is 418 KB in size.

Save the file on your desktop.

On your Windows desktop,right-clickthe p15.zip file andclick 'Extract All..', Extract.

Starting ProDiscover Basic

On your desktop, double-click the'ProDiscover Basic' icon.

In the 'Launch Dialog' box, enter a'Project Number' of 15 and a'Project File Name' of 15-YOURNAME,replacing 'YOURNAME' with your own name,as shown below:

Click Open.

This creates a Project, but so far the Project has noevidence in it.

Adding an Image File

From the ProDiscover menu bar, clickAction, Add,'Image File..',as shown below. (This refers to a forensichard disk image, not a visible image likeJPG or GIF.)

Navigate to your desktop,double-click the p15folder, anddouble-click the p15.ddfile.

Viewing the Hard Drive Image in Content View

In the left pane of ProDiscover, in the'Content View' section, click the plus signto expandImages.

Expand C:UsersstudentDesktopp15p15.dd

Double-click C:

The contents of C: are displayed,as shown below.

Notice these items:

  • In the left pane, a tree-structured list of thecontents of C appears.
    • $Extend and 'System VolumeInformation' contain NTFSfile system data, which would be tedious toanalyze. Most of the time you don't haveto bother to analyze it--that's what ProDiscoverdoes for you.
    • $RECYCLE.BIN contains files in the Recycle Bin, as you might guess.
    • 'Deleted Files' contains files that were deleted, but are still recoverable by ProDiscover. As you will see, ProDiscover can't recover all of them.
  • The upper right pane shows all the files in theroot of C:. Notice that there are three filesat the bottom with file extensions--these arethe active files (not deleted).

Viewing a DOCX File

In the upper right-pane of ProDiscover,click bill-of-rights.

The lower right pane displays the file contentsin ASCII, as shown below. Since this is a .docx file, thecontents are not easy to read in this form.

In the upper right-pane of ProDiscover,double-click bill-of-rights.

If you have Microsoft Word or Open Office installed,the file will open in the appropriate applicationand become readable, as shown below.

If you don't have it, get Open Office here:

Saving a Screen Image

Make sure your screen shows these two items:
  • YOUR NAME in the title bar of ProDiscover
  • Amendment I followed by readable text inMicrosoft Word or Open Office Writer

Press the PrintScrn key in the upper-right portion of the keyboard. That will copy the whole desktop to the clipboard.

YOU MUST SUBMIT A FULL-SCREEN IMAGE TO GET FULL CREDIT!

Open Paint and paste in the image.

Save the image with the filename 'Your Name Proj 15a'. Use your real name, not the literal text 'Your Name'.

Viewing JPG files

In the upper right-pane of ProDiscover,double-click images. A visiblephoto of a kitten appears in 'Windows PhotoViewer' or some other image viewer.

Notice the ASCII view in the lower right paneof ProDiscover. This shows the image bytes.JPEG images begin with a header including theASCII text 'JFIF', as shown below.

Double-click the puppy file and examineit in Photo Viewer and in ASCII view.

Using Gallery View

In the upper right pane of ProDiscover,right-click the puppy file and click'Gallery View.

This is similar to the way WindowsExplorer displays folder contents.

Scroll down to see the thumbnail imagesof the two JPG files,as shown below.

Viewing Deleted Files

In the left pane of ProDiscover, click'Deleted Files'. Two files appearin the upper right pane,as shown below.

Double-click the gun image. It opens inPhoto Viewer. As you can see, ProDisdcoverwas able to completely recover this file, includingthe file name.

Double-click the hackers-manifesto.docx file.

It opens in your DOCX viewer, as shown below.

Viewing All Files

In the left pane of ProDiscover, click'All Files'.

A box pops up saying 'CAUTION:..that may take some time tocomplete..'. Click Yes.

This is probably the friendliest view in ProDiscover.As shown below, both active and recovered filesare shown as convenient icons,as shown below.

Viewing the Physical Drive in Cluster View

Most of the time, you can find what you need usingContent View. However, if you want to getright down to the raw bytes on the disk,you can use Cluster View.

In the left pane of ProDiscover,in the 'Cluster View' section,click the plus signto expandImages.

Double-click C:UsersstudentDesktopp15p15.dd

In the top right pane,the physical drive is shown in 'Cluster View'--agrid of colored rectangles,as shown below.

Click the first red rectangle, cluster 0. In the lower rightpane, notice that it starts at address 0,as shown below.

On your keyboard, press the right-arrow key tomove to the next cluster, cluster 1.

Cluster 1 starts at address 200,as shown below.

Move right through the next few clusters tosee the pattern. Each cluster is 200 bytesin size. The 200 is in hexadecimal, so it's512 bytes in decimal. These so-called'Clusters' are actually Sectors, becauseat the direct physical level we are using,the disk has no concept of 'Clusters'.

Click the first red rectangle again to selectCluster 0. This is thefirst cluster on the disk--the Master Boot Record.

In the lower right pane, scroll down to find thecharacteristic readable text always seen in theMBR: 'Error loading operating system',as shown below.

Saving a Screen Image

Make sure your screen shows these two items:
  • YOUR NAME in the title bar of ProDiscover
  • 'Error loading operating system' in the lowerright pane.

Press the PrintScrn key in the upper-right portion of the keyboard. That will copy the whole desktop to the clipboard.

YOU MUST SUBMIT A FULL-SCREEN IMAGE TO GET FULL CREDIT!

Open Paint and paste in the image.

Save the image with the filename 'Your Name Proj 15b'. Use your real name, not the literal text 'Your Name'.

Viewing the Logical Drive in Cluster View

In the left pane of ProDiscover,in the 'Cluster View' section,click C:.

In the top right pane, click the first rectangle toselect Cluster 0. Look at the lower rightpane--this cluster starts at address zero,as shown below.

Notice that this address is relative to the startof the C: partition, so it is not the sameas the physical sector 0 that containsthe Master Boot Record.

Notice the colors: the green clusters are 'Used'--thatis, they contain active data. The blue clusters are'Unused' and may contain latent data.

On your keyboard, press the right-arrow key tomove to the next cluster, cluster 1.

Prodiscover Basic Download For Mac Os

Cluster 1 starts at address 1000,as shown below.

Move to the right a few more times to see thepattern: the clusters are all 1000 bytes insize now. In Hexadecimal, that's 4 KB,the usual cluster size for an NTFS partition.

Click the first red rectangle again to selectCluster 0. This is thefirst cluster on the partition--the Partition BootSector.

In the lower right pane,in the top row, find the characters NTFS,as shown below. This, obviously, indicatesthat the partition is formatted with theNTFS file system.

Saving a Screen Image

Make sure your screen shows these two items:
  • YOUR NAME in the title bar of ProDiscover
  • 'NTFS' in the lowerright pane.

Press the PrintScrn key in the upper-right portion of the keyboard. That will copy the whole desktop to the clipboard.

YOU MUST SUBMIT A FULL-SCREEN IMAGE TO GET FULL CREDIT!

Open Paint and paste in the image.

Save the image with the filename 'Your Name Proj 15c'. Use your real name, not the literal text 'Your Name'.

Turning in your Project

Prodiscover Basic Download For Mac Windows 10

Email the images to [email protected] with the subject line:

Prodiscover Basic Download For Macbook Pro

Proj 15 from YOUR NAME

Sources

Prodiscover Basic Download For Mac Windows 7

http://www.ntfs.com/ntfs-system-files.htm

Prodiscover Basic Download For Mac

Last Modified: 4-7-14 1:16 PM