This article can also be found in the Premium Editorial Download "Information Security magazine: Comparing seven top integrated endpoint security suites."
Download it now to read this article plus other related content.
The Paraben Agent is invisible to the user, although a savvy user may suspect something by the increased CPU load and network activity during acquisition. We were also able to see it with a rootkit detector.
The GUI-based Captain has a tabbed and framed design. Navigation is smooth, and buttons are easy to figure out with contextual help.
The Paraben Proxy, naturally, acts as an encrypted proxy between all of the components. It's installed on a system with an Internet connection The Server is the main module, performing all authentication and acting as the central repository for acquired data. It verifies access permission for any actions initiated by the Captain and Agent to provide increased security. The Server should be installed on an isolated and secured system with no direct Internet connection.
You will spend most of your time with the Captain, which has quite a few tools to analyze clients. You can do a forensic dump of data, copying over each file or directory,
| or perform deep system inspections while the system is running. You can view running processes, what files those processes are accessing, and which registry keys they have open. Other capabilities include capturing screenshots, viewing the registry, processes, drivers and network sessions, as well as viewing the files on the system. You can create a full snapshot and save it to the database.
Testing methodology: Server, Proxy and Captain were all installed on the same system. Agents were installed on a variety of Windows XP SP2 and Windows 2000 machines.
This was first published in November 2007