Published: 01 Nov 2007
Paraben's P2 Enterprise Shuttle is a remote digital forensic suite, allowing you to remotely conduct undetected forensic tests on Windows machines in your network without taking the machines offline.
This can be useful for acquiring data without raising the target's suspicion. It may also be used to monitor infected systems in real time.
The installation automatically filled in the IP address to be used by the proxy and server with the hostname, which did not seem to work. The proxy would not start and did not really give a reason. We corrected the issue by editing the config files and changing the hostname to be the actual IP address.
The client agents can be installed directly or through the Captain, which controls agents and acquires and analyzes data from systems.
The latter lets you place the agent without alerting the user, or install agents on multiple machines at once.
The Paraben Agent is invisible to the user, although a savvy user may suspect something by the increased CPU load and network activity during acquisition. We were also able to see it with a rootkit detector.
The GUI-based Captain has a tabbed and framed design. Navigation is smooth, and buttons are easy to figure out with contextual help.
The Paraben Proxy, naturally, acts as an encrypted proxy between all of the components. It's installed on a system with an Internet connection. The Server is the main module, performing all authentication and acting as the central repository for acquired data. It verifies access permissions for any actions initiated by the Captain and Agent to provide increased security. The Server should be installed on an isolated and secured system with no direct Internet connection.
You will spend most of your time with the Captain, which has quite a few tools for analyzing clients. You can do a forensic dump of data, copying over each file or directory, or perform deep system inspections while the system is running. You can view running processes, which files those processes are accessing, and which registry keys they have open. Other capabilities include capturing screenshots; viewing the registry, processes, drivers and network sessions; and browsing the files on the system. You can create a full snapshot and save it to the database.
Testing methodology: Server, Proxy and Captain were all installed on the same system. Agents were installed on a variety of Windows XP SP2 and Windows 2000 machines.