Information Security

Defending the digital infrastructure


Evaluate Weigh the pros and cons of technologies, products and projects you are considering.

Product review: Paraben's P2 Enterprise Shuttle

Paraben's P2 Enterprise Shuttle


P2 Enterprise Shuttle

Price: $6,995

Paraben's P2 Enterprise Shuttle is a remote digital forensic suite, allowing you to remotely conduct undetected forensic tests on Windows machines in your network without taking the machines offline.

This can be useful to acquire the data without raising suspicion of the target. It may also be used to monitor infected systems in real time.

Installation C+  
Installation was pretty straightforward--a CD guide walks you through it--but we did encounter some issues after the installation. We were unable to get the proxy functioning due to a misconfiguration.

The installation automatically filled in the IP address to be used by the proxy and server with the hostname, which did not seem to work. The proxy would not start and did not really give a reason. We corrected the issue by editing the config files and changing the hostname to be the actual IP address.

The client agents can be installed directly or through the Captain, which controls agents and acquires and analyzes data from systems.

The latter allows you to place the agent without alerting the user or install agents on multiple machines.

Management and Features B+  
There are four major parts to the enterprise suite: the Agent, Captain, Proxy and Server. These modules interact with each other over a 128-bit encrypted channel.

The Paraben Agent is invisible to the user, although a savvy user may suspect something by the increased CPU load and network activity during acquisition. We were also able to see it with a rootkit detector.

The GUI-based Captain has a tabbed and framed design. Navigation is smooth, and buttons are easy to figure out with contextual help.

The Paraben Proxy, naturally, acts as an encrypted proxy between all of the components. It's installed on a system with an Internet connection The Server is the main module, performing all authentication and acting as the central repository for acquired data. It verifies access permission for any actions initiated by the Captain and Agent to provide increased security. The Server should be installed on an isolated and secured system with no direct Internet connection.

You will spend most of your time with the Captain, which has quite a few tools to analyze clients. You can do a forensic dump of data, copying over each file or directory, or perform deep system inspections while the system is running. You can view running processes, what files those processes are accessing, and which registry keys they have open. Other capabilities include capturing screenshots, viewing the registry, processes, drivers and network sessions, as well as viewing the files on the system. You can create a full snapshot and save it to the database.

Reporting B  
Reporting functions are fairly simple and to the point. Reports can be generated for module access such as server/proxy connecting, login and logout of the server, and agent connections. Each event is assigned a priority (fatal, error, warning and information); you can filter based on the event and the priority. Reports are generated in a table inside of Captain GUI. There are no charts or fancy graphics, but they're definitely not needed here. Reports can be saved to text, HTML or XML formats.

Paraben's P2 Enterprise Shuttle is a good offering if you are looking for a remote forensics tool to use in a Windows environment. It provides all the tools necessary for a complete forensic analysis of a system, as well as the security to ensure the integrity of the acquired data.

Testing methodology: Server, Proxy and Captain were all installed on the same system. Agents were installed on a variety of Windows XP SP2 and Windows 2000 machines.

Article 11 of 16

Dig Deeper on Network intrusion detection and prevention (IDS-IPS)

Start the conversation

Send me notifications when other members comment.

Please create a username to comment.

Get More Information Security

Access to all of our back issues View All