P2 Enterprise Shuttle Edition
Live Network Forensics Made Simple
Live network forensics and incident response go hand in hand. You never know what to expect; all you know is that you have a short deployment to an enterprise and need to actively gather data. This is where P2 Enterprise Shuttle comes in. P2 Enterprise Shuttle (P2EES) is a live network forensic tool that takes the one-to-one forensic features of P2 Enterprise Edition (P2 ENTERPRISE) and packages them as an easy, cost-effective deployment solution for any forensic team.
The P2 Enterprise Shuttle system is broken into components similar to those of the full P2 Enterprise system. The differences are lower hardware recommendations, since many of the components can run on a single system, and database management handled by MySQL in coordination with the CAS server.
Server Module 1: Central Authentication Server (CAS)
This module is the authentication mechanism behind P2 Enterprise Shuttle. It facilitates the data management between the other modules. It also acts as the central repository for all forensic images collected and is integrated with MySQL.
Server Module 2: The Enterprise Shuttle Proxy
The Enterprise Shuttle Proxy serves one main purpose: it is the main communication pass-through for the system, as well as for the routers and firewalls. All other modules use the Proxy to unify all data transfers through one secure gateway. The authentication process is also performed on the Proxy side to make security even stronger. The Proxy uses a base of 128-bit encryption.
Server Module 3: The Captain
The Captain module provides the GUI for the customization of P2 Enterprise. It is the centralized manager for all of the Agent-Crew modules in the network.
A. Active Computer Investigations
The Captain module is also responsible for initiating forensic investigations on Agent-Crew machines. Due to advanced techniques used in the development process, the user is able to perform almost any usual operation remotely on Agent-Crew machines, including (but not limited to) device mapping, remote memory examination, remote administration, and complete remote hard drive acquisitions.
B. Technical Specifications
P2 Enterprise adheres to strict forensic practices by ensuring that data integrity is maintained. The clients are completely invisible to the local users and all of the P2 Enterprise components support Windows 2K/XP/2003. The full P2 Enterprise system is fully capable of working with other suites that are currently deployed in an enterprise.
Client Module: Agent-Crew (A-C)
The Agent-Crew module is the main investigative module. It is installed on all the computers on the network for remote data collection and acquisition. The module is completely hidden from the user and its activity remains unseen. Most operations are performed at the lowest possible level, so it is possible to gather data from all PC activities. The Agent-Crew module can be deployed remotely through the Captain interface.
The P2EES agent module can only function in a forensic mode, unlike its counterpart in our P2 Enterprise Edition, which can also be used for data collection and monitoring for proactive forensics. The forensic mode sends all data collected over the network to a central hidden store that is associated with the Shuttle CAS.
Together, these components form the latest in deployable forensic solutions.
