Configurable investigative tool
First Claim
1. A method comprising:
- presenting, with an investigative device, a user interface configured to receive input, from a user, that specifies a plurality of different user-defined investigative profiles, each of the investigative profiles identifying a plurality of tools, defining a sequence in which the tools are to be invoked by an investigative device for an investigation of a target computing device, and defining a reporting structure of data collected from the investigation for the particular investigation, wherein at least two of the plurality of tools are configured to acquire different types of data from the target computing device as part of the investigation of the target computing device;
- generating and storing, in response to the input, the plurality of investigative profiles, wherein one or more of the investigative profiles are non-executable data configuration information files arranged as text that specifies the plurality of tools, define the sequence in which the tools are to be invoked by the investigative device for the investigation of the target computing device, and define the reporting structure of data collected from the investigation for the particular investigation, and wherein at least two of the investigative profiles specify different sequences for invoking the tools;
- receiving a selection of one of the investigative profiles;
- configuring, responsive to the selection of one of the investigative profiles, an investigative tool on the investigative device for execution, on the target computing device, with the plurality of tools identified by the selected investigative profile to allow for collection of all desired data with one investigation of the target computing device and reporting of the collected data in the reporting structure defined by the selected investigative profile, wherein the investigative tool is configurable to operate in accordance with any of the plurality of investigative profiles;
- establishing, with the investigative tool, a communication link with the target computing device, the communication link including at least an input socket between the investigative device on which the investigative tool is configured and the target computing device and a file transfer socket between the investigative device on which the investigative tool is configured and the target computing device for communicating with the target computing device;
- automatically transferring, with the investigative device, the tools identified by the selected profile and a remote agent, via the input socket, to the target computing device;
- configuring, with the investigative tool, the remote agent on the target computing device to control execution, on the target computing device, of the tools identified by the selected investigative profile and in the sequence defined by the investigative profile;
- receiving, with the investigative tool executing on the investigative device and from the remote agent via the file transfer socket, data acquired from the target computing device by the execution of the tools identified in the selected investigative profile and in the sequence defined by the selected investigative profile; and
- outputting, with the investigative tool executing on the investigative device, results of the data acquired from the target computing device, by the execution of the tools identified in the investigative profile, in the defined reporting structure.
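The steps of claim 1 describe a small orchestration protocol: a text profile names the tools and their order, the investigator pushes the tools and a remote agent over an input socket, the agent runs them in that order on the target, and the results come back over a separate file transfer socket to be rendered in the profile's reporting structure. The Python below is an added example written for this page, not code from the patent or from any product it covers. It stands up both sides of that exchange offline: `socket.socketpair()` replaces a network link, the "tools" are three constructed Python snippets that the agent runs with `exec()` where a real agent would spawn a binary, and the profile directive names (`name`, `tool`, `report`), the length-prefixed JSON framing, and the SHA-256 manifest the agent checks before running anything are all assumptions of this example rather than anything the claims specify. The manifest check is the caveat a practitioner would add here: the agent is being handed executable content, so it should run only what was announced, and only if it arrived byte-for-byte intact.

```python
import hashlib
import json
import socket
import struct
import threading

# Constructed tool payloads the investigator trusts (stand-ins for real binaries).
TOOLS = {
    "sysinfo": b"import platform\noutput = {'os': platform.system()}\n",
    "pid": b"import os\noutput = {'pid': os.getpid()}\n",
    "envcount": b"import os\noutput = {'env_count': len(os.environ)}\n",
}

# Constructed profiles: non-executable text, one directive per line. The two
# profiles overlap in tools but differ in sequence and in reporting structure.
QUICK_TRIAGE = "name = quick-triage\ntool = sysinfo\ntool = pid\nreport = json\n"
DEEP_TRIAGE = ("name = deep-triage\n# process view first, host view last\n"
               "tool = pid\ntool = envcount\ntool = sysinfo\nreport = text\n")


def parse_profile(text):
    """Parse 'key = value' lines; repeated 'tool' lines define the invocation order."""
    profile = {"tools": []}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        key, sep, value = line.partition("=")
        if not sep:
            raise ValueError(f"malformed profile line: {raw!r}")
        key, value = key.strip(), value.strip()
        if key == "tool":
            profile["tools"].append(value)
        else:
            profile[key] = value
    if len(profile["tools"]) < 2:
        raise ValueError("a profile must name at least two tools")
    return profile


def send_msg(sock, obj):
    """Length-prefixed JSON framing, used on both sockets (an assumed wire format)."""
    data = json.dumps(obj).encode()
    sock.sendall(struct.pack("!I", len(data)) + data)


def recv_msg(sock):
    def recvall(n):
        buf = b""
        while len(buf) < n:
            chunk = sock.recv(n - len(buf))
            if not chunk:
                raise ConnectionError("peer closed the socket")
            buf += chunk
        return buf
    (length,) = struct.unpack("!I", recvall(4))
    return json.loads(recvall(length))


def remote_agent(input_sock, xfer_sock):
    """Target side: take the manifest and tools from the input socket, run the
    tools in the manifest's order, return each result over the transfer socket."""
    manifest = recv_msg(input_sock)          # {"sequence": [...], "sha256": {...}}
    received = {}
    for _ in manifest["sequence"]:
        msg = recv_msg(input_sock)           # {"name": ..., "src": hex-encoded bytes}
        received[msg["name"]] = bytes.fromhex(msg["src"])
    for name in manifest["sequence"]:
        src = received.get(name)
        # Run only what the manifest announced, and only if it arrived intact.
        if src is None or hashlib.sha256(src).hexdigest() != manifest["sha256"].get(name):
            send_msg(xfer_sock, {"tool": name, "error": "missing or tampered tool"})
            continue
        ns = {}
        exec(src, ns)                        # a real agent would spawn a binary here
        send_msg(xfer_sock, {"tool": name, "output": ns.get("output")})
    send_msg(xfer_sock, {"done": True})


def render(profile, results):
    """Shape the collected data according to the profile's 'report' directive."""
    if profile.get("report") == "text":
        return "\n".join(f"{r['tool']}: {r.get('output', r.get('error'))}" for r in results)
    return {"profile": profile["name"], "results": results}


def investigate(profile_text, tools=TOOLS):
    """Investigator side: configure from a profile, transfer, collect, report."""
    profile = parse_profile(profile_text)
    unknown = [t for t in profile["tools"] if t not in tools]
    if unknown:
        raise ValueError(f"profile names tools outside the trusted set: {unknown}")
    in_inv, in_tgt = socket.socketpair()     # input socket
    xf_inv, xf_tgt = socket.socketpair()     # file transfer socket
    agent = threading.Thread(target=remote_agent, args=(in_tgt, xf_tgt))
    agent.start()
    send_msg(in_inv, {"sequence": profile["tools"],
                      "sha256": {n: hashlib.sha256(tools[n]).hexdigest() for n in profile["tools"]}})
    for name in profile["tools"]:
        send_msg(in_inv, {"name": name, "src": tools[name].hex()})
    results = []
    while not (msg := recv_msg(xf_inv)).get("done"):
        results.append(msg)
    agent.join()
    for s in (in_inv, in_tgt, xf_inv, xf_tgt):
        s.close()
    return render(profile, results)


if __name__ == "__main__":
    print(json.dumps(investigate(QUICK_TRIAGE), indent=2))
    print(investigate(DEEP_TRIAGE))
```

Running the two profiles shows the point of the claim's separation between profile and tool: the same trusted tool set is invoked in a different order and rendered differently without touching the tools or the agent, only the text profile. A profile that names a tool outside the trusted set is rejected on the investigator side before anything is transferred.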
1 Assignment
0 Petitions
Abstract
This disclosure provides example techniques to invoke one or more tools, with an investigative tool. The investigative tool provides a common framework that allows investigators to invoke their own trusted tools or third-party generated tools. The investigative tool described herein seamlessly and transparently invokes the tools in accordance with an investigative profile created by the investigator.
36 Citations
25 Claims
1. A method comprising: (text as given under First Claim above) - View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 24, 25)
12. An investigative device comprising:
- a storage device; and a hardware unit configured to:
- generate a plurality of different investigative profiles based on input, received from a user, via a presented user interface, that specifies the plurality of different investigative profiles, each of the investigative profiles identifying a plurality of tools, defining a sequence in which the tools are to be invoked by an investigative device for an investigation of a target computing device, and defining a reporting structure of data collected from the investigation for the particular investigation, wherein at least two of the plurality of tools are configured to acquire different types of data from the target computing device as part of the investigation of the target computing device, wherein one or more of the investigative profiles are non-executable data configuration information files arranged as text that specifies the plurality of tools, define the sequence in which the tools are to be invoked by the investigative device for the investigation of the target computing device, and define the reporting structure of data collected from the investigation for the particular investigation, and wherein at least two of the investigative profiles specify different sequences for invoking the tools;
- store, in response to the input, the plurality of investigative profiles in the storage device;
- receive a selection of one of the investigative profiles;
- configure, responsive to the selection of one of the investigative profiles, an investigative tool on the investigative device for execution, on the target computing device, with the plurality of tools identified by the selected investigative profile to allow for collection of all desired data with one investigation of the target computing device and reporting of the collected data in the reporting structure defined by the selected investigative profile, wherein the investigative tool is configurable to operate in accordance with any of the plurality of investigative profiles;
- establish, with the investigative tool, a communication link with the target computing device, the communication link including at least an input socket between the investigative device on which the investigative tool is configured and the target computing device and a file transfer socket between the investigative device on which the investigative tool is configured and the target computing device for communicating with the target computing device;
- automatically transfer the tools identified by the selected profile and a remote agent, via the input socket, to the target computing device;
- configure, with the investigative tool, the remote agent on the target computing device to control execution, on the target computing device, of the tools identified by the selected investigative profile and in the sequence defined by the investigative profile;
- receive, with the investigative tool and from the remote agent via the file transfer socket, data acquired from the target computing device by the execution of the tools identified in the selected investigative profile and in the sequence defined by the selected investigative profile; and
- output results of the data acquired from the target computing device, by the execution of the tools identified in the investigative profile, in the defined reporting structure.
- View Dependent Claims (13, 14, 15, 16, 17, 18, 19, 20, 21, 22)
23. A non-transitory computer-readable storage medium comprising instructions that cause one or more processors of an investigative device to:
- generate a plurality of different investigative profiles based on input, received from a user, via a presented user interface, that specifies the plurality of different investigative profiles, each of the investigative profiles identifying a plurality of tools, defining a sequence in which the tools are to be invoked by an investigative device for an investigation of a target computing device, and defining a reporting structure of data collected from the investigation for the particular investigation, wherein at least two of the plurality of tools are configured to acquire different types of data from the target computing device as part of the investigation of the target computing device, wherein one or more of the investigative profiles are non-executable data configuration information files arranged as text that specifies the plurality of tools, define the sequence in which the tools are to be invoked by the investigative device for the investigation of the target computing device, and define the reporting structure of data collected from the investigation for the particular investigation, and wherein at least two of the investigative profiles specify different sequences for invoking the tools;
- store, in response to the input, the plurality of investigative profiles in a storage device;
- receive a selection of one of the investigative profiles;
- configure, responsive to the selection of one of the investigative profiles, an investigative tool on the investigative device for execution, on the target computing device, with the plurality of tools identified by the selected investigative profile to allow for collection of all desired data with one investigation of the target computing device and reporting of the collected data in the reporting structure defined by the selected investigative profile, wherein the investigative tool is configurable to operate in accordance with any of the plurality of investigative profiles;
- establish, with the investigative tool, a communication link with the target computing device, the communication link including at least an input socket between the investigative device on which the investigative tool is configured and the target computing device and a file transfer socket between the investigative device on which the investigative tool is configured and the target computing device for communicating with the target computing device;
- automatically transfer, with the investigative tool, the tools identified by the selected profile and a remote agent, via the input socket, to the target computing device;
- configure, with the investigative tool, the remote agent on the target computing device to control execution, on the target computing device, of the tools identified by the selected investigative profile and in the sequence defined by the investigative profile;
- receive, with the investigative tool and from the remote agent via the file transfer socket, data acquired from the target computing device by the execution of the tools identified in the selected investigative profile and in the sequence defined by the selected investigative profile; and
- output, with the investigative tool, results of the data acquired from the target computing device, by the execution of the tools identified in the investigative profile, in the defined reporting structure.
Specification