Configurable forensic investigative tool
Abstract
This disclosure provides example techniques to invoke one or more forensic tools, with a forensic investigative tool. The forensic investigative tool provides a common framework that allows investigators to invoke their own trusted forensic tools or third-party generated forensic tools. The forensic investigative tool described herein seamlessly and transparently invokes the forensic tools in accordance with an investigative profile created by the investigator.
32 Claims
1. A method comprising:
- storing an investigative profile that identifies a plurality of forensic tools from a set of forensic tools and defines a manner in which a forensic investigative tool invokes the identified forensic tools for an investigation of a target computing device, wherein to define the manner in which the forensic investigative tool invokes the identified forensic tools, the investigative profile defines:
  - a sequence in which the forensic investigative tool invokes the identified forensic tools,
  - one or more operational parameters for respective identified forensic tools needed for the execution of the respective forensic tools on the target computing device, and
  - an identification of data to capture from the target computing device;
- processing the investigative profile with the forensic investigative tool on a forensic device to provide a common execution framework for selective execution of the plurality of forensic tools identified by the investigative profile, the framework including a common user interface and a reporting structure associated with the plurality of forensic tools;
- transferring, with the forensic device upon execution of the forensic investigative tool, one or more of the identified forensic tools and a remote agent to the target computing device for temporary storage;
- temporarily executing, with the forensic device upon execution of the forensic investigative tool, the remote agent on the target computing device to execute the identified forensic tools on the target computing device in accordance with the sequence and the one or more operational parameters of the investigative profile;
- receiving, with the forensic investigative tool executing on the forensic device, data acquired from the target computing device by the execution of the identified forensic tools in accordance with the investigative profile; and
- deleting, after receiving the data acquired from the target computing device, the transferred identified forensic tools, the remote agent, and a temporary directory within the target computing device where the transferred forensic tools and the remote agent are temporarily stored.

Dependent claims: 2, 3, 4, 5, 6, 7, 8, 9, 10, 23, 24, 25, 26
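The steps of claim 1 (profile defines sequence, per-tool parameters and data to capture; tool stages binaries and an agent in a temporary directory on the target; agent runs them in order; forensic device receives the data; staging directory is deleted) are shown below as an added Python example. This is not code from the patent or its assignee. The "forensic tools" are constructed stand-in callables so the run works offline, the profile format and the function names are hypothetical, and a scratch directory stands in for the target's filesystem. Two things a practitioner would add that the claim does not mention are included: the profile is checked against a trusted catalog before anything is staged, and every output is hashed and every agent action is logged, because staging, running and deleting files on a live target all alter that target and the record of what the agent did is part of the evidence.

```python
"""Profile-driven forensic collection run, modelled in Python (added example)."""
import hashlib
import os
import shutil
import tempfile
from datetime import datetime, timezone


# Constructed stand-ins for real forensic tools: name -> callable(params) -> bytes.
def _list_processes(params):
    return b"PID  NAME\n1    init\n4242 suspicious.exe\n"


def _list_connections(params):
    port = params.get("port", "any")
    return f"tcp 10.0.0.5:{port} -> 203.0.113.7:443 ESTABLISHED\n".encode()


def _hash_file(params):
    # Simulated hashing of a file named in the per-tool parameters.
    return f"sha256({params['path']}) = <simulated>\n".encode()


# Trusted tool catalog (hypothetical): only tools listed here may be staged.
TOOL_CATALOG = {
    "proclist": _list_processes,
    "netconn": _list_connections,
    "filehash": _hash_file,
}

# An investigative profile in the shape claim 1 describes: ordered tools,
# per-tool operational parameters, and the data item to capture from each.
PROFILE = {
    "name": "triage-live-host",
    "tools": [
        {"tool": "proclist", "params": {}, "capture": "processes.txt"},
        {"tool": "netconn", "params": {"port": 443}, "capture": "connections.txt"},
        {"tool": "filehash", "params": {"path": "/tmp/suspicious.exe"}, "capture": "hashes.txt"},
    ],
}


def validate_profile(profile, catalog):
    """Return the names of tools the profile references that are not in the catalog."""
    return [t["tool"] for t in profile["tools"] if t["tool"] not in catalog]


def run_profile(profile, catalog, target_root):
    """Stage, execute in sequence, collect, and clean up; return the acquisition report.

    target_root models the target device's filesystem; the temporary directory
    created under it is the staging directory for the tools and the agent.
    """
    unknown = validate_profile(profile, catalog)
    if unknown:
        raise ValueError(f"profile names tools outside the trusted catalog: {unknown}")
    stage = tempfile.mkdtemp(prefix="fit-", dir=target_root)
    agent_log = []   # the agent's own actions modify the target; record them
    acquired = {}
    try:
        # 1. transfer: stage only the tools the profile identifies (plus the agent)
        for name in [e["tool"] for e in profile["tools"]] + ["remote-agent"]:
            with open(os.path.join(stage, name), "wb") as f:
                f.write(b"<binary stand-in>")
            agent_log.append(("staged", name))
        # 2. execute in profile order with the profile's parameters, capturing named data
        for entry in profile["tools"]:
            output = catalog[entry["tool"]](entry["params"])
            acquired[entry["capture"]] = {
                "data": output,
                "sha256": hashlib.sha256(output).hexdigest(),
                "tool": entry["tool"],
                "collected_at": datetime.now(timezone.utc).isoformat(),
            }
            agent_log.append(("ran", entry["tool"]))
    finally:
        # 3. delete the staged tools, the agent and the temporary directory itself
        shutil.rmtree(stage, ignore_errors=True)
        agent_log.append(("removed", stage))
    return {"profile": profile["name"], "staging_dir": stage,
            "acquired": acquired, "agent_log": agent_log}


def run_in_scratch_target(profile, catalog):
    """Run against a throwaway directory; also report whether the staging dir survived."""
    with tempfile.TemporaryDirectory() as fake_target:
        report = run_profile(profile, catalog, fake_target)
        report["staging_dir_remains"] = os.path.exists(report["staging_dir"])
    return report


if __name__ == "__main__":
    r = run_in_scratch_target(PROFILE, TOOL_CATALOG)
    for name, item in r["acquired"].items():
        print(f"{name}: {item['sha256']}  (from {item['tool']})")
    print("staging dir removed:", not r["staging_dir_remains"])
```

The hashes in the report are what the forensic device should compare against when the data arrives, and the agent log is what lets an examiner later explain every file the agent created and deleted on the target.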
11. A forensic device comprising:
- a storage device that stores an investigative profile that identifies a plurality of forensic tools from a set of forensic tools and defines a manner in which a forensic investigative tool invokes the identified forensic tools for an investigation of a target computing device, wherein to define the manner in which the forensic investigative tool invokes the identified forensic tools, the investigative profile defines:
  - a sequence in which the forensic investigative tool invokes the identified forensic tools,
  - one or more operational parameters for respective identified forensic tools needed for the execution of the respective forensic tools on the target computing device, and
  - an identification of data to capture from the target computing device; and
- a hardware unit that executes the forensic investigative tool to:
  - process the investigative profile to provide a common execution framework for selective execution of the plurality of forensic tools identified by the investigative profile, the framework including a common user interface and a reporting structure associated with the plurality of forensic tools;
  - transfer one or more of the identified forensic tools and a remote agent to the target computing device for temporary storage;
  - temporarily execute the remote agent on the target computing device to execute the identified forensic tools on the target computing device in accordance with the sequence and the one or more operational parameters of the investigative profile;
  - receive data acquired from the target computing device by the execution of the identified forensic tools in accordance with the investigative profile; and
  - delete, after receipt of the data acquired from the target computing device, the transferred identified forensic tools, the remote agent, and a temporary directory within the target computing device where the transferred forensic tools and the remote agent are temporarily stored.

Dependent claims: 12, 13, 14, 15, 16, 17, 18, 19, 20, 27, 28, 29, 30
21. A non-transitory computer-readable storage medium comprising instructions that cause one or more processors to:
- store an investigative profile that identifies a plurality of forensic tools from a set of forensic tools and defines a manner in which a forensic investigative tool invokes the identified forensic tools for an investigation of a target computing device, wherein to define the manner in which the forensic investigative tool invokes the identified forensic tools, the investigative profile defines:
  - a sequence in which the forensic investigative tool invokes the identified forensic tools,
  - one or more operational parameters for respective identified forensic tools needed for the execution of the respective forensic tools on the target computing device, and
  - an identification of data to capture from the target computing device;
- process the investigative profile with the forensic investigative tool to provide a common execution framework for selective execution of the plurality of forensic tools identified by the investigative profile, the framework including a common user interface and a reporting structure associated with the plurality of forensic tools;
- transfer, upon execution of the forensic investigative tool, one or more of the identified forensic tools and a remote agent to the target computing device for temporary storage;
- temporarily execute, upon execution of the forensic investigative tool, the remote agent on the target computing device to execute the identified forensic tools on the target computing device in accordance with the sequence and the one or more operational parameters of the investigative profile;
- receive, with the forensic investigative tool, data acquired from the target computing device by the execution of the identified forensic tools in accordance with the investigative profile; and
- delete, after receipt of the data acquired from the target computing device, the transferred identified forensic tools, the remote agent, and a temporary directory within the target computing device where the transferred forensic tools and the remote agent are temporarily stored.

Dependent claims: 22, 31, 32
Specification