Configurable forensic investigative tool

US 10,067,787 B2
Filed: 02/10/2011
Issued: 09/04/2018
Est. Priority Date: 02/10/2011
Status: Active Grant

First Claim

Patent Images

1. A method comprising:

storing an investigative profile that identifies a plurality of forensic tools from a set of forensic tools and defines a manner in which a forensic investigative tool invokes the identified forensic tools for an investigation of a target computing device, wherein to define the manner in which the forensic investigative tool invokes the identified forensic tools, the investigative profile defines;

a sequence in which the forensic investigative tool invokes the identified forensic tools,one or more operational parameters for respective identified forensic tools needed for the execution of the respective forensic tools on the target computing device, andan identification of data to capture from the target computing device;

processing the investigative profile with the forensic investigative tool on a forensic device to provide a common execution framework for selective execution of the plurality of forensic tools identified by the investigative profile, the framework including a common user interface and a reporting structure associated with the plurality of forensic tools;

transferring, with the forensic device upon execution of the forensic investigative tool, one or more of the identified forensic tools and a remote agent to the target computing device for temporary storage;

temporarily executing, with the forensic device upon execution of the forensic investigative tool, the remote agent on the target computing device to execute the identified forensic tools on the target computing device in accordance with the sequence and the one or more operational parameters investigative profile;

receiving, with the forensic investigative tool executing on the forensic device, data acquired from the target computing device by the execution of the identified forensic tools in accordance with the investigative profile; and

deleting, after receiving the data acquired from the target computing device, the transferred identified forensic tools, the remote agent, and a temporary directory within the target computing device where the transferred forensic tools and the remote agent are temporarily stored.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

This disclosure provides example techniques to invoke one or more forensic tools, with a forensic investigative tool. The forensic investigative tool provides a common framework that allows investigators to invoke their own trusted forensic tools or third-party generated forensic tools. The forensic investigative tool described herein seamlessly and transparently invokes the forensic tools in accordance with an investigative profile created by the investigator.

Citations

32 Claims

1. A method comprising:
- storing an investigative profile that identifies a plurality of forensic tools from a set of forensic tools and defines a manner in which a forensic investigative tool invokes the identified forensic tools for an investigation of a target computing device, wherein to define the manner in which the forensic investigative tool invokes the identified forensic tools, the investigative profile defines;
  
  a sequence in which the forensic investigative tool invokes the identified forensic tools,one or more operational parameters for respective identified forensic tools needed for the execution of the respective forensic tools on the target computing device, andan identification of data to capture from the target computing device;
  
  processing the investigative profile with the forensic investigative tool on a forensic device to provide a common execution framework for selective execution of the plurality of forensic tools identified by the investigative profile, the framework including a common user interface and a reporting structure associated with the plurality of forensic tools;
  
  transferring, with the forensic device upon execution of the forensic investigative tool, one or more of the identified forensic tools and a remote agent to the target computing device for temporary storage;
  
  temporarily executing, with the forensic device upon execution of the forensic investigative tool, the remote agent on the target computing device to execute the identified forensic tools on the target computing device in accordance with the sequence and the one or more operational parameters investigative profile;
  
  receiving, with the forensic investigative tool executing on the forensic device, data acquired from the target computing device by the execution of the identified forensic tools in accordance with the investigative profile; and
  
  deleting, after receiving the data acquired from the target computing device, the transferred identified forensic tools, the remote agent, and a temporary directory within the target computing device where the transferred forensic tools and the remote agent are temporarily stored.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 23, 24, 25, 26)
- - 2. The method of claim 1, wherein the investigative profile comprises a first investigative profile, the plurality of forensic tools comprise a first plurality of forensic tools, and the investigation of the target computing device comprises a first investigation of a first target computing device, the method further comprising:
    - storing a second investigative profile that identifies a second plurality of forensic tools from the set of forensic tools and defines a manner in which the forensic investigative tool invokes the second plurality of forensic tools for a second investigation of a second target computing device.
  - 3. The method of claim 1, wherein the investigative profile identifies the plurality of forensic tools from the set of forensic tools and defines the manner in which the forensic investigative tool invokes the identified forensic tools for an investigation of a plurality of target computing devices, wherein the target computing device is one of the plurality of target computing devices.
  - 4. The method of claim 3, wherein the investigative profile defines whether the investigation of the plurality of target computing devices occurs sequentially or in parallel.
  - 5. The method of claim 1, wherein temporarily executing the remote agent comprises temporarily implementing a service that includes the remote agent on the target computing device.
  - 6. The method of claim 1, wherein receiving data acquired from the target computing device by the execution of the identified forensic tools in accordance with the investigative profile comprises receiving at least one of encrypted and compressed data acquired from the target computing device by the execution of the identified forensic tools in accordance with the investigative profile.
  - 7. The method of claim 1, wherein receiving data acquired from the target computing device by the execution of the identified forensic tools in accordance with the investigative profile comprises receiving the acquired data in raw format or extensible markup language (XML) format.
  - 8. The method of claim 1, wherein the investigative profile further defines a duration of the execution of the forensic tools on the target computing device.
  - 9. The method of claim 1, wherein the investigative profile further defines actions to be performed when the forensic investigative tool encounters an error on the target computing device.
  - 10. The method of claim 1, wherein storing the investigative profile comprises at least one of a user pre-building the investigative profile and the user building the investigative profile after execution of the forensic investigative tool.
  - 23. The method of claim 1, wherein the investigative profile further defines a number of times within a period that the forensic tools are to be executed on the target computing device.
  - 24. The method of claim 1, wherein the investigative profile further defines a non-continuous execution of one or more of the forensic tools on the target computing device.
  - 25. The method of claim 1, wherein the investigative profile further defines that the forensic tools are to be executed continuously on the target computing device for a permanent investigation.
  - 26. The method of claim 1, wherein the investigative profile further defines information for handling conditions experienced by target computing device during the investigation.

11. A forensic device comprising:
- a storage device that stores an investigative profile that identifies a plurality of forensic tools from a set of forensic tools and defines a manner in which a forensic investigative tool invokes the identified forensic tools for an investigation of a target computing device, wherein to define the manner in which the forensic investigative tool invokes the identified forensic tools, the investigative profile defines;
  
  a sequence in which the forensic investigative tool invokes the identified forensic tools,one or more operational parameters for respective identified forensic tools needed for the execution of the respective forensic tools on the target computing device, andan identification of data to capture from the target computing device; and
  
  a hardware unit that executes the forensic investigative tool to;
  
  process the investigative profile to provide a common execution framework for selective execution of the plurality of forensic tools identified by the investigative profile, the framework including a common user interface and a reporting structure associated with the plurality of forensic tools;
  
  transfer one or more of the identified forensic tools and a remote agent to the target computing device for temporary storage;
  
  temporarily execute the remote agent on the target computing device to execute the identified forensic tools on the target computing device in accordance with the sequence and the one or more operational parameters investigative profile;
  
  receive data acquired from the target computing device by the execution of the identified forensic tools in accordance with the investigative profile; and
  
  delete, after receipt of the data acquired from the target computing device, the transferred identified forensic tools, the remote agent, and a temporary directory within the target computing device where the transferred forensic tools and the remote agent are temporarily stored.
- View Dependent Claims (12, 13, 14, 15, 16, 17, 18, 19, 20, 27, 28, 29, 30)
- - 12. The forensic device of claim 11, wherein the investigative profile comprises a first investigative profile, the plurality of forensic tools comprise a first plurality of forensic tools, and the investigation of the target computing device comprises a first investigation of a first target computing device, and wherein the storage device:
    - stores a second investigative profile that identifies a second plurality of forensic tools from the set of forensic tools and defines a manner in which the forensic investigative tool invokes the second plurality of forensic tools for a second investigation of a second target computing device.
  - 13. The forensic device of claim 11, wherein the investigative profile identifies the plurality of forensic tools from the set of forensic tools and defines the manner in which the forensic investigative tool invokes the identified forensic tools for an investigation of a plurality of target computing devices, wherein the target computing device is one of the plurality of target computing devices.
  - 14. The forensic device of claim 13, wherein the investigative profile defines whether the investigation of the plurality of target computing devices occurs sequentially or in parallel.
  - 15. The forensic device of claim 11, wherein the forensic investigative tool temporarily invokes a service that includes the remote agent on the target computing device to temporarily execute the remote agent.
  - 16. The forensic device of claim 11, wherein the forensic investigative tool receives at least one of encrypted and compressed data acquired from the target computing device by the execution of the identified forensic tools in accordance with the investigative profile.
  - 17. The forensic device of claim 11, wherein the forensic investigative tool receives the acquired data in raw format or extensible markup language (XML) format.
  - 18. The forensic device of claim 11, wherein the investigative profile further defines a duration of the execution of the forensic tools on the target computing device.
  - 19. The forensic device of claim 11, wherein the investigative profile further defines actions to be performed when the forensic investigative tool encounters an error on the target computing device.
  - 20. The forensic device of claim 11, wherein the investigative profile stored in the storage device comprises at least one of a user pre-built investigative profile and an investigative profile built by the user after execution of the forensic investigative tool.
  - 27. The forensic device of claim 11,wherein the target computing device is included in a set of target computing devices to be investigated, andwherein, to identify the plurality of forensic tools from the set of forensic tools, the investigative profile identifies the plurality of forensic tools based on a number of the set of target computing devices to be investigated.
  - 28. The forensic device of claim 11, wherein the set of forensic tools includes at least one forensic tool provided by a first entity and at least one forensic tool provided by a second entity.
  - 29. The forensic device of claim 11, wherein, to identify the plurality of forensic tools from the set of forensic tools, the investigative profile identifies the plurality of forensic tools based on at least one of (i) a type of evidence to be collected from the target computing device, (ii) a configuration of the target computing device, or (iii) a likelihood of detection of the investigation of the target computing device.
  - 30. The forensic device of claim 11,wherein the hardware unit further executes the forensic investigative tool to store metadata to the storage device,wherein the metadata describes the received data using at least one of (i) a version of a particular forensic tool of the plurality of forensic tools, (ii) at least one of a date or time when the received data was acquired from the target computing device, or (iii) a format according to which the received data is stored to the storage device by the hardware unit.

21. A non-transitory computer-readable storage medium comprising instructions that cause one or more processors to:
- store an investigative profile that identifies a plurality of forensic tools from a set of forensic tools and defines a manner in which a forensic investigative tool invokes the identified forensic tools for an investigation of a target computing device, wherein to define the manner in which the forensic investigative tool invokes the identified forensic tools, the investigative profile defines;
  
  a sequence in which the forensic investigative tool invokes the identified forensic tools,one or more operational parameters for respective identified forensic tools needed for the execution of the respective forensic tools on the target computing device, andan identification of data to capture from the target computing device;
  
  process the investigative profile with the forensic investigative tool to provide a common execution framework for selective execution of the plurality of forensic tools identified by the investigative profile, the framework including a common user interface and a reporting structure associated with the plurality of forensic tools;
  
  transfer, upon execution of the forensic investigative tool, one or more of the identified forensic tools and a remote agent to the target computing device for temporary storage;
  
  temporarily execute, upon execution of the forensic investigative tool, the remote agent on the target computing device to execute the identified forensic tools on the target computing device in accordance with the sequence and the one or more operational parameters investigative profile;
  
  receive, with the forensic investigative tool, data acquired from the target computing device by the execution of the identified forensic tools in accordance with the investigative profile; and
  
  delete, after receipt of the data acquired from the target computing device, the transferred identified forensic tools, the remote agent, and a temporary directory within the target computing device where the transferred forensic tools and the remote agent are temporarily stored.
- View Dependent Claims (22, 31, 32)
- - 22. The non-transitory computer-readable storage medium of claim 21, wherein the computer-readable storage medium comprises a computer-readable storage medium that a user inserts or attaches into the target computing device.
  - 31. The non-transitory computer-readable storage medium of claim 21, wherein the investigative profile further defines a duration of the execution of the forensic tools on the target computing device.
  - 32. The non-transitory computer-readable storage medium of claim 21, wherein the investigative profile further defines actions to be performed when the forensic investigative tool encounters an error on the target computing device.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Architecture Technology Corporation
Original Assignee
Architecture Technology Corporation
Inventors
Bronner, Derek P., Joyce, Robert A., Donovan, Matthew P., Baker, Julia A.
Primary Examiner(s)
Srivastava, Vivek
Assistant Examiner(s)
Bukhari, Sibte

Application Number

US13/025,007
Publication Number

US 20120209983A1
Time in Patent Office

2,763 Days
Field of Search

709223-224
US Class Current
CPC Class Codes

G06F 2209/549 Remote execution

G06F 9/4843 by program, e.g. task dispa...

Configurable forensic investigative tool

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

Citations

32 Claims

Specification

Solutions

Use Cases

Quick Links

Configurable forensic investigative tool

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

32 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links