System and method for simultaneous forensic, acquisition, examination and analysis of a computer readable medium at wire speed

US 10,354,062 B2
Filed: 07/22/2015
Issued: 07/16/2019
Est. Priority Date: 07/24/2014
Status: Active Grant

First Claim

Patent Images

1. A system for simultaneous forensic acquisition and analysis of data from a target data repository, the system comprising:

a source agent in operative communication with the target data repository, said source agent being configured to read a portion of the target data repository;

a scheduler configured to schedule reads of the target data repository based on read commands tagged with predetermined priorities and computations based on the result of prior reads;

an investigator computer having a processor configured to send at least one prioritised read command to said source agent to schedule a read of the target data repository based on a predetermined priority; and

a data sink configured to store at least a partial forensic image of the target data repository based on the data read by said source agent, said processor being configured to permit reading from the partial forensic image, while the same partial forensic image is being written with data read based on the predetermined priorities by said source agent.

View all claims

2 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

The present invention relates to a system for simultaneous forensic acquisition and analysis of data from a target data repository. The system comprises a source agent in communication with the target data repository. The source agent is incapable of writing to the target data repository and is configured to read a portion of the target data repository. The system further comprises an investigator computer having a processor configured to send at least one prioritized read command to the source agent to schedule a read of the target data repository based on a predetermined priority. A data sink is configured to store at least a partial forensic image of the target data repository based on the data read by said source agent.

35 Citations

View as Search Results

20 Claims

1. A system for simultaneous forensic acquisition and analysis of data from a target data repository, the system comprising:
- a source agent in operative communication with the target data repository, said source agent being configured to read a portion of the target data repository;
  
  a scheduler configured to schedule reads of the target data repository based on read commands tagged with predetermined priorities and computations based on the result of prior reads;
  
  an investigator computer having a processor configured to send at least one prioritised read command to said source agent to schedule a read of the target data repository based on a predetermined priority; and
  
  a data sink configured to store at least a partial forensic image of the target data repository based on the data read by said source agent, said processor being configured to permit reading from the partial forensic image, while the same partial forensic image is being written with data read based on the predetermined priorities by said source agent.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11)
- - 2. The system of claim 1, further comprising a sink agent in operative communication with each of said data sink, said processor, and said source agent, said processor being configured to send the prioritised read command to said sink agent prior to sending the evidence request to said source agent.
  - 3. The system of claim 1, further comprising a sink agent in operative communication with each of said data sink, said processor, and said source agent, said source agent being incapable of writing to the target data repository, and said sink agent being configured to assemble the partial forensic image based on non-sequential data reads from the target data repository.
  - 4. The system of claim 1, wherein the prioritised read command is prioritised based on an amount of allocated memory in the target data repository.
  - 5. The system of claim 1, wherein the prioritised read command specifies the reading of data based on mime type or extension.
  - 6. The system of claim 1, wherein the prioritised read command specifies the reading of data based on based on file objects within a folder hierarchy.
  - 7. The system of claim 1, wherein the prioritised read command is prioritised based on a storage type associated with the target data repository.
  - 8. The system of claim 1, wherein the prioritised read command is prioritised based on an address of data blocks being read.
  - 9. The system of claim 1, wherein said data sink forms part of a remote computer separate from said investigator computer and the target data repository.
  - 10. The system of claim 1, wherein the prioritised read command includes a priority tag and a read command.
  - 11. The system of claim 10, wherein the priority tag is configurable for more than one level.

12. A method for forensically analysing data during a data acquisition from a target data repository, the method comprising:
- reading data, with a source agent, from the target data repository to a data sink to assemble a partial forensic image of the target data repository;
  
  submitting at least one prioritised read command to the source agent, the prioritised read command including a read command that is prioritised based on a pre-configured priority;
  
  scheduling, with the source agent, a data read from the target data repository based on the prioritised read command;
  
  reading data, with the source agent, from the target data repository based on the prioritised read command to the data sink; and
  
  permitting analysis of both the data in the partial forensic image and data read by the prioritized read command from the target data repository to the partial forensic image.
- View Dependent Claims (13, 14, 15, 16, 17, 18)
- - 13. The method of claim 12, wherein the data is read non-sequentially from the target data repository to the data sink.
  - 14. The method of claim 12, wherein the read command is prioritised based on an amount of allocated memory in the target data repository.
  - 15. The method of claim 12, wherein the read command specifies a block range.
  - 16. The method of claim 12, wherein the read command specifies a file subset.
  - 17. The method of claim 12, wherein the read command is prioritised based on a storage type associated with the target data repository.
  - 18. The method of claim 12, wherein the read command is prioritised based on block address for a target data repository having a spinning disk hard drive.

19. A method for forensically analysing data during a data acquisition from a target data repository, the method comprising:
- reading data, with a source agent, from the target data repository to a data sink to assemble a partial forensic image of the target data repository;
  
  scheduling reads of the target data repository based on read commands tagged with predetermined priorities and computations based on the result of prior reads;
  
  submitting at least one prioritized read command to a sink agent operatively connected to the data sink, the prioritised read command, based on the predetermined priorities, specifying a subset of data thought to be contained in the partial forensic image of the target data repository; and
  
  reading, with the sink agent, the subset of data from the data sink if the requested subset of data is in the partial forensic image, otherwise forwarding the prioritised read command to the source agent to obtain the requested subset of data.
- View Dependent Claims (20)
- - 20. The method of claim 19, wherein the data is read non-sequentially from the target data repository to the data sink.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Hemicordulia Australiae Capital LLC
Original Assignee
Schatz Forensic Pty Limited
Inventors
Schatz, Bradley
Primary Examiner(s)
Pyzocha, Michael

Application Number

US15/328,452
Publication Number

US 20170213024A1
Time in Patent Office

1,455 Days
Field of Search
US Class Current
CPC Class Codes

G06F 21/00   Security arrangements for p...

G06F 21/50   Monitoring users, programs ...

G06F 21/645   using a third party

G06F 2221/034   Test or assess a computer o...

G06Q 50/18   Legal services

G06Q 50/26   Government or public servic...

System and method for simultaneous forensic, acquisition, examination and analysis of a computer readable medium at wire speed

First Claim

2 Assignments

0 Petitions

Accused Products

Abstract

35 Citations

20 Claims

Specification

Use Cases

Quick Links

Others

System and method for simultaneous forensic, acquisition, examination and analysis of a computer readable medium at wire speed

First Claim

2 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

35 Citations

20 Claims

Specification

Subscription Required

Use Cases

Quick Links

Others