Remote collection of computer forensic evidence
9 Assignments
0 Petitions
Abstract
The invention is directed to techniques for allowing a user to remotely interrogate a target computing device in order to collect and analyze computer evidence that may be stored on the target computing device. A forensic device receives input from a remote user that identifies computer evidence to acquire from the target computing device. The forensic device acquires the computer evidence from the target computing device and presents a user interface for the forensic device through which the remote user views the computer evidence acquired from the target computing device. In this manner, the forensic device allows the user to interrogate the target computing device to acquire the computer evidence without seizing or otherwise "shutting down" the target device.
203 Citations
122 Claims
1. A method comprising:
receiving input from a remote user of a client device that identifies computer evidence to acquire from a target computing device;
acquiring the computer evidence from the target computing device with a forensic device coupled to the target computing device via a communication link;
storing the computer evidence on the forensic device; and
presenting a user interface for the forensic device through which the remote user views and analyzes the computer evidence acquired from the target computing device.
Dependent claims: 2 to 42.
43. A system comprising:
a target computing device;
a forensic device coupled to the target computing device via a communication link;
a client device; and
a user interface module to present a user interface for the forensic device that is remotely accessible by the client device, wherein the forensic device receives input via the user interface that identifies computer evidence to acquire from a target computing device and, in response, acquires the computer evidence from the target computing device, stores the computer evidence, and presents the computer evidence to the remote user for analysis via the user interface.
Dependent claims: 44 to 70.
71. An interrogation method to remotely acquire computer forensic evidence comprising:
receiving input from a remote user that identifies computer evidence to be acquired from a target computing device;
determining an order in which to perform acquisition operations to acquire the computer evidence from the target computing device with reduced impact on other data stored on the target computing device, wherein acquisition operations to acquire at least one of a log file and communication statistics occur in the order prior to any other acquisition operations; and
communicating commands to initiate the acquisition operations on the target computing device in accordance with the determined order.
Dependent claims: 72 to 77.
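Claim 71 fixes only one point of the acquisition order: log files and communication statistics are acquired before anything else, since the act of interrogating the target (logging in, opening a connection) is itself what alters them, so they must be captured before later operations overwrite that state. The Python below is an added example of such an ordering, not the patent's implementation nor any product's code; the evidence names, the volatility ranks and the per-operating-system commands are assumptions chosen for illustration, and the offline runner stands in for a real target.

```python
import hashlib
import subprocess
from typing import Callable, Dict, List, Sequence, Tuple

# Volatility ranking, constructed for this example (not taken from the patent).
# Rank 0 is reserved for log files and communication statistics so that they are
# always acquired before any other operation, as claim 71 requires.
VOLATILITY: Dict[str, int] = {
    "log_file": 0,
    "communication_statistics": 0,
    "process_list": 1,
    "network_connections": 1,
    "logged_in_users": 2,
    "open_files": 2,
    "file_system_timeline": 3,
}

# Hypothetical read-only interrogation commands keyed by (os family, evidence type).
# Assumption for illustration: a real agent would use whatever collector it ships with.
COMMANDS: Dict[Tuple[str, str], Sequence[str]] = {
    ("linux", "log_file"): ("cat", "/var/log/auth.log"),
    ("linux", "communication_statistics"): ("ss", "-s"),
    ("linux", "process_list"): ("ps", "-eo", "pid,ppid,user,lstart,cmd"),
    ("linux", "network_connections"): ("ss", "-tunap"),
    ("linux", "logged_in_users"): ("who", "-a"),
    ("linux", "open_files"): ("lsof", "-nP"),
    ("linux", "file_system_timeline"): ("find", "/", "-xdev", "-printf", "%T@ %p\\n"),
    ("windows", "log_file"): ("wevtutil", "qe", "Security", "/c:1000", "/f:text"),
    ("windows", "communication_statistics"): ("netstat", "-s"),
    ("windows", "process_list"): ("tasklist", "/v"),
    ("windows", "network_connections"): ("netstat", "-ano"),
    ("windows", "logged_in_users"): ("query", "user"),
}


def order_operations(requested: Sequence[str]) -> List[str]:
    """Order requested evidence types by volatility rank; rank-0 items (log files,
    communication statistics) always come first. Duplicates are dropped and ties keep
    the investigator's request order because sorted() is stable."""
    unknown = [r for r in requested if r not in VOLATILITY]
    if unknown:
        raise ValueError(f"unknown evidence types: {unknown}")
    return sorted(dict.fromkeys(requested), key=VOLATILITY.__getitem__)


def build_plan(requested: Sequence[str], os_type: str) -> List[Tuple[str, Sequence[str]]]:
    """Map the ordered evidence types to the command the agent for `os_type` issues."""
    plan = []
    for ev in order_operations(requested):
        try:
            plan.append((ev, COMMANDS[(os_type, ev)]))
        except KeyError:
            raise ValueError(f"no {os_type} interrogation command for {ev}") from None
    return plan


def run_plan(plan, runner: Callable[[Sequence[str]], bytes]) -> List[dict]:
    """Execute the plan in order through `runner` (argv -> captured bytes) and record
    a SHA-256 of every result so the stored evidence can be verified later."""
    records = []
    for ev, argv in plan:
        data = runner(argv)
        records.append({
            "evidence": ev,
            "command": " ".join(argv),
            "size": len(data),
            "sha256": hashlib.sha256(data).hexdigest(),
        })
    return records


def subprocess_runner(argv: Sequence[str]) -> bytes:
    """Real runner: capture stdout of a command without invoking a shell."""
    return subprocess.run(list(argv), capture_output=True, check=False).stdout


def fake_runner(argv: Sequence[str]) -> bytes:
    """Constructed offline stand-in for the target's responses (echoes the command)."""
    return (" ".join(argv) + "\n").encode()


if __name__ == "__main__":
    request = ["file_system_timeline", "process_list", "log_file", "communication_statistics"]
    for rec in run_plan(build_plan(request, "linux"), fake_runner):
        print(rec)
```

Swap `fake_runner` for `subprocess_runner` on a real forensic device; the ordering and the hash records are unchanged, which is the point of keeping the planner separate from the executor.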
78. A method comprising:
interrogating a target computing device to acquire a log file;
analyzing the log file to detect log file tampering; and
displaying to a user the results of the analysis.
Dependent claims: 79 to 86.
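Claim 78 analyzes an acquired log file for tampering but does not say which indicators it looks for. The Python below is an added illustration of three common content-only checks, not the patent's method or any product's code: entries whose timestamp runs behind an earlier entry (records edited or re-inserted), a silent gap far longer than the file's normal inter-entry interval (records deleted), and lines that do not parse at all (manual edits or truncation). The log format and the sample lines are constructed for the example.

```python
import re
import statistics
from datetime import datetime
from typing import List, Tuple

# Constructed sample (not from the patent): "ISO-8601 timestamp host message" per line.
# Line 4 sits behind line 3, line 6 follows a three-hour silence, line 7 is garbage.
SAMPLE_LOG = """\
2024-03-01T10:00:00 host1 sshd: Accepted publickey for alice
2024-03-01T10:00:05 host1 sshd: session opened for alice
2024-03-01T10:00:09 host1 sudo: alice : COMMAND=/bin/ls
2024-03-01T09:58:00 host1 sshd: session closed for alice
2024-03-01T10:00:14 host1 cron: (root) CMD (run-parts /etc/cron.hourly)
2024-03-01T13:00:14 host1 sshd: Accepted publickey for bob
not a log line at all
"""

LINE_RE = re.compile(r"^(\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}) (\S+) (.*)$")


def parse_log(text: str):
    """Split the log into parsed entries (line_no, timestamp, host, message) and the
    line numbers of lines that did not match the expected format."""
    entries, malformed = [], []
    for no, line in enumerate(text.splitlines(), start=1):
        m = LINE_RE.match(line)
        if m is None:
            malformed.append(no)
            continue
        entries.append((no, datetime.fromisoformat(m.group(1)), m.group(2), m.group(3)))
    return entries, malformed


def detect_tampering(text: str, gap_factor: float = 20.0) -> List[Tuple[int, str]]:
    """Return (line_no, reason) findings sorted by line number. `gap_factor` is the
    multiple of the median inter-entry interval above which a gap is reported."""
    entries, malformed = parse_log(text)
    findings = [(no, "malformed line: possible manual edit or truncation") for no in malformed]
    if entries:
        # Compare every entry against the latest timestamp seen so far, so one
        # backwards entry does not distort the interval baseline for the next one.
        high = entries[0][1]
        forward = []
        for no, ts, _host, _msg in entries[1:]:
            delta = (ts - high).total_seconds()
            if delta < 0:
                findings.append((no, f"timestamp runs {-delta:.0f}s behind the latest earlier entry"))
            else:
                forward.append((no, delta))
                high = ts
        if len(forward) >= 3:
            baseline = statistics.median([d for _, d in forward])
            if baseline > 0:
                for no, d in forward:
                    if d > gap_factor * baseline:
                        findings.append((no, f"silent gap of {d:.0f}s before this entry (baseline {baseline:.0f}s)"))
    return sorted(findings)


def format_report(findings: List[Tuple[int, str]]) -> str:
    """Text the user interface would display for the analysis results."""
    if not findings:
        return "no tampering indicators found"
    return "\n".join(f"line {no}: {why}" for no, why in findings)


if __name__ == "__main__":
    print(format_report(detect_tampering(SAMPLE_LOG)))
```

These are heuristics: a legitimately quiet host also produces long gaps, and a log whose clock was stepped backwards by NTP produces a backwards entry. The value of the check is that every finding names the line, so the investigator can compare it against other acquired evidence (process list, connection statistics) before drawing a conclusion.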
87. An apparatus comprising:
an abstraction module that acquires data identified by a remote user from a target computing device and stores the computer evidence; and
a user interface module that presents the remote user with a user interface for the remote user to view and analyze the computer evidence.
Dependent claims: 88 to 101.
102. An apparatus comprising:
a data acquisition module that identifies one or more acquisition operations to perform to acquire computer evidence;
an abstraction module that performs the acquisition operations to acquire the computer evidence from a target computing device, wherein the abstraction module includes a plurality of interrogation agents that issue commands associated with the acquisition operations based on the type of operating system executed on the target computing device and the type of computer evidence desired;
a data analysis module that includes one or more data analysis tools; and
a user interface module to present a user interface for a remote user to interact with the data analysis module to view and analyze the collected computer evidence.
Dependent claims: 103 to 109.
110. A forensic analysis device that is adapted to operate as an intermediate device between a target computing device and a client device associated with a remote forensic investigator, wherein the analysis device comprises an acquisition module to acquire state information from the target computing device and store the state information on the forensic device while the target device remains active.
113. A computer-readable medium comprising instructions that cause a processor to:
receive input from a remote user of a client device that identifies computer evidence to acquire from a target computing device;
acquire the computer evidence from the target computing device with a forensic device coupled to the target computing device via a communication link;
store the computer evidence on the forensic device; and
present a user interface for the forensic device through which the remote user views and analyzes the computer evidence acquired from the target computing device.
Dependent claims: 114 to 122.