Phone Home Servlet in a Computer Investigation System

US 20080082672A1
Filed: 09/27/2007
Published: 04/03/2008
Est. Priority Date: 09/28/2006
Status: Active Grant

First Claim

Patent Images

1. In a data communications network including a server, an examining device, and a target device, a method for conducting forensic investigations of the target device over the data communications network, the method comprising:

periodically receiving from the target device a request for connection, the request including identification information for the target device;

establishing connection with the target device in response to the request;

determining, in response to the connection with the target device, whether a request to investigate the target device is pending from the examining device; and

providing data for establishing a secure communication link between the examining device and the target device in response to the determination that the request to investigate is pending, the examining device being configured to forward an investigation command via the established secure communication link and receive an output from the target device via the secure communication link responsive to the investigation command.

View all claims

7 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A system for conducting forensic investigations is provided which includes a target device, an examining device, and a server. The target device includes a phone home servlet which is configured to periodically transmit to the server a request for connection. The server grants the request for connection if there is an investigation request pending from the examining device for the requesting target device. If no such request is pending, the request is denied. The servlet is programmed with various phone home parameters for determining whether the target device should transmit the request for connection.

99 Citations

View as Search Results

19 Claims

1. In a data communications network including a server, an examining device, and a target device, a method for conducting forensic investigations of the target device over the data communications network, the method comprising:
- periodically receiving from the target device a request for connection, the request including identification information for the target device;
  
  establishing connection with the target device in response to the request;
  
  determining, in response to the connection with the target device, whether a request to investigate the target device is pending from the examining device; and
  
  providing data for establishing a secure communication link between the examining device and the target device in response to the determination that the request to investigate is pending, the examining device being configured to forward an investigation command via the established secure communication link and receive an output from the target device via the secure communication link responsive to the investigation command.
- View Dependent Claims (2, 3, 4, 5, 6, 7)
- - 2. The method of claim 1 further comprising:
    - denying connection between the examining device and the target device in response to the determination that the request to investigate the target device is not pending.
  - 3. The method of claim 1, wherein the determining whether the request to investigate is pending includes:
    - retrieving an address list and determining whether an address of the target device is included in the address list.
  - 4. The method of claim 3 further comprising:
    - establishing connection with the examining device;
      
      receiving the request to investigate the target device;
      
      storing the address of the target device in the address list; and
      
      waiting for receipt of the request for connection from the target device before establishing the connection with the target device.
  - 5. The method of claim 1, wherein the request for connection is transmitted by the target device if the target device has not satisfied a maximum number of consecutive attempts to connect to the server without establishing the connection.
  - 6. The method of claim 1, wherein the request for connection is transmitted by the target device if the target device has not satisfied a maximum number of consecutive times a connection is made with the server without also connecting to an examining device.
  - 7. The method of claim 1, wherein the request for connection is transmitted by the target device if the target device has not satisfied a maximum number of times the secure communication link is established between the examining device and the target device.

8. A server coupled to an examining device and a target device over a data communications network for conducting forensic investigations of the target device, the server comprising:
- a processor; and
  
  a memory operably coupled to the processor and storing program instructions therein, the processor being operable to execute the program instructions, the program instructions including;
  
  periodically receiving from the target device a request for connection, the request including identification information for the target device;
  
  establishing connection with the target device in response to the request;
  
  determining, in response to the connection with the target device, whether a request to investigate the target device is pending from the examining device; and
  
  providing data for establishing a secure communication link between the examining device and the target device in response to the determination that the request to investigate is pending, the examining device being configured to forward an investigation command via the established secure communication link and receive an output from the target device via the secure communication link responsive to the investigation command.
- View Dependent Claims (9, 10, 11)
- - 9. The server of claim 8, wherein the program instructions further include:
    - denying connection between the examining device and the target device in response to the determination that the request to investigate the target device is not pending.
  - 10. The server of claim 8, wherein the program instructions that determine whether the request to investigate is pending further includes program instructions that:
    - retrieve an address list and determine whether an address of the target device is included in the address list.
  - 11. The server of claim 10, wherein the program instructions further include:
    - establishing connection with the examining device;
      
      receiving the request to investigate the target device;
      
      storing the address of the target device in the address list; and
      
      waiting for receipt of the request for connection from the target device before establishing the connection with the target device.

12. An examining device coupled to a server and a target device over a data communications network for conducting forensic investigations of the target device, the examining device comprising:
- a processor; and
  
  a memory operably coupled to the processor and storing program instructions therein, the processor being operable to execute the program instructions, the program instructions including;
  
  establishing a first connection with the server;
  
  transmitting to the server a request to investigate the target device, the request including identification information for the target device;
  
  waiting for the target device to establish a second connection with the server, the target device being configured to transmit a connection request to the server for establishing the second connection;
  
  establishing a secure communication link with the target device in response to the target device establishing the second connection with the server;
  
  transmitting an investigation command to the target device via the established secure communication link; and
  
  receiving an output from the target device via the secure communication link responsive to the investigation command.
- View Dependent Claims (13, 14)
- - 13. The examining device of claim 12, wherein the program instructions further include:
    - maintaining the first connection with the server while waiting for the target device to establish the second connection with the server.
  - 14. The examining device of claim 12, wherein the server is configured to wait for the connection request from the target device before attempting connection with the target device.

15. A target device coupled to a server and an examining device over a data communications network for being investigated by the examining device, the target device comprising:
- a processor; and
  
  a memory operably coupled to the processor and storing program instructions therein, the processor being operable to execute the program instructions, the program instructions including;
  
  determining whether it is time to connect to the server;
  
  determining connection to the data communications network;
  
  transmitting a request to connect to the server if it is time to connect to the server and it is connected to the data communications network; and
  
  receiving a grant to the request to connect if a request from the examining device to investigate the target device is pending at the server.
- View Dependent Claims (16, 17, 18, 19)
- - 16. The target device of claim 15, wherein the program instructions further include:
    - receiving a denial to the request to connect if the request to investigate is not pending at the server.
  - 17. The target device of claim 15, wherein the program instructions further include:
    - determining a number of consecutive attempts made to connect to the server without establishing the connection; and
      
      transmitting the request to connect to the server if the number of consecutive attempts is below a maximum amount.
  - 18. The target device of claim 15, wherein the program instructions further include:
    - determining a number of consecutive times a connection is made with the server without also connecting to an examining device; and
      
      transmitting the request to connect to the server if the number of consecutive times is below a maximum amount.
  - 19. The target device of claim 15, wherein the program instructions further include:
    - determining a number of times the secure communication link is established between the examining device and the target device; and
      
      transmitting the request to connect to the server if the number of times is below a maximum amount.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Open Text Holdings, Inc. (Open Text Corporation)
Original Assignee
Guidance Software Incorporated (Open Text Corporation)
Inventors
Garrett, Matthew Steven

Granted Patent

US 8,892,735 B2
Time in Patent Office

Days
Field of Search
US Class Current

709/228
CPC Class Codes

H04L 67/125 involving control of end-de...

H04L 67/14 Session management for real...

Phone Home Servlet in a Computer Investigation System

First Claim

7 Assignments

0 Petitions

Accused Products

Abstract

99 Citations

19 Claims

Specification

Use Cases

Quick Links

Others

Phone Home Servlet in a Computer Investigation System

First Claim

7 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

99 Citations

19 Claims

Specification

Subscription Required

Use Cases

Quick Links

Others