Computer forensics, e-discovery and incident response methods and systems
First Claim
1. A method for collecting volatile data from an active target computer, comprising:
selecting one or more computer forensic data items, including at least one volatile data item, to be collected from an active target computer from among a plurality of computer forensic data items;
generating executable runtime code comprising one or more data collection modules for collecting the selected computer forensic data items from an active target computer, wherein the executable runtime code is configured such that once activated on an active target computer the executable runtime code is capable of launching said modules in a defined sequence from a removable storage device without further user input;
storing the executable runtime code on an initialized removable storage device;
connecting the removable storage device to an active target computer; and
activating the executable runtime code to collect the selected computer forensic data items from the active target computer.
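The claimed collector can be sketched as a small runner: a catalogue of collection modules, a selection step that insists on at least one volatile item, a defined execution sequence, and unattended writing of results plus an integrity manifest to the removable device. This is an added illustration, not code from the patent; the module catalogue is hypothetical (stand-ins for real imagers and system tools), and the volatile-first ordering is an assumption about what "defined sequence" should be.

```python
import hashlib, json, os, platform, socket, time
from dataclasses import dataclass
from typing import Callable, Dict, List

@dataclass(frozen=True)
class Module:
    name: str
    volatile: bool                  # True if the item is lost at power-off
    collect: Callable[[], bytes]    # data collection routine, no prompts

# Hypothetical catalogue standing in for the "plurality of data items".
# Real modules would wrap a memory imager, socket listing, etc.
CATALOGUE: Dict[str, Module] = {m.name: m for m in [
    Module("clock", True, lambda: time.strftime("%Y-%m-%dT%H:%M:%S%z").encode()),
    Module("own_pid", True, lambda: str(os.getpid()).encode()),
    Module("environment", True, lambda: "\n".join(
        f"{k}={v}" for k, v in sorted(os.environ.items())).encode()),
    Module("hostname", False, lambda: socket.gethostname().encode()),
    Module("os_version", False, lambda: platform.platform().encode()),
]}

def build_runbook(selected: List[str]) -> List[Module]:
    """Resolve the analyst's selection into the defined sequence: volatile
    items first (they decay fastest), selection order kept within each group."""
    mods = [CATALOGUE[n] for n in selected]      # KeyError on unknown item
    if not any(m.volatile for m in mods):
        raise ValueError("selection must include at least one volatile item")
    return sorted(mods, key=lambda m: not m.volatile)   # stable sort

def run_collection(selected: List[str], device_root: str) -> dict:
    """Launch the modules in sequence with no further user input, writing each
    result and a SHA-256 manifest under device_root (the removable device)."""
    out = os.path.join(device_root, "collection")
    os.makedirs(out, exist_ok=True)
    manifest = {"host": socket.gethostname(), "items": []}
    for m in build_runbook(selected):
        started = time.time()
        data = m.collect()
        with open(os.path.join(out, m.name + ".bin"), "wb") as f:
            f.write(data)
        manifest["items"].append({"name": m.name, "volatile": m.volatile,
                                  "sha256": hashlib.sha256(data).hexdigest(),
                                  "bytes": len(data), "collected_at": started})
    with open(os.path.join(out, "manifest.json"), "w") as f:
        json.dump(manifest, f, indent=2)
    return manifest

def verify(device_root: str) -> bool:
    """Analyst-side check: recompute digests of the stored items."""
    out = os.path.join(device_root, "collection")
    with open(os.path.join(out, "manifest.json")) as f:
        manifest = json.load(f)
    for item in manifest["items"]:
        with open(os.path.join(out, item["name"] + ".bin"), "rb") as f:
            if hashlib.sha256(f.read()).hexdigest() != item["sha256"]:
                return False
    return True
```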
Abstract
Systems and methods for collection of volatile forensic data from active systems are described. In one embodiment of the methods, a set of forensic data items is selected. Runtime code capable of launching data collection modules from a removable storage device with little or no user input is generated and stored on the device. The collection of forensic data can then be accomplished covertly using the removable storage device by a person with minimal training. In another embodiment, pre-deployed agents in communication with servers and controlled by console software can collect forensic data covertly according to a schedule, immediately at the command of an analyst using a remote administrative console, or in response to a triggering event.
30 Claims
12. A system for collecting and managing data relating to the activity of a user of a networked host computer, comprising:
a plurality of software agents, each agent active on a host computer system;
one or more servers, each server in network communication with one or more of said software agents; and
one or more console administrative tools residing on computer systems capable of network communication with said servers;
wherein said software agents each comprise means for covertly and forensically searching and collecting volatile data from the system upon which the software agent resides and securely transmitting requested data to one of said servers;
wherein said servers each comprise means for securely storing data received from one or more of said software agents, means for securely receiving instructions from a console administrative tool subject to an administrative permission rule, means for securely transmitting instructions to one or more agents, and means of transmitting forensic data to said console administrative tools; and
wherein said console administrative tools each comprise means of securely communicating with said servers, means of requesting forensic data from said servers and agents, and means of verifying, analyzing and presenting forensic data received from said software agents through said servers.
Dependent claims: 13 to 23.
24. A method for collecting and managing data relating to the activity of a user of a networked host in a network system, comprising:
deploying software agents for collecting computer forensic data from host computers on the network system on which the agents reside, the agents being in networked communication with a server, and one or more of said servers being in network communication with a console administrative tool;
causing a console administrative tool to transmit instructions to one or more agents through the servers that are in communication with those agents, instructing those one or more said software agents to covertly and forensically collect forensic data, including at least one item of volatile data, from the computers upon which those software agents are active; and
storing the data on a server for analysis.
Dependent claims: 25 to 30.