Computer forensics, e-discovery and incident response methods and systems

US 20090164522A1
Filed: 12/22/2008
Published: 06/25/2009
Est. Priority Date: 12/20/2007
Status: Abandoned Application

First Claim

Patent Images

1. A method for collecting volatile data from an active target computer, comprising:

selecting one or more computer forensic data items, including at least one volatile data item, to be collected from an active target computer from among a plurality of computer forensic data items;

generating executable runtime code comprising one or more data collection modules for collecting the selected computer forensic data items from an active target computer wherein the executable runtime code is configured such that once activated on an active target computer the executable runtime code is capable of launching said modules in a defined sequence from a removable storage device without further user input;

storing the executable runtime code on an initialized removable storage device;

connecting the removable storage device to an active target computer; and

, activating the executable runtime code to collect the selected computer forensic data items from the active target computer.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Systems and methods for collection of volatile forensic data from active systems are described. In an embodiment of the methods, a selected set of forensics data items can be selected. Runtime code capable of launching data collection modules from a removable storage device with little or no user input is generated and stored on the device. The collection of forensic data can then be accomplished covertly using the removable storage device by a person with minimal training. In another embodiment, pre-deployed agents in communication with servers and controlled by console software can collect forensic data covertly according to schedule, immediately at the command of an analyst using a remote administrative console, or in response to a triggering event.

258 Citations

30 Claims

1. A method for collecting volatile data from an active target computer, comprising:
- selecting one or more computer forensic data items, including at least one volatile data item, to be collected from an active target computer from among a plurality of computer forensic data items;
  
  generating executable runtime code comprising one or more data collection modules for collecting the selected computer forensic data items from an active target computer wherein the executable runtime code is configured such that once activated on an active target computer the executable runtime code is capable of launching said modules in a defined sequence from a removable storage device without further user input;
  
  storing the executable runtime code on an initialized removable storage device;
  
  connecting the removable storage device to an active target computer; and
  
  , activating the executable runtime code to collect the selected computer forensic data items from the active target computer.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11)
- - 2. The method of claim 1, wherein the removable storage device is configured such that connecting the removable storage device to an active target computer causes the executable runtime code to be activated automatically.
  - 3. The method of claim 1, wherein, at the time that the executable runtime code is activated, a user can command the runtime code to either store the data items to be collected on the removable storage medium or securely transmit the data items to an internet drop site.
  - 4. The method of claim 1, further comprising deactivating and removing the removable storage medium following completion of the step of collecting the selected data items, wherein the collected data items are stored on the removable storage medium in an encrypted database that is recoverably deleted prior to deactivation and removal of the removable storage medium.
  - 5. The method of claim 1, wherein the removable storage device is a USB flash drive.
  - 6. The method of claim 5, wherein the USB flash drive comprises a writeable partition and a read-only partition.
  - 7. The method of claim 6, wherein the USB flash drive comprises U3 technology and storing the executable runtime code and tools on an initialized removable storage device comprises programming the read-only portion of the thumb drive with a custom launch program.
  - 8. The method of claim 1, wherein the data is collected covertly.
  - 9. The method of claim 8, further comprising displaying a camouflaged view to the user while the data is being collected.
  - 10. The method of claim 9, wherein the camouflaged view appears to be a view selected from among a web browser, a card game, and an image browser.
  - 11. The method of claim 8, wherein the data is collected without any change to the target computer display.

12. A system for collecting and managing data relating to the activity of a user of a networked host computer, comprising:
- a plurality of software agents, each agent active on a host computer system;
  
  one or more servers, each server in network communication with one or more of said software agents; and
  
  ,one or more console administrative tools residing on computer systems capable of network communication with said servers;
  
  wherein said software agents each comprise means for covertly and forensically searching and collecting volatile data from the system upon which the software agent resides and securely transmitting requested data to one of said servers,wherein said servers each comprise means for securely storing data received from one or more of said software agents, means for securely receiving instructions from a console administrative tool subject to an administrative permission rule, means for securely transmitting instructions to one or more agents, and means of transmitting forensic data to said console administrative tools; and
  
  wherein said console administrative tools each comprise means of securely communicating with said servers, means of requesting forensic data from said servers and agents, and means of verifying, analyzing and presenting forensic data received from said software agents through said servers.
- View Dependent Claims (13, 14, 15, 16, 17, 18, 19, 20, 21, 22, 23)
- - 13. The system of claim 12, wherein said software agents comprise means for limiting the agents'"'"' use of network and host computer resources so as to avoid negatively impacting network or host computer performance.
  - 14. The system of claim 12, wherein said servers that are in network communication with said agents comprise a plurality of local servers, the system further comprising one or more supervisory servers in network communication with said plurality of local servers, wherein one or more of said software agents is in a different network region from one or more other of said software agents and wherein the software agents in different network regions are associated with different local servers.
  - 15. The system of claim 12, wherein user access permissions granted to each user of a console administrative tool define limits for accessing agents within the network and their respective data.
  - 16. The system of claim 12, wherein the consoles can command the agents to collect a complete image of the volatile data their host criteria.
  - 17. The system of claim 12, wherein the agents covertly collect the data from the computer by camouflaging as a routine process on the computer.
  - 18. The system of claim 12, wherein the agents do not use any system application program interface calls to collect the data.
  - 19. The system of claim 12, wherein all network communications among and between agents, servers, and consoles are encrypted.
  - 20. The system of claim 12, wherein the servers each comprise a means of securely storing an audit log for archiving all user activity and system events for each agent and console in communication with said server.
  - 21. The system of claim 12, wherein some or all of the agents are deployed to host computers using a software deployment or patch management solution.
  - 22. The system of claim 12, wherein the servers comprise a module for deploying software agents.
  - 23. The system of claim 12, comprising a software agent running from a live CD.

24. A method for collecting and managing data relating to the activity of a user of a networked in a network system comprising:
- deploying software agents for collecting computer forensic data from host computers on the network system on which the agents reside, the agents being in networked communication with a server, and one or more of said servers being in network communication with a console administrative tool;
  
  causing a console administrative tool to transmit instructions to one or more agents through the servers that are in communication with those agents instructing those one or more said software agents to covertly and forensically collect forensic data including at least one item of volatile data from the computers upon which on those software agents are active; and
  
  storing the data on a server for analysis.
- View Dependent Claims (25, 26, 27, 28, 29, 30)
- - 25. The method of claim 24, wherein each software agent is configured to retrieve data of one or more user specified types from the one or more computers according to specified search criteria.
  - 26. The method of claim 24, wherein the software agent is camouflaged as a routine process on the computer.
  - 27. The method of claim 24, wherein the data is collected by the software agent without using any system application program interface (API) calls.
  - 28. The method of claim 24, further comprising securely archiving user activity and system events recorded by a software agent to a server.
  - 29. The method of claim 28, comprising building a case comprising said archived activity without alerting the user of the host computer on which a software agent resides to the data collection.
  - 30. The method of claim 24, comprising compiling data responsive to a litigation discovery requirement by instructing the agents to collect and transmit data satisfying specific search criteria.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
E-Fense Incorporated
Original Assignee
E-Fense Incorporated
Inventors
Fahey, Andrew L.

Application Number

US12/318,083
Publication Number

US 20090164522A1
Time in Patent Office

Days
Field of Search
US Class Current

1/1
CPC Class Codes

H04L 63/1441 Countermeasures against mal...

H04L 63/30 for supporting lawful inter...

Computer forensics, e-discovery and incident response methods and systems

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

258 Citations

30 Claims

Specification

Solutions

Use Cases

Quick Links

Computer forensics, e-discovery and incident response methods and systems

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

258 Citations

30 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links