AUTOMATED ACQUISITION OF VOLATILE FORENSIC EVIDENCE FROM NETWORK DEVICES

US 20100299430A1
Filed: 07/15/2009
Published: 11/25/2010
Est. Priority Date: 05/22/2009
Status: Abandoned Application

First Claim

Patent Images

1. A method executed by an electronic forensic device comprising:

detecting, with the electronic forensic device, a network device connected to one of a home or small-office communications network;

selecting an interrogation script for the detected network device; and

retrieving, with the electronic forensic device, forensic data from the network device using the interrogation script.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Examples disclosed herein are directed to techniques for automatically retrieving and processing forensic data from network devices connected to a communications network without requiring device-specific knowledge or training. A mobile forensic device includes and extensible forensic analysis tool that allows on-scene forensic investigators to quickly and automatically acquire data from network devices without device-specific knowledge. The extensible forensic analysis tool is designed for use on handheld mobile computers, enabling on-scene investigators to quickly and easily acquire forensic data from network devices in the field without losing volatile data or shutting down the network.

78 Citations

View as Search Results

34 Claims

1. A method executed by an electronic forensic device comprising:
- detecting, with the electronic forensic device, a network device connected to one of a home or small-office communications network;
  
  selecting an interrogation script for the detected network device; and
  
  retrieving, with the electronic forensic device, forensic data from the network device using the interrogation script.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16, 17, 18, 19, 20, 21, 22, 23, 24, 25, 26, 27, 28, 29)
- - 2. The method of claim 1, wherein detecting a network device connected to the communications network comprises monitoring data flow on the network.
  - 3. The method of claim 2, wherein monitoring data flow on the network comprises monitoring for a device through which data flows from a plurality of other devices on the network.
  - 4. The method of claim 2, wherein monitoring data flow on the network comprises monitoring Address Resolution Protocol (ARP) rebroadcasts on the network to identify one or more link-layer addresses associated to one-or-more network-layer addresses for one or more of the network device and the one or more non-network devices on the network.
  - 5. The method of claim 2, wherein monitoring data flow on the network comprises monitoring Universal Plug and Play (UPnP) broadcasts on the network from the network device.
  - 6. The method of claim 1, wherein detecting a network device connected to the communications network comprises transmitting one or more ARP requests over the network to identify one or more link-layer addresses associated to one-or-more network-layer addresses for one or more of the network device and one or more non-network devices on the network.
  - 7. The method of claim 1 further comprising identifying the network device.
  - 8. The method of claim 7, wherein identifying the network device comprises identifying one or more of a manufacturer and a model of the network device.
  - 9. The method of claim 7, wherein selecting the interrogation script for the detected network device comprises selecting the script based on the identification of the device.
  - 10. The method of claim 7, wherein identifying the network device comprises:
    - transmitting one or more messages over the communications network configured to illicit responses from one or more types of network devices; and
      
      receiving a response to the one or more messages from the network device.
  - 11. The method of claim 1, wherein retrieving the forensic data from the network device using the interrogation script comprises:
    - retrieving raw data from the network device using the interrogation script; and
      
      processing the raw data into the forensic data.
  - 12. The method of claim 11 further comprising presenting the raw data.
  - 13. The method of claim 1 further comprising presenting the detected network device.
  - 14. The method of claim 1 further comprising presenting the forensic data.
  - 15. The method of claim 1, wherein the network device comprises a network-layer device.
  - 16. The method of claim 1, wherein the network device comprises one of a router, firewall appliance, gateway appliance, virtual private network appliance, or wireless access point.
  - 17. The method of claim 1, wherein retrieving the forensic data from the network device using the interrogation script comprises:
    - the electronic forensic device automatically selecting, without selection input from an operator, at least one of a plurality of access methods via which and one or more locations on the network device from which to retrieve the forensic data; and
      
      communicating commands to the network device via the selected access methods to retrieve the forensic data.
  - 18. The method of claim 17, wherein the access methods include at least one of Telnet, Secure Shell (SSH), Hypertext Transfer Protocol (HTTP), and Hypertext Transfer Protocol Secure (HTTPS).
  - 19. The method of claim 1, wherein retrieving the forensic data from the network device using the interrogation script comprises transmitting authentication information to access the network device.
  - 20. The method of claim 19, wherein the authentication information comprises a username and password.
  - 21. The method of claim 19, wherein the interrogation script comprises default authentication credentials for the network device, and wherein transmitting authentication information to access the network device comprises transmitting the default authentication credentials.
  - 22. The method of claim 21, wherein the default authentication credentials comprise a username and password.
  - 23. The method of claim 1, further comprising:
    - receiving case information to define a new forensic data acquisition;
      
      creating a new forensic data acquisition based on the received information; and
      
      associating the new forensic data acquisition with a case.
  - 24. The method of claim 23, wherein the case information comprises at least one of a acquisition name, acquisition number, case number, case name, principle investigator, location to store retrieved data, and a time zone for date/time reporting.
  - 25. The method of claim 1, further comprising storing a copy of the forensic data originally retrieved from the network device.
  - 26. The method of claim 1, further comprising:
    - normalizing the forensic data to a common format; and
      
      storing the normalized forensic data.
  - 27. The method of claim 26, wherein normalizing the forensic data to a common format comprises at least one of converting timestamp data from a local time zone of the target computing device to a standard time zone, converting data having host names and IP addresses to all host names, converting data having host names and IP addresses to all IP addresses, and normalizing the clock of the network device to a reference.
  - 28. The method of claim 1, further comprising:
    - performing a cryptographic hash on the forensic data; and
      
      storing the resulting hash value.
  - 29. The method of claim 1, further comprising maintaining an audit log of the steps of detecting a network device connected to one of a home or small-office communications network, selecting an interrogation script for the detected network device, and retrieving forensic data from the network device using the interrogation script, and of the forensic data retrieved from the network device.

30. A forensic device configured to automatically retrieve and process forensic data from a plurality of network devices connected to one of a home or small-office communications network, the device comprising:
- an interrogation script storage database storing a plurality of different interrogation scripts, wherein each of the interrogation scripts conform to a common scripting language, and wherein each of the interrogation scripts corresponds to a different type of layer three network device;
  
  a device detection module configured to detect one or more network devices connected to the communications network;
  
  a device identification module configured to identify one or more of the detected network devices;
  
  a data acquisition module configured to automatically, and without user input, select a corresponding one of the interrogation scripts for each of the detected network devices based on its identity, retrieve raw data from each of the network devices using the interrogation script, and process the raw data retrieved from each of the network devices into forensic data; and
  
  a user interface module configured to present the forensic data to a user.
- View Dependent Claims (31)
- - 31. The forensic device of claim 30, wherein the common scripting language is one of Extensible Mark-up Language (XML), JavaScript, PHP, Perl, or VBScript.

32. A system comprising:
- a communications network;
  
  one or more network devices connected to the communications network;
  
  one or more non-network devices connected to the communications network; and
  
  a forensic device configured to connect to the communications network and detect the network devices, select an interrogation script for each of the detected network devices, and retrieve forensic data from each of the network devices using the respective interrogation scripts.

33. A computer-readable medium comprising instructions to cause a processor to:
- detect a network device connected to one of a home or small-office communications network;
  
  select an interrogation script for the detected network device; and
  
  retrieve forensic data from the network device using the interrogation script.

34. A forensic device comprising:
- means for detecting a network device connected to one of a home or small-office communications network;
  
  means for selecting an interrogation script for the detected network device; and
  
  means for retrieving forensic data from the network device using the interrogation script.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Architecture Technology Corporation
Original Assignee
Architecture Technology Corporation
Inventors
Tingstrom, Daniel, Adelstein, Frank, Powers, Judson, Bronner, Derek

Application Number

US12/503,763
Publication Number

US 20100299430A1
Time in Patent Office

Days
Field of Search
US Class Current

709/224
CPC Class Codes

H04L 12/2809   indicating that an applianc...

H04L 12/282   based on user interaction w...

H04L 63/08   for authentication of entit...

H04L 63/1416   Event detection, e.g. attac...

AUTOMATED ACQUISITION OF VOLATILE FORENSIC EVIDENCE FROM NETWORK DEVICES

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

78 Citations

34 Claims

Specification

Solutions

Use Cases

Quick Links

AUTOMATED ACQUISITION OF VOLATILE FORENSIC EVIDENCE FROM NETWORK DEVICES

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

78 Citations

34 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links