DIGITAL FORENSIC ACQUISITION KIT AND METHODS OF USE THEREOF

US 20110191533A1
Filed: 02/02/2011
Published: 08/04/2011
Est. Priority Date: 02/02/2010
Status: Active Grant

First Claim

Patent Images

1. An electronic forensics tool comprising:

(a) a physical portable memory device, wherein said physical portable memory device is capable of connecting to a target device;

(b) a forensic acquisition script, wherein said forensic acquisition script is able to load onto said target device and analyze hardware and software configurations of said target device and copy physical memory from the target device to the physical portable memory device.

View all claims

2 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Disclosed are compositions, methods, and kits, for issuing and conducting automated imaging and preservation for obtaining digital forensic data from active (i.e., powered-on) and non-active (i.e., powered-off) computer systems. In certain embodiments, the invention further encompasses providing a customer base a preliminary report of data. In other embodiments, the invention encompasses the option to receive a virtual machine file set of the acquired information for additional viewing and examination by the customer. The invention further encompasses methods and systems for implementing the embodiments of the invention. The invention also encompasses methods, apparatuses, and systems for secure forensic investigation of a target machine.

37 Citations

View as Search Results

24 Claims

1. An electronic forensics tool comprising:
- (a) a physical portable memory device, wherein said physical portable memory device is capable of connecting to a target device;
  
  (b) a forensic acquisition script, wherein said forensic acquisition script is able to load onto said target device and analyze hardware and software configurations of said target device and copy physical memory from the target device to the physical portable memory device.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12)
- - 2. The electronic forensics tool of claim 1, wherein the physical portable memory device comprises one or more external USB Hard Drive or other external media to be connected and/or inserted to execute a data collection process.
  - 3. The electronic forensics tool of claim 1, wherein the forensic acquisition script is an autorun forensic acquisition script comprising pre-loaded software, which will automate the collection, and at the interface level of this software no user input is required, making for a fully autonomous forensic data capture.
  - 4. The electronic forensics tool of claim 1, wherein the physical portable memory device comprises a varying capacity external hard drive.
  - 5. The electronic forensics tool of claim 1, wherein the forensic acquisition script examines said target device in read-only mode.
  - 6. The electronic forensics tool of claim 1, wherein the forensic acquisition script examines data in the target device in read-only mode, wherein data is stored only in random access memory, without creating evidence of forensic activity on said target device.
  - 7. The electronic forensics tool of claim 1, wherein the forensic acquisition script calculates digital signatures, message digests or hash values of available data storage devices in said target device to verify that no modifications are made to the devices.
  - 8. The electronic forensics tool of claim 1, wherein the forensic acquisition script documents and logs information about said target device and documents and logs activity of said client program.
  - 9. The electronic forensics tool of claim 1, wherein said client program documents and logs information about said target device and documents and logs activity of said client program for authentication, and wherein said log is digitally encrypted, signed and stored.
  - 10. The electronic forensics tool of claim 1, wherein examination results are displayed in limited examination result form, which comprise one or more of:
    - data existence, numbers of keywords match, and one or more file attributes.
  - 11. The electronic forensics tool of claim 10, wherein said limited examination result form further comprises one or more of keyword searching, keyword searching with context, data filtering, binary file signature searching, keyword searching through archives such as compressed or zipped files, keyword searching through encrypted or password protected files, physical keyword searching, Internet usage history parsing, searching by relevance, de-duping data, excluding data searches based on presence of data in one or more search databases;
    - and including searches based on presence of data in one or more search databases.
  - 12. The electronic forensic tool of claim 1, further comprising an encrypted copy of entire data storage device of said target device or make an encrypted copy of data identified by said examination or command-block enabled examination of said target device.

13. A method of obtaining forensic data from a target computer comprising:
- a. connecting a physical portable memory device to a target device; and
  
  b. running a forensic acquisition script, wherein said forensic acquisition script is able to load onto said target device and analyze hardware and software configurations of said target device and copy physical memory from the target device to the physical portable memory device
- View Dependent Claims (14, 15, 16, 17, 18, 19, 20, 21, 22, 23, 24)
- - 14. The method of claim 13, wherein the physical portable memory device comprises one or more external USB Hard Drive or other external media to be connected and/or inserted to execute a data collection process.
  - 15. The method of claim 13, wherein the autorun forensic acquisition script comprises pre-loaded software, which will automate the collection, and at the interface level of this software no user input is required, making for a fully autonomous forensic data capture.
  - 16. The method of claim 13, wherein the physical portable memory device comprises a varying capacity external hard drive.
  - 17. The method of claim 13, wherein the forensic acquisition script examines said target device in read-only mode.
  - 18. The method of claim 13, wherein the forensic acquisition script examines data in the target device in read-only mode, wherein data is stored only in random access memory, without creating evidence of forensic activity on said target device,
  - 19. The method of claim 13, wherein the forensic acquisition script calculates digital signatures, message digests or hash values of available data storage devices in said target device to verify that no modifications are made of said devices.
  - 20. The method of claim 13, wherein the forensic acquisition script documents and logs information about said target device and documents and logs activity of said client program.
  - 21. The method of claim 13, wherein said client program documents and logs information about said target device and documents and logs activity of said client program for authentication, and wherein said log is digitally encrypted, signed and stored.
  - 22. The method of claim 13, wherein examination results are displayed in limited examination result comprise one or more of:
    - data existence, numbers of keywords match, and one or more file attributes.
  - 23. The method of claim 22, wherein said limited examination further comprises one or more of keyword searching, keyword searching with context, data filtering, binary file signature searching, keyword searching through archives such as compressed or zipped files, keyword searching through encrypted or password protected files, physical keyword searching, Internet usage history parsing, searching by relevance, de-duping data, excluding data searches based on presence of data in one or more search databases;
    - and including searches based on presence of data in one or more search databases.
  - 24. The method of claim 13, further comprising an encrypted copy of entire data storage device of said target device or make an encrypted copy of data identified by said examination or command-block enabled examination of said target device.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Cylance Inc. (Blackberry Limited)
Original Assignee
Legal Digital Services LLC
Inventors
COULTER, Chris

Granted Patent

US 8,656,095 B2
Time in Patent Office

Days
Field of Search
US Class Current

711/112
CPC Class Codes

G06F 16/13   File access structures, e.g...

G06F 21/554   involving event detection a...

G06F 21/575   Secure boot

G06F 21/64   Protecting data integrity, ...

G06Q 10/00   Administration; Management

DIGITAL FORENSIC ACQUISITION KIT AND METHODS OF USE THEREOF

First Claim

2 Assignments

0 Petitions

Accused Products

Abstract

37 Citations

24 Claims

Specification

Solutions

Use Cases

Quick Links

DIGITAL FORENSIC ACQUISITION KIT AND METHODS OF USE THEREOF

First Claim

2 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

37 Citations

24 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links