System and Method for Simultaneous Forensic, Acquisition, Examination and Analysis of a Computer Readable Medium at Wire Speed

US 20170213024A1
Filed: 07/22/2015
Published: 07/27/2017
Est. Priority Date: 07/24/2014
Status: Active Grant

First Claim

Patent Images

1. A system for simultaneous forensic acquisition and analysis of data from a target data repository, the system comprising:

a source agent in operative communication with the target data repository, said source agent being incapable of writing to the target data repository, said source agent being configured to read a portion of the target data repository;

an investigator computer having a processor configured to send at least one prioritised read command to said source agent to schedule a read of the target data repository based on a predetermined priority; and

a data sink configured to store at least a partial forensic image of the target data repository based on the data read by said source agent.

View all claims

2 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

The present invention relates to a system for simultaneous forensic acquisition and analysis of data from a target data repository. The system comprises a source agent in communication with the target data repository. The source agent is incapable of writing to the target data repository and is configured to read a portion of the target data repository. The system further comprises an investigator computer having a processor configured to send at least one prioritised read command to the source agent to schedule a read of the target data repository based on a predetermined priority. A data sink is configured to store at least a partial forensic image of the target data repository based on the data read by said source agent.

Citations

40 Claims

1. A system for simultaneous forensic acquisition and analysis of data from a target data repository, the system comprising:
- a source agent in operative communication with the target data repository, said source agent being incapable of writing to the target data repository, said source agent being configured to read a portion of the target data repository;
  
  an investigator computer having a processor configured to send at least one prioritised read command to said source agent to schedule a read of the target data repository based on a predetermined priority; and
  
  a data sink configured to store at least a partial forensic image of the target data repository based on the data read by said source agent.
- View Dependent Claims (2, 3, 4, 7, 9, 10, 14, 22, 24, 25)
- - 2. The system of claim 1, further comprising a sink agent in operative communication with each of said data sink, said processor, and said source agent, said processor being configured to send the prioritised read command to said sink agent prior to sending the evidence request to said source agent.
  - 3. The system of claim 1, further comprising a sink agent in operative communication with each of said data sink, said processor, and said source agent, said sink agent being configured to assemble the partial forensic image based on non-sequential data reads from the target data repository.
  - 4. The system of claim 1, wherein the prioritised read command is prioritised based on an amount of allocated memory in the target data repository.
  - 7. The system of claim 1, wherein the prioritised read command specifies the reading of data based on mime type or extension.
  - 9. The system of claim 1, wherein the prioritised read command specifies the reading of data based on based on file objects within a folder hierarchy.
  - 10. The system of claim 1, wherein the prioritised read command is prioritised based on a storage type associated with the target data repository.
  - 14. The system of claim 1, wherein the prioritised read command is prioritised based on an address of data blocks being read.
  - 22. The system of claim 1, wherein said data sink forms part of a remote computer separate from said investigator computer and the target data repository.
  - 24. The system of claim 1, wherein the prioritised read command includes a priority tag and a read command.
  - 25. The system of claim 24, wherein the priority tag is configurable for more than one level.

5-6. -6. (canceled)

8. (canceled)

11-13. -13. (canceled)

15-21. -21. (canceled)

23. (canceled)

26. A method for forensically analysing data during a data acquisition from a target data repository, the method comprising:
- reading data, with a source agent, from the target data repository to a data sink to assemble a partial forensic image of the target data repository;
  
  submitting at least one prioritised read command to the source agent, the prioritised read command including a read command that is prioritised based on a pre-configured priority;
  
  scheduling, with the source agent, a data read from the target data repository based on the prioritised read command;
  
  reading data, with the source agent, from the target data repository based on the prioritised read command to the data sink; and
  
  permitting analysis of the data procured by the prioritised read command while further data is read from the target data repository.
- View Dependent Claims (27, 29, 30, 31, 33, 36)
- - 27. The method of claim 26, wherein the data is read non-sequentially from the target data repository to the data sink.
  - 29. The method of claim 26, wherein the read command is prioritised based on an amount of allocated memory in the target data repository.
  - 30. The method of claim 26, wherein the read command specifies a block range.
  - 31. The method of claim 26, wherein the read command specifies a file subset.
  - 33. The method of claim 26, wherein the read command is prioritised based on a storage type associated with the target data repository.
  - 36. The method of claim 26, wherein the read command is prioritised based on block address for a target data repository having a spinning disk hard drive.

28. (canceled)

32. (canceled)

34-35. -35. (canceled)

37. (canceled)

38. A method for forensically analysing data during a data acquisition from a target data repository, the method comprising:
- reading data, with a source agent, from the target data repository to a data sink to assemble a partial forensic image of the target data repository;
  
  submitting at least one prioritised read command to a sink agent operatively connected to the data sink, the prioritised read command specifying a subset of data thought to be contained in the target data repository; and
  
  reading, with the sink agent, the subset of data from the data sink if the requested subset of data is in the data sink, otherwise forwarding the prioritised read command to the source agent to obtain the requested subset of data.
- View Dependent Claims (39)
- - 39. The method of claim 38, wherein the data is read non-sequentially from the target data repository to the data sink.

40-41. -41. (canceled)

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Hemicordulia Australiae Capital LLC
Original Assignee
Schatz Forensic Pty Limited
Inventors
Schatz, Bradley

Granted Patent

US 10,354,062 B2
Time in Patent Office

Days
Field of Search
US Class Current
CPC Class Codes

G06F 21/00   Security arrangements for p...

G06F 21/50   Monitoring users, programs ...

G06F 21/645   using a third party

G06F 2221/034   Test or assess a computer o...

G06Q 50/18   Legal services

G06Q 50/26   Government or public servic...

System and Method for Simultaneous Forensic, Acquisition, Examination and Analysis of a Computer Readable Medium at Wire Speed

First Claim

2 Assignments

0 Petitions

Accused Products

Abstract

Citations

40 Claims

Specification

Solutions

Use Cases

Quick Links

System and Method for Simultaneous Forensic, Acquisition, Examination and Analysis of a Computer Readable Medium at Wire Speed

First Claim

2 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

40 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links