Method and apparatus for data evidence collection

US 5,351,287 A
Filed: 12/11/1992
Issued: 09/27/1994
Est. Priority Date: 12/11/1992
Status: Expired due to Term

First Claim

Patent Images

1. An apparatus for collecting evidence of unauthorized access to equipment connected to the telecommunications network from a telephone subscriber line suspected of being a possible source of calls resulting in unauthorized access, said apparatus comprising:

a high-impedance bridge coupled to the suspect telephone line for unobtrusively tapping all signals on the suspect telephone subscriber line;

a data monitor connected to said high-impedance bridge for receiving said signals and for converting said signals into a stream of characters;

a buffer memory,an analysis processor,a control processor connected to said data monitor for receiving said stream of characters and for routing said stream of characters to said buffer memory for capturing all data traffic on the suspect telephone line and to said analysis processor for finding a match between strings of data in said buffer memory and known data strings; and

a non-volatile memory into which said control processor writes all data from said buffer memory into a call record when said analysis processor finds a match between strings of data in said buffer memory and said known strings of data.

View all claims

10 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A dialed number recorder, a data monitor, and a personal computer are connected in combination to monitor the data traffic on a suspect "hacker'"'"'s" telephone line. At the beginning of a call, the dialed number recorder receives and interprets the DTMF signals detected on the line and translates the DTMF signals into the corresponding telephone number dialed. The data monitor receives all signals on the line and converts them into their corresponding characters and transmits these characters, to the personal computer where the characters are stored in a buffer in dynamic memory. The personal computer compares the received data stream against a set of known characters strings looking for a match. If an on-hook signal (indicating the end of the call) is received without a match, the data stored in dynamic memory thus far is erased. If any series of sequential characters matches one of the known strings, the buffered data is written to the computer'"'"'s disk. In addition, the personal computer collects the call record information from the dialed number recorder and appends this information to the data file.

98 Citations

View as Search Results

15 Claims

1. An apparatus for collecting evidence of unauthorized access to equipment connected to the telecommunications network from a telephone subscriber line suspected of being a possible source of calls resulting in unauthorized access, said apparatus comprising:
- a high-impedance bridge coupled to the suspect telephone line for unobtrusively tapping all signals on the suspect telephone subscriber line;
  
  a data monitor connected to said high-impedance bridge for receiving said signals and for converting said signals into a stream of characters;
  
  a buffer memory,an analysis processor,a control processor connected to said data monitor for receiving said stream of characters and for routing said stream of characters to said buffer memory for capturing all data traffic on the suspect telephone line and to said analysis processor for finding a match between strings of data in said buffer memory and known data strings; and
  
  a non-volatile memory into which said control processor writes all data from said buffer memory into a call record when said analysis processor finds a match between strings of data in said buffer memory and said known strings of data.
- View Dependent Claims (2, 3, 4, 5)
- - 2. The apparatus of claim 1 further comprising:
    - a dialed number recorder connected to said high impedance bridge for receiving DTMF signals and translating said DTMF signals into the dialed number.
  - 3. The apparatus of claim 1 further comprising:
    - means for digital time stamping said call record written to said non-volatile memory.
  - 4. The apparatus of claim 1 further comprisingmeans for encrypting said call record as it is written to said non-volatile memory.
  - 5. The apparatus of claim 1 wherein said non-volatile memory is a hard-disk drive.

6. A method for operating a data processing system for collecting evidence of unauthorized access to a host computer system from a telephone line suspected of being a possible source of calls resulting in unauthorized access, comprising the steps, executed in real time of:
- monitoring the telephone line for a signal indicating the beginning of a call;
  
  capturing in volatile memory all data traffic on the telephone line for said call;
  
  analyzing the data traffic for content that identifies said call as an unauthorized access to said host computer;
  
  writing to non-volatile memory a file containing said captured data traffic and all subsequent data traffic upon determination during said analyzing step that said call has accessed said host computer; and
  
  erasing from said volatile memory said captured data upon the detection of the end of the call occurring before identification of said call as an unauthorized access.
- View Dependent Claims (7, 8, 9, 10, 11, 12)
- - 7. The method of claim 6 further comprising the steps of;
    - detecting the number dialed on said subscriber line;
      
      recording said detected dialed number;
      
      recording the date and time of the call; and
      
      appending said dialed number information and said date and time of the call information to said file written in non-volatile memory.
  - 8. The method of claim 6 wherein said analyzing step comprises:
    - examining the data traffic for ascii character strings that match a known warning banner that is transmitted from said host computer upon access.
  - 9. The method of claim 6 wherein said analyzing step comprises:
    - examining all data traffic for character strings that match one of a known set of character strings that identify an address of any computer of the host computer systems.
  - 10. The method of claim 7 further comprising the step of time-stamping said file written in said non-volatile memory.
  - 11. The method of claim 7 further comprising the step of encrypting said file written in said non-volatile memory.
  - 12. The method of claim 8 further comprising the step of time-stamping said file written in said non-volatile memory.

13. A method of collecting evidence of unauthorized access from a potential intruder'"'"'s line to equipment connected to the telecommunication network comprising the steps, executed in real time, of:
- monitoring all signals appearing on the subscriber'"'"'s line on initiation and during a communication session established by the intruder;
  
  storing in a store said monitored signals and information identifying the communication session;
  
  responsive to said monitoring step comparing said monitored signals known to indentify equipment to which the intruder does not have legitimate access;
  
  detecting the end of a communication session; and
  
  deleting from the store the priorly stored information on detection of the end of a communication session before the identification of equipment to which the intruder does not have legitimate access.
- View Dependent Claims (14, 15)
- - 14. The method in accordance with claim 13 wherein said responsive step comprises comparing signals monitored in said monitoring step to a known warning banner that is returned from equipment upon access.
  - 15. The method in accordance with claim 13 wherein said responsive step comprises decoding any packet messages monitored in said monitoring step and comparing any packet addresses determined in said decoding step known packet addresses of equipment to which the intruder does not have legitimate access privileges.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Intellectual Ventures II LLC (Intellectual Ventures LLC)
Original Assignee
Bell Communications Research, Inc. (Telefonaktiebolaget LM Ericsson)
Inventors
Feustel, Timothy C., Bhattacharyya, Ranendra K., Kluepfel, Henry M.
Primary Examiner(s)
Dwyer, James L.
Assistant Examiner(s)
Hunter, Daniel S.

Application Number

US07/988,987
Time in Patent Office

655 Days
Field of Search

379/34, 379/35, 379/188, 379/189, 379/95, 379/93
US Class Current

379/93.02
CPC Class Codes

H04M 3/36 Statistical metering, e.g. ...

H04M 3/38 Graded-service arrangements...

Method and apparatus for data evidence collection

First Claim

10 Assignments

0 Petitions

Accused Products

Abstract

98 Citations

15 Claims

Specification

Solutions

Use Cases

Quick Links

Method and apparatus for data evidence collection

First Claim

10 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

98 Citations

15 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links