Method and apparatus for data evidence collection
First Claim
1. An apparatus for collecting evidence of unauthorized access to equipment connected to the telecommunications network from a telephone subscriber line suspected of being a possible source of calls resulting in unauthorized access, said apparatus comprising:
- a high-impedance bridge coupled to the suspect telephone line for unobtrusively tapping all signals on the suspect telephone subscriber line;
- a data monitor connected to said high-impedance bridge for receiving said signals and for converting said signals into a stream of characters;
- a buffer memory, an analysis processor, a control processor connected to said data monitor for receiving said stream of characters and for routing said stream of characters to said buffer memory for capturing all data traffic on the suspect telephone line and to said analysis processor for finding a match between strings of data in said buffer memory and known data strings; and
- a non-volatile memory into which said control processor writes all data from said buffer memory into a call record when said analysis processor finds a match between strings of data in said buffer memory and said known strings of data.
Abstract
A dialed number recorder, a data monitor, and a personal computer are connected in combination to monitor the data traffic on a suspect "hacker's" telephone line. At the beginning of a call, the dialed number recorder receives and interprets the DTMF signals detected on the line and translates the DTMF signals into the corresponding telephone number dialed. The data monitor receives all signals on the line, converts them into their corresponding characters, and transmits these characters to the personal computer, where the characters are stored in a buffer in dynamic memory. The personal computer compares the received data stream against a set of known character strings, looking for a match. If an on-hook signal (indicating the end of the call) is received without a match, the data stored in dynamic memory thus far is erased. If any series of sequential characters matches one of the known strings, the buffered data is written to the computer's disk. In addition, the personal computer collects the call record information from the dialed number recorder and appends this information to the data file.
15 Claims
1. An apparatus for collecting evidence of unauthorized access to equipment connected to the telecommunications network from a telephone subscriber line suspected of being a possible source of calls resulting in unauthorized access, said apparatus comprising:

- a high-impedance bridge coupled to the suspect telephone line for unobtrusively tapping all signals on the suspect telephone subscriber line;
- a data monitor connected to said high-impedance bridge for receiving said signals and for converting said signals into a stream of characters;
- a buffer memory, an analysis processor, a control processor connected to said data monitor for receiving said stream of characters and for routing said stream of characters to said buffer memory for capturing all data traffic on the suspect telephone line and to said analysis processor for finding a match between strings of data in said buffer memory and known data strings; and
- a non-volatile memory into which said control processor writes all data from said buffer memory into a call record when said analysis processor finds a match between strings of data in said buffer memory and said known strings of data.

(Dependent claims: 2, 3, 4, 5)

6. A method for operating a data processing system for collecting evidence of unauthorized access to a host computer system from a telephone line suspected of being a possible source of calls resulting in unauthorized access, comprising the steps, executed in real time, of:

- monitoring the telephone line for a signal indicating the beginning of a call;
- capturing in volatile memory all data traffic on the telephone line for said call;
- analyzing the data traffic for content that identifies said call as an unauthorized access to said host computer;
- writing to non-volatile memory a file containing said captured data traffic and all subsequent data traffic upon determination during said analyzing step that said call has accessed said host computer; and
- erasing from said volatile memory said captured data upon the detection of the end of the call occurring before identification of said call as an unauthorized access.

(Dependent claims: 7, 8, 9, 10, 11, 12)

13. A method of collecting evidence of unauthorized access from a potential intruder's line to equipment connected to the telecommunication network comprising the steps, executed in real time, of:

- monitoring all signals appearing on the subscriber's line on initiation and during a communication session established by the intruder;
- storing in a store said monitored signals and information identifying the communication session;
- responsive to said monitoring step comparing said monitored signals known to identify equipment to which the intruder does not have legitimate access;
- detecting the end of a communication session; and
- deleting from the store the priorly stored information on detection of the end of a communication session before the identification of equipment to which the intruder does not have legitimate access.

(Dependent claims: 14, 15)
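The buffer-then-commit logic that the abstract and independent claims 1, 6 and 13 describe (capture every call into volatile memory, compare the character stream against known strings, write the whole call plus everything after it to non-volatile storage on a match, erase on on-hook without a match) can be simulated as a small state machine. The following is an added illustration written for this page, not code from the patent or from any product; the event format, the `EvidenceCollector` class, the known strings, the dialed digits and the captured session bytes are all constructed here. The DTMF tone-pair table is the standard keypad assignment, which stands in for the dialed number recorder's translation step.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Standard DTMF keypad: (low tone Hz, high tone Hz) -> digit.  This is the
# translation the dialed number recorder performs at the start of a call.
DTMF = {
    (697, 1209): "1", (697, 1336): "2", (697, 1477): "3",
    (770, 1209): "4", (770, 1336): "5", (770, 1477): "6",
    (852, 1209): "7", (852, 1336): "8", (852, 1477): "9",
    (941, 1209): "*", (941, 1336): "0", (941, 1477): "#",
}


def decode_dtmf(tones: List[Tuple[int, int]]) -> str:
    """Translate a sequence of detected tone pairs into the dialed number."""
    return "".join(DTMF[pair] for pair in tones)


@dataclass
class CallRecord:
    """One entry in non-volatile storage: call information plus captured data."""
    dialed_number: str
    matched_string: bytes
    data: bytes


class EvidenceCollector:
    """Hypothetical per-call monitor (constructed for this example).

    One call is tracked at a time.  Until a known string is seen, all
    characters sit in a volatile buffer; on a match the buffer and every later
    chunk are written to `store`; on on-hook without a match the buffer is
    discarded.
    """

    def __init__(self, known_strings: List[str], store: List[CallRecord]):
        self.known = [k.encode() for k in known_strings]
        self.longest = max(len(k) for k in self.known)
        self.store = store            # stands in for the disk / non-volatile memory
        self._reset()

    def _reset(self) -> None:
        self.buffer = bytearray()     # volatile per-call buffer
        self.dialed: Optional[str] = None
        self.committed: Optional[CallRecord] = None

    def begin_call(self, tones: List[Tuple[int, int]]) -> None:
        """Off-hook plus dialing: start a fresh buffer and record the number."""
        self._reset()
        self.dialed = decode_dtmf(tones)

    def on_data(self, chunk: bytes) -> None:
        """Characters from the data monitor, delivered in arbitrary chunks."""
        if self.dialed is None:
            return                    # no call in progress; nothing to capture
        if self.committed is not None:
            self.committed.data += chunk   # already matched: everything goes to disk
            return
        self.buffer += chunk
        # A new match must end inside this chunk, so only the tail of the
        # buffer (chunk plus longest-1 preceding bytes) needs to be scanned.
        # This also catches a known string split across two chunks.
        window = self.buffer[-(len(chunk) + self.longest - 1):]
        for k in self.known:
            if k in window:
                self.committed = CallRecord(self.dialed, k, bytes(self.buffer))
                self.store.append(self.committed)
                self.buffer = bytearray()
                return

    def end_call(self) -> bool:
        """On-hook.  Returns True if the call was written to the store."""
        kept = self.committed is not None
        self._reset()                 # erases the volatile buffer either way
        return kept


def process_events(events, known_strings: List[str]) -> List[CallRecord]:
    """Feed a sequence of ('offhook', tones) / ('data', bytes) / ('onhook',) events."""
    store: List[CallRecord] = []
    collector = EvidenceCollector(known_strings, store)
    for event in events:
        if event[0] == "offhook":
            collector.begin_call(event[1])
        elif event[0] == "data":
            collector.on_data(event[1])
        elif event[0] == "onhook":
            collector.end_call()
    return store


def demo() -> List[CallRecord]:
    """Two constructed calls: one reaches a monitored host, one does not."""
    dial_5551234 = [(770, 1336), (770, 1336), (770, 1336),
                    (697, 1209), (697, 1336), (697, 1477), (770, 1209)]
    events = [
        ("offhook", dial_5551234),
        ("data", b"CONNECT 1200\r\nWelcome to ACME VAX\r\nlog"),
        ("data", b"in: guest\r\npassword: ****\r\n"),   # "login:" spans the chunk boundary
        ("data", b"MOTD: system maintenance tonight\r\n"),
        ("onhook",),
        ("offhook", [(941, 1336), (941, 1336)]),            # dialed "00"
        ("data", b"CONNECT 1200\r\nNO CARRIER\r\n"),       # no known string: erased
        ("onhook",),
    ]
    return process_events(events, known_strings=["login:", "Username:"])
```

Only the first call produces a record: its stored data begins with the bytes captured before the match (`CONNECT 1200 ...`) and continues with everything received after it, with the dialed number attached as the call record. The second call ends on-hook without a match and leaves nothing behind, which is the retention behaviour the claims describe.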
Specification