Remote collection of computer forensic evidence
First Claim
1. A method comprising:
receiving, with a forensic device coupled to a target computing device via a communication link, input from a remote user of a client device that identifies computer evidence to acquire from the target computing device;
acquiring the computer evidence from the target computing device with the forensic device without pre-loading acquisition software on the target computing device prior to acquiring the computer evidence;
storing the computer evidence on the forensic device; and
presenting a user interface for the forensic device through which the remote user views and analyzes, using the client device, the computer evidence acquired from the target computing device.
Abstract
The invention is directed to techniques for allowing a user to remotely interrogate a target computing device in order to collect and analyze computer evidence that may be stored on the target computing device. A forensic device receives input from a remote user that identifies computer evidence to acquire from the target computing device. The forensic device acquires the computer evidence from the target computing device and presents a user interface for the forensic device through which the remote user views the computer evidence acquired from the target computing device. In this manner, the forensic device allows the user to interrogate the target computing device to acquire the computer evidence without seizing or otherwise “shutting down” the target device.
95 Claims
1. A method comprising: (independent claim as given under First Claim above)
Dependent claims: 2-43, 49-70
44. A system comprising:
a target computing device;
a forensic device coupled to the target computing device via a customer network of the target computing device;
a client device; and
a user interface module to present a user interface for the forensic device that is remotely accessible by the client device, wherein the forensic device receives input via the user interface that identifies computer evidence to acquire from a target computing device and, in response, acquires the computer evidence from the target computing device without pre-loading acquisition software on the target computing device prior to acquiring the computer evidence, stores the computer evidence, and presents the computer evidence to the remote user for analysis via the user interface.
Dependent claims: 45-48, 71-73
74. An interrogation method to remotely acquire computer forensic evidence comprising:
receiving input from a remote user that identifies computer evidence to be acquired from a target computing device;
determining an order in which to perform acquisition operations to acquire the computer evidence from the target computing device with reduced impact on other data stored on the target computing device, wherein acquisition operations to acquire at least one of a log file and communication statistics occur in the order prior to any other acquisition operations; and
communicating commands to initiate the acquisition operations on the target computing device in accordance with the determined order without pre-loading acquisition software on the target computing device.
Dependent claims: 75-80
81. A forensic analysis device that is adapted to operate as an intermediate device between a target computing device and a client device associated with a remote forensic investigator, wherein the analysis device comprises an acquisition module to acquire state information from the target computing device without pre-loading acquisition software on the target computing device prior to acquiring the computer evidence and store the state information on the forensic device while the target device remains active.
85. A computer-readable medium comprising instructions that cause a processor to:
receive, with a forensic device coupled to a target computing device via a customer network of the target computing device, input from a remote user of a client device that identifies computer evidence to acquire from the target computing device;
acquire the computer evidence from the target computing device with the forensic device without pre-loading acquisition software on the target computing device prior to acquiring the computer evidence;
store the computer evidence on the forensic device; and
present a user interface for the forensic device through which the remote user views and analyzes, with the client device, the computer evidence acquired from the target computing device.
Dependent claims: 86-95