Remote collection of computer forensic evidence

US 7,496,959 B2
Filed: 06/23/2003
Issued: 02/24/2009
Est. Priority Date: 06/23/2003
Status: Active Grant

First Claim

Patent Images

1. A method comprising:

receiving, with a forensic device coupled to a target computing device via a communication link, input from a remote user of a client device that identifies computer evidence to acquire from the target computing device;

acquiring the computer evidence from the target computing device with the forensic device without pre-loading acquisition software on the target computing device prior to acquiring the computer evidence;

storing the computer evidence on the forensic device; and

presenting a user interface for the forensic device through which the remote user views and analyzes, using the client device, the computer evidence acquired from the target computing device.

View all claims

9 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

The invention is directed to techniques for allowing a user to remotely interrogate a target computing device in order to collect and analyze computer evidence that may be stored on the target computing device. A forensic device receives input from a remote user that identifies computer evidence to acquire from the target computing device. The forensic device acquires the computer evidence from the target computing device and presents a user interface for the forensic device through which the remote user views the computer evidence acquired from the target computing device. In this manner, forensic device allows the user to interrogate the target computing device to acquire the computer evidence without seizing or otherwise “shutting down” the target device.

Citations

95 Claims

1. A method comprising:
- receiving, with a forensic device coupled to a target computing device via a communication link, input from a remote user of a client device that identifies computer evidence to acquire from the target computing device;
  
  acquiring the computer evidence from the target computing device with the forensic device without pre-loading acquisition software on the target computing device prior to acquiring the computer evidence;
  
  storing the computer evidence on the forensic device; and
  
  presenting a user interface for the forensic device through which the remote user views and analyzes, using the client device, the computer evidence acquired from the target computing device.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16, 17, 18, 19, 20, 21, 22, 23, 24, 25, 26, 27, 28, 29, 30, 31, 32, 33, 34, 35, 36, 37, 38, 39, 40, 41, 42, 43, 49, 50, 51, 52, 53, 54, 55, 56, 57, 58, 59, 60, 61, 62, 63, 64, 65, 66, 67, 68, 69, 70)
- - 2. The method of claim 1, wherein presenting the user interface for the forensic device through which the remote user views and analyzes the computer evidence acquired from the target computing device comprises presenting the user interface for the forensic device through which the remote user views and analyzes the computer evidence acquired from the target computing device on-line.
  - 3. The method of claim 1, further comprising acquiring additional computer evidence while the remote user views and analyzes the previously acquired computer evidence.
  - 4. The method of claim 1, wherein acquiring the computer evidence from the target computing device comprises acquiring the computer evidence from the target computing device while the target computing device is active.
  - 5. The method of claim 1, further comprising receiving input from the remote user instructing the forensic device to analyze the computer evidence.
  - 6. The method of claim 1, wherein acquiring the computer evidence from the target computing device comprises acquiring state information from the target computing device that includes at least one of running process information and open network ports with associated processes.
  - 7. The method of claim 1, wherein receiving input from the remote user that identifies computer evidence to acquire comprises receiving input from the remote user that identifies at least one acquisition operation to perform, and further wherein acquiring the computer evidence from the target computing device comprises performing the acquisition operation to acquire the computer evidence.
  - 8. The method of claim 7, wherein performing the acquisition operation comprises communicating commands associated with the acquisition operation to the target computing device to acquire corresponding computer evidence.
  - 9. The method of claim 8, further comprising:
    - automatically selecting at least one of a plurality of access methods via which to perform the acquisition operation based on the target computing device and the type of computer evidence to acquire; and
      
      communicating commands associated with the acquisition operation to the target computing device via the selected acquisition methods.
  - 10. The method of claim 9, wherein the access methods include at least one of Windows Management Instrumentation (WMI), Server Message Block (SMB), Secure Shell (SSH), Remote Shell (RSH), Network File System (NFS), Apple Filing Protocol (AFP), File Transfer Protocol (FTP), and Hypertext Transfer Protocol (HTTP).
  - 11. The method of claim 7, wherein the remote user identifies a plurality of the acquisition operations to perform, and wherein acquiring the evidence comprises performing the acquisition operations in an order that reduces the impact on other data stored on the target computing device.
  - 12. The method of claim 11, further comprising performing a subset of the acquisition operations to acquire at least one of an log file and communication statistics prior to performing the other acquisition operations.
  - 13. The method of claim 12, further comprising performing the acquisition operation to acquire the communication statistics after performing the acquisition operation to acquire the log file.
  - 14. The method of claim 12, further comprising performing the acquisition operation to acquire the log file after performing the acquisition operation to acquire the communication statistics.
  - 15. The method of claim 12, further comprising performing an acquisition operation to acquire general system information from the target computing device after performing the subset of the acquisition operations to acquire the at least one of the log file and communication statistics prior to any other acquisition operations.
  - 16. The method of claim 12, wherein the log file comprises one of a system event log, an application event log, and a security event log, web server log file, Unix SYSLOG file, a mail log file, an accounting log file, and a router flow log file.
  - 17. The method of claim 12, wherein the communications statistics comprises one of Ethernet statistics and network protocol statistics.
  - 18. The method of claim 12, further comprising determining an order in which to perform acquisition operations.
  - 19. The method of claim 1, further comprising receiving authentication information from the user to verify the identity of the user.
  - 20. The method of claim 19, wherein the authentication information comprises one of a digital certificate or a username and password.
  - 21. The method of claim 1, further comprising:
    - receiving case information and target device information from a user to define a new inquiry;
      
      creating a new inquiry based on the received information; and
      
      associating the new inquiry with a case.
  - 22. The method of claim 21, wherein the case information comprises at least one of a case number, case name, principle investigator, location to store the collected data, and a time zone for date/time reporting.
  - 23. The method of claim 21, wherein the target computing device information includes at least one of a target computing device host name, IP address, operating system, access methods and password.
  - 24. The method of claim 1, further comprising storing a copy of the computer evidence originally acquired from the target computing device.
  - 25. The method of claim 1, further comprising:
    - normalizing the acquired computer evidence to a common format; and
      
      storing the normalized computer evidence.
  - 26. The method of claim 25, wherein normalizing the acquired computer evidence to a common format comprises at least one of converting timestamp data from a local time zone of the target computing device to a standard time zone, converting data having host names and IP addresses to all host names, converting data having host names and IP addresses to all IP addresses, and normalizing the clock of the target computing device to that of the forensic device.
  - 27. The method of claim 1, further comprising:
    - performing a cryptographic hash on the computer evidence; and
      
      storing the resulting hash value.
  - 28. The method of claim 1, further comprising maintaining an audit log of transactions performed by the forensic device.
  - 29. The method of claim 28, wherein maintaining the audit log comprises at least one of tracking computer evidence downloaded from the target computing device, browsing of the computer evidence by the remote user, and analyses performed on the computer evidence, and wherein the audit log comprises a timestamp corresponding to each transaction, an investigator identifier corresponding to the investigator performing each transaction, and a description of each transaction.
  - 30. The method of claim 1, wherein the computer evidence comprises at least one log file, the method further comprising:
    - receiving input from the user to analyze the log file for tampering;
      
      analyzing the log file to detect log file tampering; and
      
      displaying to the user the results of the analysis.
  - 31. The method of claim 30, wherein analyzing the log file to detect log file tampering comprises determining whether the entries in the log file are in ascending order.
  - 32. The method of claim 30, wherein analyzing the log file to detect log file tampering comprises:
    - computing time gaps between entries of the log file;
      
      identifying anomalous time gaps; and
      
      displaying to the user the identified anomalous gaps.
  - 33. The method of claim 30, wherein analyzing the log file to detect log file tampering comprises:
    - computing time gaps between entries of the log file;
      
      generating a graphical representation of the time gaps; and
      
      displaying the graphical representation to the user.
  - 34. The method of claim 30, wherein analyzing the log file to detect log file tampering comprises:
    - receiving input that identifies a periodic event;
      
      detecting an absent periodic event within the log file; and
      
      alerting the user of the absent periodic events.
  - 35. The method of claim 34, wherein receiving input that identifies the periodic event comprises:
    - receiving input that identifies a period of the periodic event; and
      
      receiving input that identifies an identifier associated with the periodic event.
  - 36. The method of claim 35, wherein detecting absent periodic events within the log file comprises:
    - searching for the log file for the periodic event identifier;
      
      computing the amount of time that elapsed between each of the periodic event identifiers; and
      
      comparing the period of the event with the computed elapsed times to detect absent periodic events.
  - 37. The method of claim 34, wherein identifying the periodic event comprises receiving input from the user identifying the periodic event.
  - 38. The method of claim 1, wherein acquiring the computer evidence from the target computing device comprises acquiring an image of at least one of a disk attached to the target computing device and a memory of the target computing device, and further comprising examining the acquired image to identify at least one of files, process or operating system data structures, boot information, deleted files or directories, and data hidden in unallocated space.
  - 39. The method of claim 1, wherein the communication link comprises a customer network of the target computing device.
  - 40. The method of claim 1, wherein the client device is coupled to the forensic device via one of a public network, a customer network of the target computing device, a phone line, a universal serial bus (USB), a wireless port, a serial port, a parallel port and an infrared link.
  - 41. The method of claim 1, wherein the target computing device comprises one of a personal computer, a handheld computer, a laptop, a workstation, a router, a gateway device, a firewall device, a web server, a file server, a database server, a mail server, a print server, a network-enabled personal digital assistant, and a network-enabled phone.
  - 42. The method of claim 1, wherein acquiring the computer evidence from the target computing device comprises acquiring the computer evidence from the target computing device without the target computing device being shut down.
  - 43. The method of claim 1, further comprising obtaining an image of a memory of the target computing device.
  - 49. The system of claim 43, wherein the forensic device receives input from the remote user that identifies at least one acquisition operation to perform, automatically selects at least one of a plurality of access methods via which to perform the acquisition operation based on the target computing device and type of computer evidence to acquire, and communicates commands associated with the acquisition operation to the target computing device to acquire corresponding computer evidence via the selected acquisition methods.
  - 50. The system of claim 49, wherein the access methods include at least one of Windows Management Instrumentation (WMI), Server Message Block (SMB), Secure Shell (SSH), Remote Shell (RSH), Network File System (NFS), Apple Filing Protocol (AFP), File Transfer Protocol (FTP), and Hypertext Transfer Protocol (HTTP).
  - 51. The system of claim 43, wherein the remote user identifies a plurality of acquisition operations to perform and the forensic device performs the acquisition operations in an order that reduces the impact on other data stored on the target computing device.
  - 52. The system of claim 51, wherein the forensic device performs the acquisition operations to acquire at least one of a log file and communication statistics prior to any other acquisition operations.
  - 53. The system of claim 52, wherein the forensic device performs an acquisition operation to acquire general system information from the target computing device after performing the acquisition operations to acquire the at least one of the log file and communication statistics prior to any other acquisition operations.
  - 54. The system of claim 52, wherein the log file comprises one of a system event log, an application event log, a security event log, web server log file, Unix SYSLOG file, a mail log file, an accounting log file, and a router flow log file.
  - 55. The system of claim 52, wherein the communications statistics comprises one of Ethernet statistics and network protocol statistics.
  - 56. The system of claim 43, wherein the forensic device receives authentication information from the user to verify the identity of the user, the authentication information comprising one of a digital certificate or a username and password.
  - 57. The system of claim 43, wherein the forensic device receives case information and target device information from a user to define a new inquiry, creates a new inquiry based on the received information, and associates the new inquiry with a case.
  - 58. The system of claim 57, wherein the case information comprises at least one of a case number, case name, principle investigator, location to store the collected data, and a time zone for date/time reporting.
  - 59. The system of claim 57, wherein the target computing device information includes at least one of a target computing device host name, IP address, operating system, access methods and password.
  - 60. The system of claim 53, wherein the forensic device stores a copy of the computer evidence originally acquired from the target computing device, normalizes the acquired computer evidence to a common format, stores the normalized computer evidence, performs a cryptographic hash on the computer evidence, and stores the resulting hash value.
  - 61. The system of claim 43, wherein the forensic device maintains an audit log of transactions to track at least one of computer evidence downloaded from the target computing device, browsing of the computer evidence by the remote user, and analyses performed on the computer evidence, and wherein the audit log comprises a timestamp corresponding to each transaction, an investigator identifier corresponding to the investigator performing each transaction, and a description of each transaction.
  - 62. The system of claim 53, wherein the computer evidence comprises at least one log file, and wherein the forensic device analyzes the log file to detect log file tampering and displays to the user the results of the analysis.
  - 63. The system of claim 62, wherein the forensic device determines whether the entries in the log file are in ascending order.
  - 64. The system of claim 62, wherein the forensic device computes time gaps between entries of the log file, identifies anomalous time gaps, and displays to the user the identified anomalous gaps.
  - 65. The system of claim 62, wherein the forensic device computes time gaps between entries of the log file, generates a graphical representation of the time gaps, and displays the graphical representation to the user.
  - 66. The system of claim 62, wherein the forensic device receives input identifying a period and an identifier associated with a periodic event, searches the log file for the periodic event identifier, computes the amount of time that elapsed between each of the periodic event identifiers, and compares the period of the event with the computed elapsed times to detect an absent periodic event, and alerts the user of the absent periodic event.
  - 67. The system of claim 43, wherein the forensic device acquires an image of at least one of a disk attached to the target computing device and a memory of the target computing device and examines the acquired image to identify at least one of files, process or operating system data structures, boot information, deleted files or directories, end data hidden in unallocated space.
  - 68. The system of claim 43, wherein the target computing device comprises one of a personal computer, a handheld computer, a laptop, a workstation, a router, a gateway device, a firewall device, a web server, a file server, a database server, a mail server, a print server, a network-enabled personal digital assistant, and a network-enabled phone.
  - 69. The system of claim 43, wherein the forensic device is coupled to a same local subnet as the target computing device.
  - 70. The system of claim 43, wherein the client device is coupled to the forensic device via one of a public network, a customer network of the target computing device, a phone line, a universal serial bus (USB), a wireless port, a serial port, a parallel port and an infrared link.

44. A system comprising:
- a target computing device;
  
  a forensic device coupled to the target computing device via a customer network of the target computing device;
  
  a client device; and
  
  a user interface module to present a user interface for the forensic device that is remotely accessible by the client device, wherein the forensic device receives input via the user interface that identifies computer evidence to acquire from a target computing device and, in response, acquires the computer evidence from the target computing device without pre-loading acquisition software on the target computing device prior to acquiring the computer evidence, stores the computer evidence, and presents the computer evidence to the remote user for analysis via the user interface.
- View Dependent Claims (45, 46, 47, 48, 71, 72, 73)
- - 45. The system of claim 44, wherein the forensic device presents the user interface to the remote user to allow the remote user to view and analyze the data on-line.
  - 46. The system of claim 44, wherein the forensic device acquires additional computer evidence from the target computing device while the remote user views and analyzes the previously acquired computer evidence.
  - 47. The system of claim 44, wherein the forensic device acquires the computer evidence from the target computing device while the target computing device is active.
  - 48. The system of claim 44, wherein the forensic device acquires state information from the target computing device.
  - 71. The system of claim 44,wherein the client device is positioned remote from both the forensic device and the target computing device, andwherein the client device is coupled to the forensic device by at least one intermediate network.
  - 72. The system of claim 44, wherein the forensic device acquires the computer evidence from the target computing device without the target computing device being shut down.
  - 73. The system of claim 44, wherein the forensic device obtains an image of a memory of the target computing device.

74. An interrogation method to remotely acquire computer forensic evidence comprising:
- receiving input from a remote user that identifies computer evidence to be acquired from a target computing device;
  
  determining an order in which to perform acquisition operations to acquire the computer evidence from the target computing device with reduced impact on other data stored on the target computing device, wherein acquisition operations to acquire at least one of an log file and communication statistics occur in the order prior to any other acquisition operations; and
  
  communicating commands to initiate the acquisition operations on the target computing device in accordance with the determined order without pre-loading acquisition software on the target computing device.
- View Dependent Claims (75, 76, 77, 78, 79, 80)
- - 75. The interrogation method of claim 74, wherein communicating commands associated with the acquisition operations to the target computing device comprises:
    - communicating commands associated with an acquisition operation to acquire at least one log file to the target computing device; and
      
      communicating commands associated with an acquisition operation to acquire at least one set of communication statistics to the target computing device after the commands associated with the acquisition operation to acquire the log file.
  - 76. The interrogation method of claim 75, further comprising communicating commands associated with an acquisition operation to acquire general system information to the target computing device after the commands associated with the acquisition operation to acquire the communication statistics.
  - 77. The interrogation method of claim 74, wherein communicating commands associated with the acquisition operations to the target computing device comprises:
    - communicating commands associated with an acquisition operation to acquire communication statistics to the target computing device;
      
      communicating commands associated with an acquisition operation to acquire log file to the target computing device after the commands associated with the acquisition operation to acquire the communication statistics.
  - 78. The interrogation method of claim 77, further comprising communicating commands associated with an acquisition operation to acquire general system information to the target computing device after the commands associated with the acquisition operation to acquire the log file.
  - 79. The interrogation method of claim 74, wherein the log comprises one of a system event log, an application event log, a security event log, web server log file, Unix SYSLOG file, a mail log file, an accounting log file, and a router flow log file.
  - 80. The interrogation method of claim 74, wherein the communications statistics comprises one of Ethernet statistics and network protocol statistics.

81. A forensic analysis device that is adapted to operate as an intermediate device between a target computing device and a client device associated with a remote forensic investigator, wherein the analysis device comprises an acquisition module to acquire state information from the target computing device without pre-loading acquisition software on the target computing device prior to acquiring the computer evidence and store the state information on the forensic device while the target device remains active.
- View Dependent Claims (82, 83, 84)
- - 82. The forensic analysis device of claim 81, further comprising a user interface that allows the remote forensic investigator to view and analyze the previously acquired computer evidence on-line while the acquisition module acquires additional state information.
  - 83. The forensic analysis device of claim 81, wherein the acquisition module acquires the computer evidence from the target computing device without the target computing device being shut down.
  - 84. The forensic analysis device of claim 81, wherein the acquisition module obtains an image of a memory of the target computing device.

85. A computer-readable medium comprising instructions that cause a processor to:
- receive, with a forensic device coupled to a target computing device via a customer network of the target computing device, input from a remote user of a client device that identifies computer evidence to acquire from the target computing device;
  
  acquire the computer evidence from the target computing device with the forensic device without pre-loading acquisition software on the target computing device prior to acquiring the computer evidence;
  
  store the computer evidence on the forensic device; and
  
  present a user interface for the forensic device through which the remote user views and analyzes, with the client device, the computer evidence acquired from the target computing device.
- View Dependent Claims (86, 87, 88, 89, 90, 91, 92, 93, 94, 95)
- - 86. The computer-readable medium of claim 85, wherein instructions to cause the processor to present the user interface for the forensic device include instruction to present the user interface for the forensic device through which the remote user views and analyzes the computer evidence acquired from the target computing device on-line.
  - 87. The computer-readable medium of claim 85, further comprising instructions to cause the processor to acquire additional computer evidence while the remote user views and analyzes the previously acquired computer evidence.
  - 88. The computer-readable medium of claim 85, wherein instructions to cause the processor to acquire the computer evidence from the target computing device includes instructions to cause the processor to acquire the computer evidence from the target computing device while the target computing device is active.
  - 89. The computer-readable medium of claim 85, wherein instructions to cause the processor to acquire the computer evidence from the target computing device includes instructions to cause the processor to acquire state information from the target computing device.
  - 90. The computer-readable medium of claim 85, wherein instructions to cause the processor to receive input from the remote user that identifies computer evidence to acquire comprises instructions to cause the processor to receive input from the remote user that identifies at least one acquisition operation to perform, and further comprising instructions to cause the processor to:
    - automatically select at least one of a plurality of access methods via which to perform the acquisition operation based on the target computing device and the type of computer evidence to acquire; and
      
      issue commands associated with the acquisition operation to the target computing device via the selected acquisition methods to acquire the computer evidence.
  - 91. The computer-readable medium of claim 90, wherein instructions to cause the processor to issue commands associated with the acquisition operations comprises instructions to cause the processor to issue commands associated with the acquisition operations in an order that reduces the impact on other data stored on the target computing device.
  - 92. The computer-readable medium of claim 85, further comprising instructions to cause the processor to:
    - store a copy of the computer evidence originally acquired from the target computing device;
      
      normalize the acquired computer evidence to a common format;
      
      store the normalized computer evidence;
      
      perform a cryptographic hash on the computer evidence; and
      
      store the resulting hash value.
  - 93. The computer-readable medium of claim 85, further comprising instructions to cause the processor to maintain art audit log of transactions performed by the forensic device.
  - 94. The computer-readable medium of claim 85, wherein instructions to acquire the computer evidence from the target computing device comprise instructions to acquire the computer evidence from the target computing device without the target computing device being shut down.
  - 95. The computer-readable medium of claim 85, further comprising instructions to obtain an image of a memory of the target computing device.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
WatchGuard Technologies Incorporated (Gladiator Corporation)
Original Assignee
Architecture Technology Corporation
Inventors
Joyce, Robert, Adelstein, Frank N., Stillerman, Matthew A.
Primary Examiner(s)
Parthasarathy; Pramila

Application Number

US10/608,767
Publication Number

US 20040260733A1
Time in Patent Office

2,073 Days
Field of Search

None
US Class Current

726/21
CPC Class Codes

H04L 63/123 received data contents, e.g...

H04L 63/14 for detecting or protecting...

Remote collection of computer forensic evidence

First Claim

9 Assignments

0 Petitions

Accused Products

Abstract

Citations

95 Claims

Specification

Solutions

Use Cases

Quick Links

Remote collection of computer forensic evidence

First Claim

9 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

95 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links