Remote collection of computer forensic evidence

US 8,176,557 B2
Filed: 02/12/2009
Issued: 05/08/2012
Est. Priority Date: 06/23/2003
Status: Active Grant

First Claim

Patent Images

1. A method comprising:

interrogating, with a forensic device, a target computing device to acquire a log file;

executing, on the forensic device, a time analysis tool that analyzes the log file to detect log file tampering by receiving input from a user that identifies a period and an identifier for a periodic event, searching the log file for periodic event identifiers that match the identifier received from the user, computing time gaps between each of the periodic event identifiers within the log file, and comparing the period of the event as specified by the user with the computed time gaps within the log file to detect at least one absent periodic event; and

displaying to a user the results of the analysis to alert the user of the absent periodic event.

View all claims

8 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

The invention is directed to techniques for allowing a user to remotely interrogate a target computing device in order to collect and analyze computer evidence that may be stored on the target computing device. A forensic device receives input from a remote user that identifies computer evidence to acquire from the target computing device. The forensic device acquires the computer evidence from the target computing device and presents a user interface for the forensic device through which the remote user views the computer evidence acquired from the target computing device. In this manner, forensic device allows the user to interrogate the target computing device to acquire the computer evidence without seizing or otherwise “shutting down” the target device.

Citations

30 Claims

1. A method comprising:
- interrogating, with a forensic device, a target computing device to acquire a log file;
  
  executing, on the forensic device, a time analysis tool that analyzes the log file to detect log file tampering by receiving input from a user that identifies a period and an identifier for a periodic event, searching the log file for periodic event identifiers that match the identifier received from the user, computing time gaps between each of the periodic event identifiers within the log file, and comparing the period of the event as specified by the user with the computed time gaps within the log file to detect at least one absent periodic event; and
  
  displaying to a user the results of the analysis to alert the user of the absent periodic event.
- View Dependent Claims (2, 3, 4, 5, 6)
- - 2. The method of claim 1, wherein executing a time analysis tool to analyze the log file and detect log file tampering comprises the time analysis tool analyzing entries within the log file to determine whether the entries in the log file are in ascending order.
  - 3. The method of claim 1,executing the time analysis tool to identify any anomalous time gaps;
    - anddisplaying the identified anomalous time gaps to the user.
  - 4. The method of claim 3, wherein executing the time analysis tool comprises the time analysis tool classifying the computed time gaps into bins of equal logarithmic size.
  - 5. The method of claim 4, wherein classifying the computed time gaps into bins of equal logarithmic size includes the time analysis tool classifying the computed time gaps into bins of equal logarithmic size in accordance with the equation Bin#=floor(((log(gap_i)−
    - log(min))/(log(max)−
      
      log(k)))*bins_max), wherein min is a dynamically calculated minimum gap size, max is a dynamically calculated maximum gap size, bins_maxis a maximum number of bins, k is a minimum number of the smallest bin, and gap_iis an i^thgap size.
  - 6. The method of claim 1, wherein analyzing the log file to detect log file tampering comprises the time analysis tool:
    - generating a graphical representation of the time gaps; and
      
      displaying the graphical representation to the user.

7. An apparatus comprising:
- an abstraction module, executing on a processor, that acquires data identified by a remote user from a target computing device and stores the computer evidence;
  
  a data analysis module that includes one or more analysis tools for viewing and analyzing the computer evidence, wherein the data analysis module includes a time analysis tool configured to analyze a system log file of the target computing device to detect log file tampering by computing time gaps between entries of the log file and identifying anomalous time gaps; and
  
  a user interface module that presents the remote user with a user interface for the remote user to view and analyze the computer evidence, wherein the user interface displays the identified anomalous time gaps to the user.
- View Dependent Claims (8, 9, 10, 11, 12, 13, 14, 15, 16, 17, 18, 19, 20, 21, 22)
- - 8. The apparatus of claim 7, wherein the user interface module presents the user interface to the remote user to allow the remote user to view and analyze the data on-line.
  - 9. The apparatus of claim 7, wherein the apparatus acquires additional computer evidence from the target computing device while the remote user views and analyzes the previously acquired computer evidence.
  - 10. The apparatus of claim 7, wherein the abstraction module acquires the computer evidence from the target computing device while the target computing device is active.
  - 11. The apparatus of claim 7, wherein the abstraction module acquires state information of the target computing device.
  - 12. The apparatus of claim 7, wherein the abstraction module acquires the computer evidence from the target computing device without pre-loading acquisition software on the target computing device prior to acquiring the computer evidence.
  - 13. The apparatus of claim 7, further comprising a data acquisition module that receives input from the remote user identifying at least one acquisition operation to perform and communicates the acquisition operations requested by the remote user to the abstraction module, which automatically selects at least one of a plurality of access methods via which to perform the acquisition operation based on the target computing device and type of computer evidence to acquire, and issues commands associated with the acquisition operation to the target computing device to acquire corresponding computer evidence via the selected acquisition methods.
  - 14. The apparatus of claim 13, wherein the access methods include at least one of Windows Management Instrumentation (WMI), Server Message Block (SMB), Secure Shell (SSH), Remote Shell (RSH), Network File System (NFS), Apple Filing Protocol (AFP), File Transfer Protocol (FTP), and Hypertext Transfer Protocol (HTTP).
  - 15. The apparatus of claim 7, wherein the remote user identifies a plurality of acquisition operations to perform and abstraction module performs the acquisition operations in an order that reduces the impact on other data stored on the target computing device.
  - 16. The apparatus of claim 15, wherein the abstraction module performs the acquisition operations to acquire at least one of a log file and communication statistics prior to any other acquisition operations.
  - 17. The apparatus of claim 7, wherein the apparatus receives case information and target device information from the remote user to define a new inquiry, creates a new inquiry based on the received information, and associates the new inquiry with a case.
  - 18. The apparatus of claim 7, further comprising a data normalization module and a data preservation module, wherein the abstraction module stores a copy of the computer evidence originally acquired from the target computing device, the data normalization module normalizes the acquired computer evidence and stores the normalized computer evidence, and the data preservation module performs a cryptographic hash on the computer evidence and stores the resulting hash value.
  - 19. The apparatus of claim 7, further comprising a tracking module that maintains an audit log of transactions to track at least one of computer evidence downloaded from the target computing device, browsing of the computer evidence by the remote user, and analyses performed on the computer evidence, and wherein the audit log comprises a timestamp corresponding to each transaction, an investigator identifier corresponding to the investigator performing each transaction, and a description of each transaction.
  - 20. The apparatus of claim 7, wherein the abstraction module acquires an image of at least one of a disk attached to the target computing device and a memory of the target computing device, and the data analysis module includes analysis tools for examining the acquired image to identify at least one of files, process or operating system data structures, boot information, deleted files or directories, and data hidden in unallocated space.
  - 21. The apparatus of claim 7, wherein the time analysis tool is configured to compute time gaps between entries of the log file, generate a graphical representation of the time gaps, and output an interface to display the graphical representation to the user.
  - 22. The apparatus of claim 21, wherein the time analysis tool is configured to classify the computed time gaps of the log file into a set of bins and generate the graphical representation as a histogram illustrating the number of time gaps that are in each of the bins.

23. An apparatus comprising:
- a data acquisition module executing on a processor within the apparatus that identifies one or more acquisition operations to acquire computer evidence;
  
  an abstraction module that performs the acquisition operations to acquire the computer evidence from a target computing device, wherein the abstraction module includes a plurality of interrogation agents that issue commands associated with the acquisition operations based on the type of operating system executed on the target computing device and the type of computer evidence desired;
  
  a data analysis module that includes one or more data analysis tools, wherein the data analysis tools includes a time analysis configured to analyze a system log file of the target computing device to detect log file tampering by computing time gaps between entries of the log file and identifying anomalous time gaps; and
  
  a user interface module to present a user interface for a remote user to interact with the data analysis module to view and analyze the collected computer evidence.
- View Dependent Claims (24, 25, 26, 27, 28, 29, 30)
- - 24. The apparatus of claim 23, wherein each of the interrogation agents is configured to communicate with a particular type of operating system and the analysis module selects one of the plurality of interrogation agents based on the type of operating system executed on the target computing device.
  - 25. The apparatus of claim 23, wherein the interrogation agents use one of a plurality of access methods to acquire data from the target computing device.
  - 26. The apparatus of claim 25, wherein the access methods include at least one of Windows Management Instrumentation (WMI), Server Message Block (SMB), Secure Shell (SSH), Remote Shell (RSH), Network File System (NFS), Apple Filing Protocol (AFP), File Transfer Protocol (FTP), and Hypertext Transfer Protocol (HTTP).
  - 27. The apparatus of claim 23, wherein the computer evidence comprises at least one log file, and the remote user interacts with the data analysis module to analyze the log file to detect log file tampering.
  - 28. The apparatus of claim 23, further comprising a data preservation module that performs a cryptographic hash on the computer evidence and stores the resulting hash value.
  - 29. The apparatus of claim 28, wherein the data preservation module compares the resulting hash value with a hash value performed by the target computing device to ensure the integrity of the computer evidence in transit.
  - 30. The apparatus of claim 23, further comprising a data normalization module to normalize the computer evidence to a common format to aid in analysis of the computer evidence.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
WatchGuard Technologies Incorporated (Gladiator Corporation)
Original Assignee
Architecture Technology Corporation
Inventors
Adelstein, Frank N., Stillerman, Matthew A., Joyce, Robert
Primary Examiner(s)
Parthasarathy, Pramila

Application Number

US12/370,447
Publication Number

US 20090150998A1
Time in Patent Office

1,181 Days
Field of Search

None
US Class Current

726/23
CPC Class Codes

H04L 63/123 received data contents, e.g...

H04L 63/14 for detecting or protecting...

Remote collection of computer forensic evidence

First Claim

8 Assignments

0 Petitions

Accused Products

Abstract

Citations

30 Claims

Specification

Solutions

Use Cases

Quick Links

Remote collection of computer forensic evidence

First Claim

8 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

30 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links