Remote collection of computer forensic evidence
First Claim
1. A method comprising:
interrogating, with a forensic device, a target computing device to acquire a log file;
executing, on the forensic device, a time analysis tool that analyzes the log file to detect log file tampering by receiving input from a user that identifies a period and an identifier for a periodic event, searching the log file for periodic event identifiers that match the identifier received from the user, computing time gaps between each of the periodic event identifiers within the log file, and comparing the period of the event as specified by the user with the computed time gaps within the log file to detect at least one absent periodic event; and
displaying to a user the results of the analysis to alert the user of the absent periodic event.
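The time-analysis step of claim 1 rendered as working code, added here as an illustration and not taken from the patent: the user supplies an event identifier and its period, the tool collects matching entries, computes the gaps between them, and flags gaps that exceed the period. It assumes log lines begin with an ISO-8601 timestamp and uses a constructed syslog sample whose "-- MARK --" heartbeat has had two entries removed.

```python
import re
from datetime import datetime, timedelta

# Constructed sample log (not from the patent): syslogd writes "-- MARK --"
# every 20 minutes; the marks at 10:40 and 11:00 have been removed to
# simulate entries deleted from the log.
SAMPLE_LOG = """\
2024-03-05T10:00:00 host syslogd: -- MARK --
2024-03-05T10:07:13 host sshd[411]: Accepted publickey for ops from 10.0.0.5
2024-03-05T10:20:00 host syslogd: -- MARK --
2024-03-05T10:58:41 host sudo: ops : COMMAND=/usr/bin/systemctl status sshd
2024-03-05T11:20:00 host syslogd: -- MARK --
2024-03-05T11:40:00 host syslogd: -- MARK --
"""

TS_RE = re.compile(r"^(\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2})\s")  # assumed ISO-8601 prefix


def find_absent_periodic_events(log_text, identifier, period_seconds, tolerance=0.5):
    """Return [(gap_start, gap_end, missing_count), ...] for each interval between
    consecutive entries matching `identifier` that exceeds the user-specified
    period by more than `tolerance` (jitter allowance), i.e. where events are absent.
    """
    stamps = []
    for line in log_text.splitlines():
        if identifier in line:
            m = TS_RE.match(line)
            if m:
                stamps.append(datetime.fromisoformat(m.group(1)))
    stamps.sort()
    period = timedelta(seconds=period_seconds)
    limit = period * (1 + tolerance)
    findings = []
    for prev, cur in zip(stamps, stamps[1:]):
        gap = cur - prev
        if gap > limit:
            # Whole periods inside the gap that produced no log entry.
            missing = round(gap / period) - 1
            findings.append((prev.isoformat(), cur.isoformat(), missing))
    return findings


def alerts(findings):
    """One display line per anomalous gap, for presentation to the examiner."""
    return [f"gap {a} -> {b}: {n} expected event(s) absent" for a, b, n in findings]


if __name__ == "__main__":
    print("\n".join(alerts(find_absent_periodic_events(SAMPLE_LOG, "-- MARK --", 20 * 60))))
```

A gap shorter than one and a half periods is tolerated so that ordinary scheduler jitter does not raise an alert; an examiner would tune the tolerance to the heartbeat source being analyzed.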
Abstract
The invention is directed to techniques for allowing a user to remotely interrogate a target computing device in order to collect and analyze computer evidence that may be stored on the target computing device. A forensic device receives input from a remote user that identifies computer evidence to acquire from the target computing device. The forensic device acquires the computer evidence from the target computing device and presents a user interface for the forensic device through which the remote user views the computer evidence acquired from the target computing device. In this manner, the forensic device allows the user to interrogate the target computing device to acquire the computer evidence without seizing or otherwise “shutting down” the target device.
30 Claims

1. A method comprising:
(Independent claim; text as given under First Claim above.) Dependent claims: 2, 3, 4, 5, 6.

7. An apparatus comprising:
an abstraction module, executing on a processor, that acquires data identified by a remote user from a target computing device and stores the computer evidence;
a data analysis module that includes one or more analysis tools for viewing and analyzing the computer evidence, wherein the data analysis module includes a time analysis tool configured to analyze a system log file of the target computing device to detect log file tampering by computing time gaps between entries of the log file and identifying anomalous time gaps; and
a user interface module that presents the remote user with a user interface for the remote user to view and analyze the computer evidence, wherein the user interface displays the identified anomalous time gaps to the user.
Dependent claims: 8, 9, 10, 11, 12, 13, 14, 15, 16, 17, 18, 19, 20, 21, 22.

23. An apparatus comprising:
a data acquisition module executing on a processor within the apparatus that identifies one or more acquisition operations to acquire computer evidence;
an abstraction module that performs the acquisition operations to acquire the computer evidence from a target computing device, wherein the abstraction module includes a plurality of interrogation agents that issue commands associated with the acquisition operations based on the type of operating system executed on the target computing device and the type of computer evidence desired;
a data analysis module that includes one or more data analysis tools, wherein the data analysis tools includes a time analysis configured to analyze a system log file of the target computing device to detect log file tampering by computing time gaps between entries of the log file and identifying anomalous time gaps; and
a user interface module to present a user interface for a remote user to interact with the data analysis module to view and analyze the collected computer evidence.
Dependent claims: 24, 25, 26, 27, 28, 29, 30.