Digital forensic analysis using empirical privilege profiling (EPP) for filtering collected data
Abstract
A forensic device allows a user to remotely interrogate a target computing device in order to collect and analyze computer evidence that may be stored on the target computing device. The forensic device acquires the computer evidence from the target computing device and filters it using an application-specific system-level privilege profile that describes the aggregate exercise of system-level privileges by a plurality of instances of the software application executing throughout an enterprise. The forensic device presents a user interface through which the remote user views the filtered computer evidence acquired from the target computing device. In this manner, the forensic device allows the user to reduce the collected computer evidence to the data that is likely to have forensic relevance: the resources exercised on the target that fall outside what the application's other instances normally exercise.
33 Claims
1. A method comprising:
- capturing empirical information relating to the exercise of privileges by a plurality of instances of a software application, the instances of the software application executing on top of a plurality of instances of a platform;
- dynamically generating an application profile that describes the aggregate exercise of privileges by the plurality of instances of the software application based on the empirical information;
- receiving, with a forensic device coupled to a target computing device via a communication link, input from a user that identifies computer evidence to acquire from the target computing device;
- acquiring the computer evidence from the target computing device with the forensic device;
- filtering the computer evidence on the forensic device with the application profile; and
- presenting a user interface for the forensic device through which the remote user views and analyzes, using the client device, the filtered computer evidence acquired from the target computing device.
Dependent claims 2 to 12 depend from claim 1 and are not reproduced on this page.

13. A method comprising:
- capturing empirical information relating to the exercise of privileges by a software application instance executing within a client device;
- logging the empirical information to a log file with a wrapper included within the client device;
- generating an application profile with an empirical privilege profiler (EPP) system that describes the aggregate exercise of privileges by the software application instance;
- communicating the application profile to a forensic device;
- receiving, with the forensic device coupled to a target computing device via a communication link, input from a user that identifies computer evidence to acquire from the target computing device;
- acquiring the computer evidence from the target computing device with the forensic device;
- filtering the acquired computer evidence on the forensic device with the application profile; and
- presenting a user interface for the forensic device through which the remote user views and analyzes, using the client device, the filtered computer evidence acquired from the target computing device.
Dependent claims 14 to 20 depend from claim 13 and are not reproduced on this page.

21. A method comprising:
- receiving log files uploaded by a plurality of client devices, wherein the log files include information relating to the exercise of privileges by a plurality of instances of a software application executing on top of a plurality of instances of a platform residing within the plurality of client devices;
- executing computer-implemented privilege profiling software to dynamically generate an application profile that describes the aggregate exercise of privileges by the plurality of instances of the software application based on the uploaded log files; and
- communicating the application profile to a forensic device for filtering forensic evidence.
Dependent claim 22 depends from claim 21 and is not reproduced on this page.

23. A system comprising:
- a plurality of client computing devices that capture empirical information relating to the exercise of privileges by a plurality of instances of a software application, the instances executing on top of a plurality of instances of a platform residing within the plurality of client computing devices;
- an empirical privilege profiler system that dynamically generates an application profile that describes the aggregate exercise of privileges by the plurality of instances of the software application based on the empirical information;
- a target computing device;
- a forensic device coupled to the target computing device via a customer network of the target computing device; and
- an access device executing a user interface module to present a user interface for the forensic device that is remotely accessible by the access device,
wherein the forensic device acquires computer evidence from the target computing device, filters the computer evidence using the application profile generated by the empirical privilege profiler by identifying resources within the computer evidence that do not match the application profile, and presents the filtered computer evidence to the remote user for analysis via the user interface.
Dependent claims 24 to 33 depend from claim 23 and are not reproduced on this page.
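The profile-then-filter loop that the abstract and independent claims 1, 21 and 23 describe, as an added Python illustration that is not part of the patent and not any product's code: it parses constructed per-device privilege logs (device, application, privilege, resource) such as the wrapper of claim 13 might upload, aggregates them into an application profile that keeps only privilege uses exercised by at least a configurable number of distinct instances, and then filters constructed evidence acquired from a target device down to the privilege uses that do not match the profile, which is the filtering step of claim 23. The log format, the `acme-agent` application name, the host names and resources, the TEST-NET-3 address and the instance-support threshold are all assumptions of the example; the patent text specifies none of them.

```python
"""Empirical privilege profile (EPP) built from client logs, then used to
filter evidence acquired from a target device. Added illustration; the log
format, names, hosts and threshold are assumptions, not the patent's."""
from collections import defaultdict
from typing import Dict, Iterable, List, Set, Tuple

PrivilegeUse = Tuple[str, str]          # (privilege, resource)
LogRecord = Tuple[str, str, str, str]   # (device, application, privilege, resource)

# Constructed log lines uploaded by three client devices running "acme-agent".
# host03 alone writes a cron entry: a local quirk or a compromised instance,
# so a profile aggregated over all three should not treat it as normal.
CLIENT_LOGS = """\
host01,acme-agent,file_read,/etc/acme/agent.conf
host01,acme-agent,net_connect,updates.acme.example:443
host01,acme-agent,file_write,/var/log/acme/agent.log
host02,acme-agent,file_read,/etc/acme/agent.conf
host02,acme-agent,net_connect,updates.acme.example:443
host02,acme-agent,file_write,/var/log/acme/agent.log
host03,acme-agent,file_read,/etc/acme/agent.conf
host03,acme-agent,net_connect,updates.acme.example:443
host03,acme-agent,file_write,/var/log/acme/agent.log
host03,acme-agent,file_write,/etc/cron.d/acme
host01,acme-agent,file_read,/etc/hosts
host02,acme-agent,file_read,/etc/hosts
"""

# Constructed evidence acquired from the target device for the same application.
TARGET_EVIDENCE: List[PrivilegeUse] = [
    ("file_read", "/etc/acme/agent.conf"),
    ("net_connect", "updates.acme.example:443"),
    ("file_write", "/var/log/acme/agent.log"),
    ("file_write", "/etc/cron.d/acme"),
    ("net_connect", "203.0.113.7:4444"),   # TEST-NET-3 address, constructed
    ("file_read", "/etc/shadow"),
]


def parse_log(lines: Iterable[str]) -> List[LogRecord]:
    """Parse 'device,application,privilege,resource' lines; skip blanks and comments."""
    records: List[LogRecord] = []
    for line in lines:
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        device, app, privilege, resource = line.split(",", 3)
        records.append((device, app, privilege, resource))
    return records


def build_profile(records: Iterable[LogRecord], app: str,
                  min_instances: int = 2) -> Dict[PrivilegeUse, int]:
    """Aggregate privilege use for `app` across distinct client devices.

    Returns {(privilege, resource): number_of_devices} for every privilege use
    exercised by at least `min_instances` distinct devices. Counting devices
    rather than events means a single noisy or compromised instance cannot
    push its own behaviour into the profile by itself.
    """
    support: Dict[PrivilegeUse, Set[str]] = defaultdict(set)
    for device, rec_app, privilege, resource in records:
        if rec_app == app:
            support[(privilege, resource)].add(device)
    return {use: len(devices) for use, devices in support.items()
            if len(devices) >= min_instances}


def filter_evidence(evidence: Iterable[PrivilegeUse],
                    profile: Dict[PrivilegeUse, int]) -> List[PrivilegeUse]:
    """Keep only privilege uses that do NOT match the profile; these are the
    entries an examiner looks at first. Order of the evidence is preserved."""
    return [use for use in evidence if use not in profile]


def run_example(min_instances: int = 2) -> List[PrivilegeUse]:
    """Build the profile from CLIENT_LOGS and filter TARGET_EVIDENCE with it."""
    records = parse_log(CLIENT_LOGS.splitlines())
    profile = build_profile(records, "acme-agent", min_instances)
    return filter_evidence(TARGET_EVIDENCE, profile)


if __name__ == "__main__":
    for threshold in (1, 2):
        print(f"min_instances={threshold}:")
        for privilege, resource in run_example(threshold):
            print(f"  flagged {privilege} {resource}")
```

With `min_instances=2` the cron write seen only on host03 stays out of the profile, so it is flagged on the target alongside the unknown outbound connection and the read of `/etc/shadow`; with `min_instances=1` the same write is absorbed into the profile and silently passes. The threshold is this example's own choice, but the failure mode it guards against is real for any aggregate profile: without it, one compromised client whitelists its behaviour on every target. The match is exact on `(privilege, resource)`, so resources that legitimately vary per host (user home directories, temp file names) need normalising before aggregation or they will never reach the threshold.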