Remote collection of computer forensic evidence

US 8,474,047 B2
Filed: 05/07/2012
Issued: 06/25/2013
Est. Priority Date: 06/23/2003
Status: Active Grant

First Claim

Patent Images

1. A method comprising:

receiving, with a forensic device, input from a user that identifies a target computing device coupled to the forensic device via a communication link;

automatically selecting, based on the target computing device, at least one of a plurality of access methods via which to perform acquisition operations to acquire computer evidence from the target computing device;

communicating commands associated with the acquisition operations from the forensic device to the target computing device via the selected acquisition methods to initiate the acquisition operations on the target computing device to acquire the computer evidence from the target computing device with the forensic device without pre-loading acquisition software on the target computing device prior to initiating the acquisition; and

presenting a user interface for the forensic device through which the remote views the computer evidence acquired from the target computing device.

View all claims

8 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

The invention is directed to techniques for allowing a user to remotely interrogate a target computing device in order to collect and analyze computer evidence that may be stored on the target computing device. A forensic device receives input from a remote user that identifies computer evidence to acquire from the target computing device. The forensic device acquires the computer evidence from the target computing device and presents a user interface for the forensic device through which the remote user views the computer evidence acquired from the target computing device. In this manner, forensic device allows the user to interrogate the target computing device to acquire the computer evidence without seizing or otherwise “shutting down” the target device.

49 Citations

View as Search Results

63 Claims

1. A method comprising:
- receiving, with a forensic device, input from a user that identifies a target computing device coupled to the forensic device via a communication link;
  
  automatically selecting, based on the target computing device, at least one of a plurality of access methods via which to perform acquisition operations to acquire computer evidence from the target computing device;
  
  communicating commands associated with the acquisition operations from the forensic device to the target computing device via the selected acquisition methods to initiate the acquisition operations on the target computing device to acquire the computer evidence from the target computing device with the forensic device without pre-loading acquisition software on the target computing device prior to initiating the acquisition; and
  
  presenting a user interface for the forensic device through which the remote views the computer evidence acquired from the target computing device.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16, 17, 18, 19, 20, 21, 22, 23, 24, 25, 26, 27, 28, 29, 30, 31, 32, 33, 34, 35, 36, 37)
- - 2. The method of claim 1, wherein automatically selecting at least one of a plurality of access methods comprises automatically selecting the at least one of a plurality of access methods based on both:
    - (1) a type of data to be acquired from the target computing device as forensic evidence, and (2) a type of operating system executed by the target computing device.
  - 3. The method of claim 1, wherein the plurality of access methods includes at least two or more of Windows Management Instrumentation (WMI), Server Message Block (SMB), Secure Shell (SSH), Remote Shell (RSH), Network File System (NFS), Apple Filing Protocol (AFP), File Transfer Protocol (FTP), and Hypertext Transfer Protocol (HTTP).
  - 4. The method of claim 1, further comprises automatically determining, with the forensic device, an order for performing the acquisition operations that reduces the impact on other data stored on the target computing device.
  - 5. The method of claim 1, wherein presenting the user interface for the forensic device through which the user views and analyzes the computer evidence acquired from the target computing device comprises presenting the user interface for the forensic device through which the user views and analyzes the computer evidence acquired from the target computing device on-line.
  - 6. The method of claim 1, further comprising acquiring additional computer evidence while the user views and analyzes the previously acquired computer evidence.
  - 7. The method of claim 1, wherein acquiring the computer evidence from the target computing device comprises acquiring the computer evidence from the target computing device while the target computing device is active.
  - 8. The method of claim 1, further comprising receiving input from the user instructing the forensic device to analyze the computer evidence.
  - 9. The method of claim 1, wherein acquiring the computer evidence from the target computing device comprises acquiring state information from the target computing device that includes at least one of running process information and open network ports with associated processes.
  - 10. The method of claim 1, further comprising performing a subset of the acquisition operations to acquire at least one of an log file and communication statistics prior to performing the other acquisition operations.
  - 11. The method of claim 10, further comprising performing the acquisition operation to acquire the communication statistics after performing the acquisition operation to acquire the log file.
  - 12. The method of claim 10, further comprising performing the acquisition operation to acquire the log file after performing the acquisition operation to acquire the communication statistics.
  - 13. The method of claim 10, further comprising performing an acquisition operation to acquire general system information from the target computing device after performing the subset of the acquisition operations to acquire the at least one of the log file and communication statistics prior to any other acquisition operations.
  - 14. The method of claim 10, wherein the log file comprises one of a system event log, an application event log, and a security event log, web server log file, Unix SYSLOG file, a mail log file, an accounting log file, and a router flow log file.
  - 15. The method of claim 10, wherein the communications statistics comprises one of Ethernet statistics and network protocol statistics.
  - 16. The method of claim 10, further comprising determining an order in which to perform acquisition operations.
  - 17. The method of claim 1, further comprising:
    - receiving case information and target device information from a user to define a new inquiry;
      
      creating a new inquiry based on the received information; and
      
      associating the new inquiry with a case.
  - 18. The method of claim 17, wherein the case information comprises at least one of a case number, case name, principle investigator, location to store the collected data, and a time zone for date/time reporting.
  - 19. The method of claim 17, wherein the target computing device information includes at least one of a target computing device host name, IP address, operating system, access methods and password.
  - 20. The method of claim 1, further comprising storing a copy of the computer evidence originally acquired from the target computing device.
  - 21. The method of claim 1, further comprising:
    - normalizing the acquired computer evidence to a common format; and
      
      storing the normalized computer evidence.
  - 22. The method of claim 21, wherein normalizing the acquired computer evidence to a common format comprises at least one of converting timestamp data from a local time zone of the target computing device to a standard time zone, converting data having host names and IP addresses to all host names, converting data having host names and IP addresses to all IP addresses, and normalizing the clock of the target computing device to that of the forensic device.
  - 23. The method of claim 1, further comprising:
    - performing a cryptographic hash on the computer evidence when acquired; and
      
      storing the resulting hash value representative of an unaltered stated of the computer evidence.
  - 24. The method of claim 1, further comprising maintaining an audit log of transactions performed by the forensic device.
  - 25. The method of claim 24, wherein maintaining the audit log comprises at least one of tracking computer evidence downloaded from the target computing device, browsing of the computer evidence by the user, and analyses performed on the computer evidence, and wherein the audit log comprises a timestamp corresponding to each transaction, an investigator identifier corresponding to the investigator performing each transaction, and a description of each transaction.
  - 26. The method of claim 1, wherein the computer evidence comprises at least one log file, the method further comprising:
    - receiving input from the user to analyze the log file for tampering;
      
      analyzing the log file to detect log file tampering; and
      
      displaying to the user the results of the analysis.
  - 27. The method of claim 26, wherein analyzing the log file to detect log file tampering comprises determining whether the entries in the log file are in ascending order.
  - 28. The method of claim 26, wherein analyzing the log file to detect log file tampering comprises:
    - computing time gaps between entries of the log file;
      
      identifying anomalous time gaps; and
      
      displaying to the user the identified anomalous gaps.
  - 29. The method of claim 26, wherein analyzing the log file to detect log file tampering comprises:
    - computing time gaps between entries of the log file;
      
      generating a graphical representation of the time gaps; and
      
      displaying the graphical representation to the user.
  - 30. The method of claim 26, wherein analyzing the log file to detect log file tampering comprises:
    - receiving input that identifies a periodic event;
      
      detecting an absent periodic event within the log file; and
      
      alerting the user of the absent periodic events.
  - 31. The method of claim 30, wherein receiving input that identifies the periodic event comprises:
    - receiving input that identifies a period of the periodic event; and
      
      receiving input that identifies an identifier associated with the periodic event.
  - 32. The method of claim 31, wherein detecting absent periodic events within the log file comprises:
    - searching for the log file for the periodic event identifier;
      
      computing the amount of time that elapsed between each of the periodic event identifiers; and
      
      comparing the period of the event with the computed elapsed times to detect absent periodic events.
  - 33. The method of claim 30, wherein identifying the periodic event comprises receiving input from the user identifying the periodic event.
  - 34. The method of claim 1, wherein acquiring the computer evidence from the target computing device comprises acquiring an image of at least one of a disk attached to the target computing device and a memory of the target computing device, and further comprising examining the acquired image to identify at least one of files, process or operating system data structures, boot information, deleted files or directories, and data hidden in unallocated space.
  - 35. The method of claim 1, wherein the communication link comprises a customer network of the target computing device.
  - 36. The method of claim 1, wherein a client device is coupled to the forensic device via one of a public network, a customer network of the target computing device, a phone line, a universal serial bus (USB), a wireless port, a serial port, a parallel port and an infrared link.
  - 37. The method of claim 1, wherein the target computing device comprises one of a personal computer, a handheld computer, a laptop, a workstation, a router, a gateway device, a firewall device, a web server, a file server, a database server, a mail server, a print server, a network-enabled personal digital assistant, and a network-enabled phone.

38. A system comprising:
- a target computing device;
  
  a forensic device coupled to the target computing device via a customer network of the target computing device;
  
  a client device; and
  
  a user interface module to present a user interface for the forensic device that is remotely accessible by the client device,wherein the forensic device receives input via the user interface that identifies computer evidence to acquire from a target computing device,wherein, in response, the forensic device automatically selects, based on the target computing device, at least one of a plurality of access methods via which to perform acquisition operations to acquire computer evidence from the target computing device and communicates commands associated with the acquisition operations from the forensic device to the target computing device via the selected acquisition methods to acquire the computer evidence from the target computing device without pre-loading acquisition software on the target computing device prior to acquiring the computer evidence, stores the computer evidence, andwherein the forensic device presents the computer evidence to the remote user for analysis via the user interface.
- View Dependent Claims (39, 40, 41, 42, 43, 44, 45, 46, 47, 48, 49, 50, 51, 52, 53, 54, 55, 56, 57, 58, 59, 60, 61, 62, 63)
- - 39. The system of claim 38, wherein the forensic device automatically selects the at least one of a plurality of access methods based on a type of data to be acquired from the target computing device as forensic evidence and a type of operating system executed by the target computing device.
  - 40. The system of claim 38, wherein the plurality of access methods includes at least two or more of Windows Management Instrumentation (WMI), Server Message Block (SMB), Secure Shell (SSH), Remote Shell (RSH), Network File System (NFS), Apple Filing Protocol (AFP), File Transfer Protocol (FTP), and Hypertext Transfer Protocol (HTTP).
  - 41. The system of claim 38, wherein the forensic device presents the user nterface to the remote user to allow the remote user to view and analyze the data on-line.
  - 42. The system of claim 38, wherein the forensic device acquires additional computer evidence from the target computing device while the remote user views and analyzes the previously acquired computer evidence.
  - 43. The system of claim 38, wherein the forensic device acquires the computer evidence from the target computing device while the target computing device is active.
  - 44. The system of claim 38, wherein the forensic device acquires state information from the target computing device.
  - 45. The system of claim 38, wherein the remote user identifies a plurality of acquisition operations to perform and the forensic device performs the acquisition operations in an order that reduces the impact on other data stored on the target computing device.
  - 46. The system of claim 45, wherein the forensic device performs the acquisition operations to acquire at least one of a log file and communication statistics prior to any other acquisition operations.
  - 47. The system of claim 46, wherein the forensic device performs an acquisition operation to acquire general system information from the target computing device after performing the acquisition operations to acquire the at least one of the log file and communication statistics prior to any other acquisition operations.
  - 48. The system of claim 47, wherein the forensic device stores a copy of the computer evidence originally acquired from the target computing device, normalizes the acquired computer evidence to a common format, stores the normalized computer evidence, performs a cryptographic hash on the computer evidence, and stores the resulting hash value.
  - 49. The system of claim 47, wherein the computer evidence comprises at least one log file, and wherein the forensic device analyzes the log file to detect log file tampering and displays to the user the results of the analysis.
  - 50. The system of claim 49, wherein the forensic device determines whether the entries in the log file are in ascending order.
  - 51. The system of claim 49, wherein the forensic device computes time gaps between entries of the log file, identifies anomalous time gaps, and displays to the user the identified anomalous gaps.
  - 52. The system of claim 49, wherein the forensic device computes time gaps between entries of the log file, generates a graphical representation of the time gaps, and displays the graphical representation to the user.
  - 53. The system of claim 49, wherein the forensic device receives input identifying a period and an identifier associated with a periodic event, searches the log file for the periodic event identifier, computes the amount of time that elapsed between each of the periodic event identifiers, and compares the period of the event with the computed elapsed times to detect an absent periodic event, and alerts the user of the absent periodic event.
  - 54. The system of claim 46, wherein the log file comprises one of a system event log, an application event log, a security event log, web server log file, Unix SYSLOG file, a mail log file, an accounting log file, and a router flow log file.
  - 55. The system of claim 46, wherein the communications statistics comprises one of Ethernet statistics and network protocol statistics.
  - 56. The system of claim 38, wherein the forensic device receives case information and target device information from a user to define a new inquiry, creates a new inquiry based on the received information, and associates the new inquiry with a case.
  - 57. The system of claim 56, wherein the case information comprises at least one of a case number, case name, principle investigator, location to store the collected data, and a time zone for date/time reporting.
  - 58. The system of claim 56, wherein the target computing device information includes at least one of a target computing device host name, IP address, operating system, access methods and password.
  - 59. The system of claim 38, wherein the forensic device maintains an audit log of transactions to track at least one of computer evidence downloaded from the target computing device, browsing of the computer evidence by the remote user, and analyses performed on the computer evidence, and wherein the audit log comprises a timestamp corresponding to each transaction, an investigator identifier corresponding to the investigator performing each transaction, and a description of each transaction.
  - 60. The system of claim 38, wherein the forensic device acquires an image of at least one of a disk attached to the target computing device and a memory of the target computing device and examines the acquired image to identify at least one of files, process or operating system data structures, boot information, deleted files or directories, and data hidden in unallocated space.
  - 61. The system of claim 38, wherein the target computing device comprises one of a personal computer, a handheld computer, a laptop, a workstation, a router, a gateway device, a firewall device, a web server, a file server, a database server, a mail server, a print server, a network-enabled personal digital assistant, and a network-enabled phone.
  - 62. The system of claim 38, wherein the forensic device is coupled to a same local subnet as the target computing device.
  - 63. The system of claim 38, wherein the client device is coupled to the forensic device via one of a public network, a customer network of the target computing device, a phone line, a universal serial bus (USB), a wireless port, a serial port, a parallel port and an infrared link.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
WatchGuard Technologies Incorporated (Gladiator Corporation)
Original Assignee
Architecture Technology Corporation
Inventors
Adelstein, Frank N., Stillerman, Matthew A., Joyce, Robert A.
Primary Examiner(s)
Parthasarathy, Pramila

Application Number

US13/465,859
Publication Number

US 20120221633A1
Time in Patent Office

414 Days
Field of Search

None
US Class Current

726/23
CPC Class Codes

H04L 63/123 received data contents, e.g...

H04L 63/14 for detecting or protecting...

Remote collection of computer forensic evidence

First Claim

8 Assignments

0 Petitions

Accused Products

Abstract

49 Citations

63 Claims

Specification

Use Cases

Quick Links

Others

Remote collection of computer forensic evidence

First Claim

8 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

49 Citations

63 Claims

Specification

Subscription Required

Use Cases

Quick Links

Others