Remote collection of computer forensic evidence
Abstract
The invention is directed to techniques for allowing a user to remotely interrogate a target computing device in order to collect and analyze computer evidence that may be stored on the target computing device. A forensic device receives input from a remote user that identifies computer evidence to acquire from the target computing device. The forensic device acquires the computer evidence from the target computing device and presents a user interface for the forensic device through which the remote user views the computer evidence acquired from the target computing device. In this manner, the forensic device allows the user to interrogate the target computing device to acquire the computer evidence without seizing or otherwise “shutting down” the target device.
63 Claims
1. A method comprising:
- receiving, with a forensic device, input from a user that identifies a target computing device coupled to the forensic device via a communication link;
- automatically selecting, based on the target computing device, at least one of a plurality of access methods via which to perform acquisition operations to acquire computer evidence from the target computing device;
- communicating commands associated with the acquisition operations from the forensic device to the target computing device via the selected acquisition methods to initiate the acquisition operations on the target computing device to acquire the computer evidence from the target computing device with the forensic device without pre-loading acquisition software on the target computing device prior to initiating the acquisition; and
- presenting a user interface for the forensic device through which the remote views the computer evidence acquired from the target computing device.

Dependent claims: 2-37.
38. A system comprising:
- a target computing device;
- a forensic device coupled to the target computing device via a customer network of the target computing device;
- a client device; and
- a user interface module to present a user interface for the forensic device that is remotely accessible by the client device, wherein the forensic device receives input via the user interface that identifies computer evidence to acquire from a target computing device, wherein, in response, the forensic device automatically selects, based on the target computing device, at least one of a plurality of access methods via which to perform acquisition operations to acquire computer evidence from the target computing device and communicates commands associated with the acquisition operations from the forensic device to the target computing device via the selected acquisition methods to acquire the computer evidence from the target computing device without pre-loading acquisition software on the target computing device prior to acquiring the computer evidence, stores the computer evidence, and wherein the forensic device presents the computer evidence to the remote user for analysis via the user interface.

Dependent claims: 39-63.
Specification