Digital forensic acquisition kit and methods of use thereof

US 8,656,095 B2
Filed: 02/02/2011
Issued: 02/18/2014
Est. Priority Date: 02/02/2010
Status: Active Grant

First Claim

Patent Images

1. An electronic forensics tool comprising:

a physical portable memory device, wherein said physical portable memory device is capable of connecting to a target device; and

a forensic acquisition script, wherein said forensic acquisition script is able to load onto said target device and analyze hardware and software configurations of said target device and copy physical memory from the target device to the physical portable memory device, wherein the forensic acquisition script calculates digital signatures, message digests or hash values of available data storage devices in said target device and said physical portable memory device to verify that no modifications are made to the devices by comparing the corresponding digital signatures, message digests or hash values to each other;

wherein a virtual machine file is generated based on the forensic acquisition script which, when executed by a virtual machine in a virtual machine environment, provides an exact copy of the target device to enable a user to navigate files of the target device in the virtual machine environment.

View all claims

2 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Disclosed are compositions, methods, and kits, for issuing and conducting automated imaging and preservation for obtaining digital forensic data from active (i.e., powered-on) and non-active (i.e., powered-off) computer systems. In certain embodiments, the invention further encompasses providing a customer base a preliminary report of data. In other embodiments, the invention encompasses the option to receive a virtual machine file set of the acquired information for additional viewing and examination by the customer. The invention further encompasses methods and systems for implementing the embodiments of the invention. The invention also encompasses methods, apparatuses, and systems for secure forensic investigation of a target machine.

30 Citations

View as Search Results

23 Claims

1. An electronic forensics tool comprising:
- a physical portable memory device, wherein said physical portable memory device is capable of connecting to a target device; and
  
  a forensic acquisition script, wherein said forensic acquisition script is able to load onto said target device and analyze hardware and software configurations of said target device and copy physical memory from the target device to the physical portable memory device, wherein the forensic acquisition script calculates digital signatures, message digests or hash values of available data storage devices in said target device and said physical portable memory device to verify that no modifications are made to the devices by comparing the corresponding digital signatures, message digests or hash values to each other;
  
  wherein a virtual machine file is generated based on the forensic acquisition script which, when executed by a virtual machine in a virtual machine environment, provides an exact copy of the target device to enable a user to navigate files of the target device in the virtual machine environment.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11)
- - 2. The electronic forensics tool of claim 1, wherein the physical portable memory device comprises one or more external USB Hard Drive or other external media to be connected and/or inserted to execute a data collection process.
  - 3. The electronic forensics tool of claim 1, wherein the forensic acquisition script is an autorun forensic acquisition script comprising pre-loaded software, which will automate the collection, and at the interface level of this software no user input is required, making for a fully autonomous forensic data capture.
  - 4. The electronic forensics tool of claim 1, wherein the physical portable memory device comprises a varying capacity external hard drive.
  - 5. The electronic forensics tool of claim 1, wherein the forensic acquisition script examines said target device while it is in read-only mode.
  - 6. The electronic forensics tool of claim 1, wherein the forensic acquisition script examines data in the target device while it is in read-only mode, wherein data is stored only in random access memory, without creating evidence of forensic activity on said target device.
  - 7. The electronic forensics tool of claim 1, wherein the forensic acquisition script documents and logs information about said target device and documents and logs activity of the forensic acquisition script.
  - 8. The electronic forensics tool of claim 1, wherein the forensic acquisition script documents and logs information about said target device and documents and logs activity of said client program for authentication, and wherein the forensic acquisition script is digitally encrypted, signed and stored.
  - 9. The electronic forensics tool of claim 1, wherein examination results are displayed in limited examination result form, which comprise one or more of:
    - data existence, numbers of keywords match, and one or more file attributes.
  - 10. The electronic forensics tool of claim 9, wherein said limited examination result form further comprises one or more of keyword searching, keyword searching with context, data filtering, binary file signature searching, keyword searching through archives such as compressed or zipped files, keyword searching through encrypted or password protected files, physical keyword searching, Internet usage history parsing, searching by relevance, de-duping data, excluding data searches based on presence of data in one or more search databases;
    - and including searches based on presence of data in one or more search databases.
  - 11. The electronic forensic tool of claim 1, further comprising an encrypted copy of entire data storage device of said target device or make an encrypted copy of data identified by said examination or command-block enabled examination of said target device.

12. A method of obtaining forensic data from a target computer comprising:
- connecting a physical portable memory device to a target device;
  
  running a forensic acquisition script, wherein said forensic acquisition script is able to load onto said target device and analyze hardware and software configurations of said target device and copy physical memory from the target device to the physical portable memory device, wherein said forensic acquisition script calculates digital signatures, message digests or hash values of available data storage devices in said target device and said physical portable memory device to verify that no modifications are made to the devices by comparing the corresponding digital signatures, message digests or hash values to each other; and
  
  generating, based on the forensic acquisition script, a virtual machine file which, when executed by a virtual machine in a virtual machine environment, provides an exact copy of the target device to enable a user to navigate files of the target device in the virtual machine environment.
- View Dependent Claims (13, 14, 15, 16, 17, 18, 19, 20, 21, 22)
- - 13. The method of claim 12, wherein the physical portable memory device comprises one or more external USB Hard Drive or other external media to be connected and/or inserted to execute a data collection process.
  - 14. The method of claim 12, wherein the autorun forensic acquisition script comprises pre-loaded software, which will automate the collection, and at the interface level of this software no user input is required, making for a fully autonomous forensic data capture.
  - 15. The method of claim 12, wherein the physical portable memory device comprises a varying capacity external hard drive.
  - 16. The method of claim 12, wherein the forensic acquisition script examines said target device while it is in read-only mode.
  - 17. The method of claim 12, wherein the forensic acquisition script examines data in the target device while it is in read-only mode, wherein data is stored only in random access memory, without creating evidence of forensic activity on said target device.
  - 18. The method of claim 12, wherein the forensic acquisition script documents and logs information about said target device and documents and logs activity of the forensic acquisition script.
  - 19. The method of claim 12, wherein client program documents and logs information about said target device and documents and logs activity of the forensic acquisition script for authentication, and wherein said log is digitally encrypted, signed and stored.
  - 20. The method of claim 12, wherein examination results are displayed in limited examination result comprise one or more of:
    - data existence, numbers of keywords match, and one or more file attributes.
  - 21. The method of claim 20, wherein said limited examination further comprises one or more of keyword searching, keyword searching with context, data filtering, binary file signature searching, keyword searching through archives such as compressed or zipped files, keyword searching through encrypted or password protected files, physical keyword searching, Internet usage history parsing, searching by relevance, de-duping data, excluding data searches based on presence of data in one or more search databases;
    - and including searches based on presence of data in one or more search databases.
  - 22. The method of claim 12, further comprising an encrypted copy of entire data storage device of said target device or make an encrypted copy of data identified by said examination or command-block enabled examination of said target device.

23. An electronic forensics tool comprising:
- a physical portable memory device, wherein said physical portable memory device is capable of connecting to a target device;
  
  bootup software stored on the physical portable memory device configured to boot the target devicea forensic acquisition script, wherein said forensic acquisition script is able to load onto said target device and analyze hardware and software configurations of said target device and copy physical memory from the target device to the physical portable memory device; and
  
  wherein a virtual machine file is generated based on the forensic acquisition script which, when executed by a virtual machine in a virtual machine environment, provides an exact copy of the target device to enable a user to navigate files of the target device in the virtual machine environment.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Cylance Inc. (Blackberry Limited)
Original Assignee
Cylance Inc. (Blackberry Limited)
Inventors
Coulter, Chris
Primary Examiner(s)
Verbrugge, Kevin

Application Number

US13/019,796
Publication Number

US 20110191533A1
Time in Patent Office

1,112 Days
Field of Search

None
US Class Current

711/112
CPC Class Codes

G06F 16/13   File access structures, e.g...

G06F 21/554   involving event detection a...

G06F 21/575   Secure boot

G06F 21/64   Protecting data integrity, ...

G06Q 10/00   Administration; Management

Digital forensic acquisition kit and methods of use thereof

First Claim

2 Assignments

0 Petitions

Accused Products

Abstract

30 Citations

23 Claims

Specification

Solutions

Use Cases

Quick Links

Digital forensic acquisition kit and methods of use thereof

First Claim

2 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

30 Citations

23 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links