Computer forensic tool
Abstract
A computer forensic accelerator engine designed to speed up the forensic analysis process is disclosed. It is a device for use with an analysis device to analyze data on a suspect computer device, and includes a first interface for connecting to the suspect computer device, a second interface for connecting to the analysis device, and a processing unit programmed to read data from the suspect device via the first interface, perform analysis on the data, transmit the data to the analysis device via the second interface, and transmit results of the analysis to the analysis device via the second interface. A drive write protect module may be integrated in the computer forensic accelerator engine. The computer forensic accelerator engine allows data read from the suspect drive to be analyzed while acquiring the data. Also disclosed is a computer forensic analysis system and method using the computer forensic accelerator engine.
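The "analyzed while acquiring" data path described in the abstract, modelled in software as an added example (it is not code from the patent, and a software loop only approximates what the claims assign to parallel hardware). The names `acquire_and_analyze` and `PassResult`, the file-like `source`/`sink` objects standing in for the first and second interfaces, and the sample bytes are assumptions made for illustration.

```python
import hashlib
import io
from dataclasses import dataclass, field


@dataclass
class PassResult:
    """Analysis results, reported separately from the forwarded data."""
    bytes_read: int = 0
    sha256: str = ""
    hits: dict = field(default_factory=dict)  # keyword -> absolute byte offsets


def acquire_and_analyze(source, sink, keywords, chunk_size=64 * 1024):
    """Read `source` once; forward, hash and search every chunk in that pass.

    `source` and `sink` are binary file-like objects (hypothetical stand-ins
    for the suspect-side and analysis-side interfaces). `keywords` plays the
    role of the search parameters loaded into the accelerator.
    """
    if chunk_size <= 0:
        raise ValueError("chunk_size must be positive")
    keywords = [bytes(k) for k in keywords if k]   # ignore empty patterns
    digest = hashlib.sha256()
    hits = {k: [] for k in keywords}
    # Carry the last (longest keyword - 1) bytes forward so that a match
    # straddling a chunk boundary is still found.
    overlap = max((len(k) for k in keywords), default=1) - 1
    tail = b""
    offset = 0                                     # absolute offset of this chunk
    while True:
        chunk = source.read(chunk_size)
        if not chunk:
            break
        sink.write(chunk)                          # data is forwarded unmodified
        digest.update(chunk)                       # hash covers exactly what was read
        window = tail + chunk
        base = offset - len(tail)                  # absolute offset of window[0]
        for k in keywords:
            # Matches lying wholly inside `tail` were reported on the previous
            # iteration, so start where a match must touch the new chunk.
            start = max(0, len(tail) - len(k) + 1)
            pos = window.find(k, start)
            while pos != -1:
                hits[k].append(base + pos)
                pos = window.find(k, pos + 1)      # +1 keeps overlapping matches
        offset += len(chunk)
        tail = window[-overlap:] if overlap else b""
    return PassResult(bytes_read=offset, sha256=digest.hexdigest(), hits=hits)


# Constructed sample: the first keyword occurrence spans the 13-byte chunk boundary.
SAMPLE = b"A" * 10 + b"invoice" + b"B" * 10 + b"invoice"

if __name__ == "__main__":
    image = io.BytesIO()
    result = acquire_and_analyze(io.BytesIO(SAMPLE), image, [b"invoice"], chunk_size=13)
    print(result)
    print("image identical to source:", image.getvalue() == SAMPLE)
```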
40 Claims
1. A hardware accelerator for use with an analysis unit to analyze data on an external suspect device comprising a suspect computer or computer device, the hardware accelerator comprising:
a first interface for connecting to the external suspect device, the first interface being configured to transfer the data at a first data transfer rate, the first data transfer rate being limited by the first interface and the external suspect device;
a second interface for connecting to the analysis unit, the second interface being a high-speed interface comprising SATA, USB, 1394, or Ethernet and configured to transfer the data at a second data transfer rate, the second data transfer rate being limited by the second interface, the analysis unit, and the first data transfer rate; and
a processing unit comprising:
memory for storing instructions, firmware, or parameters received from the analysis unit via the second interface; and
a microprocessor and/or field programmable gate array (FPGA) for analyzing the data according to the instructions, firmware, or parameters,
wherein the microprocessor and/or FPGA is configured to:
read the data from the external suspect device via the first interface at the first data transfer rate;
concurrently:
perform computer forensic analysis on the data, comprising searching, compressing, decompressing, or hashing the data, in accordance with the instructions, firmware, or parameters; and
transmit the data to the analysis unit via the second interface at the second data transfer rate; and
transmit results of the computer forensic analysis to the analysis unit,
wherein the first data transfer rate and the second data transfer rate are not limited by the processing unit, and
wherein the microprocessor and/or FPGA is further configured to analyze the data concurrently and without slowing the first data transfer rate or the second data transfer rate while the data passes through the hardware accelerator.
Dependent claims: 2, 3, 4, 5, 6, 7, 8, 9, 25

10. A system adapted to analyze data on an external suspect computer device, the system comprising:
a processing device adapted to analyze data obtained from the external suspect computer device; and
a hardware accelerator connected to the processing device, the hardware accelerator comprising:
a second interface for connecting to the processing device, the second interface being a high-speed interface comprising SATA, USB, 1394, or Ethernet and configured to transfer the data at a second data transfer rate, the second data transfer rate being limited by the second interface and the processing device;
a first interface for connecting to the external suspect computer device, the first interface being configured to transfer the data at a first data transfer rate, the first data transfer rate being limited by the first interface and the external suspect computer device; and
a processing unit comprising:
memory for storing instructions, firmware, or parameters received from the processing device via the second interface; and
a microprocessor and/or field programmable gate array (FPGA) for analyzing the data according to the instructions, firmware, or parameters,
wherein the microprocessor and/or FPGA is adapted to:
read the data from the external suspect device via the first interface at the first data transfer rate;
concurrently:
perform computer forensic analysis on the data, comprising searching, compressing, decompressing, or hashing the data, in accordance with the instructions, firmware, or parameters; and
transmit the data to the processing device via the second interface at the second data transfer rate, the second data transfer rate being further limited by the first data transfer rate; and
transmit results of the computer forensic analysis to the processing device,
wherein the first data transfer rate and the second data transfer rate are not limited by the processing unit, and
wherein the microprocessor and/or FPGA is further adapted to analyze the data concurrently and without slowing the first data transfer rate or the second data transfer rate while the data passes through the hardware accelerator.
Dependent claims: 11, 12, 13, 14, 15, 16

17. A method for forensically analyzing data on a suspect computer device, comprising:
connecting a hardware accelerator to a processing device via a second interface and to the suspect computer device via a first interface, the hardware accelerator being external to the suspect computer device and including a processing unit comprising memory and a microprocessor and/or field programmable gate array (FPGA), the memory being configured to store instructions, firmware, or parameters received from the processing device via the second interface, the microprocessor and/or FPGA being configured to analyze the data according to the instructions, firmware, or parameters, the first interface being configured to transfer the data at a first data transfer rate, the first data transfer rate being limited by the first interface and the suspect computer device, the second interface being a high-speed interface comprising SATA, USB, 1394, or Ethernet and configured to transfer the data at a second data transfer rate, the second data transfer rate being limited by the second interface, the processing device, and the first data transfer rate;
reading the data from the suspect computer device into the hardware accelerator via the first interface at the first data transfer rate;
concurrently:
forensically analyzing the data by the hardware accelerator, comprising searching, compressing, decompressing, or hashing the data, in accordance with the instructions, firmware, or parameters; and
transmitting the data from the hardware accelerator to the processing device via the second interface at the second data transfer rate; and
transmitting results of the forensic analysis from the hardware accelerator to the processing device,
wherein the first data transfer rate and the second data transfer rate are not limited by the processing unit, and
wherein the forensically analyzing the data takes place concurrently and without slowing the first data transfer rate or the second data transfer rate while the data passes through the hardware accelerator.
Dependent claims: 18, 19

20. A method for forensically analyzing data on a suspect computer device, comprising:
connecting a computer forensic hardware accelerator to an analysis device via a second interface, the computer forensic hardware accelerator including a processing unit comprising memory and a microprocessor and/or field programmable gate array (FPGA), the memory being configured to store instructions, firmware, or parameters received from the analysis device via the second interface, the microprocessor and/or FPGA being configured to analyze the data according to the instructions, firmware, or parameters, the second interface being a high-speed interface comprising SATA, USB, 1394, or Ethernet and configured to transfer the data at a second data transfer rate, the second data transfer rate being limited by the second interface and the analysis device;
connecting the computer forensic hardware accelerator to the suspect computer device via a first interface, the computer forensic hardware accelerator being external to the suspect computer device, the first interface being configured to transfer the data at a first data transfer rate, the first data transfer rate being limited by the first interface and the suspect computer device;
programming search, compression, decompression, or hash parameters or instructions into the computer forensic hardware accelerator or sending the search, compression, decompression, or hash parameters or instructions to the computer forensic hardware accelerator via the second interface;
reading the data from the suspect computer device into the computer forensic hardware accelerator via the first interface at the first data transfer rate;
concurrently:
forensically analyzing the data by the computer forensic hardware accelerator, comprising searching, compressing, decompressing, or hashing the data using the search, compression, decompression, or hash parameters or instructions; and
transmitting the data from the computer forensic hardware accelerator to the analysis device via the second interface at the second data transfer rate, the second data transfer rate being further limited by the first data transfer rate; and
transmitting the results of the forensic analysis from the computer forensic hardware accelerator to the analysis device,
wherein the first data transfer rate and the second data transfer rate are not limited by the processing unit, and
wherein the forensically analyzing the data takes place concurrently and without slowing the first data transfer rate or the second data transfer rate while the data passes through the hardware accelerator.
Dependent claims: 21, 22

23. A method for analyzing data on a multiplicity of suspect computer devices using a respective multiplicity of hardware accelerators, comprising:
connecting each hardware accelerator of the multiplicity of hardware accelerators to a respective suspect computer device of the multiplicity of suspect computer devices via a respective first interface, each hardware accelerator being external to the respective suspect computer device, each first interface being configured to transfer the data at a respective first data transfer rate, each first data transfer rate being limited by the respective first interface and the respective suspect computer device;
connecting the multiplicity of hardware accelerators together with a high speed data transfer mechanism comprising SATA, USB, 1394, or Ethernet via a respective multiplicity of second interfaces, each hardware accelerator including a processing unit comprising memory and a microprocessor and/or field programmable gate array (FPGA), the memory being configured to store instructions, firmware, or parameters received from an analysis device via a respective second interface of the multiplicity of second interfaces, the microprocessor and/or FPGA being configured to store the data according to the instructions, firmware, or parameters, each second interface of the multiplicity of second interfaces being configured to transfer the data at a respective second data transfer rate, each second data transfer rate being limited by the respective second interface, the high speed data transfer mechanism, the analysis device, and the respective first data transfer rate; and
connecting the analysis device to the high speed data transfer mechanism,
wherein each hardware accelerator is configured to:
read the data from the respective suspect computer device via the respective first interface at the respective first data transfer rate;
concurrently:
perform computer forensic analysis on the data, comprising searching, compressing, decompressing, or hashing the data, in accordance with the instructions, firmware, or parameters; and
transmit the data to the analysis device via the respective second interface at the respective second data transfer rate; and
transmit results of the respective computer forensic analysis to the analysis device,
wherein the respective first data transfer rate and the respective second data transfer rate are not limited by the processing unit, and
wherein each hardware accelerator is further configured to analyze the data concurrently and without slowing the respective first data transfer rate or the respective second data transfer rate while reading the data from the respective suspect computer device.

24. A method for analyzing data on a multiplicity of suspect computer devices using a respective multiplicity of hardware accelerators, comprising:
connecting each hardware accelerator of the multiplicity of hardware accelerators to a respective suspect computer device of the multiplicity of suspect computer devices via a respective first interface, each hardware accelerator being external to the respective suspect computer device, each first interface being configured to transfer the data at a respective first data transfer rate, each first data transfer rate being limited by the respective first interface and the respective suspect computer device;
connecting the multiplicity of hardware accelerators together with a high speed data transfer mechanism comprising SATA, USB, 1394, or Ethernet via a respective multiplicity of second interfaces, each hardware accelerator including a processing unit comprising memory and a microprocessor and/or field programmable gate array (FPGA), the memory being configured to store instructions, firmware, or parameters received from one of a multiplicity of analysis devices via a respective second interface of the multiplicity of second interfaces, the microprocessor and/or FPGA being configured to analyze the data according to the instructions, firmware, or parameters, each second interface of the multiplicity of second interfaces being configured to transfer the data at a respective second data transfer rate, each second data transfer rate being limited by the respective second interface, the high speed data transfer mechanism, the one of the multiplicity of analysis devices, and the respective first data transfer rate; and
connecting the multiplicity of analysis devices to the high speed data transfer mechanism,
wherein each hardware accelerator is configured to:
read the data from the respective suspect computer device via the respective first interface at the respective first data transfer rate;
concurrently:
perform computer forensic analysis on the data, comprising searching, compressing, decompressing, or hashing the data, in accordance with the instructions, firmware, or parameters; and
transmit the data to the one of the multiplicity of analysis devices via the respective second interface at the respective second data transfer rate; and
transmit results of the respective computer forensic analysis to the one of the multiplicity of analysis devices,
wherein the respective first data transfer rate and the respective second data transfer rate are not limited by the processing unit, and
wherein each hardware accelerator is further configured to analyze the data concurrently and without slowing the respective first data transfer rate or the respective second data transfer rate while reading the data from the respective suspect computer device.

26. A hardware accelerator for use with an analysis unit to analyze suspect data from the analysis unit, comprising:
a high-speed interface for connecting to the analysis unit, the high-speed interface comprising SATA, USB, 1394, or Ethernet and configured to transfer the suspect data at a data transfer rate, the data transfer rate being limited by the high-speed interface and the analysis unit; and
a processing unit comprising:
memory for storing instructions, firmware, or parameters received from the analysis unit via the high-speed interface; and
a microprocessor and/or field programmable gate array (FPGA) for analyzing the suspect data according to the instructions, firmware, or parameters,
wherein the microprocessor and/or FPGA is configured to:
concurrently:
read the suspect data from the analysis unit via the high-speed interface at the data transfer rate; and
perform computer forensic analysis on the suspect data, comprising searching, compressing, decompressing, or hashing the suspect data, in accordance with the instructions, firmware, or parameters; and
transmit results of the computer forensic analysis to the analysis unit via the high-speed interface at the data transfer rate,
wherein the data transfer rate is not limited by the processing unit, and
wherein the microprocessor and/or FPGA is further configured to analyze the suspect data concurrently and without slowing the data transfer rate while reading the suspect data from and transmitting the results of the computer forensic analysis to the analysis unit.

27. A hardware accelerator for use with a multiplicity of analysis units to analyze suspect data from the multiplicity of analysis units, the hardware accelerator comprising:
an interface for connecting to a high speed data transfer mechanism comprising SATA, USB, 1394, or Ethernet, the multiplicity of analysis units being connected to the high speed data transfer mechanism, the interface being configured to transfer the suspect data at a data transfer rate, the data transfer rate being limited by the interface and one or more of the multiplicity of analysis units; and
a processing unit comprising:
memory for storing instructions, firmware, or parameters received from the one or more of the multiplicity of analysis units via the interface; and
a microprocessor and/or field programmable gate array (FPGA) for analyzing the suspect data according to the instructions, firmware, or parameters,
wherein the microprocessor and/or FPGA is configured to:
concurrently:
read the suspect data from the one or more of the multiplicity of analysis units via the interface at the data transfer rate; and
perform computer forensic analysis on the suspect data, comprising searching, compressing, decompressing, or hashing the suspect data, in accordance with the instructions, firmware, or parameters; and
transmit results of the computer forensic analysis to the one or more of the multiplicity of analysis units via the interface at the data transfer rate,
wherein the data transfer rate is not limited by the processing unit, and
wherein the microprocessor and/or FPGA is further configured to analyze the suspect data concurrently and without slowing the data transfer rate while reading the suspect data from and transmitting the results of the computer forensic analysis to the one or more of the multiplicity of analysis units.

28. A multiplicity of hardware accelerators for use with an analysis unit to analyze suspect data from the analysis unit, each hardware accelerator of the multiplicity of hardware accelerators comprising:
an interface for connecting to a high speed data transfer mechanism comprising SATA, USB, 1394, or Ethernet, the analysis unit being connected to the high speed data transfer mechanism, the interface being configured to transfer the suspect data at a respective data transfer rate, the respective data transfer rate being limited by the interface and the analysis unit; and
a processing unit comprising:
memory for storing instructions, firmware, or parameters received from the analysis unit via the interface; and
a microprocessor and/or field programmable gate array (FPGA) for analyzing the suspect data according to the instructions, firmware, or parameters,
wherein the microprocessor and/or FPGA is configured to:
concurrently:
read the suspect data from the analysis unit via the interface at the respective data transfer rate; and
perform computer forensic analysis on the suspect data, comprising searching, compressing, decompressing, or hashing the suspect data, in accordance with the instructions, firmware, or parameters; and
transmit results of the computer forensic analysis to the analysis unit via the interface at the respective data transfer rate,
wherein the respective data transfer rate is not limited by the processing unit, and
wherein the microprocessor and/or FPGA is further configured to analyze the suspect data concurrently and without slowing the respective data transfer rate while reading the suspect data from and transmitting the results of the computer forensic analysis to the analysis unit.

29. A hardware accelerator for use with an analysis unit to analyze data on an external computer or computer device, the hardware accelerator comprising:
a first interface for connecting to the external computer or computer device, the first interface being configured to transfer the data at a first data transfer rate, the first data transfer rate being limited by the first interface and the external computer or computer device;
a second interface for connecting to the analysis unit, the second interface being a high-speed interface comprising SATA, USB, 1394, or Ethernet and configured to transfer the data at a second data transfer rate, the second data transfer rate being limited by the second interface, the analysis unit, and the first data transfer rate; and
a processing unit comprising:
memory for storing instructions, firmware, or parameters received from the analysis unit via the second interface; and
a microprocessor and/or field programmable gate array (FPGA) for pre-processing and analyzing the data according to the instructions, firmware, or parameters,
wherein the microprocessor and/or FPGA is configured to:
read the data from the external computer or computer device via the first interface at the first data transfer rate;
pre-process the data, comprising one of searching, compressing, decompressing, or hashing the data, in accordance with the instructions, firmware, or parameters;
concurrently:
perform analysis on the data in addition to pre-processing the data, comprising another one of searching, compressing, decompressing, or hashing the data, in accordance with the instructions, firmware, or parameters; and
transmit the data to the analysis unit via the second interface at the second data transfer rate; and
transmit results of the analysis to the analysis unit,
wherein the first data transfer rate and the second data transfer rate are not limited by the processing unit, and
wherein the microprocessor and/or FPGA is further configured to analyze the data concurrently and without slowing the first data transfer rate or the second data transfer rate while the data passes through the hardware accelerator.
Dependent claims: 30, 31, 32

33. A system adapted to analyze data on an external computer device, the system comprising:
a processing device adapted to analyze data obtained from the external computer device;
a hardware accelerator connected to the processing device, the hardware accelerator comprising:
a second interface for connecting to the processing device, the second interface being a high-speed interface comprising SATA, USB, 1394, or Ethernet and configured to transfer the data at a second data transfer rate, the second data transfer rate being limited by the second interface and the processing device;
a first interface for connecting to the external computer device, the first interface being configured to transfer the data at a first data transfer rate, the first data transfer rate being limited by the first interface and the external computer device; and
a processing unit comprising:
memory for storing instructions, firmware, or parameters received from the processing device via the second interface; and
a microprocessor and/or field programmable gate array (FPGA) for pre-processing and analyzing the data according to the instructions, firmware, or parameters,
wherein the microprocessor and/or FPGA is adapted to:
read the data from the external computer device via the first interface at the first data transfer rate;
pre-process the data, comprising one of searching, compressing, decompressing, or hashing the data, in accordance with the instructions, firmware, or parameters;
concurrently:
perform analysis on the data in addition to pre-processing the data, comprising another one of searching, compressing, decompressing, or hashing the data, in accordance with the instructions, firmware, or parameters; and
transmit the data to the processing device via the second interface at the second data transfer rate, the second data transfer rate being further limited by the first data transfer rate; and
transmit results of the analysis to the processing device,
wherein the first data transfer rate and the second data transfer rate are not limited by the processing unit, and
wherein the microprocessor and/or FPGA is further adapted to analyze the data concurrently and without slowing first data transfer rate or the second data transfer rate while the data passes through the hardware accelerator.
Dependent claims: 34, 35, 36

37. A method for analyzing data on a computer device, comprising:
connecting a hardware accelerator to a processing device via a second interface and to the computer device via a first interface, the hardware accelerator being external to the computer device and including a processing unit comprising memory and a microprocessor and/or field programmable gate array (FPGA), the memory being configured to store instructions, firmware, or parameters received from the processing device via the second interface, the microprocessor and/or FPGA being configured to pre-process and analyze the data according to the instructions, firmware, or parameters, the first interface being configured to transfer the data at a first data transfer rate, the first data transfer rate being limited by the first interface and the computer device, the second interface being a high-speed interface comprising SATA, USB, 1394, or Ethernet and configured to transfer the data at a second data transfer rate, the second data transfer rate being limited by the second interface, the processing device, and the first data transfer rate;
reading the data from the computer device into the hardware accelerator via the first interface at the first data transfer rate;
pre-processing the data, comprising one of searching, compressing, decompressing, or hashing the data, in accordance with the instructions, firmware, or parameters;
concurrently:
analyzing the data by the hardware accelerator in addition to pre-processing the data, comprising another one of searching, compressing, decompressing, or hashing the data, in accordance with the instructions, firmware, or parameters; and
transmitting the data from the hardware accelerator to the processing device at the second data transfer rate; and
transmitting results of the analysis from the hardware accelerator to the processing device,
wherein the first data transfer rate and the second data transfer rate are not limited by the processing unit, and
wherein the analyzing the data takes place concurrently and without slowing the first data transfer rate or the second data transfer rate while the data passes through the hardware accelerator.
Dependent claims: 38, 39, 40

Specification