Obtaining complete forensic images of electronic storage media
Abstract
In a method of obtaining a complete forensic image of an electronic storage media containing electronic data, the storage media is part of a computer system. The method includes the steps of: (a) storing a data collection program on an external storage device; (b) sending the external storage device to a custodian of the electronic data, together with means for the custodian to easily return the external storage device; (c) requiring the custodian to connect the external storage device to a computer system containing the storage media; (d) requiring the custodian to use the data collection program to forensically collect the electronic data to create a complete forensic image of the storage media containing the electronic data; (e) authenticating the forensic image; and (f) preserving an exact copy of the forensic image without making changes to the forensic image.
14 Claims
1. A method of a first computer system obtaining a complete forensic image of an electronic storage media that is part of a second computer system containing electronic data, by collecting forensic data, the storage media being part of the second computer system which includes a display screen, the method comprising the steps of:
a. using the first computer system to store a data collection program on a password-encrypted external storage device, the storage device having a USB 1.1 or greater interface, the storage device receiving all of its operating power via the USB interface, the first computer system modifying the data collection program,
   i. to select a desired level of encryption,
   ii. to require specific input of information from a custodian of the electronic data,
   iii. to select switches to capture RAM,
   iv. to select a drive to be imaged,
   v. to select data capturing switches, to be used during the process of capturing the forensic data, from the group of switches comprising; verification, chunked file sizes, logging options, and verification, and
   vi. to select audit switches, to be used to perform a system audit after termination of the imaging by the data collection program, from the group of audit switches comprising; operating system version, logged-on user name, hard drive size, and electronic serial numbers;
b. sending the external storage device to the custodian of the electronic data, together with means for the custodian to easily return the external storage device;
c. the custodian connecting the external storage device to the second computer system containing the storage media, once connected, the data collection program displaying a splash screen on the display screen;
d. the data collection program, via the splash screen, using the second computer system to forensically collect the electronic data to create a complete forensic image, on the external storage device, of the storage media containing the electronic data;
e. the data collection program encrypting the external storage device;
f. the data collection program auditing the forensic image; and
g. the data collection program preserving an exact copy of the forensic image onto the external storage device without making changes to the forensic image.
Dependent claims: 2, 3, 4, 5, 6, 7

8. A non-transitory, computer-readable, encrypted, portable storage medium with an executable program stored thereon, the portable storage medium receiving all of its operating power via a USB interface, wherein the program instructs a microprocessor to perform the following steps:
a. creating a sector-by-sector forensic image of a storage media, that is part of a computer system, by calling a data collection program;
b. storing the forensic image on the portable storage medium;
c. verifying the integrity of the forensic image;
d. performing an audit of the forensic image, and storing the resulting information in a file on the portable storage medium;
e. displaying a message advising that (i) the process is completed, and (ii) the portable storage medium can now be disconnected from the storage media; and
f. preserving an exact copy of the forensic image without making changes to the forensic image.
Dependent claims: 9, 10, 11, 12, 13

14. A data collection system comprising a first computer system, a password-encrypted external storage device, and a second computer system comprising a display screen and an electronic storage media containing electronic data, wherein:
a. the first computer system is programmed to store a data collection program on the password-encrypted external storage device, the storage device having a USB 1.1 or greater interface, the storage device receiving all of its operating power via the USB interface, and wherein the first computer system is programmed to modify the data collection program;
   i. to select a desired level of encryption,
   ii. to require specific input of information from a custodian of the electronic data,
   iii. to select switches to capture RAM,
   iv. to select a drive to be imaged,
   v. to select data capturing switches, to be used during the process of capturing the forensic data, from the group of switches comprising; verification, chunked file sizes, logging options, and verification, and
   vi. to select audit switches, to be used to perform a system audit after termination of the imaging by the data collection program, from the group of audit switches comprising; operating system version, logged-on user name, hard drive size, and electronic serial numbers;
b. when the external storage device is connected to the second computer system, the data collection program;
   i. displays a splash screen on the display screen;
   ii. via the splash screen, uses the second computer system to forensically collect the electronic data to create a complete forensic image, on the external storage device, of the storage media containing the electronic data;
   iii. encrypts the external storage device;
   iv. audits the forensic image; and
   v. preserves an exact copy of the forensic image onto the external storage device without making changes to the forensic image.
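An added illustration, not code from the patent or its assignee: a minimal Python sketch of steps a to d of claim 8 combined with the "chunked file sizes" and "verification" switches of claim 1. The names `acquire`, `verify`, `image.NNN` and `audit.json`, the use of SHA-256, and the in-memory byte string standing in for a raw drive are all assumptions made for the example.

```python
import hashlib, io, json, os, tempfile
SECTOR = 512  # assumed sector size of the source media

def acquire(src, out_dir, chunk_bytes=4 * SECTOR):
    """Copy src into fixed-size chunk files and write an audit record."""
    if chunk_bytes % SECTOR:
        raise ValueError("chunk size must be a whole number of sectors")
    whole, chunks = hashlib.sha256(), []
    while data := src.read(chunk_bytes):
        whole.update(data)
        name = f"image.{len(chunks) + 1:03d}"  # hypothetical naming scheme
        with open(os.path.join(out_dir, name), "wb") as f:
            f.write(data)
        chunks.append({"file": name, "bytes": len(data),
                       "sha256": hashlib.sha256(data).hexdigest()})
    audit = {"total_bytes": sum(c["bytes"] for c in chunks),
             "image_sha256": whole.hexdigest(), "chunks": chunks}
    with open(os.path.join(out_dir, "audit.json"), "w") as f:
        json.dump(audit, f, indent=2)
    return audit

def verify(out_dir):
    """Re-read the stored chunks; return a list of problems (empty = intact)."""
    with open(os.path.join(out_dir, "audit.json")) as f:
        audit = json.load(f)
    problems, whole = [], hashlib.sha256()
    for c in audit["chunks"]:
        try:
            with open(os.path.join(out_dir, c["file"]), "rb") as f:
                data = f.read()
        except FileNotFoundError:
            problems.append(f"{c['file']}: missing")
            continue
        if hashlib.sha256(data).hexdigest() != c["sha256"]:
            problems.append(f"{c['file']}: hash mismatch")
        whole.update(data)
    if whole.hexdigest() != audit["image_sha256"]:
        problems.append("image: whole-image hash mismatch")
    return problems

def demo():
    media = bytes(range(256)) * 20  # constructed 10-sector stand-in for a drive
    with tempfile.TemporaryDirectory() as d:
        audit = acquire(io.BytesIO(media), d)
        clean = verify(d)
        with open(os.path.join(d, "image.002"), "r+b") as f:
            f.seek(100)
            f.write(b"\xff")  # simulate a change made after acquisition
        return audit, clean, verify(d)
```

Calling `demo()` returns the audit record, the verification result for the untouched image, and the result after one byte of the second chunk has been altered; the per-chunk hashes localise the change to a single chunk file while the whole-image hash flags the image as a whole.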
Specification