Automation of collection of forensic evidence

US 9,680,844 B2
Filed: 07/06/2015
Issued: 06/13/2017
Est. Priority Date: 07/06/2015
Status: Active Grant

First Claim

Patent Images

1. A system for automated collection of user-specified forensic data from a target computer associated with a case, the system comprising:

a computer apparatus having at least one processor and a memory in communication with the processor; and

a software module stored in the memory, executable by the processor and configured to;

initiate a case;

provide a user interface to allow a user to select a target computer within a network by entering into the user interface the Internet Protocol (IP) address or computer name of the target computer, select one or more user profiles associated with the target computer, and specify one or more types of forensic data to be collected from the target computer;

create at least one subfolder in a folder linked to the case and one or more files in the subfolder for storing the specified forensic data, wherein the one or more files have a filename that comprises (i) the entered IP address or computer name and (ii) a timestamp associated with a time that the software module is being run;

connect the computer apparatus to the target computer and scan the target computer to determine the Operating System (OS) thereof; and

collect the specified forensic data and save the collected data to the files.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Embodiments of the invention are directed to systems, methods and computer program products for automated collection of user-specified forensic data from a target computer associated with a case. In particular, embodiments herein disclosed provide for a system that is configured to provide a user interface to allow a user to select a target computer within a network, select one or more user profiles associated with the target computer, and specify one or more types of forensic data to be collected from the target computer. The system is also configured to create a subfolder in a folder linked to the case and one or more files in the subfolder for storing the user-specified data; connect the computer apparatus to the target computer; and collect the specified data and save the collected data to the files.

Citations

22 Claims

1. A system for automated collection of user-specified forensic data from a target computer associated with a case, the system comprising:
- a computer apparatus having at least one processor and a memory in communication with the processor; and
  
  a software module stored in the memory, executable by the processor and configured to;
  
  initiate a case;
  
  provide a user interface to allow a user to select a target computer within a network by entering into the user interface the Internet Protocol (IP) address or computer name of the target computer, select one or more user profiles associated with the target computer, and specify one or more types of forensic data to be collected from the target computer;
  
  create at least one subfolder in a folder linked to the case and one or more files in the subfolder for storing the specified forensic data, wherein the one or more files have a filename that comprises (i) the entered IP address or computer name and (ii) a timestamp associated with a time that the software module is being run;
  
  connect the computer apparatus to the target computer and scan the target computer to determine the Operating System (OS) thereof; and
  
  collect the specified forensic data and save the collected data to the files.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11)
- - 2. The system of claim 1, wherein the case is a new or an existing case, in which forensic data is sought, located, collected and searched for a purpose of using the forensic data as evidence in a legal proceeding, an audit, a regulatory investigation, a civil or criminal investigation, or the like.
  - 3. The system of claim 1, wherein the subfolder is created on the computer apparatus or on a computer-readable medium.
  - 4. The system of claim 1, wherein the subfolder and the one or more files are created automatically via the software module.
  - 5. The system of claim 1, wherein the forensic data comprises Windows data comprising log files, page files, registry keys, event logs, application data, antivirus files, a recycle bin and link files.
  - 6. The system of claim 1, wherein the forensic data comprises user profile data comprising one or more email exchange servers, files in Desktop and Documents folders, emails, contact lists and Internet browsing history.
  - 7. The system of claim 1, wherein the forensic data comprises a full image of Random Access Memory (RAM).
  - 8. The system of claim 1, wherein the forensic data comprises boot records comprising a Master Boot Record (MBR) and globally unique identifiers Partition Table (GPT).
  - 9. The system of claim 1, wherein at least one of the created files is a logical evidence file (LEF).
  - 10. The system of claim 1, wherein the software module is further configured to scan one or more hard drives on the target computer to identify at least one logical volume and mount the identified logical volume.
  - 11. The system of claim 1, wherein the software module is further configured to output collection status to a console and to an acquisition log, wherein the acquisition log is saved in the subfolder.

12. A computer-implemented method for automated collection of user-specified forensic data from a target computer associated with a case, the method comprising:
- initiating a case;
  
  providing a user interface to allow a user to select a target computer within a network by entering into the user interface the Internet Protocol (IP) address or computer name of the target computer, select one or more user profiles associated with the target computer, and specify one or more types of forensic data to be collected from the target computer;
  
  creating at least one subfolder in a folder linked to the case, on the computer apparatus or a computer-readable medium, and one or more files in the subfolder for storing the specified forensic data, wherein the one or more files have a filename that comprises (i) the entered IP address or computer name and (ii) a timestamp associated with a time that the software module is being run;
  
  connecting the computer apparatus to the target computer and scanning the target computer to determine the OS thereof; and
  
  collecting the specified forensic data and saving the collected data to the files.
- View Dependent Claims (13, 14, 15, 16, 17, 18, 19, 20)
- - 13. The method of claim 12, wherein initiating a case comprises creating a new case or opening an existing case, in which forensic data is sought, located, collected and searched for a purpose of using the forensic data as evidence in a legal proceeding, an audit, a regulatory investigation, a civil or criminal investigation, or the like.
  - 14. The method of claim 12, wherein specifying the data comprises specifying Windows data comprising log files, page files, registry keys, event logs, application data, antivirus files, a recycle bin and link files.
  - 15. The method of claim 12, wherein specifying the data comprises specifying user profile data comprising one or more email exchange servers, files in Desktop and Documents folders, emails, contact lists and Internet browsing history.
  - 16. The method of claim 12, wherein specifying the data comprises specifying one or memory files comprising a full image of RAM.
  - 17. The method of claim 12, wherein specifying the data comprises specifying boot records comprising a MBR and GPT.
  - 18. The method of claim 12, wherein saving the collected data comprises writing the collected data to a LEF.
  - 19. The method of claim 12 further comprising scanning one or more hard drives on the target computer to identify at least one logical volume and mounting the identified logical volume.
  - 20. The method of claim 12 further comprising outputting collection status to a console and to an acquisition log, wherein the acquisition log is saved in the subfolder.

21. A computer program product for automated collection of user-specified forensic data from a target computer associated with a case, the computer program product comprising a non-transitory computer-readable medium having one or more computer-readable programs stored therein, and the computer-readable programs, when executed by a computer apparatus, cause the computer apparatus to perform the following steps:
- providing a user interface to allow a user to select a target computer within a network by entering into the user interface the Internet Protocol (IP) address or computer name of the target computer, select one or more user profiles associated with the target computer, and specify one or more types of forensic data to be collected from the target computer;
  
  creating at least one subfolder in a folder linked to the case, on the computer apparatus or a computer-readable medium, and one or more files in the subfolder for storing the specified forensic data, wherein the one or more files have a filename that comprises (i) the entered IP address or computer name and (ii) a timestamp associated with a time that the software module is being run;
  
  connecting the computer apparatus to the target computer and scanning the target computer to determine the OS thereof; and
  
  collecting the specified forensic data and saving the collected data to the files.
- View Dependent Claims (22)
- - 22. The computer program product of claim 21, wherein the computer-readable medium comprises a Digital Versatile Disk (DVD), Compact Disk (CD), flash memory stick, and the like.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Bank of America Corp.
Original Assignee
Bank of America Corp.
Inventors
Thornbury, Thomas, Brock, Mark Allen, Redmon, John Daron, Texada, Jeffrey Wayne
Primary Examiner(s)
Dinh, Minh

Application Number

US14/792,185
Publication Number

US 20170012998A1
Time in Patent Office

708 Days
Field of Search
US Class Current
CPC Class Codes

G06Q 50/18   Legal services

H04L 63/1408   by monitoring network traff...

H04L 63/30   for supporting lawful inter...

Automation of collection of forensic evidence

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

Citations

22 Claims

Specification

Solutions

Use Cases

Quick Links

Automation of collection of forensic evidence

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

22 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links