Obtaining complete forensic images of electronic storage media

US 9,087,207 B2
Filed: 03/18/2010
Issued: 07/21/2015
Est. Priority Date: 03/20/2009
Status: Active Grant

First Claim

Patent Images

1. A method of a first computer system obtaining a complete forensic image of an electronic storage media that is part of a second computer system containing electronic data, by collecting forensic data, the storage media being part of the second computer system which includes a display screen, the method comprising the steps of:

a. using the first computer system to store a data collection program on a password-encrypted external storage device, the storage device having a USB 1.1 or greater interface, the storage device receiving all of its operating power via the USB interface, the first computer system modifying the data collection program,i. to select a desired level of encryption,ii. to require specific input of information from a custodian of the electronic data,iii. to select switches to capture RAM,iv. to select a drive to be imaged,v. to select data capturing switches, to be used during the process of capturing the forensic data, from the group of switches comprising;

verification, chunked file sizes, logging options, and verification, andvi. to select audit switches, to be used to perform a system audit after termination of the imaging by the data collection program, from the group of audit switches comprising;

operating system version, logged-on user name, hard drive size, and electronic serial numbers;

b. sending the external storage device to the custodian of the electronic data, together with means for the custodian to easily return the external storage device;

c. the custodian connecting the external storage device to the second computer system containing the storage media, once connected, the data collection program displaying a splash screen on the display screen;

d. the data collection program, via the splash screen, using the second computer system to forensically collect the electronic data to create a complete forensic image, on the external storage device, of the storage media containing the electronic data;

e. the data collection program encrypting the external storage device;

f. the data collection program auditing the forensic image; and

g. the data collection program preserving an exact copy of the forensic image onto the external storage device without making changes to the forensic image.

View all claims

2 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

In a method of obtaining a complete forensic image of an electronic storage media containing electronic data, the storage media is part of a computer system. The method includes the steps of: (a) storing a data collection program on an external storage device; (b) sending the external storage device to a custodian of the electronic data, together with means for the custodian to easily return the external storage device; (c) requiring the custodian to connect the external storage device to a computer system containing the storage media; (d) requiring the custodian to use the data collection program to forensically collect the electronic data to create a complete forensic image of the storage media containing the electronic data; (e) authenticating the forensic image; and (f) preserving an exact copy of the forensic image without making changes to the forensic image.

Citations

14 Claims

1. A method of a first computer system obtaining a complete forensic image of an electronic storage media that is part of a second computer system containing electronic data, by collecting forensic data, the storage media being part of the second computer system which includes a display screen, the method comprising the steps of:
- a. using the first computer system to store a data collection program on a password-encrypted external storage device, the storage device having a USB 1.1 or greater interface, the storage device receiving all of its operating power via the USB interface, the first computer system modifying the data collection program,i. to select a desired level of encryption,ii. to require specific input of information from a custodian of the electronic data,iii. to select switches to capture RAM,iv. to select a drive to be imaged,v. to select data capturing switches, to be used during the process of capturing the forensic data, from the group of switches comprising;
  
  verification, chunked file sizes, logging options, and verification, andvi. to select audit switches, to be used to perform a system audit after termination of the imaging by the data collection program, from the group of audit switches comprising;
  
  operating system version, logged-on user name, hard drive size, and electronic serial numbers;
  
  b. sending the external storage device to the custodian of the electronic data, together with means for the custodian to easily return the external storage device;
  
  c. the custodian connecting the external storage device to the second computer system containing the storage media, once connected, the data collection program displaying a splash screen on the display screen;
  
  d. the data collection program, via the splash screen, using the second computer system to forensically collect the electronic data to create a complete forensic image, on the external storage device, of the storage media containing the electronic data;
  
  e. the data collection program encrypting the external storage device;
  
  f. the data collection program auditing the forensic image; and
  
  g. the data collection program preserving an exact copy of the forensic image onto the external storage device without making changes to the forensic image.
- View Dependent Claims (2, 3, 4, 5, 6, 7)
- - 2. The method according to claim 1, further including, after the step of connecting the external storage device to a computer system, the splash screen of the data collection program requiring the custodian to enter his name and email address.
  - 3. The method according to claim 1, further including, after the step of asking the custodian to enter his name and email address, the data collection program then requiring the custodian to select which electronic storage media to image.
  - 4. The method according to claim 1, further including, in the step of storing a data collection program on an external storage device, also encrypting the external storage device, wherein the encrypting is done without input from the custodian.
  - 5. The method according to claim 1, further including, in the step of storing a data collection program on an external storage device, setting the switches on the data collection program to designate which storage media inside the computer system, or attached to the computer system, are to be forensically imaged.
  - 6. The method according to claim 1, wherein the step of the data collection program forensically collecting the electronic data further includes preventing the custodian from deselecting certain files, and preventing the custodian from deleting and spoiling data.
  - 7. The method according to claim 1, wherein the step of storing a data collection program on an external storage device includes setting software switches in the data collection program so that the subsequent step of auditing the forensic image includes collecting the following data into a file for later review:
    - (a) the make and model of the computer system;
      
      (b) the make and model of the computer system'"'"'s storage media that was imaged;
      
      (c) the size and available capacity of that storage media;
      
      (d) the operating system install date and time;
      
      (e) the user log on statistics; and
      
      (f) the attached devices.

8. A non-transitory, computer-readable, encrypted, portable storage medium with an executable program stored thereon, the portable storage medium receiving all of its operating power via a USB interface, wherein the program instructs a microprocessor to perform the following steps:
- a. creating a sector-by-sector forensic image of a storage media, that is part of a computer system, by calling a data collection program;
  
  b. storing the forensic image on the portable storage medium;
  
  c. verifying the integrity of the forensic image;
  
  d. performing an audit of the forensic image, and storing the resulting information in a file on the portable storage medium;
  
  e. displaying a message advising that (i) the process is completed, and (ii) the portable storage medium can now be disconnected from the storage media; and
  
  f. preserving an exact copy of the forensic image without making changes to the forensic image.
- View Dependent Claims (9, 10, 11, 12, 13)
- - 9. The portable storage medium according to claim 8, wherein the step of creating a sector-by-sector forensic image further includes preventing deselecting certain files, and preventing deleting and spoiling data.
  - 10. The portable storage medium according to claim 8, wherein the step of storing the forensic image further includes storing the forensic image in 2 GB files on the portable storage medium.
  - 11. The portable storage medium according to claim 8, wherein the step of verifying the integrity of the forensic image further includes verifying the integrity of the forensic image using a hash algorithm.
  - 12. The portable storage medium according to claim 8, wherein the step of verifying the integrity of the forensic image further includes verifying the integrity of the forensic image using an MD5 hash algorithm.
  - 13. The portable storage medium according to claim 8, wherein the step of performing an audit includes collecting the following data into a file:
    - (a) the make and model of the computer system;
      
      (b) the make and model of the computer system'"'"'s storage media that was imaged;
      
      (c) the size and available capacity of that storage media;
      
      (d) the operating system install date and time;
      
      (e) the user log on statistics; and
      
      (f) the attached devices.

14. A data collection system comprising a first computer system, a password-encrypted external storage device, and a second computer system comprising a display screen and an electronic storage media containing electronic data, wherein:
- a. the first computer system is programmed to store a data collection program on the password-encrypted external storage device, the storage device having a USB 1.1 or greater interface, the storage device receiving all of its operating power via the USB interface, and wherein the first computer system is programmed to modify the data collection program;
  
  i. to select a desired level of encryption,ii. to require specific input of information from a custodian of the electronic data,iii. to select switches to capture RAM,iv. to select a drive to be imaged,v. to select data capturing switches, to be used during the process of capturing the forensic data, from the group of switches comprising;
  
  verification, chunked file sizes, logging options, and verification, andvi. to select audit switches, to be used to perform a system audit after termination of the imaging by the data collection program, from the group of audit switches comprising;
  
  operating system version, logged-on user name, hard drive size, and electronic serial numbers;
  
  b. when the external storage device is connected to the second computer system, the data collection program;
  
  i. displays a splash screen on the display screen;
  
  ii. via the splash screen, uses the second computer system to forensically collect the electronic data to create a complete forensic image, on the external storage device, of the storage media containing the electronic data;
  
  iii. encrypts the external storage device;
  
  iv. audits the forensic image; and
  
  v. preserves an exact copy of the forensic image onto the external storage device without making changes to the forensic image.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Ricoh Company Limited
Original Assignee
Ricoh Company Limited
Inventors
Greetham, David A.
Primary Examiner(s)
Nigh, James D

Application Number

US12/726,553
Publication Number

US 20100241977A1
Time in Patent Office

1,951 Days
Field of Search

705/50, 715/764, 707/639, 726/26
US Class Current

1/1
CPC Class Codes

G06F 11/1448   Management of the data invo...

G06F 16/13   File access structures, e.g...

G06F 21/62   Protecting access to data v...

G06F 21/78   to assure secure storage of...

G06F 2201/80   Database-specific techniques

G06F 3/0623   in relation to content

G06F 3/065   Replication mechanisms

G06F 3/0673   Single storage device

G06Q 50/00   Information and communicati...

G06Q 50/18   Legal services

G06Q 50/184   Intellectual property manag...

Obtaining complete forensic images of electronic storage media

First Claim

2 Assignments

0 Petitions

Accused Products

Abstract

Citations

14 Claims

Specification

Solutions

Use Cases

Quick Links

Obtaining complete forensic images of electronic storage media

First Claim

2 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

14 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links