WO2007067424A2 - Forensic tool for examination and recovery of computer data - Google Patents
- Publication number
- WO2007067424A2 (application PCT/US2006/045977)
- Authority
- WO
- WIPO (PCT)
- Prior art keywords
- data
- command
- client program
- user
- block
- Prior art date
Classifications
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06Q—INFORMATION AND COMMUNICATION TECHNOLOGY [ICT] SPECIALLY ADAPTED FOR ADMINISTRATIVE, COMMERCIAL, FINANCIAL, MANAGERIAL OR SUPERVISORY PURPOSES; SYSTEMS OR METHODS SPECIALLY ADAPTED FOR ADMINISTRATIVE, COMMERCIAL, FINANCIAL, MANAGERIAL OR SUPERVISORY PURPOSES, NOT OTHERWISE PROVIDED FOR
- G06Q10/00—Administration; Management
- G06Q10/06—Resources, workflows, human or project management; Enterprise or organisation planning; Enterprise or organisation modelling
- G06Q10/063—Operations research, analysis or management
- G06Q10/0635—Risk analysis of enterprise or organisation activities
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06Q—INFORMATION AND COMMUNICATION TECHNOLOGY [ICT] SPECIALLY ADAPTED FOR ADMINISTRATIVE, COMMERCIAL, FINANCIAL, MANAGERIAL OR SUPERVISORY PURPOSES; SYSTEMS OR METHODS SPECIALLY ADAPTED FOR ADMINISTRATIVE, COMMERCIAL, FINANCIAL, MANAGERIAL OR SUPERVISORY PURPOSES, NOT OTHERWISE PROVIDED FOR
- G06Q10/00—Administration; Management
- G06Q10/10—Office automation; Time management
Definitions
- Digital data: Due to inherent properties of computer-produced digital data, one skilled in the art can often glean and use information using forensic methods. Digital data has inherent key differences as compared to traditional paper data. Because electronic data is easily created, duplicated and manipulated, there is generally a greater amount of computer data than paper data. Digital data can be far easier to organize, search and cull. As a result of the ease of creation, manipulation, duplication, and storage of digital media, many of the documents and files created today are stored only in computers. Computer data also contains unique electronic information not present in paper documents. Such information about the information, or "metadata", can include user information, transmission and edit data, and various time stamps. Computer data is also electronically searchable and sortable by both the actual file contents and its metadata. A user can specifically target and manage relevant information through keyword searching, filtering, data culling, indexing and de-duping.
- Safeguards may range from simply comparing the size and creation dates of files to more advanced techniques such as conducting cyclic redundancy checks and calculating a message digest. Additional forensic steps may include detailing and logging the steps of the recovery process and verifying the accuracy of the copied data.
- Authentication and chain of custody are also important considerations.
- the gathered evidence: In order for the gathered evidence to be useful in court, it is important that the data not be damaged or compromised. Without verifiable safeguards, admissibility and reliability of the gathered evidence may be challenged and excluded. Also, to avoid raising suspicion, for example in an on-going investigation, it may be desirable to avoid leaving traces of forensic activity on the target device. Because of these concerns, forensic experts are often used.
- the present invention addresses these concerns by allowing a user (a non-forensic expert) to conduct electronic discovery in a forensically sound manner and by allowing the user to employ an integrated mechanism to export data for analysis by a forensic expert should one be necessary.
- the present invention preferably automatically logs detailed information about the target computer and the examination.
- the log file is preferably encrypted, digitally signed, and stored for future validation.
- the present invention allows a user to conduct a preliminary examination of a target machine in a forensically sound manner before making a decision about incurring the cost of retaining a forensics expert.
- the present invention allows a non-expert to conduct a forensically sound electronic discovery without expert assistance.
- the present invention concerns a tool for conducting electronic discovery and computer forensic analysis.
- software: a client software or program
- the user is able to determine if a target device likely contains files or other data of interest.
- the client component of the present invention is preferably a self-contained CD with an operating system kernel that recognizes associated hardware and software and allows for retrieval of forensic data.
- the software may be distributed through various channels as known in the art.
- GUI: graphical user interface
- keyword searches and predefined or custom filters will assist the non-expert in determining whether a given digital medium, possibly a drive, in the computer contains data of interest.
- Data displayed to the user at this point will generally be statistical.
- the file's existence and numbers of keyword hits are displayed. Additional information, such as file name, date stamps, time of modification, and file size, may also be displayed.
- the user may repeatedly examine a particular drive of a target computer.
- the user may also use the client software repeatedly on multiple drives and on different computers.
- the command block directs the client program to perform specific directives or functionalities, such as conducting specific searches and retrieving desired data from a target computer to an external storage device for further analysis.
- the user must access a control server website, preferably from a computer different than the target computer, to purchase a command block.
- the control server will preferably offer different types of command blocks with different features and categories.
- once the user obtains, i.e., purchases, a command block, it is preferably transferred using an external memory device, such as a USB memory device, to the target computer.
- the external storage device may also function as a destination drive for downloading information of interest from the target computer.
- each command block is customized for use only with a specific drive on a specific computer.
- each command block is customized for use with the specific drive before any alteration is made to the drive either physically or logically.
- the command block may be configured to operate only on a specifically unique drive. This may be accomplished by using a drive key, which is calculated and provided by the client program to serve as a unique identifier of each hard drive. Should a user access the computer without forensic safeguards and thereby modify the drive, the command block will no longer work on the specific drive.
- a user may wish to forensically copy the entire contents of the computer for analysis by a forensic expert.
- the user may create a forensically sound copy of any storage devices and export the copy to an external storage device. This copy will be encrypted and digitally signed, and along with a log of the activity, can be validated at a later time.
- the external storage device can be physically delivered to a third party expert for analysis.
- the present invention also allows a user to conduct electronic discovery in a forensically sound manner. Examining and recovering data in a target computer does not alter the electronic evidence on the target computer.
- the client program operates the target computer in a read-only mode to prevent modification of underlying data.
- the client software and its data are stored only in the random access memory, thus preventing the creation of any new data or modification of the underlying data of the drive or device under examination.
- the client program also documents the examination process for future authentication by automatically generating logs. As part of the examination process for example, the client program recognizes and logs the system configuration of the target machine, including information about connected drives.
- the present invention also concerns a method for allowing a user to examine a target computer as described using client software and a command server for providing, i.e. selling, customizable command blocks.
- the user is able to reuse the client program to repeatedly make preliminary examinations of drives of interest without incurring additional cost and without needing additional functionalities as enabled through a command block.
- the client program may be used repeatedly on one or more drives and on one or more computers.
- the client program allows a user to repeatedly determine whether various drives contain information of interest. Each time a determination is made, however, the user will need to visit a vendor center to obtain a command block to retrieve the desired underlying information.
- the command block is an execution command code that allows and directs the client program to retrieve specific data from a specific hard drive of the target computer to an external drive (such as a USB drive) for detailed analysis.
- the command block contains a drive key, provided by the customer at time of creation, which uniquely identifies a drive.
- each command block is preferably executable only on a specific drive matching the drive key calculated by the client program.
- the command block can preferably only be executed on a drive before it is changed either logically or physically. Once the target computer is used without the appropriate forensic safeguards and the underlying drive is altered, the command block will no longer be usable on the altered drive.
- the present invention also contemplates a method of distributing client software, which can be used repeatedly to carry out a specific set of functions without incurring additional costs.
- the present invention also contemplates making available additional functionalities that may be purchased at additional cost.
- the client software is electronic forensic software that allows a user to make preliminary examinations of target computers and drives repeatedly using a single client software program. To further realize the capabilities of the client software, however, the user must contact the vendor and purchase additional features or commands.
- Such additional functionalities, features or commands are customizable by the user.
- a user visiting the vendor site will be able to specify and customize the exact types of functionalities to be purchased.
- a person investigating a target computer using forensic client software will be able to visit the control server to purchase a command block and specifically tailor the exact type of data that is to be retrieved and downloaded onto an external drive.
- the feature or command is limited for use only to a specific target.
- the feature or command is specific to a device, such as a computer.
- once the customizable feature or command is purchased, it is usable with the client program only on a specific computer.
- the feature or command is usable only with a specific hardware device within a computer.
- the feature or command is specific to a specific hardware in a specific state. For example, using the example of forensic software and the command block, the command block is executable only with a given specific computer, with only a given specific hard drive in said given specific computer, and only in a specified state of the specific hard drive.
- the present invention comprises reusable client software, which can repeatedly execute limited functionalities on various devices.
- the present invention further comprises additional device-specific, component-specific (i.e., drive-specific), and state-specific functionalities that may be separately purchased for execution by the client software only on a specified component, in a specified device, and in a specific state prior to alteration logically or physically.
- This device-specific, component-specific, and state-specific functionality may be applied in various contexts outside computer forensics. For example, a song, a movie, an execution command, anti-virus software, an operating system patch, and other functionalities can be delivered to a target drive on a target device for execution or operation by the client software before the device is altered logically or physically. Financial applications, Internet commerce applications, software applications, and various other applications are contemplated by the present invention.
- the present invention also concerns additional applications, wherein users and forensic investigative companies employ the present invention to complement existing capabilities.
- partnerships may be formed to incorporate customized versions of the present invention into existing product or service offerings with revenue sharing agreements. For example, some companies specialize in storing discovered evidence but do not recover the evidence themselves.
- the present invention allows such storage companies to add forensic recovery services to their capability with a trackable, custom version of the invention.
- Technology and consulting companies may incorporate the present invention into other existing services and technologies.
- Command blocks may also be sold using different pricing models. For example, rates may be pre-negotiated for specific clients, and commissions may be integrated into the sale price for intermediary vendors. Volume discounts may also apply. For example, resellers that exceed a predetermined dollar amount in sales may qualify for discounts.
- the present invention generally comprises a client component and a control server component.
- the client component comprises a digital memory storage device, which further comprises client software for booting and examining the target computer.
- the control server component is the business center that provides command blocks, which enable the software component to download selected data from a target computer.
- a digital memory storage device such as a CD containing the client software, is inserted or loaded into a target computer being analyzed.
- the client software may be stored in a CD or any other suitable medium as known in the art.
- the software may also be downloadable onto a USB memory device through the Internet.
- a CD is used.
- the user is able to use the client software repeatedly as desired to examine different drives and different computers.
- the client software may be used repeatedly on a single computer drive.
- the client software may also be used on different computer drives.
- the client software may further be used on different computers as desired.
- the user inserts the CD into a target computer and boots the target computer off of the CD.
- the client software of the present invention starts up from the CD.
- This client software may be displayed using simple, streamlined, intuitive graphical user interfaces (GUI).
- the GUI may consist of a task oriented process flow which guides the non-expert through the necessary steps to conduct a forensic examination. The non-expert would be guided through advanced concepts and critical decisions encountered during the process by context specific tutorials and documentation provided within the client GUI.
- the client software will preferably automatically recognize various hardware platforms and software configurations and allow for rapid examination of forensic information.
- Available drives of the target machine are preferably recognized and documented.
- the software preferably automatically displays a menu containing the drives, partitions or segments of available drives.
- a digital fingerprint is preferably calculated for the relevant device or drive.
- using a hashing algorithm such as MD5, SHA-1 or SHA-256, a simple modification-detection scheme is implemented. This digital fingerprint is kept for later use to identify if the selected device or drive was modified during the analysis.
- a user may specify search parameters for analyzing a selected drive. Once the client software analyzes and searches the drive, the user is provided a list of all data on the drive matching the query.
- the software could display the information available about the files in the table of contents (TOC) for the drive, occasionally referred to as the File Allocation Table (FAT).
- TOC: table of contents
- FAT: File Allocation Table
- Various filters and analysis of the TOC are allowed to facilitate understanding of the drive contents.
- Different types of information may be displayed. For example, deleted files may be included with the initial display.
- file data may also be included. Examples include directory location, file name, last modified, file size, and time stamps.
- Information such as FAT details and statistics for data outside the FAT may also be displayed at no charge using the client software.
- filtered selections of files can be de-duped to ensure the same file is not analyzed twice.
- the displayed menu, or TOC may be manipulated to facilitate understanding of its contents.
- the client program of the present invention is capable of analyzing NTFS, FAT(12/16/32), other common Unix/Linux file system types, and other systems types as known in the art.
- predefined and customized sorts and reports can be built and executed to allow for even more functionality.
- predefined filters which can be activated at the click of a button in the GUI, could allow users to see TOC entries specific to their investigation. Examples of these filters include the display of: only deleted files, only image and video files, only word processing documents, only e-mail files, only web surfing related files, and only archive files.
- keyword searches may be used to provide the number of instances that a word or phrase appears on the drive. Counts of encrypted, password protected files may also be determined. Unallocated and slack space may also be analyzed for files and fragments that may be of interest. Previously deleted files may be recovered from unallocated space using file signature matching techniques. A message digest may be calculated for all files on the device and compared to a database of known files to include them in or exclude them from further investigation. Thus, through the various filters and searches provided, a user is able to identify a set of relevant documents or data fragments. The actual data, however, is not viewable at this time. Only limited information about the data of interest is revealed. These features of the client software provide an easy tool for determining whether data of interest resides on the target computer.
- a copy of the underlying searched data must be extracted from the target machine either in part or in its entirety. This can be accomplished by obtaining a command block from a control server or by exporting the entire contents of the drive for analysis by a third party vendor.
- a control server is generally a server that sells or otherwise provides command blocks. Without a command block, the user will not be able to use the client software to extract the actual data from the target computer.
- the control server may also contain various other features as known in the art for a server, including an Internet website for selling command blocks with a help center, product information and descriptions, payment processing, contact information, disclaimers, and terms of use. Other methods of obtaining command blocks from a control server, such as by telephone, standard shipping or electronic mail, are also contemplated by the present invention.
- a user will preferably access the control server through an online computer that is different from the target computer.
- a user is able to create and/or purchase command blocks.
- a user will thus be able to construct, pay for and obtain command blocks from the control server in an automated fashion.
- the command blocks are transferred to an external storage device, such as a USB drive.
- a USB drive may be connected to the online computer to facilitate this process.
- Command blocks may be priced according to various factors such as the type and size of information involved. Factors may include, among others, size of drives analyzed, whether visible files, deleted files, FAT data, unallocated space or slack space are included, and whether recovery of lost partitions, keyword searches, web page fragment analysis, recovering Internet surfing history through parsing of history files, and de-duping recovered data are also enabled. For example, exporting of visible and deleted files based on the FAT data may be priced differently from more complicated functions such as extraction of files from unallocated and slack space. Extraction of data based on keyword searches may incur an additional fee. Command block prices may also depend on drive size. Other functions such as parsing of Internet surfing history files and de-duping of recovered data may also incur additional charges.
- Command blocks may also be sold for specific types of analysis at a set rate. For example, a "pornography investigation" command block would extract all images, movies and related web surfing activity involving pornographic material.
- the present invention also contemplates pricing structures based on pre-purchased bundles or packages or on client status, such as the client being classified as a frequent user.
- the command block stored on an external memory device is accessed by the target computer, wherein the software recognizes and authenticates the command block and allows the data of interest to be downloaded onto the external memory device without possibility of modifying other devices or drives in the target computer.
- the desired data may be analyzed with a modification-detection scheme possibly involving MD5, SHA-1 or SHA-256 hashing to protect the integrity of the data on the external drive.
- drive contents can be viewed by the user.
- the user: With the extracted data, the user not only gets statistical data about the files but also the files in their native format. The user is now able to access and view the actual files themselves including any related meta-data.
- the command-block enhanced program allows the actual files and documents to be downloaded for further analysis.
- a user may wish to forensically export the entire contents of the device for analysis by a forensic expert.
- the user may create a forensically sound copy of the storage devices and export the copy to an external storage device.
- the copy may be encrypted and analyzed with a modification-detection scheme possibly involving MD5, SHA-1 or SHA-256 hashing (or other methods as known in the art) to protect the integrity of the data on the external drive while it is physically delivered to a third party expert for analysis.
- log file(s) is (are) encrypted, signed, and stored for future analysis. If data is exported in an encrypted format, an unencrypted index file is created describing the contents of the recovered data.
- the data of interest can be delivered to a vendor to provide custom analysis of the data. This can be performed by delivering the destination drive containing either data extracted by the use of command blocks or a forensic copy of the entire contents of the target device/drive obtained by using a special feature in the client software.
- the client software provides a mechanism for forensically exporting the entire contents of the target device/drive to the destination drive. Because digital evidence can be duplicated accurately using forensic techniques, a copy of the entire contents can be made for analysis by a forensic expert. By first copying the original evidence, the original evidence may be further protected against accidental or unintentional damage or alteration. These contents can be digitally signed and encrypted to ensure that they are not modified in transit. Upon delivery to a computer forensic expert, the contents can be decrypted and verified prior to forensic analysis. Such an option may be available to the user at any point in the process.
- the present invention is preferably designed to operate with any known types of microprocessors and chip designs.
- the target computer should preferably have hardware capabilities similar to those commonly available in the public.
- the present invention may be designed to operate on computers with more exotic hardware as known in the art. Should a target computer not possess the minimum hardware requirements for a particular version of the present invention, the user will be informed of the limitations, and the present invention may operate in a reduced mode with limited functionality. Moreover, as technology progresses, the present invention may be operated on more advanced systems.
- the client boots off the CD.
- the following is a description of one
- a user boots the target computer from a CD containing the client software.
- a logo for a product of the present invention may appear with a progress bar indicating boot progress.
- a user may elect to display the verbose boot mode for detailed boot information. Any errors encountered are also preferably logged, preferably automatically.
- the client system preferably supports Intel and AMD based computers. An operating system kernel and all required drivers will preferably be included in the CD.
- Target system configuration is identified and documented.
- the client program: After booting, the client program will determine the configuration of the target computer and document the information.
- the client program will record such information in an event log. Recorded details may include, for example, the system-clock time and date, hard drives and partitions, available RAM, CPU type and speed, input-output interfaces, and the software version of the present invention. Preferably, such details are logged automatically onto the events log.
- the present invention contemplates using various interfaces and memory devices for transferring the command block from the control server to the target computer.
- a USB interface is used along with a USB memory device.
- Other suitable interfaces may be used as known in the art. However if a suitable interface is not available, the user will be informed of the limitations, and the present invention may operate in a reduced mode with limited functionality such as a restriction to only viewing TOC and statistics.
- the user may be informed that product capabilities may be limited. The user may then be prompted to contact the control server vendor for advanced services.
- Client Software recognizes system drives and mounts them in read only mode. Once recognized, all drives that are not destination drives of the present invention will preferably be mounted in read only mode. Thus, other than for the destination drives of the client software, the drives of the target machine are not modifiable.
- the client portion of the present invention will recognize all the available drives on the target computer. It will recognize devices, including but not limited to the following drives: parallel IDE drives; serial IDE drives; SCSI based drives (Narrow, UW, LVD, etc.); external USB/Flash drives; IOMEGA Zip and Jaz drives; CD/DVD, CD-R/RW, DVD-R/RW drives; and other known drive formats.
- the client portion of the present invention will preferably provide for error handling for multiple drives. Preferably, a limitless number of physical drives and logical drives may be supported.
- the client software will also preferably detect Host Protected Areas (or any other device level mechanisms for obscuring data) on a drive and log their existence.
- Destination drive is recognized after bootup.
- the client program of the present invention will recognize a destination drive to be used by the client program.
- as a destination drive, preferably an initialized USB (hard drive based or memory chip based) drive is used.
- Such drives may be distributed by a vendor pre-initialized or can be created from commercial off-the-shelf devices that have been modified as discussed.
- the user will receive acknowledgement, preferably automatically, of the existence of the initialized drive.
- the client software presents a graphical user interface that lists drives available for analysis.
- a graphical user interface will preferably provide the user drive information and the ability to select specific drives to analyze.
- the client program will display to the user all available drives indicating which drive, if any, may be selected for analysis.
- one or more drives may be selected for simultaneous analysis.
- one drive is selected at a time for analysis.
- the user picks one drive for analysis.
- the client software preferably begins to analyze the FAT(s) of the drive selected, preferably displaying a progress bar.
- the client program may display a table containing information about the selected physical drive. For example, a row may be displayed in the table for each physical drive detected. Information displayed in such tables may include drive number, make and model, serial number of drive, size, number of logical partitions on the physical drive, write protect status, drive key, and existence of any obscured areas such as host protected areas and device configuration overlays.
- a table of logical drives may also be displayed. Information in such tables may include individual drives, partition names and size, file system type, location on physical drive, write protect status, drive key, and presence of encryption.
- one of the first steps in analyzing a drive will preferably be to obtain a digital signature of the physical drive selected upon which the logical drive selected resides. As discussed, these digital signatures will be recognized by the command blocks or used by other aspects of the invention.
- the file allocation tables (FAT) of drives and partitions are examined. Once a physical or logical drive is selected for analysis, the FAT(s) residing on the selected drive will be examined. The detailed results may be provided in a table format with navigation capabilities.
- a graphical user interface may appear with a table displaying all of the contents on the drive FAT (TOC).
- the TOC will display the files in each drive/partition selected and may include the following information for each file: creation date, last modified date, last accessed date, deletion date, file size, full path, name, extension, and other relevant information.
- a "deleted" flag will indicate a deleted file.
- an "exported" flag will indicate an exported file.
- the rows in the TOC may be sorted by each element.
- the program may also allow secondary and tertiary sorts and allows columns in the TOC to be hidden or unhidden.
- the ability to filter rows based on data values such as file extension, first letter of filename, date range, size range, deleted flag, exported flag and directory may also be supported.
- Statistics on the data contents of the selected drive may be provided. Once a physical or logical drive is selected for analysis, the contents of the drive will preferably be examined in an abstract form. All portions of the drive will be examined including any unallocated or lost partitions on the drive and obscured disk areas. The results will be provided through statistics but no details will be provided.
- Keyword searching may be supported. Keywords can be searched using literal or regular expressions. The results of keyword searches may only provide a count of the number of occurrences of the keyword on the drive requested. In one embodiment, the client program allows only one keyword search in any given session. In other embodiments, multiple keyword searches can be conducted per session and/or per drive. Optionally, the ability to search for multiple keywords within a defined file or similar data structure may also be provided. In continuing to log the various activities, the results of the keyword search will preferably be displayed and saved to the event log.
- identification of encrypted or password protected files will also preferably be supported.
- the results of encrypted or password protected search may only contain a count of the number of files that are encrypted or password protected. The locations of the files will not be stored or provided.
- Additional statistics and information about the data may be displayed as known in the art. But the information displayed is limited so that the user must obtain one or more command blocks from the control server to be able to obtain and download the actual files or additional details. Alternatively, the user may export the entire contents of the drive using the client software for analysis by a third party expert.
- a user may obtain command blocks from a control server.
- a user can purchase a command block from the control server.
- the command block is an instruction set that enables or allows the client program to search for and/or download data from the target computer onto its destination drive. The user navigates to a control server web site and configures a command block to be purchased.
- control server recognizes an initialized USB drive attached to an online computer and downloads the desired command block to it. Once the command block is written to the drive, the destination drive is removed from the online computer and connected to the target machine where the client program can read and execute the command block.
- the client program will provide a drive key to the user for entering into the web site of the control server.
- Embedded in the drive key is information about the hard drive such as its signature, thus making the command block physically and logically hard drive specific. If information on the drive is changed, the drive's signature will change, and the command block will no longer work on the altered hard drive.
- a command block may be configured to run repeatedly on a given hard drive.
- the user next executes the command block.
- the user connects a USB drive with a valid command block to the target machine.
- the present invention supports the hot swapping of USB drives.
- the client program will first scan the USB drive for command blocks. When the scan is completed, an interface may appear listing all command blocks residing on the USB drive and information about each command block, such as a specific description or indicating whether they have previously been executed.
- the client program may verify that there is enough space on the destination drive to store the results, warning the user if insufficient space exists. Again, the execution of the command block and its contents are logged.
- an index file which contains information about all the recovered data.
- This index file preferably lists the exported data for the executed command block and includes any available FAT related data for the files, date and time of the command block execution, and operator's name.
- Fragments, files from unallocated space, and other data without path information will be written to the destination drive in an appropriate directory. If requested, fragments of data containing keyword matches may retain the context in which the keyword appears on the media. For example, in one embodiment, a user may specify that a number of bytes or ASCII characters on the device immediately before and after the keyword be extracted along with the keyword itself. This would assist the user in understanding the context in which the keyword appears on the media in subsequent reviews.
- the presence of files that are archived, encrypted, password protected or any combination thereof on the target drive shall preferably be displayed.
- files include but are not limited to ZIP files, Pretty Good Privacy (PGP) volumes, password-protected Microsoft Office documents and password-protected ZIP files.
- the searching of responsive documents and keywords within archive files may be supported.
- the decryption and cracking of encoded or password protected files or archives may be provided to determine if responsive documents and keywords exist within these files or archives.
- progress feedback may be displayed to the user. Additional feedback display options include: displaying recovered file names or paths during extraction; displaying a running or final count and breakdown of exported data. Any errors encountered may be displayed.
- digital signatures will be created for all data retrieved. These signatures will also be logged in the event log for future reference. To maintain the integrity of the retrieved data, all retrieved data may be exported as read-only. Any data recovered using features that do not require payment will preferably be exported to the destination drive in an encrypted state. This data may be available for decryption pending payment.
- a completion notification may be displayed when the data extraction process is completed.
- the user may then physically remove the destination drive without any further action while still preserving the integrity of the data on the destination drive.
- the user may also be provided with a prompt to review the data.
- the present invention also contemplates an option of creating a data browser within the target computer without modifying the hard drive(s) of the target computer.
- a graphical user interface will appear to allow the user to easily navigate and review the data.
- the user may be able to review the exported data and files in their native format.
- if the files are Microsoft Word files, for example, the user will be able to view them in a manner that recognizes and renders any text formatting to which Microsoft Word would natively adhere.
- if the data consists of HTML data, a simple browser will render and display any available HTML data, adhering to the proper formatting.
- if the file is not complete, the user will be able to view the data in text mode. Further, in text mode, the user may have the ability to suppress display of non-ASCII characters to increase the readability of the data.
- the destination drive is preferably a USB connected storage device, capable of containing any command blocks and data retrieved from the target machine.
- the destination drive will comprise a storage device with a USB interface.
- the device will preferably support NTFS, FAT12/16/32, and Linux file systems, among others.
- the destination drive initialization process will preferably be supported on Windows, Macintosh and/or Linux environments, or other applications as known in the art. Prior to drive initialization, the user may be warned that all data on the device will be deleted. Upon connection to the target machine, the destination drive should preferably be recognized by the control server vendor without requiring a reboot or other interruption of the examination process. Subsequent analysis of the same drive should append to the logs on the destination drive or write new files using incremental file names. Additionally, warnings about overwriting the data on the destination drive should be provided.
- Before exporting data to the destination drive, the user may be notified if the available space on the destination drive is insufficient to store the amount of data to be exported. In the preferred embodiment, the user will be able to span the exported data across multiple destination drives, thereby providing the ability to export a limitless amount of data.
- a control server is a vendor site for selling command blocks.
- the control server is an Internet, e-commerce website, providing graphical user interfaces for users to construct and purchase command blocks.
- the control server may also contain various other features as known in the art for a server, including an Internet website for selling command blocks with a help center, product information and descriptions, payment processing, contact information, disclaimers, and terms of use.
- the control server may ask for information, which may include drive key, operator name, partner identification, coupon codes, etc.
- command blocks include, for example, features such as parsing through Internet surfing history files, whose output should be stored to a file on the destination drive in the same directory hierarchy as other restored data.
- Another option includes de-duping of files on the destination drive. All files that were de-duped shall be fully logged in a de-duping log/table which includes the path location of the master file and full path locations of all identical files that were deleted.
- the output event log described herein is a forensically sound log as known in the art.
- the output log is preferably a forensically minded activity log.
- the log would contain, among other data: time and date stamps; various system information about the hard drives and partitions, memory, CPU, USB, versions; software version of the present invention; drive keys and external memory devices data; mounting times and types of digital devices; information regarding data that has been exported and their digital signatures; and command blocks run.
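The forensically minded activity log described in the preceding items, with the digital signatures of retrieved data logged alongside the other events, as an added Go example that is not the patent's code: each entry carries the digest of the entry before it, so a Verify pass detects later alteration or reordering of the log. It assumes SHA-256 as the digest for both the chain and the per-file signature (the text leaves the scheme open), and the sample events are constructed.

```go
package main

import (
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
	"time"
)

// Event is one entry of the activity log. Prev carries the digest of the entry
// before it, so the log is a hash chain; Digest covers Prev and the entry itself.
type Event struct {
	Time   time.Time
	Kind   string // e.g. "mount", "command_block", "export"
	Detail string
	Prev   string
	Digest string
}

// EventLog is the in-memory form of the log written to the destination drive.
type EventLog struct {
	Entries []Event
}

func entryDigest(e Event) string {
	sum := sha256.Sum256([]byte(e.Prev + "|" + e.Time.UTC().Format(time.RFC3339Nano) +
		"|" + e.Kind + "|" + e.Detail))
	return hex.EncodeToString(sum[:])
}

// Append records one event, linking it to the previous entry.
func (l *EventLog) Append(at time.Time, kind, detail string) Event {
	prev := ""
	if n := len(l.Entries); n > 0 {
		prev = l.Entries[n-1].Digest
	}
	e := Event{Time: at, Kind: kind, Detail: detail, Prev: prev}
	e.Digest = entryDigest(e)
	l.Entries = append(l.Entries, e)
	return e
}

// RecordExport logs the digital signature of a retrieved file. Assumption: a
// SHA-256 digest stands in for the signature scheme, which the text leaves open.
func (l *EventLog) RecordExport(at time.Time, path string, content []byte) Event {
	sum := sha256.Sum256(content)
	return l.Append(at, "export", path+" sha256="+hex.EncodeToString(sum[:]))
}

// Head returns the digest of the last entry. Recording it separately (for example
// in the operator's notes) is what makes removal of trailing entries detectable,
// since a hash chain alone cannot notice a truncated tail.
func (l *EventLog) Head() string {
	if len(l.Entries) == 0 {
		return ""
	}
	return l.Entries[len(l.Entries)-1].Digest
}

var ErrChainBroken = errors.New("event log chain broken")

// Verify recomputes every link; an edited, reordered or removed interior entry
// makes the chain fail at the first inconsistent position.
func (l *EventLog) Verify() error {
	prev := ""
	for i, e := range l.Entries {
		if e.Prev != prev || entryDigest(e) != e.Digest {
			return fmt.Errorf("%w at entry %d", ErrChainBroken, i)
		}
		prev = e.Digest
	}
	return nil
}

func main() {
	var el EventLog
	t0 := time.Date(2006, 12, 1, 9, 0, 0, 0, time.UTC) // constructed timestamps
	el.Append(t0, "mount", "destination drive DRIVEKEY-PLACEHOLDER mounted read-only")
	el.Append(t0.Add(time.Minute), "command_block", "executed block 'constructed-example'")
	el.RecordExport(t0.Add(2*time.Minute), "recovered/docs/invoice.doc", []byte("constructed file body"))
	fmt.Println("intact:", el.Verify(), "head:", el.Head()[:16])

	el.Entries[2].Detail = "recovered/docs/invoice.doc sha256=0000" // tamper after the fact
	fmt.Println("tampered:", el.Verify())
}
```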
- a command block is generated and configured by a user from the control server.
- the control server provides a convenient graphical user interface for defining search criteria. Once a command block has been specifically configured, defined, and purchased, the control server displays or exports the command block. The command block is then transferred to the client program running on the target computer. Once the command block is loaded onto the target computer, it is recognized by the client program. Preferably automatically, the command block will direct the client program to carry out specific features and commands as configured by the user.
- a command block directs the client program to perform various types of forensic analysis. Searches not available with the client program alone may be conducted once a command block is introduced to the client program. The command block may also direct the client program to download data of interest from the target computer.
- a command block allows files to be extracted by different filter criteria, including among others, file name, file type, file extension, date, time stamp, author, location, and edit date.
- a command block may also enable recovery of deleted files, which may be carved out from unallocated space using file signatures. Additional options include performing keyword searches using literal or regular expressions, including searching files, slack space, unallocated space, swap space and lost partitions for keyword hits.
- a command block allows extraction of files with responsive keywords. The command block may also be configured to recover fragments, sections of slack space, unallocated space, swap space or lost partitions that contain the keyword and its context.
- the client software of the present invention accepts only command blocks generated by an authorized control server. This may be accomplished, for example, by encrypting the command blocks with private keys, which are validated and recognized by the client software used in the present invention. Other methods as known in the art may also be used.
- an input-output external interface such as a USB memory device, is used to transfer the command block from the control server to the target computer.
- a command block may be cut-and-pasted or typed into the client software running on the target computer.
- each command block works only on a specific hard drive of a specific computer.
- the present invention also contemplates a single command block that works on multiple drives of a single computer or multiple drives of multiple computers.
- a command block that works for a predetermined number of drives is also contemplated.
- Command blocks can be priced according to various factors such as the type and size of information involved.
- Factors may include, among others, size of drives analyzed, whether visible files, deleted files, FAT data, unallocated space or slack space are included, and whether recovery of lost partitions, keyword searches, web page fragment analysis, recovering Internet surfing history through parsing of history files, and de-duping recovered data are also enabled.
- exporting of visible and deleted files based on the FAT data may be priced differently from more complicated functions such as extraction of files from unallocated and slack space.
- Extraction of data based on keyword searches may incur an additional fee based on the number and/or complexity of the keyword(s).
- Command block prices may also depend on drive size.
- Command blocks may also be sold for specific types of analysis at a set rate. For example, a "pornography investigation" command block would extract all images, movies and related web surfing activity involving pornographic material.
- the present invention also contemplates pricing structures based on pre-purchased bundles or packages or on client status, such as the client being classified as a frequent user.
- the control server will preferably assign a unique ASCII key for a particular device or drive to ensure its logical and physical identity.
- Various specific data encoded in the drive key may include information such as the hardware serial number, hardware size, hardware make, version of software of the present invention, and message digest of the device or drive.
- Version numbers can indicate where the disc was distributed and, approximately, when it was distributed. Knowing the version number of the software of the present invention will assist the control server in providing authenticated, working command blocks specific to the version being used.
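The drive key and the authorized-server check described above, as an added Go example that is not the patent's code: the client derives the drive key from the listed attributes, the control server signs the script together with that key, and the client refuses any block whose signature fails or whose key no longer matches the drive actually attached. It assumes SHA-256 for the key derivation and an Ed25519 signature in place of the "encrypting with private keys" the text mentions; the drive attributes and script are constructed.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
)

// DriveAttributes are the facts the drive key is derived from: hardware serial
// number, size and make, client software version, and a message digest of the drive.
type DriveAttributes struct {
	Serial    string
	SizeBytes uint64
	Make      string
	SWVersion string
	Digest    [32]byte // message digest of the drive, computed by the client
}

// DriveKey derives the ASCII key that identifies one drive logically and physically.
// Assumption: SHA-256 over the attributes; the patent does not fix the function.
func DriveKey(d DriveAttributes) string {
	h := sha256.New()
	fmt.Fprintf(h, "%s|%d|%s|%s|", d.Serial, d.SizeBytes, d.Make, d.SWVersion)
	h.Write(d.Digest[:])
	return hex.EncodeToString(h.Sum(nil))
}

// CommandBlock is what the control server hands out: the script, the drive key it
// is bound to, and the server's signature over both fields.
type CommandBlock struct {
	DriveKey  string
	Script    string
	Signature []byte
}

func signedBytes(driveKey, script string) []byte {
	return []byte(driveKey + "\n" + script)
}

// IssueCommandBlock is the control-server side: bind a script to one drive key and
// sign it with the server's private key (Ed25519 here, as an assumption).
func IssueCommandBlock(priv ed25519.PrivateKey, driveKey, script string) CommandBlock {
	return CommandBlock{
		DriveKey:  driveKey,
		Script:    script,
		Signature: ed25519.Sign(priv, signedBytes(driveKey, script)),
	}
}

var (
	ErrNotAuthorized = errors.New("command block was not issued by the authorized control server")
	ErrWrongDrive    = errors.New("command block is bound to a different drive")
)

// AcceptCommandBlock is the client side. The signature is checked first so that
// nothing inside an unauthenticated block is trusted; then the embedded drive key
// is compared with the key recomputed from the drive actually attached, so any
// change to the drive's attributes or contents changes the key and the block is refused.
func AcceptCommandBlock(serverPub ed25519.PublicKey, cb CommandBlock, attached DriveAttributes) error {
	if !ed25519.Verify(serverPub, signedBytes(cb.DriveKey, cb.Script), cb.Signature) {
		return ErrNotAuthorized
	}
	if cb.DriveKey != DriveKey(attached) {
		return ErrWrongDrive
	}
	return nil
}

func main() {
	serverPub, serverPriv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	// Constructed drive attributes; a real client reads them from the device.
	drive := DriveAttributes{Serial: "SERIAL-PLACEHOLDER", SizeBytes: 80 << 30, Make: "WDC",
		SWVersion: "1.0", Digest: sha256.Sum256([]byte("constructed drive image"))}
	cb := IssueCommandBlock(serverPriv, DriveKey(drive), "EXTRACT FROM unallocated WHERE keyword = 'invoice'")
	fmt.Println("same drive:", AcceptCommandBlock(serverPub, cb, drive))

	altered := drive
	altered.Digest = sha256.Sum256([]byte("drive image after modification"))
	fmt.Println("altered drive:", AcceptCommandBlock(serverPub, cb, altered))
}
```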
- a command block is an encrypted file that contains scripts designed to be executed by the client program to perform specific functions on a specific device or drive. These scripts generally extract data from the hard drive and save the data on the destination drive as described. The extracted data can direct data recovery from the hard drive or interpretation of data residing on the drive.
- the syntax of the command block is generally modeled after Structured Query Language.
- Commands within command blocks will allow for direct analysis and extraction of drive data. Direct analysis of drive data is analysis that does not require outside translators and data parsers. These commands incorporate "SQL like" syntax. Commands will preferably adhere to the following basic syntax: <action> {FROM <location>} {<qualifier>}.
- Commands within command blocks will allow for interpretation of drive data. These commands will take data files and provide an interpreted output for user review.
- An example of such a command includes the parsing of all Internet surfing history files to provide an output file for each history file with the appropriate columns and interpreted data.
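A parser for the basic command syntax given above, as an added Go example that is not the patent's code. It assumes that the braces mark optional clauses, that a qualifier begins with WHERE, and a small vocabulary of action and location names (EXTRACT, SEARCH, COUNT, PARSE; FILES, DELETED, SLACK, UNALLOCATED, SWAP, LOSTPARTITIONS, HISTORY) chosen for illustration; tokens outside that vocabulary are refused rather than passed on to the drive routines.

```go
package main

import (
	"errors"
	"fmt"
	"strings"
)

// Command is one parsed line of the "SQL like" block syntax
// <action> {FROM <location>} {<qualifier>}. Assumption: the braces mark optional
// clauses and a qualifier starts with WHERE.
type Command struct {
	Action    string
	Location  string // empty when the FROM clause is absent
	Qualifier string // text after WHERE, empty when absent
}

// Vocabulary the client is willing to execute. The names are assumed for this
// example; the patent does not enumerate them. Anything outside these sets is
// refused so that an unexpected token never reaches the extraction routines.
var (
	knownActions   = map[string]bool{"EXTRACT": true, "SEARCH": true, "COUNT": true, "PARSE": true}
	knownLocations = map[string]bool{"FILES": true, "DELETED": true, "SLACK": true,
		"UNALLOCATED": true, "SWAP": true, "LOSTPARTITIONS": true, "HISTORY": true}
)

// ParseCommand parses a single command line; keywords are case-insensitive.
func ParseCommand(line string) (Command, error) {
	fields := strings.Fields(line)
	if len(fields) == 0 {
		return Command{}, errors.New("empty command")
	}
	c := Command{Action: strings.ToUpper(fields[0])}
	if !knownActions[c.Action] {
		return Command{}, fmt.Errorf("unknown action %q", fields[0])
	}
	rest := fields[1:]
	if len(rest) > 0 && strings.EqualFold(rest[0], "FROM") {
		if len(rest) < 2 {
			return Command{}, errors.New("FROM without a location")
		}
		c.Location = strings.ToUpper(rest[1])
		if !knownLocations[c.Location] {
			return Command{}, fmt.Errorf("unknown location %q", rest[1])
		}
		rest = rest[2:]
	}
	if len(rest) > 0 {
		if !strings.EqualFold(rest[0], "WHERE") || len(rest) < 2 {
			return Command{}, fmt.Errorf("unexpected text %q; a qualifier must be WHERE <expr>",
				strings.Join(rest, " "))
		}
		c.Qualifier = strings.Join(rest[1:], " ")
	}
	return c, nil
}

// ParseBlock parses every non-blank line of a decrypted command block. A single
// bad line rejects the whole block, so no partial script is ever executed.
func ParseBlock(script string) ([]Command, error) {
	var cmds []Command
	for i, line := range strings.Split(script, "\n") {
		if strings.TrimSpace(line) == "" {
			continue
		}
		c, err := ParseCommand(line)
		if err != nil {
			return nil, fmt.Errorf("line %d: %w", i+1, err)
		}
		cmds = append(cmds, c)
	}
	return cmds, nil
}

func main() {
	// Constructed script; the qualifier expressions are carried through, not evaluated.
	script := "COUNT FROM files WHERE encrypted = true\n" +
		"EXTRACT FROM unallocated WHERE keyword LIKE 'invoice'\n" +
		"PARSE FROM history\n"
	cmds, err := ParseBlock(script)
	fmt.Printf("%+v %v\n", cmds, err)
	_, err = ParseBlock("EXTRACT FROM files\nFORMAT FROM files")
	fmt.Println("rejected:", err)
}
```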
Landscapes
- Business, Economics & Management (AREA)
- Engineering & Computer Science (AREA)
- Human Resources & Organizations (AREA)
- Entrepreneurship & Innovation (AREA)
- Strategic Management (AREA)
- Economics (AREA)
- Tourism & Hospitality (AREA)
- Theoretical Computer Science (AREA)
- Operations Research (AREA)
- Quality & Reliability (AREA)
- Marketing (AREA)
- Physics & Mathematics (AREA)
- General Business, Economics & Management (AREA)
- General Physics & Mathematics (AREA)
- Data Mining & Analysis (AREA)
- Development Economics (AREA)
- Educational Administration (AREA)
- Game Theory and Decision Science (AREA)
- Storage Device Security (AREA)
- Automatic Analysis And Handling Materials Therefor (AREA)
Abstract
The present invention relates to an electronic forensic tool used to perform electronic discovery and computer forensic analysis. This invention enables a non-specialist, such as a non-forensic expert, to perform electronic discovery, which eliminates the need to engage an expert in many situations. This invention enables electronic discovery to be performed in a legally sound manner. This invention also relates to a business method for electronic discovery involving a software program and a control server to generate extended functionality. The client software may be distributed at minimal cost or free of charge, preferably in the form of a CD. Using the client software, a user boots a target machine to determine whether it contains data of interest. The client software will, however, display only restricted data such as file information, date, last modification made and file size. To access and examine the actual underlying data, the user must obtain additional functionality, for example by purchasing a command block from the control server. The additional functionality allows the client program to extract the data of interest or the entire contents of the target machine and transfer them to an external device for subsequent analysis.
Applications Claiming Priority (4)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
US11/294,560 US7644138B2 (en) | 2005-12-06 | 2005-12-06 | Forensics tool for examination and recovery and computer data |
US11/294,562 | 2005-12-06 | | |
US11/294,562 US7640323B2 (en) | 2005-12-06 | 2005-12-06 | Forensics tool for examination and recovery of computer data |
US11/294,560 | 2005-12-06 | | |
Publications (2)
Publication Number | Publication Date |
---|---|
WO2007067424A2 true WO2007067424A2 (fr) | 2007-06-14 |
WO2007067424A3 WO2007067424A3 (fr) | 2009-06-04 |
Family
ID=38123390
Family Applications (2)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
PCT/US2006/045978 WO2007067425A2 (fr) | 2005-12-06 | 2006-12-01 | Outil judiciaire pour examen et recupération de donnees informatiques |
PCT/US2006/045977 WO2007067424A2 (fr) | 2005-12-06 | 2006-12-01 | Outil judiciaire pour examen et recupération de donnees informatiques |
Family Applications Before (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
PCT/US2006/045978 WO2007067425A2 (fr) | 2005-12-06 | 2006-12-01 | Outil judiciaire pour examen et recupération de donnees informatiques |
Country Status (1)
Country | Link |
---|---|
WO (2) | WO2007067425A2 (fr) |
Cited By (7)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
WO2008156328A3 (fr) * | 2007-06-21 | 2009-02-26 | Ubitas Co Ltd | Système et procédé d'expertise numérique |
GB2454715A (en) * | 2007-11-19 | 2009-05-20 | Ali Jahangiri | Computer program for extracting forensic data form a target computer |
US7835811B2 (en) | 2006-10-07 | 2010-11-16 | Voxelogix Corporation | Surgical guides and methods for positioning artificial teeth and dental implants |
GB2470198A (en) * | 2009-05-13 | 2010-11-17 | Evidence Talks Ltd | Digital forensics using a control pod with a clean evidence store |
EP2525300A4 (fr) * | 2010-03-29 | 2013-09-25 | Ubic Inc | Système, procédé, et logiciel de police judiciaire |
US8799317B2 (en) | 2010-03-29 | 2014-08-05 | Ubic, Inc. | Forensic system, forensic method, and forensic program |
CN111858479A (zh) * | 2020-07-29 | 2020-10-30 | 湖南泛联新安信息科技有限公司 | 一种基于目标装备的软件样本便携式采集方法 |
Families Citing this family (2)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US9864878B2 (en) | 2015-07-27 | 2018-01-09 | International Business Machines Corporation | Event log tamper detection |
KR101864790B1 (ko) * | 2016-11-30 | 2018-06-07 | 충북대학교 산학협력단 | 디지털 포렌식을 위한 드라이브 접근시스템 및 방법 |
Family Cites Families (5)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US6687700B1 (en) * | 2000-11-09 | 2004-02-03 | Accenture Llp | Communications system for supporting inter-dependent data messages |
US20020152397A1 (en) * | 2001-04-06 | 2002-10-17 | Mckay Drew | Virtual investigator |
US6792545B2 (en) * | 2002-06-20 | 2004-09-14 | Guidance Software, Inc. | Enterprise computer investigation system |
US7370072B2 (en) * | 2002-07-08 | 2008-05-06 | Electronic Evidence Discovery, Inc. | System and method for collecting electronic evidence data |
US7496959B2 (en) * | 2003-06-23 | 2009-02-24 | Architecture Technology Corporation | Remote collection of computer forensic evidence |
2006
- 2006-12-01 WO PCT/US2006/045978 patent/WO2007067425A2/fr active Application Filing
- 2006-12-01 WO PCT/US2006/045977 patent/WO2007067424A2/fr active Application Filing
Cited By (9)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US7835811B2 (en) | 2006-10-07 | 2010-11-16 | Voxelogix Corporation | Surgical guides and methods for positioning artificial teeth and dental implants |
WO2008156328A3 (fr) * | 2007-06-21 | 2009-02-26 | Ubitas Co Ltd | Système et procédé d'expertise numérique |
GB2454715A (en) * | 2007-11-19 | 2009-05-20 | Ali Jahangiri | Computer program for extracting forensic data form a target computer |
GB2470198A (en) * | 2009-05-13 | 2010-11-17 | Evidence Talks Ltd | Digital forensics using a control pod with a clean evidence store |
EP2525300A4 (fr) * | 2010-03-29 | 2013-09-25 | Ubic Inc | Système, procédé, et logiciel de police judiciaire |
US8793277B2 (en) | 2010-03-29 | 2014-07-29 | Ubic, Inc. | Forensic system, forensic method, and forensic program |
US8799317B2 (en) | 2010-03-29 | 2014-08-05 | Ubic, Inc. | Forensic system, forensic method, and forensic program |
US9244920B2 (en) | 2010-03-29 | 2016-01-26 | Ubic, Inc. | Forensic system, forensic method, and forensic program |
CN111858479A (zh) * | 2020-07-29 | 2020-10-30 | 湖南泛联新安信息科技有限公司 | 一种基于目标装备的软件样本便携式采集方法 |
Also Published As
Publication number | Publication date |
---|---|
WO2007067425A3 (fr) | 2009-06-04 |
WO2007067425A2 (fr) | 2007-06-14 |
WO2007067424A3 (fr) | 2009-06-04 |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
| 121 | Ep: the epo has been informed by wipo that ep was designated in this application | |
| NENP | Non-entry into the national phase | Ref country code: DE |
| 122 | Ep: pct application non-entry in european phase | Ref document number: 06838764; Country of ref document: EP; Kind code of ref document: A2 |