US 2009/0164522 A1
United States Patent Application Publication
Pub. No.: US 2009/0164522 A1
Pub. Date: Jun. 25, 2009
Inventor: Andrew L. Fahey, Parker, CO (US)
Assignee: e-fense, Inc., Centennial, CO (US)
Appl. No.: 12/318,083
Filed: Dec. 22, 2008
Related U.S. Application Data: Provisional application No. 61/008,295, filed on Dec. 20, 2007.
Correspondence Address: BUCHANAN, INGERSOLL & ROONEY PC, POST OFFICE BOX 1404, ALEXANDRIA, VA 22313-1404 (US)

Publication Classification
Int. Cl.: G06F 17/30 (2006.01); G06F 9/44 (2006.01); G06F 15/16 (2006.01)
U.S. Cl.: 707/104.1; 717/106; 709/202; 707/E17.044

COMPUTER FORENSICS, E-DISCOVERY AND INCIDENT RESPONSE METHODS AND SYSTEMS

ABSTRACT

Systems and methods for collection of volatile forensic data from active systems are described. In an embodiment of the methods, a selected set of forensics data items can be selected. Runtime code capable of launching data collection modules from a removable storage device with little or no user input is generated and stored on the device. The collection of forensic data can then be accomplished covertly using the removable storage device by a person with minimal training. In another embodiment, pre-deployed agents in communication with servers and controlled by console software can collect forensic data covertly according to schedule, immediately at the command of an analyst using a remote administrative console, or in response to a triggering event.

[FIG. 1, Sheet 1 of 4: tiered architecture of console administrative tools, servers and agents (drawing not reproduced).]
[FIG. 2, Sheet 2 of 4: hierarchical arrangement of supervisory servers and site level servers (drawing not reproduced).]
[FIG. 4, Sheet 4 of 4: flow chart for using agents, with boxes labelled Log In To System, Select Agents, Select Action (E-discovery, Incident Response, Computer Forensics), Run Audit, Run Data Acquisition, Query Agents By Search Criteria, Local Deduplication, Database Storage on Server, Global Deduplication and Storage, and Analyze And Report; reference numerals 41 to 48.]

BACKGROUND

1. Field of the Invention

The invention relates to methods and systems for computer forensics, e-discovery, and incident response.

2. Description of the Related Art

The forensic acquisition of volatile data has been known for the last few years. The bootable incident response CD-ROM, Helix3™, has enabled users to acquire volatile data from systems since its release. Law enforcement and intelligence communities are aware of the practice of acquiring volatile data but have been very slow to accept it.

Volatile data analysis shows a wealth of information that has typically been ignored. With the advent of stronger encryption and newer operating systems such as Microsoft Vista, it has become very difficult for traditional forensic practices to yield useful data. This has led to a dichotomy in the forensics world. There is now a split between traditional forensics and what is referred to as live forensics. It is now imperative to capture volatile data before powering off a system and starting the traditional computer forensics imaging and analysis.

Unfortunately there is little training on the collection and analysis of volatile data. The tool sets to conduct such operations are limited and not well packaged. The Helix3™ CD alleviated this problem by pulling together the most effective incident response tools in use by various government agencies and corporate forensic professionals. This CD made it very easy for a trained individual to acquire not only physical images of hard drives but also the volatile data. Helix3™ has now become a standard in the forensics community around the world. Helix3™ continues to develop and improve, but there is a void that still needs to be filled.

The law enforcement and intelligence communities around the world need to be able to forensically acquire volatile data in a very simple and robust manner. While it is true that acquiring volatile data can be conducted using Helix3™, the Helix3™ CD cannot be used covertly because a trained user must launch the selected tools from the CD. It also requires a fair amount of training and knowledge in order to obtain the data in a forensically sound manner.

There is a need to be able to acquire volatile data from computer systems that a subject has used. Examples include computer systems in an internet cafe or corporate environment. However, the problem is how to easily and surreptitiously recover the volatile data from such systems. This is especially true if the subject has not saved anything to the hard drive, or if they have "erased" all their activity. Add to this dilemma a scenario in which a government agent is forced to use a covert source (also known as a confidential informant) to obtain the data, and the problem becomes even more difficult. The source's level of computer knowledge may be extremely limited. It may be impossible to send a lay person to collect volatile and perishable data, e.g. evidence of criminal activity, and minimize or eliminate the chances that the source (or agent for that matter) might inadvertently or intentionally type the wrong command and actually destroy data.

Another issue that needs to be addressed is that while Windows has the largest market share of deployed desktop systems, there are many other non-Windows platforms. Many public computer facilities such as internet cafes around the world utilize non-Windows operating systems such as Mac OS X or various Linux distributions. No single tool exists that works across all platforms.

There are very few programs or options that are available. Helix3™ was the first inclusive utility that allowed the simple acquisition of volatile data from running systems. Helix3™ has continued to develop and mature and is updated on a regular basis. Some of the solutions that Helix3™ uses are: Incident Response Collection Report (IRCR), available at tools.phantombyte.com; Windows Forensic Toolchest (WFT), available at www.foolmoon.net/security/wft; The Forensic Server Project (FSP), available at www.windows-ir.com/fsp.html. Each of these tools has the capability to be scripted to run on Windows systems and acquire volatile data. None of them, however, run covertly or are cross platform aware, i.e. they only work on Windows operating systems. There are a few other options that have some similar capabilities. These include EnCase FIM and Technology Pathways ProDiscover. However, all these options are limited. The biggest issue with these products is that in order to use them to collect volatile data, an agent program must already be installed on the system to be analyzed or must be installed prior to running. Thus these options will not work in an uncontrolled or covert environment.

Incident Response/Forensics in the corporate or governmental enterprise environment poses different challenges. Today's globally networked society is exposed to frequent cyber attacks. The threat to government, corporate and private networks is very real. In an attempt to mitigate the external threat, networks are defended through layered defenses consisting of Intrusion Detection Systems (IDS), firewalls, anti-virus/malicious logic applications and Intrusion Prevention Systems (IPS). Layered network defenses are effective against external threats. However, layered defenses offer little in terms of mitigating the insider threat and, in the case of a breach, streamlined incident response.

Management or operations of large enterprise networks typically takes place at a remote consolidated facility. This central Network Operations and Security Center (NOSC) is the focal point for management of system outages and incident response. Responding to system outages is usually a well established and predictable process. In global networks, incident response is not predictable and, at best, challenging. Incident response is triggered for various reasons. Commonly, a network defense analyst will respond to an alert raised by a network defense sensor, intrusion detection system or anti-virus application. The analyst then directs a field technician at the affected site to take investigative action. These initial actions will likely consist of running special software to reveal known hacker files or applications. More often than not, however, field technicians are not skilled in analyzing the results of the forensic application and must then forward the results to the network defense analyst. If the network defense analyst concludes the initial findings warrant further data from the affected workstation, the field technician is contacted again and retrieves the data requested by the analyst. This cycle repeats until the issue is resolved. Resolving incidents in this manner can take days to complete. Unlike other forensic investigations, computer crimes take fractions of a second to commit, and the volatile forensic evidence is available for a finite period of time. In today's network operational environment, the time to investigate and resolve suspect activity is excessive.

Time is the enemy during incident response. The entire enterprise network and supported missions remain in a highly vulnerable state until the incident is fully investigated and the
method of exploitation (if any) is revealed.

Electronic discovery for litigation is another area of need. The Federal Rules of Civil Procedure provide regulations regarding how organizations should gather and prepare electronic evidence. However, there are very few standards that organizations can turn to when collecting and preserving evidence. Currently, organizations use in house procedures to collect and preserve electronic information. Once collected, the information is then provided to a service provider for processing. The service provider then uses specialized methods and tools to extract the desired information from the media and prepare it for review by internal and external counsel. The attorneys manually review the information and eliminate non-pertinent documents.

The greatest expense in electronic discovery results from: (1) the amount of information organizations collect and provide to service providers for processing, and (2) the amount of time attorneys spend reviewing and eliminating documents of no value to the case. More often than not, organizations do not have the resources or technology available to quickly eliminate redundant or non-pertinent information from a dataset. Organizations lacking an organic data reduction capability are at the mercy of businesses who provide (expensive) data reduction processing services. Organizations are typically faced with processing fees approaching or exceeding $2,500 per gigabyte. Another drawback to outsourcing data reduction is the time involved in locating a service provider, in addition to the time to process the data. This lessens the time in-house counsel has to prepare case strategies.

Today, there exist multiple software options for incident response, security and e-discovery on an enterprise level. In most cases, they are expensive, difficult to integrate into an enterprise operation, problematic and fail to focus on insider threats, anomaly detection or e-discovery.

SUMMARY

A preferred embodiment is an automated system that can be used by government and corporate investigators (or their assets) to acquire volatile evidence from an individual's computer activity. The data may be acquired overtly or covertly. In preferred embodiments, applications of the system will attempt to avoid antivirus and intrusion detection systems, and will safeguard the collected data using encryption and/or masking techniques. In preferred embodiments, the applications and/or acquired data can only be recovered using computer forensic techniques.

In preferred embodiments, the system includes an application that permits persons that are not trained in computer forensics to locate, decrypt, document and validate the collected data in a manner that ensures admissibility in court if needed. The system can be designed to be used by law enforcement and intelligence officers and agents and adapted to the respective roles and responsibilities of such persons.

Accordingly, a method for collecting volatile data from an active target computer can comprise selecting one or more computer forensic data items, including at least one volatile data item, for collection from an active target computer from among a plurality of computer forensic data items. The method then comprises generating integrated executable runtime code that, once activated on an active target computer, is capable of launching a defined sequence of data collection modules for collecting the selected computer forensic data items on an active target computer from a removable storage device without user input. The executable runtime code is stored on an initialized removable storage device. The removable storage device can then be connected to an active target computer. The executable runtime code may be automatically or manually activated, whereupon the defined sequence of data collection modules is launched, thereby collecting the selected computer forensic data items from the active target computer.

In preferred embodiments, the removable storage device is a USB flash drive. The drive can be a U3 flash drive comprising a read-only partition, in which case the device can be programmed by writing to the writable partition and/or the read-only partition.

In preferred embodiments of the method, the data is collected covertly. This can be accomplished by displaying a camouflaged view to the user while the data is being collected, for example a view selected from among a web browser, a card game, and an image browser, or the executable runtime code may not display any window to the user. Alternatively the user may choose overt data collection, in which case a window may be displayed reporting the status of data collection.

In some embodiments of this method, the executable runtime code is activated automatically upon connection of the removable storage device to the active target computer. Preferably, the runtime code is generated so that at the time that it is activated, a user can command the runtime code to either store the data items to be collected on the removable storage medium or securely transmit the data items to an internet drop site. When the collected data is stored on the removable device, the collected data items can be stored in an encrypted database that is recoverably deleted prior to deactivation and removal of the removable storage medium from the target computer.

In an alternative embodiment, a system may comprise software agents pre-deployed on networked host computers, each agent being in communication with a server. The servers can be deployed in a tiered network comprising supervisory servers. The agents can be accessed by console administrative tools in communication with the servers. The system permits the user of the console to command the agents, through the servers, to collect forensic data from the software agents or access historical data stored on the servers. In this way, the system provides the ability, among other things, to covertly collect volatile computer forensic data from host computers, to build a case file recording activity over time, to search an entire network for evidence of malicious usage or malicious software, or to collect all data meeting specified criteria.

A system for collecting and managing data relating to the activity of a user of a networked host computer can comprise a plurality of software agents active on host computer systems, one or more servers in network communication with one or more of the software agents, and one or more console administrative tools residing on computer systems capable of network communication with the servers. The software agents each comprise means for covertly and forensically collecting volatile data from the computer upon which the software agent resides and securely transmitting the data to one or more of the servers. The servers each comprise means for securely storing data received from one or more of the software agents, means for securely receiving instructions from a console administrative tool subject to an administrative permission rule, means for securely transmitting instructions to one or more agents, and means of transmitting forensic data to the console administrative tools. The console administrative tools each comprise means of securely communicating with the servers, means of requesting forensic data from the servers and from the agents through the servers, and means of verifying, analyzing and presenting forensic data received from the software agents through the servers.

BRIEF DESCRIPTION OF THE DRAWINGS

FIG. 1 illustrates a malicious insider detection solution that implements a tiered architecture consisting of Console Administrative Tools (CAT), servers and agents.

FIG. 2 illustrates a hierarchical arrangement of supervisory servers and site level servers in which supervisory servers can be located in a global network operations and security center (NOSC) and regional NOSCs. These external supervisory servers may communicate with and collect data from one or more internal NOSC supervisory servers, each of which may communicate with and collect data from one or more site level servers, which communicate with individual software agents on a local area network. The CAT (not shown) can access the servers at any level of the hierarchy in accordance with authorizations granted by an administrator. One or more agents may be associated with each site level server.

FIG. 3 illustrates an exemplary flow chart for forensic data acquisition using a removable storage device.

FIG. 4 illustrates an exemplary flow chart for using agents.

DETAILED DESCRIPTION OF THE PREFERRED EMBODIMENTS

Described herein are computer-based systems and methods for collecting forensic data, including volatile computer forensic data, from target computer systems in controlled and uncontrolled environments. The systems provide the ability to collect the desired forensic data covertly or overtly as circumstances may require. Although the systems and methods will be discussed with reference to various illustrated examples, these examples should not be read to limit the broader spirit and scope of the present invention. The general concepts and reach of the present invention are broader than the examples provided below.

Some portions of the description that follows are presented in terms of means, programs, and modules with a stated function that represent operations on data stored on a storage medium or in a computer memory. Such functional descriptions are used by those skilled in the computer science arts to effectively convey the substance of their work to others skilled in the art. A means, module, tool, application, or solution for accomplishing a function in a computer is here, and generally, conceived to be a self-consistent sequence of steps leading to a desired result that can be embodied in computer readable and executable instructions. A person of ordinary skill in the art will recognize that there are many different ways to embody a means for accomplishing a function in a computer that will vary depending on the particulars of the computer or computers on which the means are intended to operate, the operating systems of those computers, the computer readable language in which the instructions accomplishing the steps are written, and the practices and preferences of an individual computer programmer. The steps require physical manipulations of physical entities. Usually, though not necessarily, these entities take the form of electrical or magnetic signals capable of being stored, transferred, combined, compared and otherwise manipulated. It has proven convenient at times, principally for reasons of common usage, to refer to these signals as data, signals, network communications, and the like. It should be borne in mind, however, that these and similar terms can be associated with appropriate physical embodiments and are merely convenient labels applied to these embodiments.

Unless specifically stated otherwise, it will be appreciated that throughout the description of the present invention, use of terms such as "processing", "computing", "calculating", "determining", "displaying", "searching", "collecting", "storing", "generating" or the like refer to the action and processes of a computer system, or similar electronic computing device, that manipulates and transforms data represented as physical (electronic) quantities within the computer system's registers, memories and data storage devices into other data similarly represented as physical quantities within the computer system memories or registers or other information storage device, transmission or display devices.

As indicated below, embodiments of the present invention are instantiated in computer software, that is, computer readable instructions, which, when executed by one or more computer processors/systems, instruct the processors/systems to perform the designated functions. Such computer software may be resident in one or more computer readable media, such as hard drives, CD-ROMs, DVD-ROMs, read only memory, read-write memory and so on. Such software may be distributed on one or more of these media, or may be distributed across one or more computer networks (e.g., the Internet). Regardless of the format, the computer programming, rendering and processing techniques discussed herein are simply examples of the types of programming, rendering and processing techniques that may be used to implement aspects of the present invention. These examples should in no way limit the present invention, which is best understood with reference to the claims that follow this description.

The methods and systems described below provide for the forensic collection of volatile and static data from an active target computer system. Of interest because of its temporal nature, volatile data is data that is subject to being routinely deleted or altered as the system is used or in the event that the system is powered down. This includes the contents of memory whether physical, virtual, or swap, temporary files, lists of recently accessed files, internet addresses, lists of open connections, lists of attached devices, and the like. A non-limiting list of volatile data items and exemplary ways in which the data can be collected can include the following:

Internet History
  Internet Explorer: Create a summary of online activity including one or more of the following:
    Bookmarks: All pages that have been marked as a favorite or shortcut.
    History: Details on all pages visited.
    Cookies: Data items stored by web servers for future reference.
    Downloads: URL and file name of files that have been downloaded.
  Firefox: Create a summary of online activity including one or more of the following:
    Bookmarks: All pages that have been marked as a favorite or shortcut.
    History: Details on all pages visited.
    Cookies: Data items stored by web servers for future reference.
    Downloads: URL and file name of files that have been downloaded.
    Auto fill: Data strings used to auto complete forms; this includes addresses and often purchasing information used for online purchases.
  Apple Safari: Create a summary of online activity including one or more of the following:
    Bookmarks: All pages that have been marked as a favorite or shortcut.
    History: Details on all pages visited.
    Cookies: Data items stored by web servers for future reference.
    Downloads: URL and file name of files that have been downloaded.

Chat Logs
  Skype: Create a summary of online activity including one or more of the following:
    VoIP calls, including the name or phone number.
    Instant messages, including the name of the third party, content of the message, and the date and time of the message.
    SMS messages, including the phone number of the third party, and content of the message.
    File Transfers.
    Buddy list and details, including addresses imported from other systems by Skype.

System Passwords
  NTLM and Lan Man Password Grabber: Output the LM and NTLM password hashes of local user accounts from the Security Account Manager (SAM).
  Apple Keychain Extractor: All passwords stored in the keychain can be extracted.

Network Information
  Analysis of the network activity on the agent computer. This information includes Address Resolution Protocol (ARP) tables, network interfaces, routing tables, and network connections/statistical activity.
  ARP converts an Internet Protocol (IP) address to its corresponding physical network address. ARP is a low-level network protocol, operating at Layer 2 of the OSI model. The ARP table shows what computers were connected to a machine on the local network.
  Interface tables describe what interfaces are in use on the system and what the individual MAC address is for each of them. The Media Access Control (MAC) address is a quasi-unique identifier assigned to most network adapters or network interface cards (NICs) by the manufacturer for identification. If assigned by the manufacturer, a MAC address usually encodes the manufacturer's registered identification number.
  The routing table is a set of rules, often viewed in table format, that is used to determine where data packets traveling over an Internet Protocol (IP) network will be directed. All IP-enabled devices, including routers and switches, use routing tables.
  Network statistics and connections: similar to NetStat, which displays network connections (both incoming and outgoing) and a number of network interface statistics. The processes and executable paths associated with each connection are also shown.

Memory
  Clipboard: Capture any text contents, graphics, or binary data such as files found in the clipboard.
  RAM searching & collection: Forensically acquire RAM from all platforms, as well as the ability to search and preview the contents of what is in RAM prior to acquisition.

Disk Image
  Forensically acquire physical and logical disks in a form that is court acceptable worldwide. The images allow for compression as well as size segmentation.

Environment Variables
  System Information: Create a profile of the hardware in use including (but not limited to) the following:
    User Name
    Computer Name
    Operating System
    System Serial number
    Processor
    Model
    UUID
    Time Zone
    Country Code
    OS Registration Information
    Installed Drivers
    Volume (Drive) Information

Process Information
  Processes: Analysis of all running processes on the system, to include the full executable path information, memory usage and associated dynamic library files.
  Services: Analysis of all system services, to include ones that are running or stopped.

Registry Information
  Extract all settings from the Windows registry, which is a directory that stores settings and options for the operating system for Microsoft Windows 32-bit versions, 64-bit versions, and Windows Mobile.

System Logs
  Extract the system, application, and security logs from Microsoft Windows systems.

Active Data
  Screen shot: Capture and save a screen shot of the main screen on the system.
  KeyLogger: Capture all keystrokes and show both the raw and converted versions.

It is the responsibility of the investigator to ensure the completeness, integrity and accuracy of the data in the evidence acquisition process. Three principles of computer forensics are advantageously taken into consideration in a system for acquiring data, as follows: Reconnaissance, Reliability and Relevancy. Reconnaissance is the principle that an investigator collects as much evidence as possible. This is applied in the acquisition phase.
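The Network Information items listed above (the ARP table, interface and routing tables, and a NetStat-style listing of connections with their owning processes) are usually the first volatile data an analyst reads, and they are far more useful once turned into records that can be joined and filtered. The following is an added example, not code from this application or from Helix3: it parses constructed samples in the Windows `arp -a` and `netstat -ano` formats, attaches a constructed PID-to-executable map standing in for a process listing, and applies a simple triage heuristic of this example's own (established connections to non-private peers from an executable outside the Windows or Program Files directories). All sample data, addresses and paths are constructed.

```python
"""Structure volatile network information (ARP table and active connections)
and associate each connection with its owning process.

Added example; not code from the patent application.  ARP_OUTPUT and
NETSTAT_OUTPUT are constructed samples in the Windows `arp -a` and
`netstat -ano` formats, and PROCESS_PATHS is a constructed stand-in for a
process listing (PID -> executable path)."""
import re
from collections import defaultdict
from dataclasses import dataclass

ARP_OUTPUT = """\
Interface: 192.168.1.23 --- 0xb
  Internet Address      Physical Address      Type
  192.168.1.1           00-1a-2b-3c-4d-5e     dynamic
  192.168.1.40          00-1a-2b-3c-4d-60     dynamic
  192.168.1.255         ff-ff-ff-ff-ff-ff     static
"""

NETSTAT_OUTPUT = """\
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING       4
  TCP    192.168.1.23:49712     192.168.1.40:445       ESTABLISHED     4
  TCP    192.168.1.23:49801     203.0.113.7:443        ESTABLISHED     2188
  TCP    192.168.1.23:49955     198.51.100.9:4444      ESTABLISHED     3316
  UDP    0.0.0.0:5353           *:*                                    1520
"""

PROCESS_PATHS = {  # constructed stand-in for a process listing
    4: "System",
    1520: r"C:\Windows\System32\svchost.exe",
    2188: r"C:\Program Files\Mozilla Firefox\firefox.exe",
    3316: r"C:\Users\alice\AppData\Local\Temp\update.exe",
}


@dataclass(frozen=True)
class ArpEntry:
    ip: str
    mac: str
    kind: str  # "dynamic" or "static"


@dataclass(frozen=True)
class Connection:
    proto: str
    local: str
    remote: str
    state: str  # empty for UDP, which has no State column
    pid: int
    exe: str


ARP_RE = re.compile(
    r"^\s*(\d{1,3}(?:\.\d{1,3}){3})\s+([0-9a-f]{2}(?:-[0-9a-f]{2}){5})\s+(\w+)\s*$",
    re.I)


def parse_arp(text):
    """One ArpEntry per address row; the header and interface lines are skipped."""
    entries = []
    for line in text.splitlines():
        m = ARP_RE.match(line)
        if m:
            entries.append(ArpEntry(m.group(1), m.group(2).lower(), m.group(3).lower()))
    return entries


def parse_netstat(text, process_paths):
    """One Connection per TCP/UDP row, joined to its executable path via PID.
    UDP rows carry no State column, so the PID is always the last field."""
    conns = []
    for line in text.splitlines():
        parts = line.split()
        if not parts or parts[0] not in ("TCP", "UDP"):
            continue
        proto, local, remote, pid = parts[0], parts[1], parts[2], int(parts[-1])
        state = parts[3] if proto == "TCP" and len(parts) == 5 else ""
        conns.append(Connection(proto, local, remote, state, pid,
                                process_paths.get(pid, "<unknown>")))
    return conns


def is_private(ip):
    """RFC 1918 ranges plus loopback: enough for a LAN-versus-Internet split."""
    a, b = (int(x) for x in ip.split(".")[:2])
    return a in (10, 127) or (a == 192 and b == 168) or (a == 172 and 16 <= b <= 31)


def established_by_process(conns, arp):
    """Group ESTABLISHED connections by (pid, exe) and note whether the peer
    is on the local segment (present in the ARP table) and whether it is private."""
    on_segment = {e.ip for e in arp}
    groups = defaultdict(list)
    for c in conns:
        if c.state != "ESTABLISHED":
            continue
        ip, port = c.remote.rsplit(":", 1)
        groups[(c.pid, c.exe)].append({"peer": c.remote, "port": int(port),
                                       "on_lan": ip in on_segment,
                                       "private": is_private(ip)})
    return dict(groups)


def review_first(conns, arp):
    """Triage heuristic (this example's own): established connections to
    non-private peers from an executable outside Windows or Program Files.
    Returns (pid, exe, peer) tuples for the analyst to look at first."""
    hits = []
    for (pid, exe), peers in established_by_process(conns, arp).items():
        trusted = exe == "System" or exe.lower().startswith(
            ("c:\\windows\\", "c:\\program files"))
        hits.extend((pid, exe, p["peer"]) for p in peers
                    if not p["private"] and not trusted)
    return hits


if __name__ == "__main__":
    arp = parse_arp(ARP_OUTPUT)
    for pid, exe, peer in review_first(parse_netstat(NETSTAT_OUTPUT, PROCESS_PATHS), arp):
        print(f"review first: pid={pid} exe={exe} peer={peer}")
```

The path-based rule is deliberately crude and only orders the analyst's attention; it is not a verdict, and a process running from a user-writable directory can be legitimate. Because a connection listing is itself volatile, the raw text should be preserved alongside the parsed records rather than replaced by them.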
The principle of reliability applies to the storage phase, where the data needs to be preserved in an optimum format to preserve evidentiary value and verifiability. The final principle is to accurately identify all of the relevant evidence. This principle is applied primarily in the analysis phase. The systems and methods described below are capable of acquiring volatile computer forensics data in a forensically sound manner.

Acquiring Computer Forensic Data in an Uncontrolled Environment.

Acquisition of volatile computer forensic data in an uncontrolled or public environment presents different challenges than acquisition of data in a corporate or enterprise environment. The trained forensic investigator may not have access to the target system; rather, it may be necessary to rely upon an untrained agent such as an informant, cooperating witness, or intelligence asset. Therefore, it is advantageous to divide the procedure into phases, wherein the data acquisition phase can be carried out overtly or covertly by a person who has little or no training, but who does have physical access to an active target system.

In an embodiment of the system and methods described herein, a computer forensics data acquisition system and method is provided in which a customized selection of computer forensics data items can be chosen from a list presented by console software running on a computer. Runtime code comprising modules for collecting the selected data items is then generated by the console software and packaged in one or more integrated applications that can be executed from a removable storage device, preferably without causing any persistent change to the target computer. The executable runtime code is then loaded onto a removable storage device. The programmed device is then connected to an active target system, and the executable runtime code is activated. The executable runtime code can launch the modules for collecting the selected computer forensics items in a defined sequence without further user input. Collection may be performed covertly or overtly. Following completion of the data collection, the programmed device can be inactivated and removed from the target system. In a preferred embodiment, the device is returned to the computer running the console software for recovery and analysis of the collected data items.

The system comprises system management console software running on a computer and a removable storage device. The management console software comprises code for a collection of computer forensics modules, each module being capable of collecting a forensic data item from a target computer. The management console software permits the user to select a customized set of data items, preferably including at least one item of volatile forensic data, from the list of available modules. The management console software also comprises a module to generate runtime code that can launch the modules for collecting the selected items on an active target computer from a removable storage device, and a module to program the removable storage device with the package of runtime code. Thus, after the device is programmed, the system also comprises a removable storage device carrying a custom generated package of runtime code for collecting the selected set of data items. The management console software can also comprise modules for recovery and analysis of data collected by the computer forensics modules. However, in some embodiments, for example where the data collection modules used are standard tools, the data may be recovered and analyzed on a separate system. In other embodiments, the data may be stored such that it can only be recovered by the management console software that generated the runtime code for the device.

In preferred embodiments of the method, the data is collected covertly. This can be accomplished by displaying a camouflaged view to the user while the data is being collected, for example a view selected from among a web browser, a card game, and an image browser, or the executable runtime code may not display any window to the user. Alternatively the user may choose overt data collection, in which case a window may be displayed reporting the status of data collection.

The active target computer in the above method can be a public computer in a library, hotel, internet cafe, school, and the like, or may be a personal computer left running unattended in a home or business and the like. The target computer can be any computer that has recently been used by a subject under investigation, preferably a computer on which the subject has not shut down or restarted the system after use.

Volatile data refers to data created during the use of a computer that is subject to being erased, overwritten, or lost with further use or upon powering down or restarting the system. Volatile data includes the contents of RAM, memory caches, CPU state data, CPU cache, temporary files created by active applications such as web caches, cookies, bookmarks, swap files, Windows registry contents, lists of recently accessed files and internet pages, contents of the "recycle bin" or "trash can," and data on active applications and network connections. Thus, in accordance with the requirements of a particular job, the volatile data that can be collected by the various modules includes: date and time; volatile memory from physical memory; volatile memory from the pagefile and swap drive; volatile memory from virtual memory; network connection data, lists of open TCP or UDP ports, NetBIOS and neighboring network connection information; the currently logged on user and user accounts; currently executing processes and services; scheduled jobs; open files and the registry database; browser autocompletion data and passwords; screen captures; chat logs from programs such as Skype, AOL and Yahoo; SAM password files; and the like. A trained user selects the set of forensics data to be collected as required for a particular job.

The plurality of computer forensics modules comprised in the management console software may include the tools found on the Helix3 CD. The Helix3 CD contains a comprehensive set of tools and a GUI interface for launching the tools. However, the Helix3 CD, or the like, is not suitable for use as the removable storage device in the above method, because the Helix3 CD does not contain runtime code capable of launching a selected set of tools in a defined sequence on an active target computer from a removable storage device without user input. Use of the Helix3 CD requires substantial expertise, and it cannot be used in a covert manner. In a preferred embodiment, unlike the tools on the Helix3 CD, the plurality of computer forensics modules comprised in the management console software includes modules that have been written so as not to rely upon any native operating system API calls. The data collection modules can utilize low level code, allowing the modules to avoid detection by anti-virus or computer intrusion detection systems, and may also avoid causing any persistent change in the host computer. In addition, it must be recognized that Windows Vista and XP Service Pack 3 changed the way in which an individual can acquire the physical memory. In order to acquire the physical memory from a computer running Vista, a special device driver is preferably used to access the kernel space where the memory resides.
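The generate-then-launch arrangement described above (the console fixes the set and order of modules at build time; the runtime code on the device then runs them with no decisions and no prompts on the target) can be shown in code. The following Python is an added example, not code from the patent or its assignee. The module catalog, its volatility ranks and average runtimes, and the stand-in collectors in DEMO_IMPLS are constructed for illustration; build_plan, estimate_runtime and run_plan are names chosen here. The plan is ordered most-volatile-first, following standard order-of-volatility practice, and each module runs isolated so that one failing collector cannot abort the sequence or leave the agent facing an error dialog.

```python
"""Console plan generation and sequenced, fault-isolated collection.

Added example; not code from the patent. The module catalog, volatility
ranks, average runtimes and the stand-in collectors are constructed.
"""
import time
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional


@dataclass(frozen=True)
class ModuleSpec:
    name: str
    volatility: int              # lower = more perishable = launched earlier
    avg_seconds: float           # assumed average runtime measured when tested
    per_gb_seconds: float = 0.0  # assumed extra cost per GB of target RAM


# Constructed catalog of the modules the console offers for selection.
CATALOG: Dict[str, ModuleSpec] = {
    "physical_memory": ModuleSpec("physical_memory", 0, 5.0, per_gb_seconds=30.0),
    "network_connections": ModuleSpec("network_connections", 1, 0.5),
    "running_processes": ModuleSpec("running_processes", 2, 0.8),
    "logged_on_users": ModuleSpec("logged_on_users", 3, 0.2),
    "open_files": ModuleSpec("open_files", 4, 1.0),
    "browser_history": ModuleSpec("browser_history", 5, 2.0),
    "screen_capture": ModuleSpec("screen_capture", 6, 0.5),
}


def build_plan(selected: List[str]) -> List[ModuleSpec]:
    """Console step: validate the selection and fix the launch order.

    The order is decided here, at generation time, so the runtime code on the
    device needs no decisions (and no user input) on the target.
    """
    unknown = sorted(set(selected) - set(CATALOG))
    if unknown:
        raise ValueError(f"unknown modules: {unknown}")
    # Most volatile first, so a later fault loses the least perishable data.
    return sorted((CATALOG[n] for n in set(selected)), key=lambda m: m.volatility)


def estimate_runtime(plan: List[ModuleSpec], target_ram_gb: float) -> float:
    """Rough total runtime to display in the console before code generation;
    the RAM size is the dominant term because of the memory dump."""
    return sum(m.avg_seconds + m.per_gb_seconds * target_ram_gb for m in plan)


@dataclass
class StepResult:
    module: str
    started: float
    finished: float
    ok: bool
    data: Optional[object] = None
    error: Optional[str] = None


def run_plan(plan: List[ModuleSpec], impls: Dict[str, Callable[[], object]],
             clock: Callable[[], float] = time.time) -> List[StepResult]:
    """Runtime step: execute the modules in the fixed order.

    Each module runs inside its own try block: a module that fails is recorded
    with its error and the sequence continues, so one broken collector cannot
    abort the acquisition or leave the agent waiting at a prompt.
    """
    results: List[StepResult] = []
    for spec in plan:
        started = clock()
        try:
            data = impls[spec.name]()
            results.append(StepResult(spec.name, started, clock(), True, data=data))
        except Exception as exc:
            results.append(StepResult(spec.name, started, clock(), False,
                                      error=f"{type(exc).__name__}: {exc}"))
    return results


# Constructed stand-ins for the real collectors so the example runs offline.
def _locked_profile() -> object:
    raise PermissionError("browser profile is locked by another process")


DEMO_IMPLS: Dict[str, Callable[[], object]] = {
    "physical_memory": lambda: b"\x00" * 16,
    "network_connections": lambda: [("10.0.0.5", 49152, "203.0.113.7", 443, "ESTABLISHED")],
    "running_processes": lambda: [(4, "System"), (812, "explorer.exe")],
    "logged_on_users": lambda: ["kiosk"],
    "browser_history": _locked_profile,
}

DEMO_SELECTION = ["browser_history", "physical_memory", "running_processes",
                  "network_connections", "logged_on_users"]


def demo_run() -> List[StepResult]:
    """Build the plan for the constructed selection and execute it."""
    return run_plan(build_plan(DEMO_SELECTION), DEMO_IMPLS)


if __name__ == "__main__":
    plan = build_plan(DEMO_SELECTION)
    print("estimated seconds for a 2 GB target:", estimate_runtime(plan, 2.0))
    for r in demo_run():
        print(f"{r.module:20s} {'ok' if r.ok else 'FAILED: ' + r.error}")
```

Running the file prints the runtime estimate and a per-module status line. The two properties worth checking before the code is written to a device are visible in the output: the memory dump runs first regardless of the order in which the items were selected, and the failing browser_history step is recorded with its error while the rest of the sequence completes.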
The system and methods described above can be designed so that collecting volatile data from the active target computer may require simply connecting the removable storage device to an active target computer. Alternatively, the system and method may be configured to utilize a launcher such as found on U3 enabled USB flash devices to allow the user to activate the runtime code with a single action. The executable runtime code may then proceed to collect the data without further user input. The selected forensic data collection modules are launched in a defined sequence upon activation of the runtime code so that data collection can be carried out in a covert manner.

The executable runtime code prepared by the management console software can comprise one or more executable files prepared in the form of one or more portable applications and optionally script files for launching the tools. A collection utility can be created to acquire volatile data, using known binary code comprising a plurality of computer forensic tools, with no or minimal alteration of the original data. In a preferred embodiment, one or more integrated applications are created for launching the data collection modules. Each integrated application can contain a set of collection modules for collecting a selected set of data items and optionally code permitting the application to masquerade as a commonly used application. Preferably, the entire procedure is a non-intrusive evidence extraction process. No software will be installed on the target (suspect) machine. Preferably, there will be very little or no forensic footprint left behind.

A portable application is a computer software program that does not need to be installed or copied onto a computer's hard drive to be executed, running instead from a removable storage device such as a CD-ROM drive, USB flash drive, flash card, or floppy disk. Portable applications can be run on any computer system with which they are compatible. Portable software is usually designed to be able to store its configuration information and data on the storage media containing its program files. Thus, portable applications preferably leave the computer they run on exactly as they found it when finished. This means that the application preferably does not use the registry, nor store its files anywhere on the machine other than in the application's installation directory. Preferably, the integrated runtime code applications do not require any separate configuration files.

A removable storage device is generally a computer device that can be removably connected to or inserted into an active target system. The removable storage device is capable of storing runtime code for execution on the target system. The removable storage device is preferably a commonly available USB flash memory device (USB key), most preferably a U3 enabled USB flash drive (U3 key). U3 keys are USB flash drives with a specific hardware and software setup. The hardware configuration causes Windows disk management to show two drives: a read-only ISO 9660 volume on an emulated CD-ROM drive with an autorun configuration to execute a U3 LaunchPad, and a standard flash drive that includes a hidden "SYSTEM" folder with installed applications. The preinstalled U3 LaunchPad can be replaced so that tools installed on the device can be launched upon connection of the U3 drive without user intervention.

Other types of removable storage devices may be used in the system. For example, many cellular telephones, digital music players, digital cameras, and the like contain USB, FireWire, or e-SATA connectors and behave in a manner analogous to a USB key when connected to an active system. Likewise, removable memory cards for such devices can contain USB connectors or be inserted into card readers that may be built in or removably connected to a target system. Removable hard disk drives can comprise built-in connectors or may require an appropriate cable. Optical storage devices may be inserted into internal optical drives or into external readers connected by cable.

Connecting the removable storage device to an active target computer can comprise inserting a storage device into the appropriate receptacle on the target system. For example, the connector of a USB key is inserted into an unoccupied USB port. Flash memory cards can be inserted into onboard card reader slots or into a card reader connected to a USB port. Other flash memory devices, such as music players, cameras, and telephones, may require a connection cable.

The executable runtime code is capable of launching the data collection modules in a defined sequence on an active target computer from a removable storage device without user input. The proper execution order for the defined sequence is preferably arranged to minimize possible faults or errors as the program modules are executed on a target computer. For example, the launching of tools executed from the removable storage medium can be arranged to be completed in order of volatility. The agent who connects the removable storage device to the target computer may be required to activate the executable runtime code if the target computer is configured to prevent the automatic launching of programs upon connection of a storage device. Alternatively, upon connection of the device, the agent may be presented with a standard launch menu such as provided on a U3 enabled device. However, advantageously, the activated executable runtime code will not require further action on the part of the agent to launch the data collection modules in a sequence that has been defined by the management console software when the executable runtime code was generated. In preferred embodiments, the executable runtime code is activated automatically upon connection of the removable storage device to the active target system.

Storing the executable runtime code on an initialized removable storage device is carried out by the management console software. Initialization may be carried out by the management console software, or the removable storage may be initialized prior to use. Initialization can comprise forensically cleaning and preparing the removable storage media device for use. The executable runtime code may comprise a single integrated application or may comprise a launcher and separate modules. This code, together with any files required for automatic launching, for example an "autorun.inf" file for use in a Windows environment, is stored on an initialized removable storage device according to the requirements of the code and the device. For example, U3 USB keys have particular partitioning and file system requirements.

Once the executable runtime code has been activated, collecting volatile data from the active target computer in a covert manner is carried out by the data collection modules and will not require further action on the part of the agent. "In a covert manner" means that the launching of the data collection modules will not be apparent to an observer. The executable runtime code may be programmed to cause no change in the display of the target system. This may be accomplished in a launcher by activating a hidden menu and causing the application window to open off-screen. Alternatively, the executable runtime code may be programmed to present a camouflaged display giving the appearance that the agent is engaged in an innocuous activity such as web browsing, playing a card game, browsing image thumbnails, and the like. The executable runtime code may be programmed to covertly signal the agent that the collection has been completed through a change in the camouflaged display or by some other visual or audio cue.

The method can comprise storing the collected data on the removable storage device for analysis. In this case, the storage device cannot be an entirely read-only device. Upon completion of data collection the removable storage device is deactivated and removed. Prior to deactivation, the file containing the stored results may be marked as deleted in the file system of the removable media so that its presence will not be apparent if the device is examined. When the removable device is a USB flash memory device such as a thumb drive, it may comprise a writeable partition and a read-only partition; the runtime code can be stored on the read-only portion to prevent tampering or accidental destruction, and the results of data collection can be stored back to the writable portion. Thus, in a preferred embodiment, storing the executable runtime code and tools on an initialized removable storage device comprises programming the read-only portion of the thumb drive. Such an embodiment can be carried out with a USB thumb drive programmed using U3 technology.

More generally, the system can be considered to have three elements. The first element is a management interface which manages and controls the modules/programs that can be utilized in a live environment. The modules/programs may comprise tools that have been proven and tested by use in the forensics community, or the modules/programs may comprise custom tools that utilize unique methodologies, such as not relying on any native operating system calls. The second element is the runtime executable code that is generated by the management interface and is stored onto a removable storage medium such as an industry standard USB key. The third element is an analysis and reporting capability.

Thus, as a first element, the system includes a management console that any trained user can easily use to create runtime code for a specific job. The console can be designed to be used in the field by agents or assets with little to no training. The management console can be set up on a system such that a trained user can select from a series of data items to collect on a particular operation and the manner in which the data is to be collected.

As a second element, the system will set up and generate executable runtime code to launch the tools in proper forensics execution order once the user chooses the tools for that particular operation. The system may automatically place the code on an initialized USB drive or other removable storage medium. That programmed device can be given to any agent to connect to the target system, e.g. by inserting a programmed USB key into a port on the target system. Once the drive is inserted, the runtime code may be automatically activated, or the agent may activate the runtime code to collect the volatile data with no further user interaction required. The data may be securely stored back to the programmed removable storage media or transmitted to a secure drop site on the internet. Once all the forensic tools have finished collecting data, the executable code may surreptitiously signal the agent, who can simply remove the storage medium and return it to the handler where analysis can be performed. An advantageous aspect of the system is in the generation of the runtime executable that will run from the removable storage media. Preferably the system is written in a cross platform capable language so as to be portable across Windows, UNIX, and Macintosh systems. Runtime executable code for programming a removable storage medium can be written so as to run on a computer under each operating system.

The third element provides an analysis and reporting capability. The management tool can generate runtime code to collect data in a forensically sound manner so as to verify the integrity of the evidence after analysis.

Generally, methods of using the system may be separated into three primary phases. The first is the device preparation. The second is the forensics acquisition, and the third is the forensics analysis.

Device Preparation Phase: A user such as an agent's handler will preferably first be trained in the use of the system to fully understand its power and use. That individual would be able to initialize a removable storage media device such as a USB key. The user can select the appropriate data items for each specific case requirement. Upon selecting the appropriate data items, the management console software can automatically generate executable instructions, which may be in the form of one or more runtime executable files and optionally additional script files, that would then be placed onto an initialized USB key. The system comprises all of the modules/scripts and the like that the system needs in order to generate the executable instructions. Once the runtime code has been placed onto the removable storage media device by the management console, the device can be turned over to an agent. The agent would require very little instruction in the use of the system, the device, or the runtime executable instructions.

Thus, referring to the first column of FIG. 3, a flow chart illustrates a method of using the system. A trained user starting the management console 31 is provided with the opportunity to select key information, for example a label for the removable storage device to be used, case name, user information, and the like. The user can select 33 whether the system should generate code for covert or overt data collection. The user can select 34 the data items to be collected. The system will then generate 35 the runtime code for that job. If an initialized removable storage device is not already prepared, the system can initialize a device. The runtime code is then stored to an initialized removable storage device.

Data Acquisition Phase: This phase, while simplistic in use, can be the most complicated to perform. Executable instructions will have been stored onto a USB thumb drive that was prepared in phase one. In addition to the secure forensics modules and the executable launch instructions, a portable application program can also be stored on the removable storage media. The code can be configured to perform various activities while collecting the data. The time it takes to run the executable instruction set depends on which data items were selected during the generation phase in the management console. Preferably, each data collection module has been tested and an average execution time has been calculated so that a rough estimate of the total runtime will be displayed in the management console, i.e. during selection and before the runtime code is generated. The most significant variable in calculating the runtime is the amount of memory on the system being acquired.

In a preferred embodiment, the runtime code stores the collected data by writing each item collected into an encrypted database, which segregates the collected data by machine and collected item as well as by date and time. Once all the data has been collected the database is removed from the file system by deleting it. The database can be recovered using forensics techniques or by the console software. However, in a preferred embodiment, only the console software can reconstitute the deleted database and recover the data within it. For example, the database may be encrypted using a secure encryption key (e.g. an AES 256 bit key) which only the console software has. When the data is stored in this way, the USB key will appear to have the same files and size before and after an acquisition. This makes the key seem to be the same before and after a collection has occurred.
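The container described above (one record per machine, collected item and collection time, readable only by the console that holds the key) can be illustrated with the following Python, an added example that is not the patent's code. The Python standard library has no AES, so the AES-256 encryption of the database is not shown; instead the console-held key is used for an HMAC-SHA256 tag over each record, which is the check the report generation phase would run to confirm that no record was altered after collection. The EvidenceStore class, record_tag and demo functions, hostnames, items, timestamps and key are all constructed here.

```python
"""Collected-item store segregated by machine, item and collection time, with
an integrity check the console runs at report time.

Added example; not code from the patent. Encryption of the container is not
shown (no AES in the standard library); the console key is used for an
HMAC-SHA256 tag per record instead. Hostnames, items and the key are
constructed.
"""
import hashlib
import hmac
import json
import sqlite3
from datetime import datetime, timezone
from typing import Dict, List, Optional, Tuple

SCHEMA = """
CREATE TABLE IF NOT EXISTS items (
    machine   TEXT NOT NULL,
    item      TEXT NOT NULL,
    collected TEXT NOT NULL,   -- UTC ISO-8601 collection time
    sha256    TEXT NOT NULL,   -- digest of the raw content
    tag       TEXT NOT NULL,   -- HMAC over (machine, item, collected, sha256)
    content   BLOB NOT NULL,
    PRIMARY KEY (machine, item, collected)
);
"""


def record_tag(key: bytes, machine: str, item: str, collected: str, digest: str) -> str:
    """Bind all identifying fields to the content digest under the console key."""
    msg = json.dumps([machine, item, collected, digest], separators=(",", ":")).encode()
    return hmac.new(key, msg, hashlib.sha256).hexdigest()


class EvidenceStore:
    def __init__(self, key: bytes, path: str = ":memory:"):
        self.key = key
        self.db = sqlite3.connect(path)
        self.db.executescript(SCHEMA)

    def add(self, machine: str, item: str, content: bytes,
            when: Optional[datetime] = None) -> str:
        """Runtime side: store one collected item and return its tag."""
        when = when or datetime.now(timezone.utc)
        collected = when.isoformat(timespec="seconds")
        digest = hashlib.sha256(content).hexdigest()
        tag = record_tag(self.key, machine, item, collected, digest)
        self.db.execute("INSERT INTO items VALUES (?,?,?,?,?,?)",
                        (machine, item, collected, digest, tag, content))
        self.db.commit()
        return tag

    def items_for(self, machine: str) -> List[str]:
        rows = self.db.execute(
            "SELECT DISTINCT item FROM items WHERE machine=? ORDER BY item", (machine,))
        return [r[0] for r in rows]

    def verify(self) -> List[Tuple[str, str, str, bool]]:
        """Console side: recompute digest and tag for every record.

        A changed content blob fails the digest; a changed machine, item or
        timestamp fails the tag even if the blob is intact.
        """
        out = []
        for machine, item, collected, digest, tag, content in self.db.execute(
                "SELECT machine, item, collected, sha256, tag, content FROM items"
                " ORDER BY machine, item, collected"):
            digest_ok = hashlib.sha256(content).hexdigest() == digest
            tag_ok = hmac.compare_digest(
                tag, record_tag(self.key, machine, item, collected, digest))
            out.append((machine, item, collected, digest_ok and tag_ok))
        return out


def demo() -> Dict[str, object]:
    """Store two constructed items, verify, alter one record, verify again."""
    store = EvidenceStore(key=b"constructed-console-key")
    t = datetime(2009, 6, 25, 12, 0, 0, tzinfo=timezone.utc)
    store.add("cafe-pc-03", "network_connections",
              b"10.0.0.5:49152 -> 203.0.113.7:443 ESTABLISHED", t)
    store.add("cafe-pc-03", "running_processes", b"4 System\n812 explorer.exe", t)
    before = [ok for *_, ok in store.verify()]
    # Simulate alteration of one record's content after collection.
    store.db.execute("UPDATE items SET content=? WHERE item=?",
                     (b"4 System", "running_processes"))
    store.db.commit()
    after = {item: ok for _, item, _, ok in store.verify()}
    return {"items": store.items_for("cafe-pc-03"), "before": before, "after": after}


if __name__ == "__main__":
    print(demo())
```

The tag covers the machine, item, timestamp and content digest together, so re-labelling a record to another machine or time fails verification even when the content blob is intact, and recomputing the stored digest to match altered content does not help without the console key. With encryption added, the same check would be run after decryption (or folded into an authenticated mode such as AES-GCM).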
Thus, referring to the second column of FIG. 3, a flow chart illustrates an exemplary method of performing data acquisition using the system. The device that was prepared in the first phase is connected 61 to the target computer. If the runtime code has been generated to be autorun 62, and the computer does not have autorun disabled, then the data collection will begin immediately. Alternatively, the user may be presented with a launch menu. The user may be required to navigate the directory structure of the removable storage device and activate the runtime code directly, or activate the launch menu if autorun is disabled on the target computer. At the launch menu, the user may have the ability to select whether the collected data should be stored on the removable storage device or transmitted over a network to a secure drop site. This may be accomplished covertly by using either a standard launch method 64 (e.g. left click on a runtime executable) or an alternative launch method 67 (e.g. shift click, right click, or the like). Following runtime activation, the collection begins and proceeds without further intervention. If storage on the device was selected, then the results may be stored 65 in an encrypted database on the device. To hide the collected data, the database can be recoverably "deleted" from the file system of the removable storage device. If transmission to a drop site was selected, then the data is collected and securely transmitted 68. Upon completion, the user is alerted 69 so that the device can be removed 70.

Report Generation Phase: Referring to the third column of FIG. 3, a flowchart illustrates an exemplary sequence of steps for a report generation phase. After collection of the volatile information from the target machine, investigators can take the removable storage device and re-insert the device into the machine running the system management console for report generation 91. The "deleted" database is recovered and decrypted. Data transmitted to a secure internet location can be accessed and downloaded into the machine running the management console 95. Thus, however the data has been collected, the data can easily be recovered at a later time by the handler using the system management console. The console software comprises modules for analyzing and presenting the collected data 96.

The system is designed for the law enforcement and intelligence community to acquire volatile data on machines they would not normally have easy access to without drawing attention. It is suitable for covert operations, especially undercover operations. However, there may just as well be corporate uses. Computers are now involved in almost every type of serious crime. Typically, the technology the law enforcement and intelligence communities need to keep up with the threat has lagged behind the capabilities that criminals and terrorists have at their disposal to plan and execute their activities. These adversaries have long used public computers to communicate with each other with little to no fear of their activities being discovered. This system, in the hands of a skilled user, can level the high tech playing field. No longer will internet cafes be considered a communication "safe haven." With this system, those little scraps of perishable evidence that are typically ignored or not known about might make the difference in the war on terror and general crime.

Acquiring Volatile Computer Forensic Data in a Controlled Environment.

When the environment in which forensics data is to be collected can be controlled, such as in a corporate enterprise environment, data may be collected by software agents deployed on target machines. Such a system may be capable of assisting first responders and network defense analysts in rapid and accurate assessment of suspicious workstation or network activity. This solution can provide network administrators and security personnel with mechanisms to effectively counter threats posed by insiders to the security and integrity of the corporate networks and the data contained therein. In addition to the incident response capability, this system can use the power of the network to assist in e-discovery. When set up to have access to the entire network strata, the system can quickly and efficiently locate data responsive to a litigation hold request.

Insider Detection/Surveillance: Identification of insider activity requires forensically sound and robust data harvesting techniques. System events and activity offer vital clues to detect insider activities such as permission elevation, covert data tunnels, and data exfiltration. An enterprise system for surveillance and detection of insider activity can be comprised of software agents, servers, and console administration tools (CATs). A schematic of an exemplary network design is illustrated in FIG. 1. Software agents are deployed on individual workstations 1. These agents are connected by network to servers 2. CATs 3, 4 communicate with the agents via the servers. The servers may be arranged in a hierarchy with regional servers 5 communicating with local servers 2 that are networked directly to the agents 1. The CATs 3, 4 may be connected directly to the local network 3 or may access the agents remotely 4. CATs can access the agents through the servers. Preferably, each component is a 32-bit application compiled for Windows Servers, Win 2000, Win XP and Microsoft Vista platforms. The CAT also preferably supports Linux and Mac OS X platforms.

Software Agents: A remote software agent can monitor, collect and search the volatile and non-volatile data present on a host computer. This comprehensive data collection capability allows administrators or analysts to rapidly determine the nature of suspect activity. These remote forensic capabilities include, but are not limited to, the collection and retrieval of any volatile data, user information, network information and associated processes, screen captures, and remote forensic disk and RAM imaging.

Agents may be pre-deployed using any existing software deployment or patch management solution. System servers may comprise modules that are capable of deploying agents to host computers. Preferably, the server deployment module is capable of interfacing with existing software deployment solutions. Agents and configuration files can masquerade as routine system patches for deployment. The agents stand ready to provide the information network defense analysts need to rapidly assess suspicious network activity. In some circumstances, it may be desirable to run an agent on a machine which does not have an active agent. In this case, an agent may be run from a live CD. Such a CD may also be used to deploy an agent. The information provided by the agent can include often overlooked volatile data. The active agent preferably masquerades as a routine process on the workstation and does not interact with the user. The agent produces no visual evidence of its existence. That is, no icons are displayed in the system tray or tool areas of the workstation. Preferably, the agent only accepts commands from a designated CAT (through a server) via encrypted TCP communication. The agent can be configured to beacon at workstation start so that servers may maintain a list of active agents. The beacon can also update the CAT display to reflect the node's status on the network. Through the configuration utility located on the CAT, the analyst can configure the agent to beacon at any desired interval. In addition, the CAT operator can direct each agent to "beacon" on demand.

The agent may be designed to operate on Windows 2K, XP, Vista, and Windows Servers as well as OS X and Linux platforms. Preferably, the agent does not interfere with the operation of anti-virus engines or other malicious logic detection applications.
An agent monitor may reside on workstations and servers together with an agent to restart non-responsive agents. However, this arrangement is not required.

Server Hierarchy: The server component can serve two major purposes. The server can pass requests from the CAT to the agent. The server can store data created by the agents for later access by a CAT. As illustrated in FIG. 2, the system can be deployed with a hierarchical server arrangement on a global network. Site level servers 2 at each location communicate with and collect data from agents deployed on local workstations 1. Network operations and security centers (NSOCs) at each site comprise supervisory servers 5 that communicate with and collect data from site level servers 2. Above these, regional NSOCs 7 can be deployed to monitor and collect data from supervisory servers. A global NSOC 9 may comprise a supervisory server for monitoring all activity throughout the enterprise. The system may comprise one or more failover sites 8 in different cities.

The Console Administration Tool: The CAT is the focal point for agent command and control. The CAT may be deployed within a local area network or may access the system servers from anywhere on the internet. Communication between CAT and server can be encrypted with DOD and NSA approved encryption methods such as the 256-bit AES standard. Through the server, the CAT manages agents within an internal network or distributed across a global enterprise. An authorized user can log in to any server on a network using the CAT. The CAT provides a comprehensive view and operation of network workstations hosting agents while limiting access to only those groups of agents approved by the server administrator. This ensures that CAT operators (analysts) access only those agents within their respective areas of responsibility. The CAT GUI can be divided into many areas, with each presenting different granular data views. Preferably, the CAT implements an intuitive "point and click" interface for system operation and configuration. The CAT can be designed to require minimal training for effective configuration and operation. The simple interface relieves the owner of costly training, allows users to get up to speed in minimal time, and eliminates prolonged integration into an operational environment.

The CAT can be a stand-alone device that does not interfere with the management, distribution or installation of software patch management solutions. A first component of the CAT interface is a hierarchical list view of all network nodes. An analyst or administrator can have the capability to assign IP ranges or nodes into logical groups. This capability provides analysts or administrators the flexibility to group nodes into entities that reflect the structure of the organization.

The analyst can interact with each node in the hierarchical list simply by activating a node or group icon to present a menu of data items the agent can return to the CAT via the server. These items include but are not limited to: operating system information; user account information; volume (hard disk) configuration; host name; clipboard contents; system uptime; screen capture; key stroke log; network packet capture; network configuration; running service/process information; registry information; event logs; internet browser history queries; and alerts upon insertion of removable storage media. System and RAM imaging may also be available. On demand through the CAT or in accordance with pre-configured options, each agent provides real-time remote access to volatile and other pertinent data. All of this information is date/time stamped using GMT/UTC and is obtainable either at workstation startup, on an analyst defined schedule, or in real time via the CAT. Logged agent activity is also configurable by the analyst or administrator. The system may be configured to provide an analyst with an alert upon detection of suspicious activity. The system can be configured to reduce data by eliminating duplicate data.

Each requested data item can be acquired by a routine that is a custom part of the agent, without relying on any system code native to the target system. Data retrieval can be accomplished via custom Application Program Interface (API) calls. This means that, preferably, no native operating system commands on the system are executed. This approach mitigates the threat posed by native commands contaminated by malicious logic (rootkits). Data integrity can be maintained by a variety of means. The analyst may be prevented from changing the contents of any log file. System administrators can limit each user's access to specific categories of data. Workstation agents may be assigned security levels to which an analyst's permissions may be limited. Access may be restricted to agents in specific locations or according to areas of responsibility, e.g. accounting, personnel, R&D, and the like.

All user activity on the agents and CATs is preferably archived to an audit log. The CATs and agents preferably implement a mechanism to uniquely identify the agent and CATs to facilitate auditing. Another major area in the CAT interface is the audit history window. This window displays a current view of each node's audit history. The data displayed in the history window is contained in the server database. The window refreshes each time a new node is selected on the hierarchical list. This provides the analyst a quick view of the node's audit history and includes the node's IP address at the time, start and stop time, the user responsible for executing the audit, and the returned audit items. Audit notes can be added to any audit for either case activity or future reference. Only audits with notes will display the note icon. In addition it is very simple to rename an audit to something descriptive for the analyst. Another major area of the CAT's interface is the Recovered Results Window. This area presents the audit information associated with the linked audit list box.
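The server-side controls described in the preceding paragraphs (a CAT may reach only the agent groups and security levels approved for it; every request is recorded with the agent and CAT identifiers, the user, the node's IP address, start and stop time and the items requested) are shown in the following Python, an added example that is not the patent's code. The encrypted TCP transport between CAT, server and agent is replaced by direct calls; the Agent, CatPrincipal, AuditRecord and Server classes, the agent ids, groups, IP addresses, CAT principal and data items are all constructed here.

```python
"""Server-side routing of a CAT request to an agent, with authorization by
agent group and security level and an audit record for every request.

Added example; not code from the patent. The encrypted transport is replaced
by direct calls; identities, groups, addresses and items are constructed.
"""
from dataclasses import dataclass, field
from datetime import datetime, timezone
from typing import Callable, Dict, List, Optional


@dataclass
class Agent:
    agent_id: str                      # unique id the agent presents for auditing
    hostname: str
    group: str                         # area of responsibility, e.g. "accounting"
    security_level: int
    handlers: Dict[str, Callable[[], object]] = field(default_factory=dict)
    last_beacon: Optional[str] = None


@dataclass(frozen=True)
class CatPrincipal:
    cat_id: str                        # unique id of the console instance
    user: str                          # analyst logged in to the CAT
    groups: frozenset                  # agent groups approved by the server admin
    max_level: int                     # highest agent security level allowed


@dataclass
class AuditRecord:
    agent_id: str
    node_ip: str
    cat_id: str
    user: str
    requested: List[str]
    started: str
    stopped: str
    outcome: str                       # "ok" or "denied: <reason>"
    notes: str = ""


class Server:
    def __init__(self) -> None:
        self.agents: Dict[str, Agent] = {}
        self.addresses: Dict[str, str] = {}
        self.audit: List[AuditRecord] = []

    def beacon(self, agent: Agent, ip: str, now: Optional[datetime] = None) -> None:
        """Agent check-in at workstation start, on schedule or on demand."""
        agent.last_beacon = (now or datetime.now(timezone.utc)).isoformat(timespec="seconds")
        self.agents[agent.agent_id] = agent
        self.addresses[agent.agent_id] = ip

    def active_agents(self) -> List[str]:
        return sorted(self.agents)

    def authorize(self, cat: CatPrincipal, agent: Agent) -> str:
        """Decided on the server, so a CAT cannot reach agents outside its scope."""
        if agent.group not in cat.groups:
            return f"denied: group {agent.group} not approved for {cat.cat_id}"
        if agent.security_level > cat.max_level:
            return f"denied: level {agent.security_level} exceeds {cat.max_level}"
        return "ok"

    def audit_request(self, cat: CatPrincipal, agent_id: str, items: List[str],
                      now: Optional[datetime] = None) -> Dict[str, object]:
        """Route one request; every attempt, allowed or denied, is audited."""
        agent = self.agents.get(agent_id)
        if agent is None:
            raise KeyError(f"no active agent {agent_id}")
        started = (now or datetime.now(timezone.utc)).isoformat(timespec="seconds")
        outcome = self.authorize(cat, agent)
        results: Dict[str, object] = {}
        if outcome == "ok":
            for item in items:
                handler = agent.handlers.get(item)
                results[item] = handler() if handler else None   # unsupported item
        stopped = (now or datetime.now(timezone.utc)).isoformat(timespec="seconds")
        record = AuditRecord(agent.agent_id, self.addresses[agent_id], cat.cat_id,
                             cat.user, list(items), started, stopped, outcome)
        self.audit.append(record)
        return {"outcome": outcome, "results": results, "audit": record}


# Constructed deployment: two agents in different groups, one CAT principal.
ACCOUNTING_ANALYST = CatPrincipal("cat-a1", "analyst1", frozenset({"accounting"}), 3)


def demo() -> Server:
    server = Server()
    t = datetime(2009, 6, 25, 9, 0, 0, tzinfo=timezone.utc)
    acct = Agent("agt-0001", "acct-ws-12", "accounting", 2, handlers={
        "listening_ports": lambda: [135, 445, 3389],
        "current_user": lambda: "jdoe",
    })
    rnd = Agent("agt-0002", "rnd-ws-07", "r-and-d", 4, handlers={
        "listening_ports": lambda: [22],
    })
    server.beacon(acct, "10.1.5.12", t)
    server.beacon(rnd, "10.2.9.7", t)
    return server


if __name__ == "__main__":
    s = demo()
    print(s.audit_request(ACCOUNTING_ANALYST, "agt-0001", ["listening_ports", "current_user"]))
    print(s.audit_request(ACCOUNTING_ANALYST, "agt-0002", ["listening_ports"]))
    for rec in s.audit:
        print(rec)
```

Authorization is evaluated on the server from the CAT's principal, not from anything the CAT asserts about itself in the request, and a denied request still produces an audit record; those records are what the audit history window would show for the node, including the IP address the agent reported at beacon time.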
This area presents the audit information associated to the linked audit list box. effective con?guration and operation. The simple interface relieves the owner of costly training, allows users to get up-to-speed in minimal time, and eliminates prolonged inte gration into an operational environment. US 2009/0164522 A1  The CAT contains an Options WindoW to adjust the Jun. 25, 2009 ever, the transfer of full hard disk or RAM images is an agents’ con?guration. The purpose of the con?guration ?le is exception. BandWidth throttling can be used When moving to establish critical communication settings.Additionally, the large ?les across a netWork. con?guration utility provides the analyst the ?exibility to  Most enterprises focus simply on the external threat and do very little or nothing to mitigate the threat from Within. con?gure each Agent to return speci?ed data to the CAT at Workstation boot. For example; if the analyst is monitoring a speci?c user, the utility can generate an Agent con?guration Studies consistently report the greatest threat to any operation comes from Within. The insider already has access to the ?le to start key logging and packet capture at the suspect’s operation (netWork account) and only requires a motive to terminal at system boot.  All netWork communication betWeen CATs, serv ers, and agents is preferably encrypted. One suitable encryp tion method is the 256-bit Advanced Encryption Standard (AES). Information stored Within the system database is pro exploit his access to information and operations. Given tra ditional netWork defenses, skilled inside attackers or systems compromised by professional hackers are dif?cult to isolate and identify. The skilled attacker Will have the tools and take measures to circumvent layered defenses. Securing the net tected using 256-bit AES encryption. The Advanced Encryp Work from careless users, external attackers or malicious tion Standard (AES) is a Federal Information Processing insiders is arduous. 
Rapidly assessing the magnitude of a compromise is nearly impossible Without a large team of incident response experts. In this day of expanding global operations and reliance on the internet, companies need to leverage technology to e?iciently use the skills of their feW Standards (FIPS) approved cryptographic algorithm for use in protecting electronic data.  Agent Incident Response: When an incident occurs or anomalous activity is suspected, the analyst operating the CAT can query one, some, or all terminals for desired infor mation. During an investigation, the investigator uses the CAT to send the agent a request for information. The agent uses this message as input to generate and return the infor mation requested. The commands collect and return the infor mation needed for timely incident response. For example, should a node on the internal netWork be suspected of com municating to a knoWn hostile site, the CAT can establish an encrypted link With the agent and command the agent to resident experts, or contracted consultants. In other Words, companies need to make the netWork Work for them, not against them. Reliance on traditional netWork defense tools is a recipe for failure. Skilled criminals Will bypass Well knoWn layered defenses. In the case of sensitive or proprietary data theft, skilled criminals Will not ex?ltrate data in an obvious manner. The data Will likely be encrypted and transferred across the netWork, transferred via modem or a covert Wire less netWork, or doWnloaded to removable media and carried return the suspect node’s intemet history, listening ports, out the front door. All of these scenarios easily circumvent screen captures and running processes and login of current “defense-in-depth”. user. In the case of suspected malicious activity on the Work station, the agent can be con?gured to collect and return the  In preferred embodiments, the agents of the system can monitor activity on every Workstation in the enterprise. 
The agents may be programmed to send an alert to the servers user’s keystrokes and screen captures.  Data Format and Storage: Upon receiving a com mand from the CAT, the agent executes the command(s) and prepares the data for transmission. Preferably, the agent con verts the data to XML format. Once in XML format, the data is then encrypted With 256-bit AES encryption and stored in limited to attempted access to restricted ?les, changes in permission levels, anomalous user log in (a user logs in to a the H3E server. connection of removable storage devices; and the like. upon detection of any suspicious activity, including but not Workstation other than her assigned Workstation), opening anomalous netWork connections, transfers of large data sets;  Agent Data Integrity: The agent preferably does not  rely on native operating system commands to retrieve infor mation. The agent implements custom Written API calls to retrieve accurate information. This mitigates the threat from using native commands replaced or altered by malicious logic. All Agent command activity is archived to an internal agent Will not be apparent to a user of the system on Which it resides or to a user of the netWork generally. Impact upon the Advantageously, the presence and activity of the audit log. This log is protected via 256-bit AES encryption. In addition, all data is encrypted and time stamped using GMT/ netWork can minimized by bandWidth throttling and all com munications among CAT, server, and agent can be encrypted. Preferably, the agent operates covertly on the Workstation or server on Which it is installed. The agents preferably do not present any icons to the user, for example in a start menu, UTC.  application toolbar, or the like. To be suf?ciently covert, it is not necessary to hide the agent from the operating system. NetWork Tra?ic: The amount of netWork tra?ic gen erated by the agent is preferably minimal and highly con?g Rather, the agent may be hidden in plain sight. 
For example, urable. The data can be returned on a scheduled basis or on the agent may masquerade as a common process in tools available to the user that list active processes and/ or processes demand. The returned data preferably consists of text ?les containing XML formatted data. These ?les preferably aver age approximately 3 KB in siZe. Screen captures are slightly With open netWork connections. The agent may be designed larger (on average these can be approximately 100 KB). restart automatically. The restarted agent may appear to have so that if a user attempts to stop the agent process, it Will Screen captures can be executed on demand or according to a a different process name. To minimiZe the apparent effect on schedule. The CATs can control netWork tra?ic saturation. That is, the analyst or administrator can control of the amount of data introduced to the netWork. The system may be con the resident system, the system resources used by an agent may be limited. For example, the agent may be limited to a designated percentage of CPU, memory, or disk resources. In one example, the agent may be set to reduce its activity if the ?gured to return analyst-de?ned data at de?ned intervals, for example either every minute, every hour, at Workstation boot system approaches maximum capacity, for example if CPU or only on demand. In this manner, it is possible to minimiZe the impact of the system on netWork traf?c. In most cases, the resource demand peaks above 90%. Preferably these limits can be con?gured in real time by the CAT communicating need to adjust agent bandWidth utiliZation is minimal. HoW With an agent through a server. For example, in routine moni US 2009/0164522 A1 Jun. 25, 2009 toring the frequency and amount of data retrieved by an agent servers store logged data transmitted by the agents and main may be limited so as to be unnoticeable by a user of the system tain communication With agents on active systems. The ana on Which the agent resides. 
However, these limits may be overridden by an analyst seeking real time data in response to lyst using the CAT can obtain and analyze live data or logged an incident alert. keyWord or unique ?le identi?ers such as ?le hash codes. Thus, for example, an analyst can locate all copies of a ?le of  The system permits an analyst using a CAT to per form real-time monitoring of the complete activity of a host data. The system preferably provides search capabilities by interest by searching the netWork for ?les containing key on Which an agent resides including complete screen shots, Words or identi?ers such as a MD5 hash. Servers may respond key stroke monitoring, active process monitoring, memory imaging, ?le system monitoring, netWork connections, to search queries by referencing logged data and/or by que rying agents. Proactive monitoring permits alerts to be trig gered by changes to or copies made of sensitive ?les. Agents broWser activity, and the like. The analyst can increase or eliminate resource and bandWidth limitations on an agent as can be programmed to recognize events that indicate suspi required. cious activity.  To reduce the use of netWork resources, the CAT in  The system employs information assessment meth data to collect. The set of data parameters to be collected may odology Which may be implemented at the server and agent level. At the agent level, events may trigger a graded level be conveniently set by selection of a pre-set recording level. response. For example, an event may be characterized as level For example, at a loW level collected data might be limited to user log in/out, ?le access, and internet connection logs. 
At a 1, 2, or 3 from most critical to least critical and the agent may respond by transmitting an alert to its associated server and higher level, key logging may be added, and at a higher level, taking other actions to increase monitoring for preservation of communication With servers can designate a limited set of screen capture images at set intervals may be added, and so on evidence. LikeWise, at the server level, events reported from up to the highest level Where a complete forensic image of the host might be collected.  To reduce the impact of agent activity on the host system and netWork, the agents and servers may employ de-duplicating logic. De-duplication at the agent and server levels can reduce the amount of data stored and transmitted by eliminating redundant copies of common data. De-duplica one or more agents may trigger a graded response that may involve increased monitoring at one or more agents. Super tion is advantageously employed during routine activity log ging, but may also be advantageous in real-time monitoring to reduce the load on the host system and netWork.  Data reduction logic can be included in agents. For example, agents can be programmed to track memory and ?le access so that the CAT can instruct agents to transmit to the server only recently accessed or changed volatile data, for example RAM imaging may be limited to recently active memory addresses, registry data may be limited to recently accessed or changed keys, and so on. When routinely logging RAM or disk contents, after transmitting a complete image, visory, regional, and global servers may be con?gured to respond to events on a regional or global netWork basis. Any server may be con?gured to alert one or more analysts through active CATs or by transmitting a message via e-mail or directly to a mobile device to responsible analysts.  
The increasing complexities of enterprise netWorks have previously presented increasing challenges, this system leverages the poWer of the netWork by connecting agents to servers, and servers to a central console. A hierarchical sys tem of ubiquitous agents managed on local netWork segments by local servers, Which can be managed at a higher level by supervisory servers, Which can be managed by regional serv ers, all of Which can be tied to a global netWork operations server permits an analyst to see netWork operations at any level of speci?city. At each level, server logic may be trained an agent may transmit only subsequent changes. Alterna to distinguish normal from abnormal activity. De-duplication logic applied at each level permits a reduction of inspected tively, in a time sensitive incident response situation an agent can image the most recently accessed memory and ?les ?rst and then proceed to retrieve the remainder of a ho st RAM and the same time, this structure permits an analyst to drill-doWn to a speci?c region, local segment, or individual host to exam data to those events that are mo st likely to reveal a problem. At disk image. ine logs of past activity or collect data in real time. Complete  Deduplication logic incorporated at the server level is also advantageously used in e-discovery. In this case, forensics data collection can be initiated immediately and hashes of documents identi?ed by agents can be compared at covertly in response to suspicious activity. Information assessment methodology permits the system to begin to the server level so that only one copy of any document is respond to events and preserve evidence at all levels imme returned in a search. Most hashing techniques are designed to diately upon a triggering event. The ability to collect and log live volatile data remotely and Without detection provides the identify perfect matches. Fuzzy hashing techniques can be used to identify documents that may differ in only insigni? 
ability to collect evidence before a subject is aWare that data cant Ways. These documents may require the judgment of a is being collected and Without disrupting business operations. revieWer to determine Whether the documents are redundant.  The system preferably can identify and groups such docu ments in order to expedite the revieW process. In preferred potential sources of relevant documents as employees may embodiments, the system is programmed to recognize the company ?le server. These document storage locations along structure of formatted documents to distinguish the nature of differences. For example, the system can be programmed to With IT systems including messaging application servers, primary storage systems and tape archives, may have to be determine if tWo e-mail records are identical except for header information, or if tWo Word processing documents are identical except for differences in some metadata component of the ?le.  The CAT can access any agent on the netWork (sub processed as part of a discovery request. Depending on the scope of the request, an organization may need to capture, Words, a data range or a set of keyWords, as de?ned in the ject to permission levels) through its associated server. The discovery request. Ensuring that the results of the gathered E-Discovery: Organizations may be unaWare of the store messages on PDAs, in personal folders on a PC or on a collect and process information from all of these sources. Organizations must collect data based on custodians, key US 2009/0164522 A1 results are consistent is extremely di?icult and can often take multiple days. Once the appropriate data are identi?ed, an Jun. 25, 2009 tion can provide proven and forensically sound real-time monitoring capabilities to alloW netWork defense analysts to defend the organization’s data and technology. This enter organization must centralize the information to alloW attor neys to begin the revieW and data reduction process. 
As With prise solution can reduce incident response from days to other discovery processes, the information gathering and pro ces sing must adhere to chain-of-custody mandates preserving minutes and provides vital digital evidence needed to identify the malicious insider or compromised system. In litigation, the evidence for admission into court. It is di?icult for orga nizations to store data in a manner that alloWs for simple the enterprise solution can reduce expenses related to e-dis covery. collection of responsive data. As a result, responsive data is distributed across the entire enterprise. The distributed data requires the collection of massive amounts of data, of Which only a small portion is pertinent to the case. This complicates, prolongs and adds great expense to the collection process.  While the invention has been described in detail With reference to preferred embodiments thereof, it Will be apparent to one skilled in the art that various changes can be made, and equivalents employed, Without departing from the  Unfortunately there exist very feW options to easily ?lter large datasets and collect only the pertinent information. scope of the invention. What is claimed is: 1. A method for collecting volatile data from an active There are a feW softWare applications to reduce the amount of target computer, comprising: email data Which admittedly does make up a majority of most legal proceedings. HoWever, there is currently nothing avail able that Will quickly, easily and inexpensively reduce the total amount of data to a manageable size.  The system can comprise an optional plugin that can be used to quickly and easily reduce the data in a case. The e-discovery plugin can expedite the e-discovery process and save clients money. 
The plugin implements search algorithms selecting one or more computer forensic data items, includ ing at least one volatile data item, to be collected from an active target computer from among a plurality of com puter forensic data items; generating executable runtime code comprising one or more data collection modules for collecting the selected computer forensic data items from an active target com puter Wherein the executable runtime code is con?gured to reduce and remove the nonresponsive data. The plugin is such that once activated on an active target computer the capable of isolating ?les by date/time stamps, keyWords, con executable runtime code is capable of launching said tainer ?les (email, zip ?les, etc), and de-duplicate ?les by modules in a de?ned sequence from a removable storage hash value. Preferably the plugin operates With tWo things in mind: accuracy and speed. The plugin may eliminate approxi device Without further user input; storing the executable runtime code on an initialized mately 90% of non-responsive data. This translates to cost savings for the customer. As an example, instead of process connecting the removable storage device to an active target ing 2 terabytes of data, using the plugin the data requiring expensive processing can be reduced to 200 gigabytes, pro ducing a considerable cost savings to the client. Preferably, the plugin can process betWeen 500 MB and 1 GB per minute.  Referring to FIG. 4, a ?owchart illustrates some of the exemplary steps that may be carried out With this system. A user Will generally log into 41 the system using credentials that Will have been assigned appropriate permission levels. removable storage device; computer; and, activating the executable runtime code to collect the selected computer forensic data items from the active target computer. 2. 
The method of claim 1, Wherein the removable storage device is con?gured such that connecting the removable stor age device to an active target computer causes the executable runtime code to be activated automatically. 3. The method of claim 1, Wherein, at the time that the may access. Active agents Will be indicated. The user can executable runtime code is activated, a user can command the runtime code to either store the data items to be collected on select from several actions including incident response audit, collection of forensic data, and compiling an e-discovery the removable storage medium or securely transmit the data items to an intemet drop site. response. For incident response, the user may run an audit 44 The user Will be presented With a list of agents that the user server database 48. The user may conduct a forensic investi 4. The method of claim 1, further comprising deactivating and removing the removable storage medium folloWing completion of the step of collecting the selected data items, gation 46 on one or more agents by selecting data items to be Wherein the collected data items are stored on the removable collected by the agents and transmitting commands to the agents and receiving data from the agents through their asso storage medium in an encrypted database that is recoverably deleted prior to deactivation and removal of the removable ciated servers 49. The user may also conduct an e-discovery storage medium. 5. The method of claim 1, Wherein the removable storage of system events and data reported by agents and stored in a 45 by commanding the agents to search for and collect data matching speci?ed criteria. The agents and each level of the server hierarchy may conduct de-duplication 47 of the col device is a USB ?ash drive. 6. The method of claim 5, Wherein the USB ?ash drive lected data so that the server storage only contains a single instance of a particular data item. comprises a Writeable partition and a read-only partition.  
Corporations across the globe rely on data netWorks to operate and achieve their business objectives. Malicious insiders and hackers pose a signi?cant threat to data, technol ogy and the survivability of the corporation. Focus on the external threat and layered defenses are effective against external threats, but do very little to mitigate threat of rogue insiders or the unsafe netWork practices of employees. This enterprise solution can offer a strong defense against the rogue insider or compromised system. This enterprise solu comprises U3 technology and storing the executable runtime 7. The method of claim 6, Wherein the USB ?ash drive code and tools on an initialized removable storage device comprises programming the read-only portion of the thumb drive With a custom launch program. 8. The method of claim 1, Wherein the data is collected covertly. 9. The method of claim 8, further comprising displaying a camou?aged vieW to the user While the data is being col lected. US 2009/0164522 A1 10. The method of claim 9, wherein the camou?aged view appears to be a view selected from among a web browser, a card game, and an image browser. 11. The method of claim 8, wherein the data is collected without any change to the target computer display. 12. A system for collecting and managing data relating to the activity of a user of a networked host computer, compris ing: a plurality of software agents, each agent active on a host computer system; one or more servers, each server in network communica tion with one or more of said software agents; and, one or more console administrative tools residing on com puter systems capable of network communication with said servers; wherein said software agents each comprise means for covertly and forensically searching and collecting volatile data from the system upon which the software Jun. 25, 2009 18. The system of claim 12, wherein the agents do not use any system application program interface calls to collect the data. 19. 
The system of claim 12, wherein all network commu nications among and between agents, servers, and consoles are encrypted. 20. The system of claim 12, wherein the servers each comprise a means of securely storing an audit log for archiving all user activity and system events for each agent and console in communication with said server. 21. The system of claim 12, wherein some or all of the agents are deployed to host computers using a software deployment or patch management solution. 22. The system of claim 12, wherein the servers comprise a module for deploying software agents. 23. The system of claim 12, comprising a software agent running from a live CD. 24. A method for collecting and managing data relating to agent resides and securely transmitting requested data the activity of a user of a networked in a network system to one of said servers, comprising: wherein said servers each comprise means for securely storing data received from one or more of said soft ware agents, means for securely receiving instruc tions from a console administrative tool subject to an administrative permission rule, means for securely transmitting instructions to one or more agents, and means of transmitting forensic data to said console administrative tools; and wherein said console administrative tools each comprise means of securely communicating with said servers, means of requesting forensic data from said servers and agents, and means of verifying, analyZing and presenting forensic data received from said software agents through said servers. 13. The system of claim 12, wherein said software agents comprise means for limiting the agents’ use of network and host computer resources so as to avoid negatively impacting network or ho st computer performance. 14. 
The system of claim 12, wherein said servers that are in deploying software agents for collecting computer forensic data from host computers on the network system on which the agents reside, the agents being in networked communication with a server, and one or more of said servers being in network communication with a console administrative tool; causing a console administrative tool to transmit instruc tions to one or more agents through the servers that are in communication with those agents instructing those one or more said software agents to covertly and forensically collect forensic data including at least one item of vola tile data from the computers upon which on those soft ware agents are active; and storing the data on a server for analysis. 25. The method of claim 24, wherein each software agent is con?gured to retrieve data of one or more user speci?ed types from the one or more computers according to speci?ed search network communication with said agents comprise a plurality criteria. 26. The method of claim 24, wherein the software agent is of local servers, the system further comprising one or more camou?aged as a routine process on the computer. supervisory servers in network communication with said plu rality of local servers, wherein one or more of said software agents is in a different network region from one or more other 27. The method of claim 24, wherein the data is collected by the software agent without using any system application of said software agents and wherein the software agents in different network regions are associated with different local program interface (API) calls. 28. The method of claim 24, further comprising securely archiving user activity and system events recorded by a soft servers. ware agent to a server. 15. The system of claim 12, wherein user access permis sions granted to each user of a console administrative tool comprising said archived activity without alerting the user of 29. 
The method of claim 28, comprising building a case de?ne limits for accessing agents within the network and their the host computer on which a software agent resides to the respective data. data collection. 16. The system of claim 12, wherein the consoles can command the agents to collect a complete image of the vola tile data their host criteria. 30. The method of claim 24, comprising compiling data responsive to a litigation discovery requirement by instruct ing the agents to collect and transmit data satisfying speci?c 17. The system of claim 12, wherein the agents covertly collect the data from the computer by camou?aging as a routine process on the computer. search criteria.
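The description above asks for an audit log that archives every agent and console action, identifies agent and CAT uniquely, carries GMT/UTC time stamps, and cannot be altered by the analyst after the fact. The following is an added example, not code from the patent or its assignee, of how a defender can make such a log tamper-evident: each record is an XML element with a UTC time stamp and the identifiers, and the records are chained with a keyed HMAC-SHA256 so that editing or reordering any stored record is detected on verification. The patent protects the log with 256-bit AES, which the Python standard library does not ship; the keyed hash here is a stand-in that gives the integrity property only, not confidentiality. The class, key, identifiers and sample actions are all assumptions made for the demo.

```python
"""Added example (not from the patent): tamper-evident, UTC-stamped XML audit log.
Records are chained with HMAC-SHA256 (stand-in for the patent's AES-protected log;
gives integrity, not confidentiality). All names and values are constructed."""
import hmac
import hashlib
import xml.etree.ElementTree as ET
from datetime import datetime, timezone


class AuditLog:
    def __init__(self, key: bytes, agent_id: str):
        self.key = key                   # shared with the server that verifies the log
        self.agent_id = agent_id         # unique agent identifier used for auditing
        self.records = []                # (xml_bytes, tag) in append order
        self.prev_tag = b"\x00" * 32     # chain anchor for the first record

    def _tag(self, xml_bytes: bytes, prev_tag: bytes) -> bytes:
        # The tag covers the record and the previous tag, so editing or
        # reordering an earlier record invalidates every later tag as well.
        return hmac.new(self.key, prev_tag + xml_bytes, hashlib.sha256).digest()

    def append(self, console_id: str, action: str, target: str,
               when: datetime = None) -> bytes:
        when = when or datetime.now(timezone.utc)
        if when.tzinfo is None:
            raise ValueError("audit timestamps must be timezone-aware (GMT/UTC)")
        rec = ET.Element("audit", {
            "agent": self.agent_id,
            "console": console_id,
            "ts": when.astimezone(timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ"),
            "seq": str(len(self.records)),
        })
        ET.SubElement(rec, "action").text = action
        ET.SubElement(rec, "target").text = target
        ET.SubElement(rec, "prev").text = self.prev_tag.hex()
        xml_bytes = ET.tostring(rec, encoding="utf-8")
        tag = self._tag(xml_bytes, self.prev_tag)
        self.records.append((xml_bytes, tag))
        self.prev_tag = tag
        return xml_bytes

    def verify(self):
        """Recompute the chain; return (ok, index of first bad record or -1)."""
        prev = b"\x00" * 32
        for i, (xml_bytes, tag) in enumerate(self.records):
            expected = self._tag(xml_bytes, prev)
            stored_prev = ET.fromstring(xml_bytes).findtext("prev")
            if stored_prev != prev.hex() or not hmac.compare_digest(expected, tag):
                return False, i
            prev = tag
        return True, -1


def demo():
    """Constructed run: three console actions, then an in-place edit of record 1."""
    log = AuditLog(key=b"demo-key-not-for-production", agent_id="agent-0042")
    t0 = datetime(2008, 12, 22, 14, 0, 0, tzinfo=timezone.utc)
    log.append("cat-analyst-7", "query", "listening_ports", t0)
    log.append("cat-analyst-7", "query", "running_processes", t0)
    log.append("cat-analyst-7", "collect", "screen_capture", t0)
    ok_before, _ = log.verify()
    # Tamper: rewrite the action of record 1, keeping its stored tag.
    xml_bytes, tag = log.records[1]
    log.records[1] = (xml_bytes.replace(b"<action>query</action>",
                                        b"<action>none</action>"), tag)
    ok_after, bad = log.verify()
    return ok_before, ok_after, bad


if __name__ == "__main__":
    print(demo())  # (True, False, 1)
```

The server holding the key can re-run `verify()` on a copy it receives from the agent; because each tag depends on the previous one, deleting or reordering records is caught just as an edit is.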
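The description's information assessment methodology grades events from level 1 (most critical) to level 3, has the agent raise its own monitoring and alert its server, and lets supervisory servers escalate a whole region and notify analysts; separately it selects data by pre-set recording level and throttles the agent when CPU demand exceeds 90 percent unless an analyst overrides the limits. The block below is an added example, not the patent's code, showing how those rules compose. The mapping of event kinds to levels, the two-alerts-in-ten-minutes threshold, the recording-level table and the interval values are assumptions chosen for illustration.

```python
"""Added example (not from the patent): graded event response at agent and server
level, pre-set recording levels and the CPU throttle. Levels, thresholds and
category names are assumed values for the demo."""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

# Criticality of the event kinds the text lists: 1 = most critical, 3 = least.
EVENT_LEVEL = {
    "restricted_file_access": 1,
    "permission_change": 1,
    "anomalous_login": 2,
    "anomalous_connection": 2,
    "large_transfer": 2,
    "removable_media": 3,
}
# Pre-set recording levels; each level adds categories to those below it.
RECORDING_LEVELS = [
    {"login/logout", "file access", "internet connection log"},  # 0: low
    {"keystroke log"},                                            # 1
    {"screen capture at set intervals"},                          # 2
    {"complete forensic image"},                                  # 3: highest
]
# How far an event of a given level raises the agent's recording level.
ESCALATE_TO = {1: 2, 2: 1, 3: 0}


def collected_categories(level: int) -> set:
    """Data categories collected at a recording level (cumulative)."""
    return set().union(*RECORDING_LEVELS[: level + 1])


@dataclass
class Event:
    agent: str
    region: str
    kind: str
    when: datetime


@dataclass
class AgentState:
    region: str
    recording_level: int = 0
    base_interval_s: int = 3600     # routine reporting: hourly
    analyst_override: bool = False  # set from the CAT during an incident


def agent_respond(state: AgentState, ev: Event) -> dict:
    """Agent-level graded response: raise monitoring to preserve evidence and
    return the alert to transmit to the associated server."""
    level = EVENT_LEVEL.get(ev.kind, 3)  # unknown kinds treated as least critical
    state.recording_level = max(state.recording_level, ESCALATE_TO[level])
    return {"agent": ev.agent, "region": ev.region, "kind": ev.kind,
            "level": level, "ts": ev.when.isoformat()}


def effective_interval_s(state: AgentState, cpu_percent: float) -> int:
    """Throttle: back off when the host nears capacity (CPU above 90%), unless an
    analyst has overridden the limits to obtain real-time data."""
    if state.analyst_override:
        return 60
    return state.base_interval_s * (2 if cpu_percent > 90 else 1)


class SupervisoryServer:
    """Correlates level-1 alerts per region; enough inside the window escalates
    every agent in that region and records a notification for analysts."""
    def __init__(self, agents: dict, window=timedelta(minutes=10), threshold=2):
        self.agents, self.window, self.threshold = agents, window, threshold
        self.recent = defaultdict(list)
        self.notifications = []

    def ingest(self, alert: dict) -> bool:
        if alert["level"] != 1:
            return False
        ts = datetime.fromisoformat(alert["ts"])
        bucket = self.recent[alert["region"]]
        bucket.append(ts)
        bucket[:] = [t for t in bucket if ts - t <= self.window]
        if len(bucket) < self.threshold:
            return False
        for a in self.agents.values():
            if a.region == alert["region"]:
                a.recording_level = max(a.recording_level, 2)
        self.notifications.append(
            f"region {alert['region']}: {len(bucket)} critical alerts in window")
        return True


def demo():
    """Constructed sequence: a low event in one region, two critical ones in another."""
    t0 = datetime(2008, 12, 22, 9, 0, tzinfo=timezone.utc)
    agents = {"ws-01": AgentState("east"), "ws-02": AgentState("east"),
              "ws-09": AgentState("west")}
    server = SupervisoryServer(agents)
    events = [
        Event("ws-09", "west", "removable_media", t0),
        Event("ws-01", "east", "restricted_file_access", t0 + timedelta(minutes=1)),
        Event("ws-02", "east", "permission_change", t0 + timedelta(minutes=4)),
    ]
    escalations = [server.ingest(agent_respond(agents[e.agent], e)) for e in events]
    return escalations, {n: a.recording_level for n, a in agents.items()}, server.notifications
```

Only the third event trips the regional threshold: both east agents end at recording level 2 (screen captures added), the west agent stays at routine logging, and one notification is queued for the responsible analysts.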
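The data reduction passage says that after a complete RAM or disk image has been transmitted, an agent may send only subsequent changes, and that in a time-sensitive response the most recently accessed memory and files should go first. As an added example, not code from the patent, the block below realizes that as block-level change tracking: the server keeps a per-block hash manifest from the full transfer, the agent sends only blocks whose hash differs, the server rebuilds the current image from the previous one plus the delta, and a recency ordering decides which changed blocks leave first. The block size, the toy image and the access times are constructed for the demo.

```python
"""Added example (not from the patent): delta transmission of images after a full
transfer, with most-recently-accessed-first ordering. Block size, the sample image
and access timestamps are constructed values."""
import hashlib

BLOCK = 64  # bytes per block for the demo; real agents would use pages or clusters


def manifest(image: bytes, block=BLOCK) -> list:
    """Per-block SHA-256 digests; the server keeps this after the full transfer."""
    return [hashlib.sha256(image[i:i + block]).digest()
            for i in range(0, len(image), block)]


def changed_blocks(old_manifest: list, image: bytes, block=BLOCK) -> dict:
    """Blocks differing from the last transmitted image (index -> bytes).
    Blocks past the end of the old manifest (image grew) count as changed."""
    new = manifest(image, block)
    return {i: image[i * block:(i + 1) * block]
            for i, d in enumerate(new)
            if i >= len(old_manifest) or old_manifest[i] != d}


def apply_delta(old_image: bytes, delta: dict, block=BLOCK) -> bytes:
    """Server side: rebuild the current image from the previous one plus the delta."""
    blocks = [old_image[i:i + block] for i in range(0, len(old_image), block)]
    for i, data in delta.items():
        if i < len(blocks):
            blocks[i] = data
        else:
            blocks.append(data)
    return b"".join(blocks)


def recency_order(delta: dict, last_access: dict) -> list:
    """Incident-response ordering: most recently accessed blocks first; blocks with
    no recorded access go last."""
    return sorted(delta, key=lambda i: last_access.get(i, -1), reverse=True)


def demo():
    # Constructed 4-block image: one routine full transfer, then two blocks change.
    base = b"".join(bytes([c]) * BLOCK for c in b"ABCD")
    first = manifest(base)
    current = bytearray(base)
    current[BLOCK + 3] = ord("x")                 # block 1 modified
    current[3 * BLOCK:3 * BLOCK + 2] = b"zz"      # block 3 modified
    current = bytes(current)
    delta = changed_blocks(first, current)
    access = {1: 1500, 3: 1700}                   # constructed last-access times
    order = recency_order(delta, access)
    rebuilt = apply_delta(base, delta)
    ratio = sum(len(b) for b in delta.values()) / len(current)
    return sorted(delta), order, rebuilt == current, ratio
```

Here half the image is transmitted instead of all of it, block 3 (touched last) goes first, and the server's rebuilt copy is byte-identical to the host's current image, which is the property a forensic process needs before it discards the delta.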
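Two passages above describe the same culling logic: server-level de-duplication that returns one copy of a document per hash, groups near-duplicates (e-mails identical except for headers, documents identical except for metadata) for a reviewer's judgment, and the e-discovery plugin that isolates files by date/time stamp, keyword and container and de-duplicates by hash value. The block below is an added example covering both, not the patent's plugin: it expands zip containers, applies the date range and keyword filters, drops exact duplicates by SHA-256 and groups items whose content matches once e-mail headers or a document's metadata block are set aside. The sample corpus and the toy ".doc" layout (a metadata block ended by a `---` line) are constructed for the demo; the page's plugin works on real document formats.

```python
"""Added example (not from the patent): e-discovery culling with container expansion,
date/keyword filtering, exact de-duplication by hash and near-duplicate grouping.
Corpus and the '---' metadata layout of the toy .doc files are constructed."""
import hashlib
import io
import zipfile
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Optional


@dataclass
class Item:
    path: str
    mtime: datetime               # UTC time stamp recorded at collection
    data: bytes
    parent: Optional[str] = None  # container the item came out of, if any


def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def expand_containers(items):
    """Replace zip containers by their members (recursively) so each is culled alone."""
    out = []
    for it in items:
        if not it.path.lower().endswith(".zip"):
            out.append(it)
            continue
        with zipfile.ZipFile(io.BytesIO(it.data)) as zf:
            members = [Item(f"{it.path}/{info.filename}",
                            datetime(*info.date_time, tzinfo=timezone.utc),
                            zf.read(info), parent=it.path) for info in zf.infolist()]
        out.extend(expand_containers(members))
    return out


def comparable_content(it: Item) -> bytes:
    """Content compared for near-duplicates: e-mail body without headers, document
    body without its metadata block; anything else byte-for-byte."""
    name = it.path.lower()
    if name.endswith(".eml"):
        return it.data.partition(b"\n\n")[2].strip()
    if name.endswith(".doc"):
        return it.data.partition(b"---\n")[2].strip()
    return it.data


def cull(items, start: datetime, end: datetime, keywords):
    """Return (responsive items, near-duplicate groups keyed by content hash)."""
    seen, responsive, groups = set(), [], {}
    for it in sorted(expand_containers(items), key=lambda i: i.mtime):
        if not start <= it.mtime <= end:
            continue                                   # outside the date range
        text = it.data.decode("utf-8", "replace").lower()
        if not any(k.lower() in text for k in keywords):
            continue                                   # non-responsive
        digest = sha256(it.data)
        if digest in seen:
            continue                                   # exact duplicate already kept
        seen.add(digest)
        responsive.append(it)
        groups.setdefault(sha256(comparable_content(it)), []).append(it.path)
    return responsive, {h: p for h, p in groups.items() if len(p) > 1}


def demo():
    utc = timezone.utc
    mail = (b"From: alice@example.test\nTo: bob@example.test\n"
            b"Subject: Falcon budget\n\nThe Falcon budget is attached.\n")
    fwd = (b"From: bob@example.test\nTo: carol@example.test\n"
           b"Subject: Fwd: Falcon budget\n\nThe Falcon budget is attached.\n")
    doc1 = b"author: alice\nmodified: 2008-03-04\n---\nFalcon budget summary: 1.2M\n"
    doc2 = b"author: bob\nmodified: 2008-03-06\n---\nFalcon budget summary: 1.2M\n"
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:   # container holding an exact copy of the mail
        zf.writestr(zipfile.ZipInfo("mail_copy.eml", date_time=(2008, 3, 5, 0, 0, 0)), mail)
    corpus = [
        Item("a.eml", datetime(2008, 3, 1, tzinfo=utc), mail),
        Item("b.eml", datetime(2008, 3, 2, tzinfo=utc), fwd),
        Item("notes.txt", datetime(2007, 1, 1, tzinfo=utc), b"Falcon kickoff notes"),
        Item("lunch.txt", datetime(2008, 3, 3, tzinfo=utc), b"Lunch menu"),
        Item("falcon.doc", datetime(2008, 3, 4, tzinfo=utc), doc1),
        Item("archive.zip", datetime(2008, 3, 5, tzinfo=utc), buf.getvalue()),
        Item("falcon_v2.doc", datetime(2008, 3, 6, tzinfo=utc), doc2),
    ]
    responsive, near = cull(corpus, datetime(2008, 1, 1, tzinfo=utc),
                            datetime(2008, 12, 31, tzinfo=utc), ["falcon"])
    return [i.path for i in responsive], sorted(near.values())
```

Of seven collected objects, four survive: the 2007 notes fall outside the date range, the lunch menu has no keyword, and the copy inside the archive is an exact duplicate of `a.eml`. The forwarded mail and the second document version are kept but reported as near-duplicate groups, which is where the text says a reviewer's judgment takes over rather than the hash.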