Computer forensics, e-discovery and incident response methods

Computer forensics, e-discovery and incident response methods
US 20090164522A1
(19) United States
(12) Patent Application Publication (10) Pub. No.: US 2009/0164522 A1
Fahey
(54)
(43) Pub. Date:
COMPUTER FORENSICS, E-DISCOVERY
Publication Classi?cation
AND INCIDENT RESPONSE METHODS AND
(51)
SYSTEMS
(75) Inventor:
Jun. 25, 2009
Andrew L. Fahey, Parker, CO (US)
(52)
Correspondence Address:
BUCHANAN, INGERSOLL & ROONEY PC
POST OFFICE BOX 1404
ALEXANDRIA, VA 22313-1404 (US)
Int. Cl.
G06F 17/30
G06F 9/44
G06F 15/16
(2006.01)
(2006.01)
(200601)
US. Cl. .................... .. 707/104.1; 717/106; 709/202;
707/E 1 7.044
(57)
ABSTRACT
Systems and methods for collection of volatile forensic data
from active systems are described. In an embodiment of the
-
.
-
(73) Asslgnee'
6461156’ Inc" Cemenmal’ CO (Us)
(21) Appl' NO‘:
12/318,083
(22)
Dec. 22, 2008
methods, a selected set of forensics data items canbe selected.
Runtime code capable of launching data collection modules
from a removable storage device With little or no user input is
Filed:
generated and stored on the device. The collection of forensic
data can then be accomplished covertly using the removable
storage device by a person With minimal training. In another
embodiment, pre-deployed agents in communication With
Related US Application Data
servers and controlled by console software can collect foren
sic data covertly according to schedule, immediately at the
(60)
Provisional application No. 61/008,295, ?led on Dec.
command of an analyst using a remote administrative con
20, 2007.
sole, or in response to a triggering event.
41
1 Log In To System l-d‘
42
Select Agents
—J
K- 43
45w
E-disoovery
Run Audit
Query Agents By
Search Criteria
Computer Forensics
Local De
duplication
48
Database
Storage on
Server
Database
Storage on
Server
Analyze And
Report
Global De
duplication and
Storage
47
Patent Application Publication
Jun. 25, 2009 Sheet 1 0f 4
FIG. 1
US 2009/0164522 A1
Patent Application Publication
Jun. 25, 2009 Sheet 2 0f 4
FIG. 2
US 2009/0164522 A1
Patent Application Publication
Jun. 25, 2009 Sheet 4 of4
US 2009/0164522 A1
41
( Log In To System l-J
42
Select Agents
E-disoovery
Incident Respons -
Run Audit
-—-J
Select Action
Query Agents By
Search Criteria
Computer Forensics
Local De
duplication
46
Run Data
Acquisition
48
Database
Storage on
Server
Database
Storage on
Server
Analyze And
Report
FIG. 4
Global De
duplication and
Storage
47
US 2009/0164522 A1
COMPUTER FORENSICS, E-DISCOVERY
AND INCIDENT RESPONSE METHODS AND
SYSTEMS
BACKGROUND
[0001]
[0002]
1. Field of the Invention
The invention relates to methods and systems for
computer forensics, e-discovery, and incident response.
[0003] 2. Description of the Related Art
[0004] The forensic acquisition of volatile data has been
knoWn for the last feW years. The bootable incident response
CD-ROM, Helix3TM, has enabled users to acquire volatile
data from systems since its release. LaW enforcement and
intelligence communities are aWare of the practice of acquir
ing volatile data but have been very sloW to accept it.
[0005] Volatile data analysis shoWs a Wealth of information
that has typically been ignored. With the advent of stronger
encryption and neWer operating systems such as Microsoft
Vista, it has become very dif?cult for traditional forensic
practices to yield useful data. This has led to a dichotomy in
the forensics World. There is noW a split betWeen traditional
Jun. 25, 2009
forms. Many public computer facilities such as internet cafes
around the World utiliZe non-WindoWs operating systems
such as Mac OS X or various Linux distributions. No single
tool does exists that Works across all platforms.
[0010]
There are very feW programs or options that are
available. Helix3TM Was the ?rst inclusive utility that alloWed
the simple acquisition of volatile data from running systems.
Helix3TM has continued to develop and mature and is updated
on a regular basis. Some of the solutions that Helix3TM uses
are: Incident Response Collection Report (IRCR) available at
tools.phantombyte.com; WindoWs Forensic Toolchest
(WFT) available at WWW.foolmoon.net/security/Wft; The
Forensic Server Project (FSP) available at WWW.WindoWs-ir.
com/fsp.html. Each of these tools has the capability to be
scripted to run on WindoWs systems and acquire volatile data.
None of them hoWever, run covertly or are cross platform
aWare, i.e. they only Work on WindoWs operating systems.
There are a feW other options that have some similar capa
forensics and What is referred to as live forensics. It is noW
bilities. These include EnCase FIM and Technology Path
Ways ProDiscover. HoWever, all these options are limited.
The biggest issue With these products is that in order to use
them to collect volatile data, an agent program must already
imperative to capture volatile data before powering off a
be installed on the system to be analyZed or must be installed
system and starting the traditional computer forensics imag
prior to running. Thus these options Will not Work in an
ing and analysis.
uncontrolled or covert environment.
[0006]
[0011] Incident Response/Forensics in the corporate or
governmental enterprise environment poses different chal
Unfortunately there is little training on the collec
tion and analysis of volatile data. The tool sets to conduct such
operations are limited and not Well packaged. The Helix3TM
CD alleviated this problem by pulling together the most effec
lenges. Today’s globally netWorked society is exposed to
frequent cyber attacks. The threat to government, corporate
tive incident response tools in use by various government
and private netWorks is very real. In an attempt to mitigate the
agencies and corporate forensic professionals. This CD made
external threat, netWorks are defended through layered
it very easy for a trained individual to acquire not only physi
cal images of hard drives but also the volatile data. Helix3TM
defenses consisting of Intrusion Detection Systems (IDS),
?reWalls, anti-virus/malicious logic applications and Intru
has noW become a standard in the forensics community
sion Prevention Systems (IPS). Layered netWork defenses are
effective against external threats. HoWever, layered defenses
around the World. Helix3TM continues to develop and
improve, but there is a void that still needs to be ?lled.
offer little in terms of mitigating the insider threat and in the
[0007] The laW enforcement and intelligence communities
around the World need to be able to forensically acquire
case of a breach, streamlined incident response.
volatile data in a very simple and robust manner. While it is
true that acquiring volatile data can be conducted using
Works typically takes place at a remote consolidated facility.
Helix3TM, the Helix3TM CD cannot be used covertly because
a trained user must launch the selected tools from the CD. It
also requires a fair amount of training and knowledge in order
to obtain the data in a forensically sound manner.
[0008]
There is a need to be able to acquire volatile data
from computer systems that a subject has used. Examples
[0012]
Management or operations of large enterprise net
This central NetWork Operations and Security Center
(NOSC) is the focal point for management of system outages
and incident response. Responding to system outages is usu
ally a Well established and predictable process. In global
netWorks, incident response is not predictable and at best,
challenging. Incident response is triggered for various rea
sons. Commonly, a netWork defense analyst Will respond to
include computer systems in an internet cafe or corporate
an alert raised by a netWork defense sensor, intrusion detec
environment. HoWever, the problem is hoW to easily and
tion system or anti-virus application. The analyst then directs
surreptitiously recover the volatile data from such systems.
This is especially true if the subject has not saved anything to
the hard drive, or if they have “erased” all their activity. Add
a ?eld technician at the affected site to take investigative
to this dilemma, a scenario in Which a government agent is
forced to use a covert source (also knoWn as con?dential
informants) to obtain the data and the problem becomes even
more dif?cult. The source’s level of computer knowledge
may be extremely limited. It may be impossible to send a lay
person to collected volatile and perishable data, eg evidence
of criminal activity, and minimiZe or eliminate the chances
action. These initial actions Will likely consist of running
special softWare to reveal knoWn hacker ?les or applications.
More often than not, hoWever, ?eld technicians are not skilled
in analyZing the results of the forensic application and must
then forWard the results to the netWork defense analyst. If the
netWork defense analyst concludes the initial ?ndings War
rant further data from the affected Workstation, the ?eld tech
nician is contacted again and retrieves the data requested by
the analyst. This cycle repeats until the issue is resolved.
the source (or agent for that matter) might inadvertently or
Resolving incidents in this manner can take days to complete.
intentionally type the Wrong command and actually destroy
Unlike other forensic investigations, computer crimes take
data?
[0009]
Another issue that needs to be addressed is that
fractions of a second to commit, and the volatile forensic
evidence is available for a ?nite period of time.
While WindoWs has the largest market share of deployed
desktop systems there are many other non-WindoWs plat
time to investigate and resolve suspect activity is excessive.
[0013] In today’s netWork operational environment, the
US 2009/0164522 A1
Time is the enemy during incident response. The entire enter
prise network and supported missions remain in a highly
vulnerable state until the incident is fully investigated and the
Jun. 25, 2009
puter, is capable of launching a de?ned sequence of data
collection modules for collecting the selected computer
forensic data items on an active target computer from a
method of exploitation (if any) is revealed.
removable storage device Without user input. The executable
[0014] Electronic discovery for litigation is another area of
need. The Federal Rules of Civil Procedure provide regula
tions regarding hoW organiZations should gather and prepare
runtime code is stored on an initialiZed removable storage
device. The removable storage device can then be connected
to an active target computer. The executable runtime code
electronic evidence. HoWever, there are very feW standards
may be automatically or manually activated Whereupon the
that organizations can turn to When collecting and preserving
evidence. Currently, organiZations use in house procedures to
collect and preserve electronic information. Once collected,
the information is then provided to a service provider for
processing. The service provider then uses specialiZed meth
thereby collecting the selected computer forensic data items
from the active target computer.
[0020] In preferred embodiments, the removable storage
de?ned sequence of data collection modules is launched
device is a USB ?ash drive. The drive can be a U3 ?ash drive
ods and tools to extract the desired information from the
comprising a read-only partition, in Which case the device can
media and prepare it for revieW by internal and external
counsel. The attorneys manually revieW the information and
be programmed by Writing to the Writable partition and/ or the
eliminate non-pertinent documents.
[0015] The greatest expense in electronic discovery results
from: (1) the amount of information organiZations collect and
provide to service providers for processing, and (2) the
amount of time attorneys spend revieWing and eliminating
documents of no value to the case. More often than not,
organiZations do not have the resources or technology avail
able to quickly eliminate redundant or non-pertinent infor
mation from a dataset. Organizations lacking an organic data
reduction capability are at the mercy of businesses Who pro
vide (expensive) data reduction processing services. Organi
Zations are typically faced With processing fees approaching
or exceeding as much as $2,500 per gigabyte. Another draW
back to outsourcing data reduction is the time involved With
locating a service provider and the in addition to the time to
process the data. This lessens the time in-house counsel has to
prepare case strategies.
[0016]
Today, there exist multiple softWare options for inci
dent response, security and e-discovery on an enterprise level.
In mo st cases, they are expensive, dif?cult to integrate into an
enterprise operation, problematic and fail to focus on insider
threats, anomaly detection or e-discovery.
SUMMARY
[0017] A preferred embodiment is an automated system
that can be used by government and corporate investigators
(or their assets) to acquire volatile evidence from an individu
al’s computer activity. The data may be acquired overtly or
covertly. In preferred embodiments, applications of the sys
read-only partition.
[0021] In preferred embodiments of the method, the data is
collected covertly. This can be accomplished by displaying a
camou?aged vieW to the user While the data is being col
lected, for example a vieW selected from among a Web
broWser, a card game, and an image broWser, or the execut
able runtime code may not display any WindoW to the user.
Alternatively the user may choose overt data collection, in
Which case a WindoW may be displayed reporting the status of
data collection.
[0022] In some embodiments of this method, the execut
able runtime code is activated automatically upon connection
of the removable storage device to the active target computer.
Preferably, the runtime code is generated so that at the time
that it is activated, a user can cause command the runtime
code to either store the data items to be collected on the
removable storage medium or securely transmit the data
items to an internet drop site. When the collected data is
stored on the removable device, the collected data items can
be stored on in an encrypted database that is recoverably
deleted prior to deactivation and removal of the removable
storage medium from the target computer.
[0023]
In an alternative embodiment, a system may com
prise softWare agents pre-deployed on netWorked host com
puters, each agent being in communication With a server. The
servers canbe deployed in a tiered netWork comprising super
visory servers. The agents can be accessed by console admin
istrative tools in communication With the servers. The system
permits the user of the console to command the agents,
through the servers, to collect forensic data from the softWare
tem Will attempt to avoid antivirus and intrusion detection
agents or access historical data stored on the servers. In this
systems, and Will safeguard the collected data using encryp
Way, the system provides the ability, among other things, to
covertly collect volatile computer forensic data from host
tion and/or masking techniques. In preferred embodiments,
the applications and/or acquired data can only be recovered
using computer forensic techniques.
[0018]
In preferred embodiments, the system includes an
application that permits persons that are not trained in com
computers, to build a case ?le recording activity over time, to
search an entire netWork for evidence of malicious usage or
malicious softWare, or to collect all data meeting speci?ed
criteria.
puter forensics to locate, decrypt, document and validate the
[0024] A system for collecting and managing data relating
collected data in a manner that ensures admissibility in court
to the activity of a user of a netWorked host computer can
if needed. The system can be designed to be used by laW
comprise a plurality of softWare agents active on host com
enforcement and intelligence o?icers and agents and adapted
to the respective roles and responsibilities of such persons.
[0019] Accordingly, a method for collecting volatile data
puter systems, one or more servers in netWork communica
tion With one or more of the softWare agents and one or more
from an active target computer can comprise selecting one or
more computer forensic data items for including at least one
volatile data item for collection from an active target com
console administrative tools residing on computer systems
capable of netWork communication With the servers. The
puter from among a plurality of computer forensic data items.
softWare agents each comprise means for covertly and foren
sically collecting volatile data from the computer upon Which
the softWare agent resides and securely transmitting the data
The method then comprises generating integrated executable
to one or more of the servers. The servers each comprise
runtime code that, once activated on an active target com
means for securely storing data received from one or more of
US 2009/0164522 Al
the software agents, means for securely receiving instructions
Jun. 25, 2009
plishing the steps are Written, and the practices and prefer
from a console administrative tool subject to an administra
ences of an individual computer programmer. The steps
tive permission rule, means for securely transmitting instruc
require physical manipulations of physical entities. Usually,
tions to one or more agents, and means of transmitting foren
though not necessarily, these entities take the form of electri
sic data to the console administrative tools. The console
administrative tools each comprise means of securely com
municating With the servers, means of requesting forensic
data from the servers and from the agents through the servers,
cal or magnetic signals capable of being stored, transferred,
combined, compared and otherWise manipulated. It has
proven convenient at times, principally for reasons of com
mon usage, to refer to these signals as data, signals, netWork
and means of verifying, analyZing and presenting forensic
communications, and the like. It should be borne in mind,
data received from the softWare agents through the servers.
hoWever, that these and similar terms can be associated With
BRIEF DESCRIPTION OF THE DRAWINGS
appropriate physical embodiments and are merely convenient
labels applied to these embodiments. Unless speci?cally
stated otherWise, it Will be appreciated that throughout the
[0025]
FIG. 1 illustrates an malicious insider detection
solution that implements a tiered architecture consisting of
Console Administrative Tools (CAT), servers and agents.
[0026] FIG. 2 illustrates a hierarchical arrangement of
supervisory servers and site level servers in Which supervi
sory servers can be located in a global netWork operations and
security center (NOSC) and regional NOSCs. These external
supervisory servers may communicate With and collect data
from one or more internal NOSC supervisory servers, each of
Which may communicate With and collect data from one or
more site level servers, Which communicate With individual
softWare agents on a local area netWork. The CAT (not
shoWn) can access the servers at any level of the hierarchy in
accordance With authorizations granted by an administrator.
One or more agents may be associated With each site level
server.
[0027] FIG. 3 illustrates an exemplary flow chart for foren
sic data acquisition using a removable storage device.
[0028] FIG. 4 illustrates an exemplary ?oW chart for using
agents.
description of the present invention, use of terms such as
“processing”, “computing”, “calculating”, “determining”,
“displaying”, “searching”, “collecting”, “storing”, “generat
ing” or the like, refer to the action and processes of a computer
system, or similar electronic computing device, that manipu
lates and transforms data represented as physical (electronic)
quantities Within the computer system’s registers, memories
and data storage devices into other data similarly represented
as physical quantities Within the computer system memories
or registers or other information storage device, transmission
or display devices.
[0031]
As indicated beloW, embodiments of the present
invention are instantiated in computer softWare, that is, com
puter readable instructions, Which, When executed by one or
more computer processors/ systems, instruct the processors/
systems to perform the designated functions. Such computer
softWare may be resident in one or more computer readable
media, such as hard drives, CD-ROMs, DVD-ROMs, read
only memory, read-Write memory and so on. Such softWare
may be distributed on one or more of these media, or may be
distributed across one or more computer netWorks (e.g., the
DETAILED DESCRIPTION OF THE PREFERRED
EMBODIMENTS
Internet). Regardless of the format, the computer program
ming, rendering and processing techniques discussed herein
[0029] Described herein are computer-based systems and
methods for collecting forensic data, including volatile com
puter forensic data, from target computer systems in con
trolled and uncontrolled environments. The systems provide
the ability to collect the desired forensic data covertly or
overtly as circumstances may require. Although the systems
are simply examples of the types of programming, rendering
and processing techniques that may be used to implement
and methods Will be discussed With reference to various illus
trated examples, these examples should not be read to limit
the broader spirit and scope of the present invention. The
general concepts and reach of the present invention are
broader than the examples provided beloW.
[0030] Some portions of the description that folloWs are
aspects of the present invention. These examples should in no
Way limit the present invention, Which is best understood With
reference to the claims that folloW this description.
[0032]
The methods and systems described beloW provide
for the forensic collection of volatile and static data from an
active target computer system. Of interest because of its tem
poral nature, volatile data is data that is subject to being
routinely deleted or altered as the system is used or in the
event that the system is poWered doWn. This includes the
contents of memory Whether physical, virtual, or sWap, tem
presented in terms of means, programs, and modules With a
stated function that represent operations on data stored on a
storage medium or in a computer memory. Such functional
porary ?les, lists of recently accessed ?les, internet addresses,
descriptions are used by those skilled in the computer science
Ways in Which the data can be collected can include the
arts to effectively convey the substance of their Work to others
skilled in the art. A means, module, tool, application, or
solution for accomplishing a function in a computer is here,
and generally, conceived to be a self-consistent sequence of
steps leading to a desired result that can be embodied in
computer readable and executable instructions. A person of
ordinary skill in the art Will recogniZe that there are many
different Ways to embody a means for accomplishing a func
tion in a computer that Will vary depending on the particulars
of the computer or computers on Which the mean are intended
to operate, the operating systems of those computers, the
computer readable language in Which the instructions accom
lists of open connections, lists of attached devices, and the
like. A non-limiting list of volatile data items and exemplary
folloWing:
[0033] Internet History
[0034] Internet ExploreriCreate a summary of
online activity including one or more of the folloWing:
[0035] BookmarksiAll pages that have been
marked as a favorite or shortcut.
[0036] HistoryiDetails on all pages visited.
[0037] CookiesiData items stored by Web servers
for future reference.
[0038] DoWnloadsiURL and ?le name of ?les that
have been doWnloaded.
US 2009/0164522 A1
[0039]
FirefoxiCreate a summary of online activity
including one or more of the following:
[0040]
BookmarksiAll pages that have been
marked as a favorite or shortcut.
[0041] HistoryiDetails on all pages visited.
[0042] CookiesiData items stored by web servers
for future reference.
[0043] DownloadsiURL and ?le name of ?les that
have been downloaded.
[0044] Auto ?lliData strings used to auto com
plete forms, this includes addresses and often pur
chasing information used for online purchases.
[0045] Apple Safari4Create a summary of online
activity including one or more of the following:
[0046] BookmarksiAll pages that have been
marked as a favorite or shortcut.
[0047] HistoryiDetails on all pages visited.
[0048] CookiesiData items stored by web servers
for future reference.
[0049] DownloadsiURL and ?le name of ?les that
have been downloaded.
[0050] Chat Logs
[0051]
SkypeiCreate a summary of online activity
including one or more of the following:
[0052] VoIP calls, including the name or phone
number.
[0053] Instant messages including the name of the
third party, content of the message, and the date and
time of the message.
[0054]
SMS messages, including the phone number
of the third party, and content of the message.
[0055]
[0056]
File Transfers.
Buddy list and details including addresses
imported from other systems by Skype.
[0057] System Passwords
[0058] NTLM and Lan Man Pas sword GrabberiOut
put the LM and NTLM password hashes of local user
accounts from the Security Account Manager (SAM).
[0059] Apple Key chain ExtractoriAll passwords
stored in the key chain can be extracted.
[0060] Network Information
[0061] Analysis of the network activity on the agent
computer. This information includes Address Resolu
tion Protocol (ARP) tables, network interfaces, rout
ing tables, and network connections/ statistical activ
ity.
[0062]
work will be directed. All IP-enabled devices, includ
ing routers and switches, use routing tables.
[0065] Network statistics and connection is similar to
NetStat which displays network connections (both
incoming and outgoing), and a number of network
interface statistics. The processes and executable
paths associated to each connection are also shown.
[0066] Memory
[0067]
Clipboard4Capture any text contents, graph
ics, or binary data such as ?les found in the clipboard.
[0068] RAM searching & collectioniforensically
acquire RAM from all platforms as well as the ability
to search and preview the contents of what is in RAM
prior to acquisition.
[0069] Disk Image
[0070] Forensically acquire physical and logical disks
which are court acceptable world wide. The images
allow for compression as well as siZe segmentation.
[0071] Environment Variables
[0072] System InformationiCreate a pro?le of the
hardware in use including (but is not limited to) the
following;
[0073]
User Name
[0074] Computer Name
[0075] Operating System
[0076] System Serial number
[0077] Processor
[0078] Model
[0079] UUID
[0080]
Time Zone
[0081] Country Code
[0082] OS Registration Information
[0083]
Installed Drivers
[0084] Volume (Drive) Information
[0085]
Process Information
[0086] ProcessesiAnalysis of all running processes
on the system to include the full executable path infor
mation, memory usage and associated dynamic
library ?les.
[0087]
ServicesiAnalysis of all system services to
include ones that are running or stopped.
[0088] Registry Information
[0089]
Extract all settings from the Windows registry
which is a directory that stores settings and options for
the operating system for Microsoft Windows 32-bit
versions, 64-bit versions, and Windows Mobile.
[0090] System Logs
ARP converts an Internet Protocol (IP) address
to its corresponding physical network address. ARP is
a low-level network protocol, operating at Layer 2 of
the OSI model. The ARP table shows what computers
were connected to a machine on the local network.
[0063]
Jun. 25, 2009
Interface tables describe what interfaces are in
use on the system and what the individual MAC
[0091] Extract the system, application, and security logs
from Microsoft Windows systems.
[0092] Active Data
[0093] Screen shot4Capture and save a screen shot of
the main screen on the system.
[0094] KeyLogger4Capture all keystrokes and show
both the raw and converted versions.
address is for each of them. The Media Access Con
trol (MAC) address is a quasi-unique identi?er
assigned to most network adapters or network inter
[0095] It is the responsibility of the investigator to ensure
the completeness, integrity and accuracy of the data in the
face cards (NICs) by the manufacturer for identi?ca
tion. If assigned by the manufacturer, a MAC address
usually encodes the manufacturer’s registered identi
forensics that are advantageously taken into consideration in
a system for acquiring data as follows: Reconnaissance, Reli
?cation number.
[0064] The routing table is a set of rules, often viewed
in table format, that is used to determine where data
packets traveling over an Internet Protocol (IP) net
investigator collects as much evidence as possible. This is
evidence acquisition process. Three principles of computer
ability and Relevancy. Reconnaissance is the principle that an
applied in the acquisition phase. The principle of reliability
applies to the storage phase is where the data needs to be
preserved in an optimum format to preserve evidentiary value
US 2009/0164522 A1
and veri?ability. The ?nal principle is to accurately identify
all of the relevant evidence. This principle is applied primarily
in the analysis phase. The systems and methods described
below are capable of acquiring volatile computer forensics
data in a forensically sound manner.
[0096] Acquiring Computer Forensic Data in an Uncon
trolled Environment.
[0097] Acquisition of volatile computer forensic data in an
uncontrolled or public environment presents different chal
lenges than acquisition of data in a corporate or enterprise
environment. The trained forensic investigator may not have
access to the target system, rather it may be necessary to rely
upon an untrained agent such as an informant, cooperating
Witness, or intelligence asset. Therefore, it is advantageous to
Jun. 25, 2009
may be stored such that it can only be recovered by the
management console softWare that generated the runtime
code for the device.
[0100] In preferred embodiments of the method, the data is
collected covertly. This can be accomplished by displaying a
camou?aged vieW to the user While the data is being col
lected, for example a vieW selected from among a Web
broWser, a card game, and an image broWser, or the execut
able runtime code may not display any WindoW to the user.
Alternatively the user may choose overt data collection, in
Which case a WindoW may be displayed reporting the status of
data collection.
[0101]
The active target computer in the above method can
be a public computer in a library, hotel, intemet cafe, school,
and the like, or may be a personal computer left running
divide the procedure into phases, Wherein the data acquisition
unattended in a home or business and the like. The target
phase can be carried out overtly or covertly by a person Who
has little or no training, but Who does have physical access to
an active target system.
[0098] In an embodiment of the system and methods
described herein, a computer forensics data acquisition sys
tem and method is provided in Which a customiZed selection
of computer forensics data items can be chosen from a list
presented by console softWare running on a computer. Runt
computer can be any computer that has recently been used by
a subject under investigation, preferably a computer in Which
ime code comprising modules for collecting the selected data
items is then generated by the console softWare and packaged
the subject has not shutdoWn or restarted the system after use.
[0102] Volatile data refers to data created during the use of
a computer that is subject to being erased, overWritten, or lost
With further use or upon poWering doWn or restarting the
system. Volatile data includes the contents of RAM, memory
caches, CPU state data, CPU cache, temporary ?les created
by active applications such as Web caches, cookies, book
marks, sWap ?les, WindoWs registry contents, lists of recently
in one or more integrated applications that can be executed
accessed ?les and intemet pages, contents of the “recycle bin”
from a removable storage device, preferably Without causing
any persistent change to the target computer. The executable
or “trash can,” data on active applications and netWork con
system, and the executable runtime code is activated. The
nections. Thus, in accordance With the requirements of a
particular job, volatile data that can be collected by the vari
ous modules include: date; time, volatile memory from physi
cal memory; volatile memory from page?le and sWap drive;
executable runtime code can launch the modules for collect
volatile memory from virtual memory; netWork connection
ing the selected computer forensics items in a de?ned
sequence Without further user input. Collection may be per
data, lists of open TCP or UDP ports, NetBIOS, neighboring
netWork connection information; currently logged on user,
user accounts; current executing processes, services; sched
uled jobs; open ?les and registry database; broWser auto
runtime code is then loaded onto a removable storage device.
The programmed device is then connected to an active target
formed covertly or overtly. Following completion of the data
collection, the programmed device can be inactivated and
removed from the target system. In a preferred embodiment,
the device is returned to the computer running the console
softWare for recovery and analysis of the collected data items.
[0099] The system comprises system management console
softWare running on a computer programmed With system
management console softWare and a removable storage
device. The management console softWare comprises code
for a collection of computer forensics modules, each module
being capable of collecting a forensic data item from a target
completion data, passWords; screen capture; chat logs from
program like Skype, AOL, Yahoo; SAM passWord ?les, and
the like. A trained user selects a set of forensics data to be
collected as required for a particular job.
[0103] The plurality of computer forensics modules com
prised in the management console softWare may include the
tools found on the Helix3TM CD. The Helix3TM CD contains
a comprehensive set of tools and a GUI interface for launch
ing the tools. HoWever, the Helix3TM CD, or the like, is not
computer. The management console softWare permits the
suitable for use as the removable storage device in the above
user to select a customized set of data items, preferably
including at least one item of volatile forensic data from a list
method, because the Helix3TM CD does not contain runtime
code capable of launching a selected set of tools in a de?ned
of the available modules. The management console softWare
sequence on an active target computer from a removable
also comprises a module to generate runtime code that can
launch modules for collecting the selected items on an active
target computer from a removable storage device. The man
agement console softWare comprises a module to program the
storage device Without user input. Use of the Helix3TM CD
requires substantial expertise, and cannot be used in a covert
removable storage device With the package of runtime code.
Thus, after the device is programmed, the system also com
manner. In a preferred embodiment, unlike the tools on the
Helix3TM CD, the plurality of computer forensics modules
comprised in the management console softWare includes
modules that have been Written so as not to rely upon any
prises a removable storage device comprising a custom gen
native operating system API calls. The data collection mod
erated package of runtime code for collecting the selected set
of data items. The management console softWare can also
ules can utiliZe loW level code alloWing the modules to avoid
detection by anti-virus or computer intrusion detection sys
comprise modules for recovery and analysis of data collected
by the computer forensics modules. HoWever, in some
embodiments, for example Where the data collection modules
tems and may also avoid causing any persistent change in the
host computer. In addition, it must be recogniZed that Win
doWs Vrsta and XP service Pack 3 changed the Way in Which
used are standard tools, the data may be recovered and ana
an individual can acquire the physical memory. In order to
lyZed on a separate system. In other embodiments, the data
acquire the physical memory from a Vista computer running
US 2009/0164522 Al
on Vista, a special device driver is preferably used to access
the kernel space Where the memory resides.
[0104] The system and methods described above can be
Jun. 25, 2009
USB, ?reWire, or e-SATA connectors and behave in a manner
computer may require simply connecting the removable stor
analogous to a USB key When connected to an active system.
LikeWise, removable memory cards for such devices can
contain USB connectors or be inserted into card readers that
may be built-in or removably connected to a target system.
age device to an active target computer. Alternatively, the
system and method may be con?gured to utiliZe a launcher
ing the data collection modules in a de?ned sequence on an
such as found on U3 enabled USB ?ash devices to alloW the
user to activate the runtime code With a single action. The
active target computer from a removable storage device With
out user input. The proper execution order for the de?ned
executable runtime code may then proceed to collect the data
Without further user input. The selected data forensic data
errors as the program modules are executed on a target com
designed so that collecting volatile data from the active target
collection modules are launched in a de?ned sequence upon
activation of the runtime code so that data collection can be
carried out in a covert manner.
[0105]
The executable runtime code prepared by the man
agement console software can comprise one or more execut
able ?les prepared in the form of one or more portable appli
[0109]
The executable runtime code is capable of launch
sequence is preferably arranged to minimiZe possible fault or
puter. For example, the launching of tools executed from the
removable storage medium can be arranged to be completed
in order of volatility. The agent Who connects the removable
storage device to the target computer may be required to
activate the executable runtime code if the target computer is
con?gured to prevent the automatic launching of programs
cations and optionally script ?les for launching the tools. A
collection utility can be created to acquire volatile data, using
knoWn binary code comprising a plurality of computer foren
upon connection of a storage device. Alternatively, upon con
sic tools, With no or minimal alteration of the original data. In
a preferred embodiment, one or more integrated applications
device. HoWever, advantageously, the activated executable
is created for launching the data collection modules. Each
integrated application can contain a set of collection modules
for collecting a selected set of data items and optionally code
permitting the application to masquerade as a commonly used
application. Preferably, the entire procedure is a non-intrusive
evidence extraction process. No softWare Will be installed on
the target (suspect) machine. Preferably, there Will be very
little or no forensic footprint left behind.
[0106]
A portable application is a computer softWare pro
gram that does not need to be installed or copied onto a
computer’s hard drive to be executed, running instead from a
nection of the device, the agent may be presented With a
standard launch menu such as provided on a U3 enabled
runtime code Will not require further action on the part of the
agent to launch the data collection modules in a sequence that
has been de?ned by the management console softWare When
the executable runtime code Was generated. In preferred
embodiments, the executable runtime code is activated auto
matically upon connection of the removable storage device to
the active target system.
[0110] Storing the executable runtime code on an initial
iZed removable storage device is carried out by the manage
ment console softWare. Initialization may be carried out by
the management console softWare or the removable storage
may be initialiZed prior to use. InitialiZation can comprise
removable storage device such as a CD-ROM drive, USB
forensically cleaning and preparing the removable storage
?ash drive, ?ash card, or ?oppy disk. Portable applications
media device for use. The executable runtime code may com
can be run on any computer system With Which they are
to store its con?guration information and data on the storage
prise a single integrated application or may comprise a
launcher and separate modules. This code, together With any
?les required for automatic launching, for example a “auto
media containing its program ?les. Thus, portable applica
run.inf” ?le for use in a WindoWs environment, are stored on
compatible. Portable softWare is usually designed to be able
tions preferably leave the computer they run on exactly as
they found it When ?nished. This means that the application
preferably does not use the registry, nor store its ?les any
Where on the machine other than in the application’s instal
lation directory. Preferably, the integrated runtime code
applications do not require any separate con?guration ?les.
[0107]
A removable storage device is generally a computer
device that can be irremovably connected to or inserted into
an active target system. The removable storage device is
capable of storing runtime code for execution on the target
system. The removable storage device is preferably a com
an initialiZed removable storage device according to the
requirements of the code and the device. For example, U3
USB keys have particularpartitioning and ?le system require
ments.
[0111] Connecting the removable storage device to an
active target computer can comprise inserting a storage
device into the appropriate receptacle on the target system.
For example, the connector of a USB key is inserted into an
unoccupied USB port. Flash memory cards can be inserted
into onboard card reader slots or into a card reader connected
to a USB port. Other ?ash memory devices, such as music
monly available USB ?ash memory device (U SB key), most
preferably a U3 enabled USB ?ash drive (U3 key). U3 keys
players, cameras, telephones, may require a connection cable.
are USB ?ash drives With a speci?c hardWare and softWare
or may require an appropriate cable. Optical storage devices
may be inserted into internal optical drives or into external
setup. The hardWare con?guration causes WindoWs disk
management to shoW tWo drives, a read-only ISO 9660 vol
Removable hard disk drives can comprise built-in connectors
readers connected by cable.
ume on an emulated CD-ROM drive With an autorun con?gu
[0112]
ration to execute a U3 LaunchPad, and a standard ?ash drive
vated, collecting volatile data from the active target computer
that includes a hidden “SYSTEM” folder With installed appli
cations. The preinstalled U3 LaunchPad can be replaced so
ules and Will not require further action on the part of the agent.
that tools installed on the device can be launched upon con
nection of the U3 drive Without user intervention.
[0108] Other types of removable storage devices may be
used in the system. For example, many cellular telephones,
digital music players, digital cameras, and the like contain
Once the executable runtime code has been acti
in a covert manner is carried out by the data collection mod
In a covert manner means that the launching of the data
collection modules Will not be apparent to an observer. The
executable runtime code may be programmed to cause no
change in the display of the target system. This may be
accomplished in a launcher by activating a hidden menu and
US 2009/0164522 A1
causing the application WindoW to open off-screen. Alterna
tively, the executable runtime code may be programmed to
present a camou?aged display giving the appearance that the
agent is engaged in an innocuous activity such as Web broWs
Jun. 25, 2009
performed. An advantageous aspect of the system is in the
generation of the runtime executable that Will run from the
removable storage media. Preferably the system is Written in
a cross platform capable language so as to be portable across
ing, playing a card game, broWsing image thumbnails, and the
WindoWs, UNIX, and Macintosh systems. Runtime execut
like. The executable runtime code may be programmed to
covertly signal the agent that the collection has been com
able code for programming a removable storage medium can
be Written so as to run on a computer under each operating
pleted through a change in the camou?aged display or by
system.
some other visual or audio cue.
[0118] The third element provides an analysis and report
ing capability. The management tool can generate runtime
[0113]
The method can comprise storing the collected data
on the removable storage device for analysis. In this case, the
code to collect data in a forensically sound manner so as to
storage device cannot be an entirely read-only device. Upon
completion of data collection the removable storage device is
verify the integrity of the evidence after analysis.
[0119] Generally, methods of using the system may be
separated into three primary phases. The ?rst is in the device
preparation. The second is in the forensics acquisition and the
third is the forensics analysis.
deactivated and removed. Prior to deactivation, the ?le con
taining the stored results may be marked as deleted in the ?le
system of the removable media so that its presence Will not be
apparent if the device is examined. When the removable
device is a USB ?ash memory device such as a thumb drive,
it may comprises a Writeable partition and a read-only parti
tion, the runtime code can be stored on the read-only portion
to prevent tampering or accidental destruction and the results
of data collection can be stored back to the Writable portion.
Thus, in a preferred embodiment, storing the executable runt
ime code and tools on an initialiZed removable storage device
comprises programming the read-only portion of the thumb
drive. Such an embodiment can be carried out With a USB
thumb drive programmed using U3 technology.
[0114] More generally, the system can be considered to
have three elements. The ?rst element is a management inter
face Which manages and controls the modules/programs that
can be utiliZed in a live environment. The modules/programs
may comprise tools that have been proven and tested by use in
the forensics community or the modules/programs may com
prise custom tools that utiliZe unique methodologies, such as
not relying on any native operating system calls. The second
element is the runtime executable code that is generated by
the management interface and is stored onto a removable
storage medium such as an industry standard USB key. The
third element is an analysis and reporting capability.
[0115] Thus, as a ?rst element, the system includes a man
agement console that any trained user can easily use to create
[0120] Device Preparation Phase: A user such as an agent’s
handler Will preferably ?rst be trained in the use of the system
to fully understand its poWer and use. That individual Would
be able to initialiZe a removable storage media device such as
a USB key. The user can select the appropriate data items for
each speci?c case requirement. Upon selecting the appropri
ate data items, the management console softWare can auto
matically generate executable instructions, Which may be in
the form of one or more runtime executable ?les and option
ally additional script ?les that Would then be placed onto an
initialiZed USB key. The system comprises all of the modules/
scripts and the like that the system needs in order to generate
the executable instructions. Once the runtime code has been
placed onto the removable storage media device by the man
agement console, the device can be turned over to an agent.
The agent Would require very little instruction in the use of the
system, the device, or the runtime executable instructions.
[0121] Thus, referring to the ?rst column of FIG. 3, a How
chart illustrates a method of using the system. A trained user
starting the management console 31 is provided With the
opportunity to select key information, for example a label for
the removable storage device to be used, case name, user
information, and the like. The user can select 33 Whether the
system should generate code for covert or overt data collec
tion. The user can select 34 the data items to be collected. The
runtime code for a speci?c job. The console can be designed
system Will then generate 35 the runtime code for that job. If
to be used in the ?eld by agents or assets With little to no
training. The management console can be setup on a system
an initialiZed removable storage device is not already pre
pared, the system can initialiZe a device. The runtime code is
then stored to an initialiZed removable storage device.
such that a trained user can select from a series of data items
to collect on a particular operation and the manner in Which
the data is to be collected.
[0122] Data Acquisition Phase: This phase, While simplis
[0116] As a second element, the system Will setup and
generate executable runtime code to launch the tools in proper
tic in use, can be the mo st complicated to perform. Executable
instructions Will have been stored onto a USB thumb drive
that Was prepared in phase one. In addition to the secure
forensics execution order once the user chooses the tools for
modules and the executable launch instructions, a portable
that particular operation. The system may automatically place
application program can also be stored on the removable
the code on an initialiZed USB drive or other removable
storage media. The code canbe con?gured to perform various
storage medium. That programmed device can be given to any
agent to connect to the target system, eg by inserting a pro
grammed USB key into a port on the target system. Once the
drive is inserted, the runtime code may be automatically
activities While collecting the data. The time it takes to run the
executable instruction set depends on Which data items Were
activated or the agent may activate the runtime code to collect
the volatile data With no further user interaction required.
selected during the generation phase in the management con
sole. Preferably, each data collection module has been tested
and an average execution time has been calculated so that a
grammed removable storage media or transmitted to a secure
rough estimate of the total runtime Will be displayed in the
management console, i.e. during selection and before the
runtime code is generated. The most signi?cant variable in
drop site on the internet. Once all the forensic tools have
calculating the runtime is the amount of memory on the
?nished collecting data, the executable code may surrepti
tiously signal the agent, Who can simply remove the storage
system being acquired.
[0117]
The data may be securely stored back to the pro
medium and returns it to the handler Where analysis can be
[0123] In a preferred embodiment, the runtime code stores
the collected data by Writing each item collected into an
US 2009/0164522 A1
Jun. 25, 2009
encrypted database, which segregates the collected data by
their activities. These adversaries have long used public com
machine and collected item as well as by date and time. Once
all the data has been collected the database is removed from
puters to communicate with each other with little to no fear of
the ?le system by deleting it. The database can be recovered
using forensics techniques or by the console software. How
ever, in a preferred embodiment, only the console software
can reconstitute the deleted database and recover the data
their activities being discovered. This system, in the hands of
a skilled user, can level the high tech playing ?eld. No longer
will internet cafe’s be considered a communication “safe
haven.” With this system, those little scraps of perishable
evidence that are typically ignored or not known about might
within it. For example, the database may be encrypted using
a secure encryption key (e.g. anAES 256 bit key) which only
make the difference in the war on terror and general crime.
the console software has. When the data is stored in this way,
the key will appear to have the same ?les and siZe before and
after an acquisition. This makes the key seem to be the same
before and after a collection has occurred.
[0124] Thus, referring to the second column of FIG. 3, a
?ow chart illustrates an exemplary method of performing data
Controlled Environment.
[0128] When the environment in which forensics data is to
[0127]
Acquiring Volatile Computer Forensic Data in a
be collected can be controlled, such as in a corporate enter
prise environment, data may be collected by software agents
deployed on target machines. Such a system may be capable
of assisting ?rst responders and network defense analysts in
acquisition using the system. The device that was prepared in
the ?rst phase is connected 61 to the target computer. If the
runtime code has been generated to be autorun 62, and the
computer does not have autorun disabled, then the data col
lection will begin immediately. Alternatively, the user may be
istrators and security personnel with mechanisms to effec
tively counter threats posed by insiders to the security and
integrity of the corporate networks and the data contained
presented with a launch menu. The user may be required to
therein. In addition to the incident response capability this
navigate the directory structure of the removable storage
system can use the power of the network to assist in e-discov
ery. When set up to have access to the entire network strata the
device and activate the runtime code directly or activate the
launch menu if autorun is disabled on the target computer. At
the launch menu, the user may have the ability to select
whether the collected data should be stored on the removable
rapid and accurate assessment of suspicious workstation or
network activity. This solution can provide network admin
system can quickly and e?iciently locate responsive data to a
litigation hold request.
[0129]
Insider Detection/ Surveillance: Identi?cation of
site. This may be accomplished covertly by using either a
insider activity requires forensically sound and robust data
harvesting techniques. System events and activity offer vital
standard launch method 64 (eg left click on a runtime
executable) or an alternative launch method 67 (eg shift
clues to detect insider activities such as permission elevation,
covert data tunnels, and data ex?ltration. An enterprise sys
click, right click, or the like). Following runtime activation,
tem for surveillance and detection of insider activity can be
then the collection begins and proceeds without further inter
comprised of software agents, servers, and console adminis
tration tools (CATs). A schematic of an exemplary network
design is illustrated in FIG. 1. Software agents are deployed
storage device or transmitted over a network to a secure drop
vention. If storage on the device was selected, then the results
may be stored 65 in an encrypted database on the device. To
hide the collected data, the database can recoverably
“deleted” from the ?les system of the removable storage
device. If transmission to a drop site was selected, then the
data is collected and securely transmitted 68. Upon comple
tion, the user is alerted 69 so that the device can be removed
70.
[0125]
Report Generation Phase: Referring to the third col
umn of FIG. 3, a ?owchart illustrates an exemplary sequence
of steps for a report generation phase. After collection of the
volatile information from the target machine, investigators
can take the removable storage device and re-insert the device
into the machine running the system management console for
report generation 91. The “deleted” database is recovered and
decrypted. Data transmitted to a secure internet location can
be accessed and downloaded into the machine running the
management console 95. Thus, however the data has been
collected, the data can easily be recovered at a later time by
the handler using the system management console. The con
sole software comprises modules for analyZing and present
ing the collected data 96.
[0126] The system is designed for the law enforcement and
intelligence community to acquire volatile data on machines
they would not normally have easy accesses to without draw
ing attention. It is suitable for covert operations, especially
undercover operations. However, there may just as well be
on individual workstations 1. These agents are connected by
network to servers 2. CATs 3, 4 communicate with the agents
via the servers. The servers may be arranged in a hierarchy
with regional servers 5 communicating with local servers 2
that are networked directly to the agents 1. The CATs 3,4 may
be connected directly to the local network 3 or may access the
agents remotely 4. CAl‘s can access the agents through the
servers. Preferably, each component is a 32-bit application
compiled for Windows Servers, Win 2000, Win XP and
Microsoft Vista platforms. The CAT also preferably supports
Linux and Mac OS X platforms.
[0130] Software Agents: A remote software agent can
monitor, collect and search the volatile and non-volatile data
present on a host computer. This comprehensive data collec
tion capability allows administrators or analysts to rapidly
determine the nature of suspect activity. These remote foren
sic capabilities include, but are not limited to the collection
and retrieval of any volatile data,.user information, network
information and associated processes, screen captures and
remote forensic disk and RAM imaging.
[0131] Agents may be pre-deployed using any existing
software deployment or patch management solution. System
servers may comprise modules that are capable of deploying
agents to host computers. Preferably, the server deployment
every type of serious crime. Typically, the technology the law
enforcement and intelligence committees need to keep up
with the threat has lagged behind the capabilities that crimi
module is capable of interfacing with existing software
deployment solutions. Agents and con?guration ?les can
masquerade as routine system patches for deployment. The
agents stand ready to provide information network defense
analysts need to rapidly assess suspicious network activity. In
nals and terrorists have at their disposal to plan and execute
some circumstances, it may be desirable to run an agent on a
corporate uses as well. Computers are now involved in almost
US 2009/0164522 A1
machine which does not have an active agent. In this case, an
agent may be run from a live CD. Such a CD may also be used
to deploy an agent. The information provided by the agent can
include often overlooked volatile data. The active agent pref
erably masquerades as a routine process on the workstation
and does not interact with the user. The agent produces no
visual evidence of its existence. That is, no icons are dis
played in the system tray or tool areas of the workstation.
Preferably, the agent only accepts commands from a desig
nated CAT (through a server) via encrypted TCP communi
cation. The agent can be con?gured to beacon at workstation
start so that servers may maintain a list of active agents. The
beacon can also updates the CAT display to re?ect the node’s
status on the network. Through the con?guration utility
located on the CAT, the analyst can con?gure the agent to
beacon at any desired interval. In addition, the CAT operator
can direct each agent to “beacon” on demand.
[0132] The agent may be designed to operate on Windows
2K, XP, Vista, and Windows Servers as well as OS X and
Linux platforms. Preferably, the agent does not interfere with
the operation of anti-virus engines or other malicious logic
detection applications. An agent monitor may reside on work
stations and servers together with an agent to restart non
responsive agents. However, this arrangement is not required.
[0133] Server Hierarchy: The server component can serve
two major purposes. The server can pass requests from the
CAT to the agent. The server can store data created by the
agents for later access by a CAT. As illustrated in FIG. 2, the
system can be deployed with a hierarchical server arrange
ment on a global network. Site level servers 2 at each location
communicate with and collect data from agents deployed on
local workstations 1. Network operations and security centers
(NSOCs) at each site comprise supervisory servers 5 that
communicate with and collect data from site level servers 2.
Jun. 25, 2009
[0137] The CAT can be a stand-alone device that does not
interfere with the management, distribution or installation of
software patch management solutions. A ?rst component of
the CAT interface is a hierarchical list view of all network
nodes. An analyst or administrator can have the capability to
assign IP ranges or nodes into logical groups. This capability
provides analysts or administrators the ?exibility to group
nodes into entities that re?ect the structure of the organiZa
tion.
[0138] The analyst can interact with each node in the hier
archical list simply by activating a node or group icon to
present a menu of data items the agent can return to the CAT
via the server. These items include but are not limited to:
Operating System Information; User Account Information;
Volume (hard disk) Con?guration; Host Name; Clipboard
Contents; System Uptime; Screen Capture; Key Stroke Log;
Network Packet Capture; Network Con?guration; Running
Service/Processes Information, Registry Information; Event
Logs, Internet Browser History queries and alerts upon inser
tion of removable storage media. System and RAM imaging
may also be available. On demand through the CAT or in
accordance with pre-con?gured options, each agent provides
real-time remote access to volatile and other pertinent data.
All of this information is date/time stamped using GMT/UTC
and is obtainable either at workstation startup, on an analyst
de?ned schedule, or in real time via the CAT. Logged agent
activity is also con?gurable by the analyst or administrator.
The system may be con?gured to provide an analyst with an
alert upon detection of suspicious activity. The system can be
con?gured to reduce data by eliminating duplicate data.
[0139] Each requested data item can be acquired by a rou
tine that is a custom part of the agent without relying on any
system code native to the target system. Data retrieval can be
accomplished via custom Application Program Interface
(API) calls. This means that preferably, no native operating
system commands on the system are executed. This approach
Above these, regional NSOCs 7 can be deployed to monitor
and collect data from supervisory servers. A global NSOC 9
may comprise a supervisory server for monitoring all activity
throughout the enterprise. The system may comprise one or
mitigates the threat posed from native commands contami
nated by malicious logic (rootkits). Data integrity can be
more failover sites 8 in different cities.
vented from changing the contents of any log ?le. System
[0134] The Console Administration Tool: The CAT is the
focal point for agent command and control. The CAT may be
deployed within a local area network or may access the sys
tem servers from anywhere on the internet. Communication
between CAT and server can be encryptions with DOD and
NSA approved encryption methods such as the 256-bit AES
standard.
[0135] Through the server, the CAT manages agents within
an internal network or distributed across a global enterprise.
An authorized user can log in to any server on a network using
the CAT. The CAT provides a comprehensive view and opera
tion of network workstations hosting agents while limiting
access to only those groups of agents approved by the server
administrator. This ensures that CAT operators (analysts)
access only those agents within their respective areas of
responsibilities. The CAT GUI can be divided into many
areas, with each presenting different granular data views.
maintained by a variety of means. The analyst may be pre
administrators can limit each user’s access to speci?c catego
ries of data. Workstation agents may be assigned security
levels to which an analyst permissions may be limited. Access
may be restricted to agents in speci?c locations or according
to areas of responsibility, e.g. accounting, personnel, R&D,
and the like.
[0140] All user activity on the agents and CATs is prefer
ably archived to an audit log. The CATs and agents preferably
implement a mechanism to uniquely identify the agent and
CATs to facilitate auditing. Another major area in the CAT
interface is the audit history window. This window displays a
current view of each node’s audit history. The data displayed
in the history window is contained in the server database. The
window refreshes each time a new node is selected on the
hierarchical list. This provides the analyst a quick view of the
node’s audit history and includes the nodes IP address at the
time, Start and Stop Time, the User responsible for executing
[0136] Preferably, the CAT implements an intuitive “point
and click” interface for system operation and con?guration.
the Audit, and the returned audit items. Audit notes can be
added to any audit for either case activity or future reference.
The CAT can be designed to require minimal training for
Only audits with notes will display the note icon. In addition
it is very simple to rename an audit to something descriptive
for the analyst. Another major area of the CAT’s interface is
the Recovered Results Window. This area presents the audit
information associated to the linked audit list box.
effective con?guration and operation. The simple interface
relieves the owner of costly training, allows users to get
up-to-speed in minimal time, and eliminates prolonged inte
gration into an operational environment.
US 2009/0164522 A1
[0141]
The CAT contains an Options WindoW to adjust the
Jun. 25, 2009
ever, the transfer of full hard disk or RAM images is an
agents’ con?guration. The purpose of the con?guration ?le is
exception. BandWidth throttling can be used When moving
to establish critical communication settings.Additionally, the
large ?les across a netWork.
con?guration utility provides the analyst the ?exibility to
[0147] Most enterprises focus simply on the external threat
and do very little or nothing to mitigate the threat from Within.
con?gure each Agent to return speci?ed data to the CAT at
Workstation boot. For example; if the analyst is monitoring a
speci?c user, the utility can generate an Agent con?guration
Studies consistently report the greatest threat to any operation
comes from Within. The insider already has access to the
?le to start key logging and packet capture at the suspect’s
operation (netWork account) and only requires a motive to
terminal at system boot.
[0142] All netWork communication betWeen CATs, serv
ers, and agents is preferably encrypted. One suitable encryp
tion method is the 256-bit Advanced Encryption Standard
(AES). Information stored Within the system database is pro
exploit his access to information and operations. Given tra
ditional netWork defenses, skilled inside attackers or systems
compromised by professional hackers are dif?cult to isolate
and identify. The skilled attacker Will have the tools and take
measures to circumvent layered defenses. Securing the net
tected using 256-bit AES encryption. The Advanced Encryp
Work from careless users, external attackers or malicious
tion Standard (AES) is a Federal Information Processing
insiders is arduous. Rapidly assessing the magnitude of a
compromise is nearly impossible Without a large team of
incident response experts. In this day of expanding global
operations and reliance on the internet, companies need to
leverage technology to e?iciently use the skills of their feW
Standards (FIPS) approved cryptographic algorithm for use
in protecting electronic data.
[0143]
Agent Incident Response: When an incident occurs
or anomalous activity is suspected, the analyst operating the
CAT can query one, some, or all terminals for desired infor
mation. During an investigation, the investigator uses the
CAT to send the agent a request for information. The agent
uses this message as input to generate and return the infor
mation requested. The commands collect and return the infor
mation needed for timely incident response. For example,
should a node on the internal netWork be suspected of com
municating to a knoWn hostile site, the CAT can establish an
encrypted link With the agent and command the agent to
resident experts, or contracted consultants. In other Words,
companies need to make the netWork Work for them, not
against them. Reliance on traditional netWork defense tools is
a recipe for failure. Skilled criminals Will bypass Well knoWn
layered defenses. In the case of sensitive or proprietary data
theft, skilled criminals Will not ex?ltrate data in an obvious
manner. The data Will likely be encrypted and transferred
across the netWork, transferred via modem or a covert Wire
less netWork, or doWnloaded to removable media and carried
return the suspect node’s intemet history, listening ports,
out the front door. All of these scenarios easily circumvent
screen captures and running processes and login of current
“defense-in-depth”.
user. In the case of suspected malicious activity on the Work
station, the agent can be con?gured to collect and return the
[0148]
In preferred embodiments, the agents of the system
can monitor activity on every Workstation in the enterprise.
The agents may be programmed to send an alert to the servers
user’s keystrokes and screen captures.
[0144] Data Format and Storage: Upon receiving a com
mand from the CAT, the agent executes the command(s) and
prepares the data for transmission. Preferably, the agent con
verts the data to XML format. Once in XML format, the data
is then encrypted With 256-bit AES encryption and stored in
limited to attempted access to restricted ?les, changes in
permission levels, anomalous user log in (a user logs in to a
the H3E server.
connection of removable storage devices; and the like.
upon detection of any suspicious activity, including but not
Workstation other than her assigned Workstation), opening
anomalous netWork connections, transfers of large data sets;
[0145] Agent Data Integrity: The agent preferably does not
[0149]
rely on native operating system commands to retrieve infor
mation. The agent implements custom Written API calls to
retrieve accurate information. This mitigates the threat from
using native commands replaced or altered by malicious
logic. All Agent command activity is archived to an internal
agent Will not be apparent to a user of the system on Which it
resides or to a user of the netWork generally. Impact upon the
Advantageously, the presence and activity of the
audit log. This log is protected via 256-bit AES encryption. In
addition, all data is encrypted and time stamped using GMT/
netWork can minimized by bandWidth throttling and all com
munications among CAT, server, and agent can be encrypted.
Preferably, the agent operates covertly on the Workstation or
server on Which it is installed. The agents preferably do not
present any icons to the user, for example in a start menu,
UTC.
[0146]
application toolbar, or the like. To be suf?ciently covert, it is
not necessary to hide the agent from the operating system.
NetWork Tra?ic: The amount of netWork tra?ic gen
erated by the agent is preferably minimal and highly con?g
Rather, the agent may be hidden in plain sight. For example,
urable. The data can be returned on a scheduled basis or on
the agent may masquerade as a common process in tools
available to the user that list active processes and/ or processes
demand. The returned data preferably consists of text ?les
containing XML formatted data. These ?les preferably aver
age approximately 3 KB in siZe. Screen captures are slightly
With open netWork connections. The agent may be designed
larger (on average these can be approximately 100 KB).
restart automatically. The restarted agent may appear to have
so that if a user attempts to stop the agent process, it Will
Screen captures can be executed on demand or according to a
a different process name. To minimiZe the apparent effect on
schedule. The CATs can control netWork tra?ic saturation.
That is, the analyst or administrator can control of the amount
of data introduced to the netWork. The system may be con
the resident system, the system resources used by an agent
may be limited. For example, the agent may be limited to a
designated percentage of CPU, memory, or disk resources. In
one example, the agent may be set to reduce its activity if the
?gured to return analyst-de?ned data at de?ned intervals, for
example either every minute, every hour, at Workstation boot
system approaches maximum capacity, for example if CPU
or only on demand. In this manner, it is possible to minimiZe
the impact of the system on netWork traf?c. In most cases, the
resource demand peaks above 90%. Preferably these limits
can be con?gured in real time by the CAT communicating
need to adjust agent bandWidth utiliZation is minimal. HoW
With an agent through a server. For example, in routine moni
US 2009/0164522 A1
Jun. 25, 2009
toring the frequency and amount of data retrieved by an agent
servers store logged data transmitted by the agents and main
may be limited so as to be unnoticeable by a user of the system
tain communication With agents on active systems. The ana
on Which the agent resides. However, these limits may be
overridden by an analyst seeking real time data in response to
lyst using the CAT can obtain and analyze live data or logged
an incident alert.
keyWord or unique ?le identi?ers such as ?le hash codes.
Thus, for example, an analyst can locate all copies of a ?le of
[0150] The system permits an analyst using a CAT to per
form real-time monitoring of the complete activity of a host
data. The system preferably provides search capabilities by
interest by searching the netWork for ?les containing key
on Which an agent resides including complete screen shots,
Words or identi?ers such as a MD5 hash. Servers may respond
key stroke monitoring, active process monitoring, memory
imaging, ?le system monitoring, netWork connections,
to search queries by referencing logged data and/or by que
rying agents. Proactive monitoring permits alerts to be trig
gered by changes to or copies made of sensitive ?les. Agents
broWser activity, and the like. The analyst can increase or
eliminate resource and bandWidth limitations on an agent as
can be programmed to recognize events that indicate suspi
required.
cious activity.
[0151]
To reduce the use of netWork resources, the CAT in
[0156]
The system employs information assessment meth
data to collect. The set of data parameters to be collected may
odology Which may be implemented at the server and agent
level. At the agent level, events may trigger a graded level
be conveniently set by selection of a pre-set recording level.
response. For example, an event may be characterized as level
For example, at a loW level collected data might be limited to
user log in/out, ?le access, and internet connection logs. At a
1, 2, or 3 from most critical to least critical and the agent may
respond by transmitting an alert to its associated server and
higher level, key logging may be added, and at a higher level,
taking other actions to increase monitoring for preservation of
communication With servers can designate a limited set of
screen capture images at set intervals may be added, and so on
evidence. LikeWise, at the server level, events reported from
up to the highest level Where a complete forensic image of the
host might be collected.
[0152] To reduce the impact of agent activity on the host
system and netWork, the agents and servers may employ
de-duplicating logic. De-duplication at the agent and server
levels can reduce the amount of data stored and transmitted by
eliminating redundant copies of common data. De-duplica
one or more agents may trigger a graded response that may
involve increased monitoring at one or more agents. Super
tion is advantageously employed during routine activity log
ging, but may also be advantageous in real-time monitoring to
reduce the load on the host system and netWork.
[0153] Data reduction logic can be included in agents. For
example, agents can be programmed to track memory and ?le
access so that the CAT can instruct agents to transmit to the
server only recently accessed or changed volatile data, for
example RAM imaging may be limited to recently active
memory addresses, registry data may be limited to recently
accessed or changed keys, and so on. When routinely logging
RAM or disk contents, after transmitting a complete image,
visory, regional, and global servers may be con?gured to
respond to events on a regional or global netWork basis. Any
server may be con?gured to alert one or more analysts
through active CATs or by transmitting a message via e-mail
or directly to a mobile device to responsible analysts.
[0157] The increasing complexities of enterprise netWorks
have previously presented increasing challenges, this system
leverages the poWer of the netWork by connecting agents to
servers, and servers to a central console. A hierarchical sys
tem of ubiquitous agents managed on local netWork segments
by local servers, Which can be managed at a higher level by
supervisory servers, Which can be managed by regional serv
ers, all of Which can be tied to a global netWork operations
server permits an analyst to see netWork operations at any
level of speci?city. At each level, server logic may be trained
an agent may transmit only subsequent changes. Alterna
to distinguish normal from abnormal activity. De-duplication
logic applied at each level permits a reduction of inspected
tively, in a time sensitive incident response situation an agent
can image the most recently accessed memory and ?les ?rst
and then proceed to retrieve the remainder of a ho st RAM and
the same time, this structure permits an analyst to drill-doWn
to a speci?c region, local segment, or individual host to exam
data to those events that are mo st likely to reveal a problem. At
disk image.
ine logs of past activity or collect data in real time. Complete
[0154] Deduplication logic incorporated at the server level
is also advantageously used in e-discovery. In this case,
forensics data collection can be initiated immediately and
hashes of documents identi?ed by agents can be compared at
covertly in response to suspicious activity. Information
assessment methodology permits the system to begin to
the server level so that only one copy of any document is
respond to events and preserve evidence at all levels imme
returned in a search. Most hashing techniques are designed to
diately upon a triggering event. The ability to collect and log
live volatile data remotely and Without detection provides the
identify perfect matches. Fuzzy hashing techniques can be
used to identify documents that may differ in only insigni?
ability to collect evidence before a subject is aWare that data
cant Ways. These documents may require the judgment of a
is being collected and Without disrupting business operations.
revieWer to determine Whether the documents are redundant.
[0158]
The system preferably can identify and groups such docu
ments in order to expedite the revieW process. In preferred
potential sources of relevant documents as employees may
embodiments, the system is programmed to recognize the
company ?le server. These document storage locations along
structure of formatted documents to distinguish the nature of
differences. For example, the system can be programmed to
With IT systems including messaging application servers,
primary storage systems and tape archives, may have to be
determine if tWo e-mail records are identical except for
header information, or if tWo Word processing documents are
identical except for differences in some metadata component
of the ?le.
[0155] The CAT can access any agent on the netWork (sub
processed as part of a discovery request. Depending on the
scope of the request, an organization may need to capture,
Words, a data range or a set of keyWords, as de?ned in the
ject to permission levels) through its associated server. The
discovery request. Ensuring that the results of the gathered
E-Discovery: Organizations may be unaWare of the
store messages on PDAs, in personal folders on a PC or on a
collect and process information from all of these sources.
Organizations must collect data based on custodians, key
US 2009/0164522 A1
results are consistent is extremely di?icult and can often take
multiple days. Once the appropriate data are identi?ed, an
Jun. 25, 2009
tion can provide proven and forensically sound real-time
monitoring capabilities to alloW netWork defense analysts to
defend the organization’s data and technology. This enter
organization must centralize the information to alloW attor
neys to begin the revieW and data reduction process. As With
prise solution can reduce incident response from days to
other discovery processes, the information gathering and pro
ces sing must adhere to chain-of-custody mandates preserving
minutes and provides vital digital evidence needed to identify
the malicious insider or compromised system. In litigation,
the evidence for admission into court. It is di?icult for orga
nizations to store data in a manner that alloWs for simple
the enterprise solution can reduce expenses related to e-dis
covery.
collection of responsive data. As a result, responsive data is
distributed across the entire enterprise. The distributed data
requires the collection of massive amounts of data, of Which
only a small portion is pertinent to the case. This complicates,
prolongs and adds great expense to the collection process.
[0163] While the invention has been described in detail
With reference to preferred embodiments thereof, it Will be
apparent to one skilled in the art that various changes can be
made, and equivalents employed, Without departing from the
[0159] Unfortunately there exist very feW options to easily
?lter large datasets and collect only the pertinent information.
scope of the invention.
What is claimed is:
1. A method for collecting volatile data from an active
There are a feW softWare applications to reduce the amount of
target computer, comprising:
email data Which admittedly does make up a majority of most
legal proceedings. HoWever, there is currently nothing avail
able that Will quickly, easily and inexpensively reduce the
total amount of data to a manageable size.
[0160] The system can comprise an optional plugin that can
be used to quickly and easily reduce the data in a case. The
e-discovery plugin can expedite the e-discovery process and
save clients money. The plugin implements search algorithms
selecting one or more computer forensic data items, includ
ing at least one volatile data item, to be collected from an
active target computer from among a plurality of com
puter forensic data items;
generating executable runtime code comprising one or
more data collection modules for collecting the selected
computer forensic data items from an active target com
puter Wherein the executable runtime code is con?gured
to reduce and remove the nonresponsive data. The plugin is
such that once activated on an active target computer the
capable of isolating ?les by date/time stamps, keyWords, con
executable runtime code is capable of launching said
tainer ?les (email, zip ?les, etc), and de-duplicate ?les by
modules in a de?ned sequence from a removable storage
hash value. Preferably the plugin operates With tWo things in
mind: accuracy and speed. The plugin may eliminate approxi
device Without further user input;
storing the executable runtime code on an initialized
mately 90% of non-responsive data. This translates to cost
savings for the customer. As an example, instead of process
connecting the removable storage device to an active target
ing 2 terabytes of data, using the plugin the data requiring
expensive processing can be reduced to 200 gigabytes, pro
ducing a considerable cost savings to the client. Preferably,
the plugin can process betWeen 500 MB and 1 GB per minute.
[0161] Referring to FIG. 4, a ?owchart illustrates some of
the exemplary steps that may be carried out With this system.
A user Will generally log into 41 the system using credentials
that Will have been assigned appropriate permission levels.
removable storage device;
computer; and, activating the executable runtime code to
collect the selected computer forensic data items from
the active target computer.
2. The method of claim 1, Wherein the removable storage
device is con?gured such that connecting the removable stor
age device to an active target computer causes the executable
runtime code to be activated automatically.
3. The method of claim 1, Wherein, at the time that the
may access. Active agents Will be indicated. The user can
executable runtime code is activated, a user can command the
runtime code to either store the data items to be collected on
select from several actions including incident response audit,
collection of forensic data, and compiling an e-discovery
the removable storage medium or securely transmit the data
items to an intemet drop site.
response. For incident response, the user may run an audit 44
The user Will be presented With a list of agents that the user
server database 48. The user may conduct a forensic investi
4. The method of claim 1, further comprising deactivating
and removing the removable storage medium folloWing
completion of the step of collecting the selected data items,
gation 46 on one or more agents by selecting data items to be
Wherein the collected data items are stored on the removable
collected by the agents and transmitting commands to the
agents and receiving data from the agents through their asso
storage medium in an encrypted database that is recoverably
deleted prior to deactivation and removal of the removable
ciated servers 49. The user may also conduct an e-discovery
storage medium.
5. The method of claim 1, Wherein the removable storage
of system events and data reported by agents and stored in a
45 by commanding the agents to search for and collect data
matching speci?ed criteria. The agents and each level of the
server hierarchy may conduct de-duplication 47 of the col
device is a USB ?ash drive.
6. The method of claim 5, Wherein the USB ?ash drive
lected data so that the server storage only contains a single
instance of a particular data item.
comprises a Writeable partition and a read-only partition.
[0162] Corporations across the globe rely on data netWorks
to operate and achieve their business objectives. Malicious
insiders and hackers pose a signi?cant threat to data, technol
ogy and the survivability of the corporation. Focus on the
external threat and layered defenses are effective against
external threats, but do very little to mitigate threat of rogue
insiders or the unsafe netWork practices of employees. This
enterprise solution can offer a strong defense against the
rogue insider or compromised system. This enterprise solu
comprises U3 technology and storing the executable runtime
7. The method of claim 6, Wherein the USB ?ash drive
code and tools on an initialized removable storage device
comprises programming the read-only portion of the thumb
drive With a custom launch program.
8. The method of claim 1, Wherein the data is collected
covertly.
9. The method of claim 8, further comprising displaying a
camou?aged vieW to the user While the data is being col
lected.
US 2009/0164522 A1
10. The method of claim 9, wherein the camou?aged view
appears to be a view selected from among a web browser, a
card game, and an image browser.
11. The method of claim 8, wherein the data is collected
without any change to the target computer display.
12. A system for collecting and managing data relating to
the activity of a user of a networked host computer, compris
ing:
a plurality of software agents, each agent active on a host
computer system;
one or more servers, each server in network communica
tion with one or more of said software agents; and,
one or more console administrative tools residing on com
puter systems capable of network communication with
said servers;
wherein said software agents each comprise means for
covertly and forensically searching and collecting
volatile data from the system upon which the software
Jun. 25, 2009
18. The system of claim 12, wherein the agents do not use
any system application program interface calls to collect the
data.
19. The system of claim 12, wherein all network commu
nications among and between agents, servers, and consoles
are encrypted.
20. The system of claim 12, wherein the servers each
comprise a means of securely storing an audit log for
archiving all user activity and system events for each agent
and console in communication with said server.
21. The system of claim 12, wherein some or all of the
agents are deployed to host computers using a software
deployment or patch management solution.
22. The system of claim 12, wherein the servers comprise
a module for deploying software agents.
23. The system of claim 12, comprising a software agent
running from a live CD.
24. A method for collecting and managing data relating to
agent resides and securely transmitting requested data
the activity of a user of a networked in a network system
to one of said servers,
comprising:
wherein said servers each comprise means for securely
storing data received from one or more of said soft
ware agents, means for securely receiving instruc
tions from a console administrative tool subject to an
administrative permission rule, means for securely
transmitting instructions to one or more agents, and
means of transmitting forensic data to said console
administrative tools; and
wherein said console administrative tools each comprise
means of securely communicating with said servers,
means of requesting forensic data from said servers
and agents, and means of verifying, analyZing and
presenting forensic data received from said software
agents through said servers.
13. The system of claim 12, wherein said software agents
comprise means for limiting the agents’ use of network and
host computer resources so as to avoid negatively impacting
network or ho st computer performance.
14. The system of claim 12, wherein said servers that are in
deploying software agents for collecting computer forensic
data from host computers on the network system on
which the agents reside, the agents being in networked
communication with a server, and one or more of said
servers being in network communication with a console
administrative tool;
causing a console administrative tool to transmit instruc
tions to one or more agents through the servers that are in
communication with those agents instructing those one
or more said software agents to covertly and forensically
collect forensic data including at least one item of vola
tile data from the computers upon which on those soft
ware agents are active; and
storing the data on a server for analysis.
25. The method of claim 24, wherein each software agent is
con?gured to retrieve data of one or more user speci?ed types
from the one or more computers according to speci?ed search
network communication with said agents comprise a plurality
criteria.
26. The method of claim 24, wherein the software agent is
of local servers, the system further comprising one or more
camou?aged as a routine process on the computer.
supervisory servers in network communication with said plu
rality of local servers, wherein one or more of said software
agents is in a different network region from one or more other
27. The method of claim 24, wherein the data is collected
by the software agent without using any system application
of said software agents and wherein the software agents in
different network regions are associated with different local
program interface (API) calls.
28. The method of claim 24, further comprising securely
archiving user activity and system events recorded by a soft
servers.
ware agent to a server.
15. The system of claim 12, wherein user access permis
sions granted to each user of a console administrative tool
comprising said archived activity without alerting the user of
29. The method of claim 28, comprising building a case
de?ne limits for accessing agents within the network and their
the host computer on which a software agent resides to the
respective data.
data collection.
16. The system of claim 12, wherein the consoles can
command the agents to collect a complete image of the vola
tile data their host criteria.
30. The method of claim 24, comprising compiling data
responsive to a litigation discovery requirement by instruct
ing the agents to collect and transmit data satisfying speci?c
17. The system of claim 12, wherein the agents covertly
collect the data from the computer by camou?aging as a
routine process on the computer.
search criteria.
Was this manual useful for you? yes no
Thank you for your participation!

* Your assessment is very important for improving the work of artificial intelligence, which forms the content of this project

Download PDF

advertisement