Computer forensics is the application of computer investigation and analysis techniques to identify and capture potential legal evidence stored or otherwise maintained within a computing device. The evidence might be sought during an investigation for a wide range of potential computer crimes or misuse, including theft of trade secrets, theft of service, theft of or destruction of intellectual property, fraud, hacking, and other criminal or misuse activities. In addition, the evidence may be useful for non-criminal investigational activities including divorce or separation proceedings. Unlike paper evidence, computer evidence can exist in many forms, with earlier versions and even some deleted versions of the evidence still accessible on a storage medium. Forms of computer evidence may include, for example, system log files, executing processes, stored files and the like.
An investigator may draw on an array of methods to discover and capture evidence from a computer device. One common method for obtaining computer evidence is on-site inspections or seizure of the computer. For example, the investigator may physically connect an analysis device to the target computer or load analysis software on the target device to acquire and analyze the computer evidence. However, when these discovery techniques are used on computers critical to a network, e.g., servers, the investigation may become burdensome on the network users. Moreover, it is often desired to collect evidence from a computer over time without being detected by a perpetrator of the crime, which can be difficult with many of these invasive techniques.
Computer forensic analysis software may enable the efficient management, analysis and searching of large volumes of computer data by being able to view and analyze storage devices, such as disk drives, at the disk level without having to go through intermediate operating system software. Forensic analysis scripting tools may be used to target and automate the analysis of large volumes of computer data. Accordingly, computer forensics analysis software may be an advantageous tool for related but non-forensic investigation purposes, such as computer auditing and information assurance.
Current computer forensics analysis tools commonly work either from an image copy of a storage device or over a link coupled between the parallel ports of the analyzing computer and the target computer. Commonly used, non-forensic methods of searching, reviewing, and copying logical files over a network may have a shortcoming in that time stamps and existing data may be altered or destroyed in the process. There is no economical, straightforward computer forensic solution for identifying evidence or activity conducted on a computer currently available today.
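To make the time-stamp concern concrete, here is an added example in Python (not part of the original text): it constructs a sample file, copies it once with a content-only copy and once with a metadata-preserving copy, and shows that both copies hash identically while only one keeps the original modification time. The file contents, the fixed modification time and the temporary directory are all constructed for the example.

```python
import hashlib
import os
import shutil
import tempfile

# Constructed modification time for the sample file: 2020-01-01T00:00:00Z
# expressed in nanoseconds (a hypothetical value, not from any evidence).
FIXED_MTIME_NS = 1_577_836_800 * 1_000_000_000


def sha256_of(path: str) -> str:
    """Content hash that serves as the integrity baseline for a file."""
    h = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def compare_copy_methods() -> dict:
    """Copy a constructed sample file two ways and report what changed:
    whether each copy hashes like the original and whether it kept the
    original modification time."""
    with tempfile.TemporaryDirectory() as tmp:
        original = os.path.join(tmp, "evidence.log")
        with open(original, "wb") as fh:
            # Constructed log line; not real data.
            fh.write(b"2020-01-01 00:00:00 login user=alice src=10.0.0.5\n")
        # Pin the sample's mtime to a known past value so drift is visible.
        os.utime(original, ns=(FIXED_MTIME_NS, FIXED_MTIME_NS))

        plain = os.path.join(tmp, "copy_plain.log")
        meta = os.path.join(tmp, "copy_meta.log")
        shutil.copy(original, plain)   # content only: mtime becomes "now"
        shutil.copy2(original, meta)   # copystat() also carries atime/mtime

        baseline = sha256_of(original)
        return {
            "hash_matches_plain": sha256_of(plain) == baseline,
            "hash_matches_meta": sha256_of(meta) == baseline,
            "copy_kept_mtime": os.stat(plain).st_mtime_ns == FIXED_MTIME_NS,
            "copy2_kept_mtime": os.stat(meta).st_mtime_ns == FIXED_MTIME_NS,
        }


if __name__ == "__main__":
    for key, value in compare_copy_methods().items():
        print(f"{key}: {value}")
```

Even the metadata-preserving copy cannot carry over the kernel-maintained change time (ctime), which is one reason forensic tools read the storage device or an image of it rather than copying logical files.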
The inventors have developed a product and process that allows an untrained consumer to receive a highly detailed report generated from a collected forensic image or from the raw data contained on a computer system, revealing computer activity and evidence on that computer. This report is issued under the supervision of trained forensic examiners, so it can suffice as evidence in a court of law for various legal situations. Additionally, users have the option to view the data in a manner that emulates the Windows Operating System, by using the evidence as a compiled Virtual Machine.