Locard's exchange principle holds that the perpetrator of a crime will bring something to a crime scene and will leave with something from the crime scene, and that each act can yield forensic evidence. Forensic investigation therefore involves collecting, preserving and analysing evidence of a crime. Although Digital Computing Systems (DCSs) process and store virtual material, or rather data in electronic form, and not physical material, Locard's exchange principle still holds. Forensic investigation may be carried out on a DCS to detect suspect or anomalous behaviour in the DCS, with such suspect or anomalous behaviour being, for example, caused by malware, a disgruntled employee or human error. Such forensic investigation may relate to an act of a criminal nature or may relate to a less extreme act which nevertheless infringes against regulations, such as an IT usage policy, imposed by an organisation. Forensic investigation in the context of a DCS, or alternatively digital forensics, is thus of wider applicability than conventional forensic investigation involving physical material.
The terms digital forensics, forensic investigation and forensic analysis as used herein are to be understood to refer to investigative or analytical activity relating to any DCS where a DCS is any apparatus that manipulates, stores or otherwise processes digital information. By way of example, computers and networks of computers of all types, mobile telephones, personal digital assistants, media players, set-top boxes, games consoles, televisions and associated network components, such as routers, switches, hubs, servers and broadcast equipment, are covered by the term DCS.
Every DCS creates, stores or manipulates digital information with such digital information forming the basis of digital evidence. A DCS typically creates a diverse range of data further to the data familiar to the everyday user of the DCS. For example, for every text document created and saved to a hard disk or for every data packet routed from one part of a network to another, a voluminous amount of data relating to such an activity is created. Such data may be useful and can be used in one or more of a variety of ways from debugging to operation monitoring. Often all data created by a DCS is regarded as of possible relevance to a digital forensics investigation.
It is known in DCSs comprising a server and plural client machines to collect data of forensic value at each client machine and to transmit the collected data to the server where forensic analysis is carried out. Analysis may, for example, involve matching strings of collected data with a library of reference data strings which represent normal behaviour. If a subject collected data string fails to match any of the reference data strings, then the conclusion is drawn that there has been suspect or anomalous computer behaviour, such as is caused by the likes of malware, a disgruntled employee or human error. Normally the forensic analysis is carried out on the server as a non-real time operation.
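The server-side matching just described, as an added illustration that is not part of the patent text: collected records from client machines are compared against a library of reference patterns representing normal behaviour, and any record matching none of them is reported as anomalous. The reference patterns, record format, client identifiers and sample records are all constructed for this example.

```python
import re
from dataclasses import dataclass

# Constructed reference library: patterns describing "normal" behaviour.
# In practice such a library would be derived from baselining the client estate.
REFERENCE_LIBRARY = [
    r"^proc_start user=[a-z]+ exe=/usr/bin/(bash|ls|cat|vim)$",
    r"^file_write user=[a-z]+ path=/home/[a-z]+/.*\.(txt|docx)$",
    r"^net_connect user=[a-z]+ dst=10\.0\.\d+\.\d+:(80|443)$",
]


@dataclass
class Finding:
    client_id: str  # client machine that collected the record
    record: str     # the collected data string that matched no reference


def compile_library(patterns):
    """Compile the reference strings once so every record is matched cheaply."""
    return [re.compile(p) for p in patterns]


def is_normal(record, compiled):
    """A record is 'normal' if at least one reference pattern matches it."""
    return any(p.match(record) for p in compiled)


def analyse(collected, compiled):
    """collected: iterable of (client_id, record) pairs as received by the server.
    Returns a Finding for every record that fails to match any reference string."""
    return [Finding(c, r) for c, r in collected if not is_normal(r, compiled)]


# Constructed sample of records collected at two hypothetical client machines.
SAMPLE = [
    ("client-A", "proc_start user=alice exe=/usr/bin/ls"),
    ("client-A", "file_write user=alice path=/home/alice/report.docx"),
    ("client-B", "proc_start user=bob exe=/tmp/.cache/updater"),
    ("client-B", "net_connect user=bob dst=10.0.3.7:443"),
    ("client-B", "net_connect user=bob dst=203.0.113.5:8081"),
]

if __name__ == "__main__":
    for f in analyse(SAMPLE, compile_library(REFERENCE_LIBRARY)):
        print(f"{f.client_id}: anomalous record {f.record!r}")
```

Because every record must reach the server before it is matched, the approach pays the full transfer cost of the collected data, which is the bottleneck the following passage discusses.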
The inventors have become appreciative of the value of performing real time or near real time forensic analysis on the server of data collected from client machines. Prompt detection of suspect or anomalous computer behaviour provides for correspondingly prompt action to thereby increase the likelihood of containing the threat, be it a person or malware, before further or undue damage is done. The inventors have recognised that limited resources of a DCS may present an obstacle to real time or near real time forensic analysis on the server. For example the communication channel between a client machine and the server may militate against real time or near real time forensic analysis on the server by presenting a bottleneck to prompt transfer of collected data from the client machine to the server. By way of further example and in certain circumstances, limited processing capability of the server, such as a file server of modest processing power, may hinder real time or near real time processing of collected data in the server.
The present invention has been devised in the light of the inventors' recognition. It is therefore an object for the present invention to provide an improved forensic analysis method performed in a Digital Computing System (DCS) comprising a server and at least one client machine in which the server processes data in dependence on data collected at a client machine to provide for detection of suspect or anomalous behaviour at the client machine.
It is a further object for the present invention to provide a computer program and a computer system each comprising instructions for causing a computer comprising a server and at least one client machine to perform a forensic analysis method in which the server processes data in dependence on data collected at a client machine to provide for detection of suspect or anomalous behaviour at the client machine.
It is a yet further object for the present invention to provide a Distributed Computing System (DCS) comprising a server and at least one client machine which is configured to perform forensic analysis in which the server processes data in dependence on data collected at a client machine to provide for detection of suspect or anomalous behaviour at the client machine.