One goal of computer crime incident response is to preserve the entire crime scene (e.g., the computer system) with minimal or no modification to the data on the system, in order to provide accurate data for a digital forensic analysis. In addition, an incident often occurs in a corporate environment where system downtime is expensive and the system administrator may not be trained to handle computer incidents.
Digital forensic analysis examines digital data to find evidence of an incident. Digital data is typically stored either on non-volatile media, such as hard disk drives, or on volatile media, such as memory. When responding to a computer incident, one wants to copy every bit of data from the suspect system to a trusted system. The data can then be analyzed on the trusted system, while the suspect system is put back into operation.
Prior digital forensic analysis techniques rely predominantly on the contents of a computer system's hard drive (system logs, time stamps, file modifications, temporary files) for crime investigation. Previously known products exist to duplicate a non-volatile computer system hard drive to another non-volatile storage medium, primarily for data back-up purposes and for digital forensic analysis in computer crime investigations. This limits the amount of useful information that can be analyzed, because the volatile memory of an active computer system contains information about the processes currently executing on the system, the state of user activity, temporary data items, and other components that aid in forensic analysis.
Prior techniques to acquire volatile memory require software-based tools. This is problematic because the acquisition software must itself be loaded into memory, which overwrites possible evidence. An additional problem is that the acquisition process can cause stability issues in some systems and cause them to fail. Attackers can also modify the operating system to hide evidence from an investigator. A hardware solution can solve these problems.
Prior incident response techniques require extensive training. One must have trusted copies of software tools, as an attacker could have modified the tools on the system. The responder must also be trained to run the tools that acquire the appropriate data. If an organization does not have trained staff and relies on a third party for assistance, there is no way for the organization to freeze the live system until the response team arrives.
The following U.S. patents are known and incorporated by reference:
U.S. Pat. No.    Date       Inventor
5,497,494        3/1996     Combs, et al.
4,907,150        3/1990     Arroyo, et al.
5,960,460        9/1999     Marasco, et al.
6,079,030        6/2000     Masubuchi
6,145,068        11/2000    Lewis
6,202,090        3/2001     Simone
6,240,527        5/2001     Schneider, et al.
6,243,831        6/2001     Mustafa, et al.