1. Field of the Invention
This invention relates to computer technologies, in particular, to a tool for forensic analysis of computer-stored information.
2. Description of the Prior Art
Legal and other investigative operations today often involve forensic analysis of computer-stored data. In a typical forensic search operation, after obtaining the necessary court order or other authorization for searching and seizing a suspect's computer evidence, the suspect computer may be seized and transported to a forensic laboratory, where data from the computer is acquired for analysis. Alternatively, an investigator may visit the suspect's place of illegal operation, acquire data from the suspect computer in the field by verifying an evidence drive or copying data from the suspect computer, and subsequently send the evidence drive or images containing the copied data to a forensic laboratory for analysis.
A conventional data acquisition process is schematically illustrated in FIG. 1. Data acquisition equipment (a computer or drive duplicator) 10 is used to copy data from the suspect drive or computer 12, which results in the creation of an identical evidence image on a storage device (evidence drive 14). The image can be in several different formats. The simplest is a sector-by-sector replica of the suspect media. The next consists of multiple files that together contain all the sectors of the suspect media. The most advanced format breaks the subject image into blocks; each block is compressed, stored on the evidence drive, and accompanied by its own hash value. All of the above-mentioned formats, particularly the most advanced one, require significant data processing during the acquisition of the suspect media.
Some storage devices in a suspect computer may be accessed directly without powering up the suspect computer. Other storage devices (e.g. hard drives in some notebook computers) cannot be accessed without powering up the suspect computer. In this situation, the investigator may use special software to power up the suspect computer. The software typically boots the suspect computer without using the local operating system on the suspect computer, to avoid any writes to the local suspect drive. When a storage device can be accessed directly, a write-protect device 16 may be used in conjunction with the suspect's storage device to avoid any accidental write to the suspect drive due to human error or equipment malfunction.
Hashing the data for the purpose of authentication is currently done either by the hard drive duplicator or by the acquisition software, if a computer is used for obtaining the image. The hard drive duplicators available today, which are not controlled by analysis software, can only compute a hash over the entire drive.
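The three image formats and the two hashing granularities described above (a per-block hash stored with each compressed block versus a single hash over the entire drive) can be made concrete with a small model of the acquisition and verification steps. The following is an added example written for this page, not code from the patent or from any duplicator product; the block size, the SHA-256 choice, the zlib compression, and the sample media are all assumptions made for illustration.

```python
import copy
import hashlib
import zlib
from dataclasses import dataclass, field

BLOCK_SIZE = 4096  # assumed block size for this example


@dataclass
class BlockImage:
    """Block-based evidence image: each block stored compressed with its own hash,
    plus a whole-media hash of the kind a drive duplicator would produce."""
    block_size: int
    blocks: list = field(default_factory=list)   # zlib-compressed block payloads
    hashes: list = field(default_factory=list)   # SHA-256 hex digest per block
    total_hash: str = ""                         # SHA-256 over the entire media


def sample_media() -> bytes:
    # Constructed stand-in for a suspect drive: 10244 bytes, so the last block is
    # a partial block and the loop below must handle an uneven tail.
    return bytes(range(256)) * 40 + b"tail"


def acquire(media: bytes, block_size: int = BLOCK_SIZE) -> BlockImage:
    """Acquire the media block by block: compress each block, record its hash,
    and also accumulate the whole-media hash in a single pass."""
    img = BlockImage(block_size=block_size)
    whole = hashlib.sha256()
    for off in range(0, len(media), block_size):
        block = media[off:off + block_size]
        whole.update(block)
        img.hashes.append(hashlib.sha256(block).hexdigest())
        img.blocks.append(zlib.compress(block))
    img.total_hash = whole.hexdigest()
    return img


def restore(img: BlockImage) -> bytes:
    """Rebuild the sector-by-sector replica from the compressed blocks."""
    return b"".join(zlib.decompress(c) for c in img.blocks)


def verify_blocks(img: BlockImage) -> list:
    """Return the indices of blocks whose stored hash no longer matches the
    decompressed data (or that fail to decompress). Empty list means intact."""
    bad = []
    for i, (comp, h) in enumerate(zip(img.blocks, img.hashes)):
        try:
            raw = zlib.decompress(comp)
        except zlib.error:
            bad.append(i)
            continue
        if hashlib.sha256(raw).hexdigest() != h:
            bad.append(i)
    return bad


def verify_whole(img: BlockImage) -> bool:
    """Whole-drive check as a duplicator does it: one yes/no answer, no locality."""
    return hashlib.sha256(restore(img)).hexdigest() == img.total_hash


def corrupt_block(img: BlockImage, index: int) -> BlockImage:
    """Simulate damage to one stored block (e.g. a bad sector on the evidence drive)
    by replacing its payload with a compressed run of zeros. Returns a copy."""
    damaged = copy.deepcopy(img)
    damaged.blocks[index] = zlib.compress(b"\x00" * img.block_size)
    return damaged


if __name__ == "__main__":
    img = acquire(sample_media())
    print("blocks:", len(img.blocks), "intact:", verify_blocks(img) == [])
    damaged = corrupt_block(img, 1)
    print("whole-drive hash still valid:", verify_whole(damaged))
    print("blocks failing per-block check:", verify_blocks(damaged))
```

Running the script shows the practical difference between the two granularities: after one block is damaged, the whole-drive hash only reports that the image no longer matches, whereas the per-block hashes identify exactly which block is affected, so the remaining blocks can still be relied on.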
The subsequent analysis of the evidence drive 14 acquired from the suspect computer is schematically illustrated in FIG. 2. Typically, a computer forensic expert examines the data on the evidence drive or image 14 using an analysis unit 18, traditionally a computer with analysis software, looking for any evidence of interest. Typically the forensic expert has some idea of what he is looking for and may use a variety of software analysis tools to search for a specific piece of information.
The analysis can be very tedious and time-consuming, and often requires highly skilled and experienced professionals. With the dramatic increase in the size of computer hard disc drives, often the amount of information to be analyzed is large while analysis resources are always limited. This results in a backlog of workload at computer forensic analysis agencies such as law enforcement agencies.
As an example of the level of sophistication involved and of how time-consuming the analysis is, it is estimated that, using the best analysis software on a fast computer, confirming a suspicion that the suspect uses a computer to connect to child pornography sites (where the suspect visits only a few of the hundreds of known sites and the computer has a 40 GB hard disc drive) will take an investigator about six (6) hours.
For comparison, it takes only about 30 minutes for the presently invented computer forensic tool, or computer forensic accelerator engine, to complete the same assignment.
From the above introduction, it is apparent that there is an urgent need for a computer forensic tool which can speed up forensic data analysis in order to accommodate the significant increase in data storage capacity in recent computer technology.
The following eleven (11) prior art patents are relevant to the field of the present invention:
1. United States Patent Application Publication No. US2002/0174190 published on Nov. 21, 2002 (hereafter "the Toyoshima Publication");
2. United States Patent Application Publication No. US2003/0005246 published on Jan. 2, 2003 (hereafter "the Peinado Publication");
3. United States Patent Application Publication No. US2003/0115415 published on Jun. 19, 2003 (hereafter "the Want Publication");
4. United States Patent Application Publication No. US2003/0212862 published on Nov. 13, 2003 (hereafter "the James Publication");
5. United States Patent Application Publication No. US2004/0010671 published on Jan. 15, 2004 (hereafter "the Sampsa Publication");
6. United States Patent Application Publication No. US2004/0039876 published on Feb. 26, 2004 (hereafter "the Nelson Publication");
7. U.S. Pat. No. 6,757,783 issued on Jun. 29, 2004 (hereafter "the Koh Patent");
8. U.S. Pat. No. 6,785,091 issued on Jun. 29, 2004 (hereafter "the Edwards Patent");
9. United States Patent Application Publication No. US2004/0236899 published on Nov. 25, 2004 (hereafter "the Teicher Publication");
10. U.S. Pat. No. 6,829,672 issued on Dec. 7, 2004 (hereafter "the Deng Patent"); and
11. United States Patent Application Publication No. US2004/0250009 published on Dec. 9, 2004 (hereafter "the Chen Publication").
The Toyoshima Publication disclosed an apparatus and method for providing data to a mobile device, including inserting a wireless module into a host mobile device, transferring data about the device type from the host mobile device to the wireless module, retrieving from a memory device, by the wireless module, website addresses associated with the device type data, and accessing the retrieved website addresses using the host mobile device with the wireless module coupled therein.
The Peinado Publication disclosed a device for securely recording protected content to a portable memory, and for reading the protected content therefrom. The device includes a feature that adapts it to read or write specially-configured portable memories that are incompatible with standard read/write devices.
The Want Publication disclosed a method and device for communicating with an access device. The device includes a wireless communication module to communicate with the access device in a wireless fashion, a data storage module to store bulk data, and a controller connected to the communication module and to the data storage module. The device may function as a personal server which communicates with an access device using Bluetooth technology.
The James Publication disclosed a memory module that is releasably connected to a computer, which contains an application software package and associated data. When connected to the computer, the application software package runs directly from the device without being uploaded or installed on the computer.
The Sampsa Publication disclosed a method, a memory adaptor and a system for handling data in a fixed memory of a mobile device. It provides a non-volatile memory as a kind of cache memory for accessing mass storage, where the fixed memory includes a non-volatile memory and a mass storage.
The Nelson Publication disclosed a portable mass memory device with a self-contained housing. The device has a memory card receptacle for receiving a compact moveable memory card. The device also has a processor to enable transfer of data from a compact moveable memory card to the mass memory of the device.
The Koh Patent disclosed a portable storage medium based on the Universal Serial Bus (USB) standard. It has a USB connector for connection to the USB port of a host computer, a non-volatile memory for storing data transferred from the host computer, an operation program stored on the device, and a controller for controlling the entire operation of the device.
The Edwards Patent disclosed an interchangeable cartridge data storage system for exchanging digital data among a plurality of handheld devices. Digital signals are written by a first handheld device to a mini-cartridge which is inter-operable among the plurality of handheld devices, each of which is equipped with a mini-disk drive.
The Teicher Publication disclosed an integrated storage device for storing data received wirelessly from a remote base station. The device includes a non-volatile storage medium and a processor.
The Deng Patent disclosed an electronic flash memory external device for data processing systems. The device includes firmware for controlling the access of electronic storage media and implementing interfacing functions.
The Chen Publication disclosed a storage device with an optimal compression management mechanism. It has a controller, a solid state storage medium, and memory interfaces. The device also has a data compression/decompression module for compressing raw data before it is written to the storage medium, in order to increase the data storage capacity of the storage medium.