Computer examination services include, but are not limited to, electronic discovery (eDiscovery), digital forensics, incident response, digital investigations, file recovery, system identification, data preservation, data collection and data analysis. In order that computer examination services produce information that is suitable for use in a court of law, these services should be provided in a manner consistent with accepted practices from the fields of computer forensics and eDiscovery. Computer forensics and eDiscovery are scientific fields that address the identification, preservation, collection and analysis of data stored on computer systems such that the data is suitable for use in a court of law. Electronic discovery (eDiscovery) refers to the discovery of Electronically Stored Information (ESI) in civil litigation proceedings. Those involved in eDiscovery may include computer forensic practitioners, lawyers, IT personnel, and others, yet sound computer forensics practices are employed to the extent that they are reasonable and practical because the data is subject to being used in a court of law.
Computers, in myriad forms of computing devices (e.g. desktops, laptops, tablets, gaming devices, phones, mobile devices, etc.), are increasingly relied upon for personal and business communications, data creation, data management, and in general, as short- and long-term data repositories. The information that can be found in these data repositories is often sought after to establish innocence or guilt in a court of law, thus the process of identification, preservation, collection and analysis of data stored on subject computer systems must often be accomplished in accordance with procedures that do not preclude the use of the data as evidence in a court of law. The computer forensics and eDiscovery fields offer acceptable processes and procedures for the identification, preservation, collection and analysis of computer data, but historical application of these processes and procedures has required the dedication of considerable amounts of time from experienced forensics and eDiscovery practitioners. Thorough analysis of computer media, such as a hard drive, is a time-consuming endeavor, and traditionally required physical access to the subject computer during some phase of the identification, preservation, collection and analysis process.
Accordingly, there is a need for faster, more cost-effective methods of performing a forensics investigation.
Another challenge to providing forensic services is gaining access to the computing device. The computing device may be used in an ongoing business enterprise and include sensitive data, which if made public could compromise legitimate business or personal interests. Another challenge is that of identifying computing devices which may have desired evidence. A large corporation may have hundreds, perhaps thousands of computers connected by various networks. Culpable data might be present only on relatively few computers, if any. Obtaining physical custody of all these computers could shut down a large enterprise, or otherwise damage legitimate ongoing business operations. Consequently, it is desirable to gain access to computing devices remotely.
Further, a computer forensic analysis may be a very time-consuming and expensive process. Typically, the forensic practitioner takes custody of the subject computer, documents it, images it, analyzes it, issues a report, and returns the computer to the customer. In many instances, this substantial effort may reveal that the computer has no desired evidence stored on it. Consequently, spending such a large effort (time and money) to determine whether or not evidentiary data is present (and is in need of preservation) on one computer often is not practical or economically feasible. Accordingly, there is a need for more cost-effective forensic analyses.
Embodiments of the present invention address these and other challenges to provide an effective forensics service allowing secure, remote access to a subject computer, which may remain situated in its working environment.
A prior method of remotely conducting an examination is disclosed in my published U.S. Patent application serial No. 2011/0113139, filed 17 Jan. 2011 as U.S. patent application Ser. No. 13/007,874, the complete disclosure of which is incorporated herein by reference.