1. Field
The present invention relates to computer investigation systems, and more specifically, to secure computer forensic investigations in a network.
2. Background
Computer investigation has become increasingly important as the use of computers has extended to virtually all areas of everyday life. Computer investigation, as used herein, includes computer forensics, which is the collection, preservation and analysis of computer-related evidence. Computer-related evidence is increasingly being used for court trials and police investigations. Computer evidence may be relevant in criminal or civil matters.
One tool for computer forensic investigation is software used to perform the computer forensic investigation. Electronic evidence may be altered or erased without proper handing. For example, merely booting a target computer into its native Windows environment will alter critical date stamps, erase temporary data, and cause data to be written to a hard disk drive or other storage device, thereby possibly destroying or altering data on the storage device. It is desirable in forensic systems to be minimally invasive and prevent unintended changes of the dataxe2x80x94on the storage device. Accordingly, it is desirable that computer forensic software minimize the alteration of data during the acquisition process and that it further minimize any such alteration by other programs.
As an example of forensic investigation, a target storage device may be non-invasively examined by creating a bit-stream image, or xe2x80x9cexact snapshot,xe2x80x9d of the target storage device on another external media, such as floppy or zip disk, thereby creating an image or working copy of the target storage device.
Once the image copy is created, computer forensic software may mount the image of the target storage device as a read-only drive, thus allowing the investigator to conduct the examination on the image of the target drive without altering the contents of the original. This process of making a copy image of the storage device, before examining the storage device, may preserve computer files without altering date stamps or other information. The process of non-invasively examining the storage device may also be accomplished through a preview process where the computer is booted to DOS and then connected to the investigator""s computer, for example, through a parallel port cable.
Computer forensic analysis software may enable the efficient management, analysis and searching of large volumes of computer data by being able to view and analyze, for example, such storage devices such as disk drives at the disk level without having to go through, for example, intermediate operating system software. Forensic analysis scripting tools may be used to target and automate analysis of large volumes of computer data. Accordingly, computer forensics analysis software may be an advantageous tool for related but non-forensic investigation purposes, such as computer auditing and information assurance.
Current computer forensics analysis tools commonly work either from an image copy of a storage device, or over a link coupled between the parallel ports of the analyzing computer and the target computer. Commonly used, non-forensic, methods of searching, reviewing, and copying logical files over a network may have a shortcoming in that time stamps and existing data may be altered or destroyed in the process.
Viewing computer files presents additional problems when used in a network setting. A remote administrator may access a node on a network and access all of the files on the node""s hard drive. However, when the remote administrator opens and accesses a file, the time stamp of the file may change, and a temporary copy of the file may be created on the node""s hard drive as well as link files and other data. It is desirable for forensic investigations to maintain the time stamps, and to avoid creating various temporary files, which may overwrite other data. Even though a remote administrator can commonly access files, a remote administrator may be unable to access such items as swap files, deleted files, file slack, or printer spooler files. File slack is the data located from the end of the logical file to the end of the physical storage allocation on a storage device and may contain information previously written to the storage device. Additionally, a storage device, such as a hard drive, may have dissimilar partitions, for example, fat and ext 2, to operate with two different operating systems. In such a case a remote administrator may only be able to see and access the partition which corresponds to the remote administrator""s operating system. Additionally, a search done by the remote administrator may be slower than a search carried out by software resident on that node. Remote access over a computer network also provides additional opportunities for abuse, such as unauthorized inspection.
Accordingly, there is a need for methods and systems for performing secure computer forensics investigations over a computer network.
An embodiment of the present invention is directed to the computer investigation of target machines connected to a network and security and authentication protocols that enable computer investigations to take place in a secure environment.
In one aspect of the present invention, a method of examining a storage device coupled to a target machine in a communications network is disclosed. The method includes installing a servelet on the target machine, commanding the servelet over the communications network to retrieve data from the storage device, using the servelet to retrieve data from the storage device, receiving data from the servelet over the communications network, and storing the retrieved data on a client machine.
In another aspect of the present invention, a machine coupled to a storage device and coupled to a network is disclosed. The machine includes a processing unit and a servelet, the servelet including computer code that executes on the processing unit, the code comprising: code that receives a command to read a portion of the storage device, code that reads the storage device according to the command received, and code that sends data from the reading of the storage device to a client machine.
In yet another aspect of the present invention, a method for secure forensic investigation of a target machine by a client machine over a communications network is disclosed. The method includes establishing secure communication with a server over a communications network, establishing secure communication with the target machine over the communications network, wherein establishing secure communication with the target machine includes establishing secure communication between the server and the target machine, installing a servelet on the target machine, transmitting a secure command to the servelet over the communications network, executing the secure command in the servelet, transmitting data, by the target machine, in response to a servelet instruction, and receiving the data from the target machine over the communication network.
In yet another aspect of the present invention, a system for secure forensic investigation over a communication network is disclosed. The system includes a target machine coupled to the communication network, the target machine coupled to a storage device, a client machine coupled to the communications network, the client machine configured to investigate the target machine over the communications network, and an intermediate node coupled to the communications network, wherein the intermediate node is configured to facilitate secure communication between the client machine and the target machine over the communications network.
In yet another aspect of the present invention, an apparatus for secure forensic investigation of a target machine by a client machine over a communications network is disclosed. The apparatus includes means for establishing secure communication with a server over a communications network, means for establishing secure communication with the target machine over the communications network, wherein establishing secure communication with the target machine includes means for establishing secure communication between the server and the target machine, means for installing a servelet on the target machine, means for transmitting a secure command to the servelet over the communications network, means for executing the secure command in the servelet, means for transmitting data, by the target machine, in response to a servelet instruction, and means for receiving the data from the target machine over the communication network.
It is understood that other aspects of the present invention will become readily apparent to those skilled in the art from the following detailed description, wherein is shown and described only exemplary embodiments of the invention, simply by way of illustration. As will be realized, the invention is capable of other and different embodiments, and its several details are capable of modifications in various respects, all without departing from the invention. Accordingly, the drawings and description are to be regarded as illustrative in nature, and not as restrictive.