The term forensics generally means “pertaining to or used in a court of law,” and often relates to methods for obtaining evidence. Computer forensics is the systematic inspection of a computing device and its contents to collect, preserve and analyze data for possible use as evidence in a legal proceeding. Computer forensics typically is performed in a manner that adheres to the standards of evidence that are admissible in a court of law. Accordingly, specialized expertise and tools are used that go beyond the normal data collection and preservation techniques available to end-users or system support personnel.
The field of computer forensics maintains established practices which include processes and procedures for the collection, preservation, and analysis of data stored on computer systems. Applying these practices in a digital forensics investigation of a subject computer has historically required considerable time and effort from an experienced forensics practitioner. Accordingly, there is a need for faster, more cost-effective methods of performing a forensics investigation.
There are many challenges to be overcome when providing forensic services, including for example the need to comply with evidentiary requirements of a court of law. Evidence must be unchanged and have a documented chain of custody. Accordingly, any viable forensics method needs to maintain the integrity of the evidence.
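The two evidentiary requirements just named, that the evidence stay unchanged and that custody be documented, can be enforced together: hash the evidence at acquisition, record every custody event in an append-only log, and chain each record to the previous one so that neither the evidence nor the log can be altered without detection. The following is an added illustration, not code from the patent; the record layout, field names and sample image bytes are constructed for the example.

```python
import hashlib
import json
from datetime import datetime, timezone

GENESIS = "0" * 64  # "previous entry" value for the first custody record

def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

def _seal(entry: dict) -> dict:
    # Hash the record itself so a later edit to any field is detectable.
    entry["entry_sha256"] = sha256_hex(json.dumps(entry, sort_keys=True).encode())
    return entry

def acquire(evidence: bytes, examiner: str, note: str) -> dict:
    """Start a custody log; the hash taken at acquisition is the reference value."""
    entry = {"seq": 0, "timestamp": datetime.now(timezone.utc).isoformat(),
             "examiner": examiner, "action": "acquired", "note": note,
             "evidence_sha256": sha256_hex(evidence), "prev_entry_sha256": GENESIS}
    return {"entries": [_seal(entry)]}

def record(log: dict, evidence: bytes, examiner: str, action: str, note: str) -> dict:
    """Append a custody event; it re-hashes the evidence and chains to the last entry."""
    prev = log["entries"][-1]
    entry = {"seq": prev["seq"] + 1, "timestamp": datetime.now(timezone.utc).isoformat(),
             "examiner": examiner, "action": action, "note": note,
             "evidence_sha256": sha256_hex(evidence), "prev_entry_sha256": prev["entry_sha256"]}
    log["entries"].append(_seal(entry))
    return log

def verify(log: dict, evidence: bytes) -> list:
    """Return the problems found; an empty list means evidence and chain are intact."""
    problems = []
    reference = log["entries"][0]["evidence_sha256"]
    if sha256_hex(evidence) != reference:
        problems.append("evidence hash differs from the acquisition hash")
    prev_hash = GENESIS
    for e in log["entries"]:
        body = {k: v for k, v in e.items() if k != "entry_sha256"}
        if sha256_hex(json.dumps(body, sort_keys=True).encode()) != e["entry_sha256"]:
            problems.append(f"entry {e['seq']} was altered after it was sealed")
        if e["prev_entry_sha256"] != prev_hash:
            problems.append(f"entry {e['seq']} does not chain to the previous entry")
        if e["evidence_sha256"] != reference:
            problems.append(f"entry {e['seq']} recorded a different evidence hash")
        prev_hash = e["entry_sha256"]
    return problems
```

In practice the acquisition hash and the sealed log would be stored separately from the evidence image (for example, signed and held by the examiner) so that a party with access to the image cannot rewrite the record to match a modified copy.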
Another challenge to providing forensic services is gaining access to the computing device. The computing device may be used in an ongoing business enterprise and include sensitive data, which if made public could compromise legitimate business or personal interests. Another challenge is that of identifying computing devices which may have desired evidence. A large corporation may have hundreds, perhaps thousands of computers connected by various networks. Culpable data might be present only on relatively few computers, if any. Obtaining physical custody of all these computers could shut down a large enterprise, or otherwise damage legitimate ongoing business operations. Consequently, it is desirable to gain access to computing devices remotely.
Further, a computer forensic analysis may be a very time-consuming and expensive process. Typically, the forensic practitioner takes custody of the subject computer, documents it, images it, analyzes it, issues a report, and returns the computer to the customer. In many instances, this substantial effort may reveal that the computer has no desired evidence stored on it. Consequently, spending such a large effort (time and money) to determine whether or not evidentiary data is present (and is in need of preservation) on one computer often is not practical or economically feasible. Accordingly, there is a need for more cost-effective forensic analyses.
Embodiments of the present invention address these and other challenges to provide an effective forensics service allowing secure, remote access to a subject computer, which may remain situated in its working environment.