37 results about "Computer forensics" patented technology

Systems and methods for collection of volatile forensic data from active systems are described. In an embodiment of the methods, a selected set of forensics data items can be selected. Runtime code capable of launching data collection modules from a removable storage device with little or no user input is generated and stored on the device. The collection of forensic data can then be accomplished covertly using the removable storage device by a person with minimal training. In another embodiment, pre-deployed agents in communication with servers and controlled by console software can collect forensic data covertly according to schedule, immediately at the command of an analyst using a remote administrative console, or in response to a triggering event.

Methods and systems are provided for a proactive approach for computer forensic investigations. The invention allows organizations anticipating the need for forensic analysis to prepare in advance. Digital signatures are generated proactively for a specified target. The digital signature represents a digest of the content of the target, and can be readily stored. Searching and comparing digital signatures allows quick and accurate identification of targets having identical or similar content. Computational and storage costs are expended in advance, which allow more efficient computer forensic investigations. The present invention can be applied to numerous applications, such as computer forensic evidence gathering, misuse detection, network intrusion detection, and unauthorized network traffic detection and prevention.

A method for assessing capability and maturity of an organization's computer forensics processes defines an architecture for a computer forensics capability and maturity model (CMM), a computer forensics CMM appraisal method, implements the computer forensics CMM for improving computer forensics processes within the organization, and conducts an appraisal of the organization according to the CMM appraisal method.

The present invention concerns an electronic forensic tool for conducting electronic discovery and computer forensic analysis. The present invention allows a non-technical person such as a non-forensic expert to conduct electronic discovery and thereby obviate the need for an expert in many situations. The present invention allows for electronic discovery in a forensically sound manner. The present invention also concerns a business method for electronic discovery involving a software program and a command server for generating expanded functionality. The client software may be distributed at minimal or no cost, preferably as a CD. Using the client software, a user boots a target machine to determine whether a target machine contains data of interest. The client software will, however, only display limited data such as file information, date, last modified, and file size. To access and examine the actual underlying data, the user must obtain additional functionality, e.g. by purchasing a command block from the control server. The additional functionality will allow the client program to extract the data of interest or the entire contents of the target machine to an external device for further analysis.

A computer forensic accelerator engine designed to speed up the forensic analysis process is disclosed. It is a device for use with an analysis device to analyze data on a suspect computer device, and includes a first interface for connecting to the suspect computer device, a second interface for connecting to the analysis device, and a processing unit programmed to read data from the suspect device via the first interface, perform analysis on the data, transmit the data to the analysis device via the second interface, and transmit results of the analysis to the analysis device via the second interface. A drive write protect module may be integrated in the computer forensic accelerator engine. The computer forensic accelerator engine allows data read from the suspect drive to be analyzed while acquiring the data. Also disclosed is a computer forensic analysis system and method using the computer forensic accelerator engine.

The invention discloses a method for extracting a text data file from a physical memory image. The method comprises the following steps of: searching an eprocess structure of a notepad.exe progress by utilizing characteristic values of the eprocess structure and offset between the characteristic values, and acquiring a page directory base address of the progress; and acquiring text data description information and labeling information in memory, and accurately acquiring the text data in the notepad.exe progress through the principle of converting the address of an operating system. The method can be used for data recovery, data extraction, computer forensic and the like.

The invention discloses a method for detecting the integration of high-efficiency finegrained data, relating to a method for detecting data integrity in the fields of data security and computer forensics. In the method, through encoding design based on the association and combination relation of lines and points in finite projective geometry, each supervision Hash corresponds to a point in a finite projective space, data objects to be supervised correspond to lines in the finite projective space, the point-line relation is utilized to determine the Hash supervision relation, multiple errors in a group of data objects can be accurately indicated, the compression rate is higher, the processing requirement of mass data can be met, and the storage space of Hash data and the network bandwidth required for Hash data transmission are saved. The method can be used for integration indication of forensic mapping in the computer forensics, and is applicable to integration detection of mass data,electronic data and computer evidences of data processing service department and judicial department, and also applicable to the occasions needing finegrained integration detection and fewer data error indication.

The invention relates to the field of computer forensics, in particular to a write protection lock for a hard disk in the Windows environment. The write protection lock comprises a USB unit, a loading program deposited in the sector 0 of the USB unit, a hard disk write-protection lock program deposited in the hidden sector of the USB unit. The loading program monitoring Windows operation system intermits the read-write of an objective hard disk through INT13H; when a computer is started up, the hard disk write protection lock program is embedded into the Windows operation system. The hard disk write-protection lock program monitoring Windows operation system reads and writes the objective hard disk through a drive program, and redirects write operation to the UBS unit, thereby preventing the data on the hard disk from being modified. The write protection lock is designed originally; no additional hardware units are needed between a computer motherboard and the hard disk. The service cost is low, and just one USB unit supporting the start-up from USB is needed; the use value is high; the write protection lock can be used as a running platform for computer crime forensics software.

The invention relates to a secret level marking identification method based on a Krawtchouk moment and a KNN-SMO classifier. The method relates to a theory based on the Krawtchouk moment and the KNN-SMO classifier applied to the secret level marking identification of the computer forensics, and the method comprises the steps: a secret level marking image is performed the image preprocessing, the feature vector is formed by calculated Krawtchouk moments of the image, and the secret level marking image is performed the classification and identification by the KNN-SMO classifier. On one side, the low-stage Krawtchouk moment can be used to express the characteristic of the image well and has good stability under the common attack, on the other side, the KNN-SMO classifier is used, so that the classifier has KNN quick sorting capacity and SMO advantage of solving small sample problem, so that precision and speed of the secret level marking identification is improved.

The invention discloses a computer forensics system and a method thereof based on user intention detection applied to a cloud computing environment. The system comprises a client end and a cloud proxyserver end. The client end is provided with an initialization driving module, a system control center and a system support module group. The cloud proxy server is deployed with forensics function module group. The invention realizes a lightweight virtual machine monitor at the client end, The forensic tools can directly utilize the convenience and flexibility brought by the hardware virtualization technology, provide tools for rapid analysis and real-time evidence acquisition, and build a cloud proxy server between the client and the server, so that the server can directly use the functions of the forensic system without reconstructing the cloud system architecture. The method overcomes the shortcomings of current forensics after the event, overcomes the flexibility shortcomings of the virtualization technology itself, has a wider application scope than the traditional security system, and ensures the credibility and accuracy of evidence collection.

The invention belongs to the technical field of data processing, and discloses a digital evidence integrality storage control system based on computer forensics. The system comprises: wireless sensor data collection nodes, a central data transmission node, a state signal module, a read-write control module and an operation module. Data read from a data memory are processed according to a signal transmitted by the read-write control module. The data collection nodes in the digital evidence integrality storage control system disclosed by the invention performs self organization to form a regional storage network, the data on each data collection node are stored in the nodes of the system in an encoding manner, and when the storage space of the ad hoc storage network is insufficient, the system covers the historical data with the newly collected data according to a certain interval through a set data coverage rule; and the digital evidence integrality storage control system disclosed by the invention greatly improves the reliability of the data storage of the system. The digital evidence integrality storage control system disclosed by the invention has popularization and application values.

The invention relates to a log-based computer forensics system. The system comprises a forensics server, forensics equipment, a database, a forensics management console, a target system and a forensics front end, The evidence obtaining device is connected with the evidence obtaining server, the database, the evidence obtaining management console and the target system. The database is also connected with the evidence obtaining management console; Wherein the target system is connected with the forensics front end; The forensics management console comprises a database management unit, a log forensics front-end management unit, a log recording unit, a log file storage and backup unit and a log data analysis and reporting unit; According to the system, the log file library is established, formats and default storage positions of most of system logs can be identified, and help is provided for understanding and analyzing log data; Meanwhile, log data collected by various systems can be imported into a database, keyword query and correlation analysis of various logs are carried out, and reports are generated and printed.

The invention discloses a computer forensic investigation equipment, which comprises a flat plate, the left and right ends of the flat plate are fixedly connected to the inner corresponding sides of the slip ring, the middle part of the slip ring is slidably installed with a sliding column, and the lower end of the sliding column passes through a rotating shaft Rotate and connect the upper side of the triangular plate, the lower end of the triangular plate is fixedly connected to the upper middle part of the grounding plate, the lower end of the grounding plate is provided with an anti-skid surface, and the upper end of the sliding column is fixedly connected to the lower end middle part of the limiting plate. The right-angle insert rod is inserted into the lock groove to stabilize the position of the slip ring, and then the device is placed on the uneven ground for use, and the small evidence is placed in the cylinder, which is inserted into the cylinder groove, and the clamping plate corresponds to the clamping Slot, rotate the right-angle turning lever, and the card board is stuck in the card slot, which is convenient for placing small documents on the device. After the lock lever is out of the socket, the card board comes out of the card slot, and the small evidence is taken out of the cylinder Use, and then it is convenient to use when looking for small documents next time.

The described systems and methods allow for selective collection of computer security data from client devices, such as personal computers, smartphones, and Internet of Things (IoT) devices. A security application executing on each client device includes a domain name service (DNS) agent that marks outgoing DNS messages with a client ID. The DNS server selects a client for data collection by returning a DNS response including a service activation flag. Some embodiments thus enable per DNS message selectivity for data collection. In some embodiments, subsequent network access requests made by the selected client are rerouted to a secure server for analysis.

This application discloses a method, device and system for anti-tampering of data evidence based on computer forensics, including: No. 1 blockchain node uses a visible light flash as a light source to collect and process images to obtain No. 1 image; perform hash calculation to obtain The first hash value; the second block chain node uses ultraviolet flashlight as the light source, and performs image acquisition and processing to obtain the second image; performs hash calculation to obtain the second hash value; the third block chain node uses visible light flashlight and The ultraviolet flash lamp is used as a light source to perform image acquisition and processing to obtain the No. 3 image; perform hash calculation to obtain the third hash value; the No. 1 block chain node obtains the first ciphertext and stores it in the first block chain; The No. 2 block chain node obtains the second ciphertext and stores it in the second block chain; the No. 3 block chain node obtains the third ciphertext and stores it in the third block chain. In this way, the data security of computer forensics is guaranteed, and the possibility of being tampered with is reduced.