GB2454715A - Computer program for extracting forensic data form a target computer - Google Patents

Computer program for extracting forensic data form a target computer Download PDF

Info

Publication number
GB2454715A
GB2454715A GB0722510A GB0722510A GB2454715A GB 2454715 A GB2454715 A GB 2454715A GB 0722510 A GB0722510 A GB 0722510A GB 0722510 A GB0722510 A GB 0722510A GB 2454715 A GB2454715 A GB 2454715A
Authority
GB
United Kingdom
Prior art keywords
data
forensic
target computer
source path
destination folder
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Withdrawn
Application number
GB0722510A
Other versions
GB0722510D0 (en
Inventor
Ali Jahangiri
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Individual
Original Assignee
Individual
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Individual filed Critical Individual
Priority to GB0722510A priority Critical patent/GB2454715A/en
Publication of GB0722510D0 publication Critical patent/GB0722510D0/en
Publication of GB2454715A publication Critical patent/GB2454715A/en
Withdrawn legal-status Critical Current

Links

Classifications

    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/60Protecting data
    • G06F21/64Protecting data integrity, e.g. using checksums, certificates or signatures

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Theoretical Computer Science (AREA)
  • Health & Medical Sciences (AREA)
  • Bioethics (AREA)
  • General Health & Medical Sciences (AREA)
  • Computer Hardware Design (AREA)
  • Software Systems (AREA)
  • Physics & Mathematics (AREA)
  • General Engineering & Computer Science (AREA)
  • General Physics & Mathematics (AREA)
  • Information Retrieval, Db Structures And Fs Structures Therefor (AREA)

Abstract

Disclosed is a computer program and method for automated evidence gathering from a target computer hard drive. A graphical user interface allows the section of the source drive, the section of the destination storage medium and the starting of the data extraction. The program copies forensic data from pre-programmed forensic data paths on the source drive to the destination storage medium while preserving the MD5 checksum of the data for file integrity. Data folder names are re-designated to correspond to a categorization of the data based on its location on the target computer. The program produces a report with the name of the forensic data and the MD5 checksum of the forensic data. The method includes loading the program onto the target computer selecting the operating system, selecting the source drive, selecting the destination storage medium and starting the data extraction. The program may also determine the target computers network connections and open ports. The pre-programmed data paths may be in a data file that list the paths for a particular operating system.

Description

INVENTION TITLE
Tool and method for forensic examination of a computer
DESCRIPTION
Heading
FIELD OF INVENTION
[Para 1] In the field of computer forensics, a tool and corresponding method for automated evidence gathering from a computer hard drive or other computer storage device.
Heading
BACKGROUND OF THE INVENTION
[Para 2] Currently, computer forensics are undertaken based on searching a computer for the certain type of the evidence, such as for example, searching through the temporary files or the files with the TMP extensions. Electronic forensics is increasingly important for investigative disciplines, such as in civil litigation and crime detection. But it also has uses in private and commercial disciplines. For example, parents and other computer owners are increasingly desirous of monitoring computer usage; and, companies sometimes have need to investigate employee misconduct, wrongdoing and fraud.
[Para 3] Cyber forensic investigators examine data stored in a computer's hard drive or other storage medium to conduct the cyber forensic investigations. Such data contains information about the activities performed with the computer, which is under investigation.
Typically, forensic investigators would study the temporary files and folders, the system files, the computer software or application files, log files and the temporary files which are related to certain computer software. These data provide the means to prove a user's activities and often constitute digital evidence that may be used to take further action.
[Para 4] The process of computer forensics has heretofore been a hit or miss search of a hard disk for one or more specific types of the files thought to be relevant. A forensics search often targets and manages relevant information through keyword searching, filtering, data culling, and indexing. The data location and extraction process is labor intensive and can typically take days to months of effort to complete and the conversion of the data to useful files is susceptible to the vagaries of human error.
[Para 5] There is a need for an automated tool that substantially reduces the labor intensity of the process and can rapidly extract forensic evidence from a computer storage device, such as for example within an hour for a 1 20 gigabyte hard drive. There is a need for a forensic tool that automatically saves the data in an easily recognizable naming and organizational structure that preserves the traceabilty and authenticity of the recovered forensic data to ensure that it is valid and reliable evidence.
[Para 6] A solution in the form of the present invention was developed after extensive research involving various computer operating systems, a methodical characterization of the locations of forensic information for each such computer operating system, and the development of a program to aid in the automated extraction and transforms the information by storage into an organized system that preserves its source identification and integrity.
Heading
DESCRIPTION OF PRIOR ART
[Para 7] Tools and methods employing software to assist in a forensic evaluation of a computer hard drive exists in various embodiments. These typically require intensive user participation via a graphical user interface, including for example input of search terms and intensive evaluation of the data to be extracted and stored. While a graphical user interface is used in the current invention, its is greatly simplified to election of the operating system, the drive where data is stored, the destination location where the extracted forensic data is to be stored and a button to start the process. No search words are needed or used and no evaluation of the data is performed prior to extraction and storage.
[Para 81 Unlike the present invention, which is fully automated as to the extraction and storage of forensic data, such prior art typically attempts to guide a user through various steps in conducting a complicated forensic examination and then extract and store the desired information. In addition, the prior art generally does not provide the means to automatically index and categorize the evidence in a manner that preserves the identification of its source location, simplifies its subsequent analysis and virtually eliminates human error and chain of custody issues.
[Para 9] One example of this type of prior art is United States Patent Application 200702261 70 ("1 70 application"), which discloses an electronic forensic tool for conducting electronic discovery and computer forensic analysis. The 1 70 application teaches that a device usable by a non-technical person such as a non-forensic expert to conduct electronic discovery and thereby obviate the need for an expert in many situations. It also teaches a business method for electronic discovery involving a software program and a command server for generating expanded functionality. Using software, a user boots a computer and examines the electronic contents. The software enables the user to conduct limited examination of available data, which is facilitated through the use of a graphical user interface.
[Para 1 0] Some prior art also enables a remote user to view the computer evidence acquired from the target computing device. An example of this type of prior art is United States Patent Application 20040260733 published December 23, 2004, which teaches techniques for allowing a user to remotely interrogate a target computing device through a graphical user interface. Remote operability allows the user to interrogate the target computing device to acquire the computer evidence without seizing or otherwise shutting down the target device. While remote operability is an added feature, this type of prior art requires the same type of user interaction involving a complicated forensic examination and decision structure leading to the extraction and storage of the desired information.
[Para 11] Accordingly, the present invention will serve to improve the state of the art by providing an automated system and method that rapidly finds forensic evidence, documents the origin of extracted data, saves the original information without alteration in an indexed categorization system and virtually eliminates human error and chain of custody issues.
The present invention improves the state of the art by reducing the time needed for reliable forensics data extraction from potentially months of effort to about an hour.
Heading
BRIEF SUMMARY OF THE INVENTION
[Para 1 2] A tool and method for automated evidence gathering from a computer hard drive or other computer storage device. The tool comprises a computer memory device on which resides a client program. The client program is operable by the target computer's operating system. The client program presents a graphical user interface that allows a user to implement acts comprising election of the operating system on the target computer; election of the source drive where forensic data is stored; election of the destination storage medium where extracted forensic data is to be stored; and, starting data extraction. The client program copies forensic data from pre-programmed forensic data paths on the source drive to the destination storage medium while preserving the MD5 checksum of the data for file integrity. The client program redesignates a data folder name to correspond to a categorization of the data based on its location on the target computer. The client program is operable produce a report with the name of the forensic data and the MD5 checksum of the forensic data.
[Para 1 3] The method uses the tool to conduct electronic forensic examination on a target computer. Steps include loading the client program on the target computer; electing an operating system; electing a source drive; electing a destination storage medium; and, starting data extraction.
Heading
BRIEF DESCRIPTION OF THE DRAWINGS
[Para 14] FIG.1 is a flow diagram of a process of using the invention for forensic examination of a computer.
Heading
DETAILED DESCRIPTION
[Para 1 5] In the following description, reference is made to the accompanying drawing, which forms a part hereof and which illustrates several embodiments of the present invention. The drawing and the preferred embodiments of the invention are presented with the understanding that the present invention is susceptible of embodiments in many different forms and, therefore, other embodiments may be utilized and structural and operational changes may be made without departing from the scope of the present invention.
[Para 1 6] The apparatus of the invention is a tool for extracting forensic data from a target computer. A target computer is one in the ordinary sense of a computer. Typically, a computer has a hard disk for storing programs, files and other digital information, random access memory to operate the programs, and an operating system, such as MICROSOFT WINDOWS XP and MICROSOFT WINDOWS VISTA. An alternative embodiment provides a radio button and limits the election of the operating system on the target computer comprises to either MICROSOFT WINDOWS XP or MICROSOFT WINDOWS VISTA.
[Para 1 7]The tool comprises a computer memory device on which resides a client program.
The computer memory device may be any such device capable of storing the client program, for example, portable and network-accessible computer memory devices. Typical examples of portable computer memory devices include a compact disk, digital video disk, removable flash memory card, removable drive, a USB flash drive, and a ZIP disk. A typical example of a network accessible-computer memory device is a remote server accessible via an Internet connection.
[Para 1 8] The client program is operable by the target computer's operating system. This essentially means that client program on the computer memory device must be accessible and readable by the target computer.
[Para 1 9] Once in operation, the client program presents a graphical user interface on the target computer so that a user can make an election as to the operating system on the target computer, make an election as to the source drive where forensic data is stored, make an election as to the destination storage medium where extracted forensic data is to be stored. These elections enable the program to automatically function in extracting forensics data from the target computer. Once these elections are made, the graphical user interface enables the user to start data extraction.
[Para 20] In an alternative embodiment the graphical user interface further allows selection of a user account on the target computer. Most operating systems all computers to have files and programs restricted to various users. This selection option would limit the data extraction to the particular user being investigated.
[Para 21] For embodiments where a user is selected, the client program is further operable by the target computer's operating system to create a first folder on the destination storage medium with the name of the target computer and create inside of the first folder a second folder with the name of the user account from which the forensic data is extracted.
[Para 22] Data extraction copies forensic data from pre-programmed forensic data paths on the source drive to the destination storage medium. The client program automatically calls up the pre-programmed forensic data paths based on the operating system selected by the user. Preferably, each operating system has a corresponding data file apart from the program file, wherein the data file lists the paths for that operating system. Thus, for a preferred embodiment, the pre-programmed forensic data paths are in a data file, wherein the data file lists the paths for a single operating system.
[Para 23JA separate data file permits the client program to be easily updated with a revised data file whenever the paths need to be changed or supplemented due to revisions in a computer operating system or computer program or when a new user program is created.
[Para 241 Data extraction preserves the MD5 checksum of the data for file integrity. The MD5 checksum (Message-Digest algorithm 5) for a file is typically a 1 28-bit value, akin to a fingerprint of the file. There is a very small possibility of getting two identical checksums of two different files. This feature is useful both for comparing the files and for their integrity control.
[Para 25] Data extraction also redesignates a data folder name to correspond to a categorization of the data based on its location on the target computer.
[Para 26] The client program also operable to produce a report comprising the name of the forensic data and the MD5 checksum of the forensic data. This report may be saved for display elsewhere or may be displayed on the target computer.
[Para 27] In an alternative embodiment, the client program is further operable to determine the target computer's network connections and open ports and for this embodiment, the report would further contain this information.
[Para 28] FIG.1 is a flow diagram of a method using a preferred embodiment of the invention as described above with some optional steps representing alternative embodiments. The optional steps are shown with dashed arrows. The method enables an electronic forensic examination of a target computer by implementing the steps of loading the client program on the target computer (1 0); electing an operating system (1 5); electing a source drive (20); electing a destination storage medium (25); and, starting data extraction (30).
[Para 29] While starting data extraction runs the extraction program, this step may be further limited by the functionality of the client program wherein the client program implements steps comprising: loading a file from the computer memory device, said file containing pie-programmed forensic data paths located on the elected source drive as relevant to the elected operating system (31); searching for forensic data on the elected source drive using the pre-programmed forensic data paths (32); copying forensic data found from searching for forensic data on the elected source drive using the pre-programmed forensic data paths (33); storing the copied forensic data on the destination storage medium while preserving the MD5 checksum of the data for file integrity and redesignating a data folder name to correspond to a categorization of the data based on its location on said target computer (34); and, producing the report (35). As described above, the report contains the file name of the forensic data and the MD5 checksum of the forensic data (36) and it may optionally contain network connection details (37). Producing the report includes saving the report (38), typically on the destination storage medium, and, optionally, displaying the report (39).
Heading Example 1 -pre-programmed forensic data paths on a source drive and redesignated destination folder names.
[Para 30] The current possible source paths for the MICROSOFT WINDOWS VISTA operating system including the folders name which to be used to copy forensic data and the destination folder names to store the forensic data: o Source Path: \users\%username%\AppData\Local\Temp o Destination Folder: \TempFiles\ o Source Path \users\%username%\AppData\Roami ng\Microsoft\Wi ndows\Recent o Destination Folder:\RecentFiles\ o Source Path \users\%username%\AppData\Roami ng\Microsoft\Wi ndows\Network Shortcuts o Destination Folder:\Network5hortcuts\ o Source Path \users\%username%\AppData\Roami ng\Microsoft\Wi ndows\Printer Shortcuts o Destination Folder: \PrinterShortcuts\ o Source Path :\users\%username%\AppData\Roami ng\Microsoft\Windows\Web Server Extensions o Destination Folder: \WebServerExtensions\ o Source Path: \users\%username%\AppData\Roaming\Microsoft\ActiveSync o Destination Folder: \ActiveSync\ o Source Path: \users\%username%\AppData\Roaming\Microsoft\lnstaller o Destination Folder: \lnstalledProgramRecords\ o Source Path: \users\%username%\AppData\Roaming\Microsoft\MSN Messenger o Destination Folder:\MSNMessenger\ o Source Path: \users\%username%\AppData\Roaming\Microsoft\uProof o Destination Folder: \MSOfficeRecords\ o Source Path: \ users \%username%\AppData\ Roaming \ Microsoft\Office\ Recent o Destination Folder: \OfficeO7RecentFile\ o Source Path: \users\%username%\AppData\Local\Microsoft\Windows\Temporary Internet Files o Destination Folder: \TemplnternetFiles\ o Source Path: \use rs\%username%\AppData\Roam I ng\Microsoft\Wi ndows\Cookies o Destination Folder: \lECookies\ o Source Path: \users\%username%\AppData\Local\Microsoft\Windows Live Contacts o Destination Folder:\WindowsLive\ o Source Path: \users\%username%\AppData\Local\Microsoft\Windows Calendar o Destination Folder: \WindowsCalendar\ o Source Path: \users\%username%\AppData\Local\Microsoft\Windows Mail o Destination Folder: \WindowsMail\ o Source Path: \users\%username%\AppData\Roami ng\Mozilla\Firefox\Profiles o Destination Folder: \FireFox\ o Source Path: "\users\%username%\AppData\Roaming\Microsoft\Crypto o Destination Folder:\SavedPasswords-Crypto\ o Source Path: \users\%username%\AppData\Local\Microsoft\Outlook o Destination Folder:\OutlookO7\ o Source Path: \users\%username%\AppData\Local\Microsoft\OIS o Destination Folder:\ViewedPictures\ o Source Path: \users\%username%\AppData\Local\Microsoft\Media Player o Destination Folder:\MediaPlayer\ o Source Path: \users\%username%\AppData\Local\Microsoft\Office o Destination Folder:\OfficeETC\ o Source Path: \users\%username%\AppData\Local\Microsoft\Signatures o Destination Folder:\OfficeSignatures\ o Source Path: \users\%username%\AppData\Local\Microsoft\Terminal Server Client I0 o Destination Folder:\TerminalServerClient\ o Source Path: \users\%username%\AppData\Local\Microsoft\ Windows Defender o Destination Folder:\WindowsDefender\ o Source Path: \$recycle.bin o Destination Folder:\RecycleBin\ o Source Path: \System.Sav\ o Destination Folder:\SystemSave\ o Source Path: \users\%username%\Searches o Destination Folder:\SearchesRecords\ o Source Path: "\users\%username%\Contacts o Destination Folder:\ContactsRecords\ o Source Path: \users\%username%\Desktop o Destination Folder:\Desklop o Source Path: \users\%username%\Documents o Destination Folder:\Documents\ o Source Path: \users\%username%\Downloads o Destination Folder:\DownloadsRecords\ o Source Path: \users\%username%\Favorites o Destination Folder:\lEFavorites\ o Source Path: \users\%username%\Links o Destination Folder:\Links\ o Source Path: \users\%username%\Music o Destination Folder:\Music\ o Source Path: \users\%username%\Pictures o Destination Folder: \Pictures\ t o Source Path: \users\%username%\ Videos o Destination Folder:\Videos\ o Source Path: \users\%username%\Links o Destination Folder:\Links\ o Source Path: \Windows\security o Destination Folder:\SecurityLogs\ o Source Path: \Windows\SoftwareDistribution o Destination Folder: \ApplicationLogs-lnfo\ o Source Path: \Windows\System32\config o Destination Folder:\WindowsConfig\ o Source Path: \Windows\Prefetch o Destination Folder:\WindowsPrefetch\ o Source Path: \Program Files\Netscape\Navigator\Cache o Destination Folder:\Netscape\NavigatorCash\ o Source Path: \Program Files\Netscape\Users\default\Cache o Destination Folder:\Netscape\UsersCash\ o Source Path: Program Files\Netscape\Users\default o Destination Folder:\Netscape\UsersCash\ o Source Path: \Program Files\Netscape\Navigator\Mail o Destination Folder:\Netscape\Mail\ o Source Path: \Program Files\Netscape\Users\default\Mail o Destination Folder:\Netscape\Mail\Users o Source Path: \Windows\lnternet Logs o Destination Folder:\lnternetLog\ o Source Path: \Windows\ModemLogs o Destination Folder:\ModemLog\ o Source Path: \program files\divx\divx player o Destination Folder:\DivxRecords\ o Source Path: \Program Files\Qualcomm\Eudora o Destination Folder:\EudoraRecords\ o Source Path: \users\%username%\AppData\Local\Roaming\Opera o Destination Folder:\Opera\ o Source Path: \Program Files\Opera75\profile o Destination Folder:\Opera\Profile\ o Source Path: \Program Files\Opera o Destination Folder:\Opera\Opera 2\ o Source Path: \Users\%username%\AppData\Roaming\Microsoft\Credentials o Destination Folder:\Win-Credentials\ o Source Path: \Users\%username%\AppData\Local\Microsoft\Credentials o Destination Folder:\Win-Credentials 2\ o Source Path: \Users\%username%\AppData\Roami ng\Microsoft\SystemCertificates o Destination Folder:\SystemCertificates\ o Source Path: \Users\%username%\AppData\Roaming\Symantec o Destination Fotder:\SymantecRecords\ o Source Path: \Users\%usernmae%\AppData\Local\Microsoft\Feeds o Destination Folder:\FeedsRecords\ o Source Path: \users\%username%\appdata\local\Skype\Phone o Destination Folder:\Skype\Phone o Source Path: \users\%username%\appdata\Roaming\Skype\Phone o Destination Folder:\Skype\Phonel o Source Path: \users\%username%\AppData\Roaming\Skype o Destination Folder:\Skype\Skype\ o Source Path: \users\%username%\AppData\Local\Skype o Destination Folder:\Skype\Skype2\ o Source Path: \ProgramData\Microsoft\Search o Destination Folder:\SearchsRecords 2\ o Source Path: \Users\%username%\AppData\Local\Microsoft\Messenger o Destination Folder: \MsnMessenger 2\ Heading Example 2 -pre-programmed forensic data paths on a source drive and redesignated destination folder names.
[Para 31]The current possible source paths for the MICROSOFT WINDOWS XP operating system operating system including the folders name which to be used to copy forensic data and the destination folder names to store the forensic data: o Source Path: \recycled o Destination Folder: \RecycleBin\ o Source Path: \Documents and Settings\%username%\Local Settings\Temp o Destination Folder: \TempFiles\ o Source Path:\Documents and Settings\AII Users\Application Data\Microsoft\OFFICE o Destination Folder: \MSOffice\ o Source Path:\WINDOWS\system32\CatRoot2 o Destination Folder: \CryptoService-CatRoot\ o Source Path:\Documents and Settings\%username%\Application Data\Mozilla\Firefox\Profiles o Destination Folder: \ Firefox\ o Source Path:\Documents and Settings\%username%\Application Data\Mozilla\Firefox o Destination Folder: \ Firefox 2\ o Source Path:\Documents and Settings\%username%\Local Settings\Application Data\Mozilla\Firefox o Destination Folder: \ Firefox 3\ o Source Path:\WINDOWS\system32\CatRoot2 o Destination Folder: CryptoService-CatRoot o Source Path:\WINDOWS\security\ o Destination Folder:\WindowsSecurity\ o Source Path:\WINDOWS\SoftwareDistributjori\ o Destination Folder:\ApplicationLogs-lnfo\ o Source Path:\WINDOWS\system32\config o Destination Folder: \WindowsConfig\ o Source Path:\WINDOWS\prefetch o Destination Folder: \WindowsPrefetch\ o Source Path:\Windows\temp o Destination Folder: \WindowsTempFiles\ o Source Path:\WINDOWS\temp\History\History.lE5 o Destination Folder:\lEHistory\ o Source Path: \Documents and Settings\%username%\Local Settings\Temp o Destination Folder: \TempFiles 2\ o Source Path: \Documents and Settings\%username%\Recent o Destination Folder: \RecentFiles\ o Source Path: \Documents and Settings\%username%\Local Settings\Temporary Internet Files o Destination Folder: \Templnternet Files\ o Source Path: \Documents and Settings\%username%\Local Settings\History o Destination Folder: \WindowsExplorerHistory\ o Source Path: \Documents and Settings\%username%\Local Settings \ History\History. 1E5 o Destination Folder: \lEHistory 2 \ o Source Path: \Documents and Settings\%username%\Cookies o Destination Folder:\lECookies\ o Source Path: \Documents and Settings\%username%\Application Data\Microsoft\Media Player o Destination Folder: \MediaPlayer\ o Source Path: \Documents and settings\all users\Application Data\Microsoft\Media Index o Destination Folder:\Medialndex\ o Source Path:\Program Files\Netscape\Navigator\cache o Destination Folder:\Netscape\NavigatorCash\ o Source Path:\Program Files\Netscape\Users\default\Cache o Destination Folder:\Netscape\lJsersCash\ o Source Path:\Program Files\Netscape\Users\default o Destination Folder:\Netscape\UsersCash 2\ o Source Path:\Program Files\Netscape\Navigator\Mail o Destination Folder: \NavigatorMail\ o Source Path:\Program Files\Netscape\Users\default\Majl o Destination Folder:\Netscape\LisersMail\ o Source Path:\WINDOWS\repair o Destination Folder:\WindowsRepair\ !L7 o Source Path:\program files\divx\divx player o Destination Folder: \DivxPlayerRecords\ o Source Path:\Program Files\Qualcomm\Eudora o Destination Folder: \EudoraRecords\ o Source Path: \Documents and Settings\%username%\Application Data\M icrosoft\Office\Recent o Destination Folder: \RecentFiles\ o Source Path: \Documents and Settings\%username%\Application Data\Opera o Destination Folder: \Opera o Source Path:\Program Files\Opera75\profile o Destination Folder: \Opera\Profile\ o Source Path:\Program Files\Opera o Destination Folder: \Opera 2\ o Source Path:\Documents and Settings\%username%\Local Settings\Temporary Internet Files o Destination Folder:\TemplnternetFiles\ o Source Path:\Documents and Settings\%username%\Local Settings\Application Data\ldentities o Destination Folder:\Windowsldentities\ o Source Path:\Documents and Settings\%username%\Application Data\Google o Destination Folder:\Google\ o Source Path:\Documents and Settings\%username%\Application Data\Macromedia o Destination Folder:\Macromedia\ o Source Path: \Documents and Settings\%username%\Application Data\Microsoft\Address Book o Destination Folder:\AddressBook\ o Source Path:\Documents and Settings \%username%\Application Data\Microsoft\Crypto o Destination Folder: \SavedPasswords-Crypto\ o Source Path:\Documents and Settings\%username%\Application Data\Microsoft\Cryptnetljrlcache o Destination Folder: \ CryptnetUrlCache\ o Source Path:\Documents and Settings\%username%\Application Data\Microsoft\Network o Destination Folder: \Networks\ o Source Path:\Documents and Settings\%username%\Application Data\ Microsoft \Office o Destination Folder:\MSOffjce 2\ o Source Path: \Documents and Settings\%username%\Applicatjon Data\Microsoft\Signatures o Destination Folder: \Signatures\ o Source Path:\Documents and Settings\%username%\Application Data\Microsoft\SystemCertificates o Destination Folder: \SystemCertificates\ o Source Path:\Documents and Settings\%username%\Local Settings\Application Data\Symantec o Destination Folder: \SymantecRecords\ o Source Path:\Documents and Settings\%username%\Local Settings\Application Data\Microsoft\Windows Media o Destination Folder:\Windows Media o Source Path:\Documents and Settings\%username%\Local Settings\Application Data\Microsoft\Terminal Server Client o Destination Folder: \TerminalServerClient\ o Source Path:\Documents and Settings\%username%\Local Settings\Application Data\Microsoft\Outlook o Destination Folder: \Outlook\ o Source Path: \Documents and Settings\%username%\Local Settings \Application Data\Microsoft\Ol5 o Destination Folder: \ViewedPictures\ o Source Path: \Documents and Settings\%username%\Local Settings\Application Data\Microsoft\lnternet Explorer o Destination Folder:\InternetExplorer o Source Path: \Documents and Settings\%username%\Local Settings\Application Data\Microsoft\Feeds o Destination Folder: \FeedsRecords\ o Source Path: \Documents and Settings\%username%\Local Settings\Application Data\Microsoft\Credentials o Destination Folder: \Windows\Credentials\ o Source Path: \WINDOWS\internet logs o Destination Folder:\lnternetLogs\ o Source Path: \program files\yahoo! o Destination Folder: \Yahoo!\ o Source Path: \Documents and Settings\%username%\NetHood o Destination Folder: \NetHood\ o Source Path: \Documents and Settings\%username%\Favorites o Destination Folder: \Favorites\ o Source Path: \Documents and Settings\%username%\Desktop o Destination Folder:\Desktop\ o Source Path: \Documents and Settings\%username%\My Documents o Destination Folder: \My Documents\ o Source Path:\appdata\Skype\Phone o Destination Folder: \Skype\ o Source Path:\users\%username%\AppData\Roaming\Skype o Destination Folder: \Skype\Skype 2 o Source Path: \Documents and Settings\%username%\Application Data\Skype o Destination Folder: \Skype\Skype 3 o Source Path:\Documents and Settings\%username%\Local Settings\Application Data\Microsoft\Messenger o Destination Folder:\Messenger\ [Para 32] The above-described embodiments including the drawing are examples of the invention and merely provide illustrations of the invention. Other embodiments will be obvious to those skilled in the art. Thus, the scope of the invention is determined by the appended claims and their legal equivalents rather than by the examples given.

Claims (1)

  1. What is claimed is: [Claim 1] A tool for extracting forensic data from a target computer comprising a computer memory device on which resides a client program wherein said client program is operable by the target computer's operating system to: (a) present a graphical user interface wherein a user can implement acts comprising: (1) election of the operating system on the target computer, (2) election of the source drive where forensic data is stored, (3) election of the destination storage medium where extracted forensic data is to be stored, and, (4) starting data extraction, wherein said data extraction copies forensic data from pre-programmed forensic data paths on the source drive to the destination storage medium while preserving the MD5 checksum of the data for file integrity and redesignating a data folder name to correspond to a categorization of the data based on its location on said target computer; and, (b) produce a report comprising the name of the forensic data and the MD5 checksum of the forensic data.
    [Claim 2] The tool of claim 1 wherein election of the operating system on the target computer comprises selecting a radio button for either MICROSOFT WINDOWS XP or MICROSOFT WINDOWS VISTA operating system.
    [Claim 3] The tool of claim 1 wherein said client program is further operable by the target computer's operating system to determine the target computer's network connections and open ports.
    [Claim 4] The tool of claim 1 wherein said client program is further operable by the target computer's operating system to display the report on the target computer.
    [Claim 5] The tool of claim 1 wherein the pre-programmed forensic data paths are in a data file, wherein the data file lists the paths for a single operating system.
    [Claim 6] The tool of claim 1 wherein the graphical user interface further allows selection of a user account on the target computer.
    [Claim 71 The tool of claim 6 wherein said client program is further operable by the target computer's operating system to create a first folder on the destination storage medium with the name of the target computer and create inside of the first folder a second folder with the name of the user account from which the forensic data is extracted.
    [Claim 81 A method of using the tool of claim 1 to conduct electronic forensic examination of a target computer comprising the steps of: (a) loading the client program on the target computer; (b)electing an operating system; (c) electing a source drive; (d) electing a desination storage medium; and, (e) starting data extraction.
    [Claim 9] The method of claim 8 wherein the step of starting data extraction runs the client program wherein said client program implements steps comprising: (a) loading a file from the computer memory device, said file containing pre-programmed forensic data paths located on the elected source drive as relevant to the elected operating system; (b) searching for forensic data on the elected source drive using the pre-programmed forensic data paths; (C) copying forensic data found from searching for forensic data on the elected source drive using the pre-programmed forensic data paths; (d) storing the copied forensic data on the desination storage medium while preserving the MD5 checksum of the data for file integrity and redesignating a data folder name to correspond to a categorization of the data based on its location on said target computer; and, 2-2- (e) producing the report.
GB0722510A 2007-11-19 2007-11-19 Computer program for extracting forensic data form a target computer Withdrawn GB2454715A (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
GB0722510A GB2454715A (en) 2007-11-19 2007-11-19 Computer program for extracting forensic data form a target computer

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
GB0722510A GB2454715A (en) 2007-11-19 2007-11-19 Computer program for extracting forensic data form a target computer

Publications (2)

Publication Number Publication Date
GB0722510D0 GB0722510D0 (en) 2007-12-27
GB2454715A true GB2454715A (en) 2009-05-20

Family

ID=38896427

Family Applications (1)

Application Number Title Priority Date Filing Date
GB0722510A Withdrawn GB2454715A (en) 2007-11-19 2007-11-19 Computer program for extracting forensic data form a target computer

Country Status (1)

Country Link
GB (1) GB2454715A (en)

Citations (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20070091746A1 (en) * 2005-10-12 2007-04-26 Storage Appliance Corporation Optical disc for simplified data backup
WO2007067424A2 (en) * 2005-12-06 2007-06-14 David Sun Forensics tool for examination and recovery of computer data

Patent Citations (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20070091746A1 (en) * 2005-10-12 2007-04-26 Storage Appliance Corporation Optical disc for simplified data backup
WO2007067424A2 (en) * 2005-12-06 2007-06-14 David Sun Forensics tool for examination and recovery of computer data

Also Published As

Publication number Publication date
GB0722510D0 (en) 2007-12-27

Similar Documents

Publication Publication Date Title
US20080065811A1 (en) Tool and method for forensic examination of a computer
US9853930B2 (en) System and method for digital evidence analysis and authentication
Leigland et al. A formalization of digital forensics
US20210314343A1 (en) System and method for identifying cybersecurity threats
US7886049B2 (en) Extensible software tool for investigating peer-to-peer usage on a target device
US8799317B2 (en) Forensic system, forensic method, and forensic program
Quick et al. Big forensic data management in heterogeneous distributed systems: quick analysis of multimedia forensic data
US20010052121A1 (en) Installation method, activation method, execution apparatus and medium of application program
US9680844B2 (en) Automation of collection of forensic evidence
US20110191306A1 (en) Computer, its processing method, and computer system
EP2893480B1 (en) Snippet matching in file sharing networks
US20140358868A1 (en) Life cycle management of metadata
JP2006302170A (en) Log management method and device
US20110047130A1 (en) Method and apparatus for collecting evidence
Lohiya et al. Survey on mobile forensics
Satrya et al. Proposed method for mobile forensics investigation analysis of remnant data on Google Drive client
US10885070B2 (en) Data search method and device
US7937430B1 (en) System and method for collecting and transmitting data in a computer network
Quick et al. Big Digital Forensic Data: Volume 2: Quick Analysis for Evidence and Intelligence
Quick et al. Forensic analysis of windows thumbcache files
Simon et al. Enhancement of forensic computing investigations through memory forensic techniques
Quick et al. Quick analysis of digital forensic data
GB2454715A (en) Computer program for extracting forensic data form a target computer
CN107741956B (en) Log searching method based on web container configuration file
US20190129670A1 (en) Information processing apparatus

Legal Events

Date Code Title Description
WAP Application withdrawn, taken to be withdrawn or refused ** after publication under section 16(1)