Digital forensic analysis using empirical privilege profiling (EPP) for filtering collected data

摘要

A forensic device allows a user to remotely interrogate a target computing device in order to collect and analyze computer evidence that may be stored on the target computing device. The forensic device acquires the computer evidence from the target computing device and filters the computer evidence using an application-specific system-level privilege profile that describes the aggregate exercise of system-level privileges by a plurality of software application instances executing throughout an enterprise. The forensic device presents a user interface through which the remote user views the filtered computer evidence acquired from the target computing device. In this manner, forensic device allows the user to filter the collected computer evidence to data that is likely to have forensic relevance.