The present disclosure generally relates to electronic evidence management and, in particular, relates to systems and methods for capturing electronic evidence.
Information is growing at staggering rates, in a manner that is regulated, legislated, litigated, and depended on as never before. This situation presents significant information risk management (IRM) issues for organizations in many different areas. One area is litigation and investigation, where there is a need to comply with litigation requirements or support internal investigations. Another area is regulatory compliance, where there is a need for handling all information and records in accordance with applicable laws and regulations. Yet another area is information governance, where there is a need to protect critical confidential information and trade secrets. In another area, business continuity, there is a need for assurance that data is manageable, accessible, and in the case of unforeseen disasters, recoverable. Presently available systems only offer point solutions that address risks for typically one of the above categories to solve specific issues. Such prior art systems do not typically address risks for more than one area, and often exacerbate problems for other areas. Furthermore, such systems have static, non-extensible frameworks for capturing and organizing information that limits an organization's ability to manage risk or investigate incidents where organization or regulatory policy is violated.
Organizations typically have rules or policies for information management, but do not have methods to consistently apply the rules or policies to all electronic information in an organization's network. Organizations are typically subject to a myriad of information-related rules, regulations, and compliance regimes and laws. These information management regimes change over time. Often, a single electronic record is associated with multiple compliance regimes. Compliance regimes can potentially be in conflict with one another. Most organizations strive to destroy electronic information not subject to regulatory retention schedules as soon as practicable. However, it is difficult to destroy electronic information, since there are frequently multiple copies of the information existing throughout an organization. Also, the electronic information that has been deleted can frequently be recovered by forensic computer processes.
For many organizations, recorded information management schedules are often challenging to implement and process, as is complying with a legal hold order. It is often difficult for the organization follow the trail of who has sent, received, or viewed the electronic information, and where it has been stored. Furthermore, sequestering or restricting electronic access to electronic information is challenging, as information often resides on multiple nodes in an organization's computer network.
A violation of a policy of an organization can be considered an incident. Depending on the nature of the incident, the violation of organizational policy can ultimately lead to a lawsuit or regulatory agency investigation. Every piece of information that exists in the company (not just paper) the moment an incident occurs is potential evidence. Organizations that do not address paper and electronic information when it is created have difficulty in complying with a legal obligation to preserve the information, being able to guarantee the integrity of the information, being able to produce the information when subpoenaed, and not knowing what opposing counsel will find when they review the information.
Exemplary embodiments provide systems and methods for integrated information risk management (IRM). More specifically, these exemplary embodiments provide capture of potential electronic evidence, organization and storage of the electronic evidence, and enforcement of organization or regulatory policy (e.g., retention policies, behavior policies, conduct policies, etc.).
Exemplary embodiments as described herein capture electronic evidence within an organization without the need for individual users to explicitly publish the evidence to an evidence management system. Captured electronic evidence may include, but is not limited to, electronic documents, email, scanned documents, reports, messages, voice over internet protocol (VoIP), logs, any combination thereof, or any other suitable information. Systems and methods of the exemplary embodiments described herein identify, decompose, analyze, interpret, classify, index, and apply policies (e.g., organization specific retention and behavior policies, regulatory policies, behavior policies, etc.). The captured electronic evidence and associated extensible metadata may be stored in a secure digital storage repository.
An exemplary embodiment relates to a method for capturing electronic evidence, comprising deploying one or more agents to one or more sources of electronic evidence over a communications network, wherein the one or more deployed agents are undetectable by the one or more sources. The exemplary method further comprises transmitting one or more instructions point to the one or more deployed agents to capture electronic evidence from at least one service control, wherein the one or more deployed agents are inactive unless the one or more instructions are received. Upon receipt of the one or more instructions by the one or more deployed agents from the at least of service control point, the exemplary method further comprises capturing electronic evidence from the one or more sources of electronic evidence and monitoring the use of resources of the one or more sources by the one or more deployed agents.
Another exemplary embodiment relates to a system for capturing electronic evidence, comprising means for deploying one or more agents to one or more sources of electronic evidence over a communications network, wherein the one or more deployed agents are undetectable by the one or more sources. The exemplary system further comprises means for transmitting one or more instructions to the one or more deployed agents to capture electronic evidence from at least one service control point, wherein the one or more deployed agents are inactive unless the one or more instructions are received. Upon receipt of the one or more instructions by the one or more deployed agents from the at least of service control point, the exemplary system has means for capturing electronic evidence from the one or more sources of electronic evidence and means for monitoring the use of resources of the one or more sources by the one or more deployed agents.
Yet another exemplary embodiment relates to a computer readable medium comprising software that, when executed by a computer, causes an electronic evidence management system to perform a method for capturing electronic evidence, the method comprising deploying one or more agents to one or more sources of electronic evidence over a communications network, wherein the one or more deployed agents are undetectable by the one or more sources. The exemplary embodiment further comprises transmitting one or more instructions to the one or more deployed agents to capture electronic evidence from at least one service control point, wherein the one or more deployed agents are inactive unless the one or more instructions are received. Upon receipt of the one or more instructions by the one or more deployed agents from the at least of service control point, the exemplary embodiment further comprises capturing electronic evidence from the one or more sources of electronic evidence and monitoring the use of resources of the one or more sources by the one or more deployed agents.
Additional features of the exemplary embodiments will be set forth in the description below, and in part will be apparent from the description, or may be learned by practice of the exemplary embodiments. The exemplary embodiments will be realized and attained by the structure particularly pointed out in the written description and claims hereof as well as the appended drawings.
It is to be understood that both the foregoing general description and the following detailed description are exemplary and explanatory and are intended to provide further explanation of the claims.
The accompanying drawings, which are included to provide further understanding of the exemplary embodiments and are incorporated in and constitute a part of this specification, illustrate embodiments and together with the description serve to explain the embodiments. In the drawings:
In the following detailed description, numerous specific details are set forth to provide a full understanding of the exemplary embodiments. It will be obvious, however, to one ordinarily skilled in the art that the embodiments may be practiced without some of these specific details. In other instances, well-known structures and techniques have not been shown in detail so as not to obscure the embodiments.
Corporate Evidence Management System (“CEMS”) captures electronic evidence of an organization and stores it in a CEMS repository for searching, analyzing, and managing policies and production. CEMS may be configured on one or more computers, servers, or other computing devices, and may be communicatively coupled with a communications network and one or more digital storage devices. CEMS system 100 illustrated in
The electronic evidence captured by capture system 110 may be comprised of at least two components. These components of the captured electronic evidence comprise a “file pair,” for example, file pair 180 as illustrated in
After capture, file pair 180 is placed in a CEMS drop zone (e.g., drop zone 200 illustrated in
CEMS system 100 may be configured to have scalable metadata such that an object has multiple classifications (e.g., metadata classification tags) and is not restricted by initial classification categories (e.g., the categories configured upon installation of CEMS or initially defined by an administrator). For example, an object stored in object file system 242 (show in
In one exemplary embodiment, CEMS system 100 has a centralized events system (e.g., events system 600 shown in
CEMS system 100 illustrated in
CEMS agents (e.g., agents 510, 520, or 560 illustrated in
As illustrated in
Agents may also be deployed on file systems 406 to collect electronic evidence and perform other activities as instructed by agent control 408 of capture system 400. File systems 406 may be one or more digital storage devices for storing data of at least a portion of an organization, or any other suitable file system of a computing device. Agent control 408, which is preferably a component of capture system 400 and communicatively coupled via communications network 170 with file systems 406, may deploy agents (e.g., agents 520 illustrated in
CEMS capture system 400 may be configured to collect information from and perform other activities on an organization's on-line transaction processing (OLTP) applications 410 through a common transaction integration point 412. OLTP applications 410 may be, for example, electronic commerce applications, or any other suitable applications. OLTP applications 410 may, for example, run on a server, a personal computer, a laptop computer, a processor, or any suitable computing device. Transactional integration point 412, which is preferably a component of capture system 400 and communicatively coupled via communications network 170 with OLTP applications 410, may deploy agents (e.g., agents similar to agents 510 or 520 illustrated in
CEMS capture system 400 may be configured to capture electronic messages and voice messages. Email control point 412, which is preferably a component of capture system 400 and communicatively coupled via communications network 170 with unified messaging system 414, may deploy agents (e.g., agents similar to agents 510 or 520 illustrated in
Email control point 412 may be configured such that CEMS capture system 400 captures emails, voicemails, or any combination thereof. Email Control Point 416 performs actions on the email servers or voice messaging systems of united messaging systems 414 which are directed by CEMS policies (e.g., organizational policies defined in policies system 265 and enforced by policy enforcer 260 of
CEMS capture system 400 may be configured to capture of information (e.g., messages, log files, documents, etc.) from other devices, such as personal digital assistants (PDAs), cellular phones, portable email devices (e.g., BlackBerry® devices, etc.) and other services, such as Instant Messages (IMs). As shown in
CEMS system 100 may be configured such that users may publish documents (i.e., deliver evidence) to CEMS system 100 through Service Oriented Architecture (SOA) interface 424 of CEMS capture system 400. SOA interface 424 may also be configured for interfacing (e.g., over communications network 170) with other document management systems (e.g., application systems 422, Microsoft® Sharepoint, etc.) for automatically publishing documents into CEMS system 100 or for bulk capture of documents from media (e.g., compact discs, DVDs, etc.). Preferably, SOA interface 424 may be configured to capture potential evidence from alternative sources, where such potential evidence may not be captured from, for example, sources such as desktop systems 402, file systems 406, OLTP applications 410, unified messaging systems 414, or IM/PDA systems 418. SOA interface 424 provides CEMS system 100 with bulk capture interface 426 configured to capture electronic evidence from sources of media (e.g., compact discs, DVDs, etc.) and file capture interface 428 which may capture electronic evidence from other document management systems (e.g., applications 422).
Agents 510, 520, and 560 are exemplary agents, and one or more agents may be deployed by CEMS system 100 and communicate with capture system 400 (shown in
Once the agents (e.g., agents 510, 520, or 560) are deployed and installed on client systems, they communicatively connect via communications network 170 to SCP 500, using the CEMS agent-SCP protocol 530.
Agent-SCP protocol 530 is preferably based on TCP/IP (transfer control protocol/internet protocol) for reliable communication. Agent-SCP protocol 530 is preferably encrypted for secure communication. For example, agent-SCP protocol 530 may use SSL (secure socket layer), TLS (transport layer security), or HTTPS (secure hypertext transfer protocol), or any other suitable secure communications protocol.
SCP 500 may be configured to be a server for an agent (e.g., agent 510, 520, 560, etc.) to communicate with. SCP 500 may monitor communications network 170 to determine if agents are attempting to connect to SCP 500. During installation, agents may be, for example, configured with the IP address, port number, public certificate, or other information in order to facilitate connection with SCP 500. Once the agent manager (e.g., agent manager 562 of agent 560) is active, it may initiate communication with SCP 500 and transmit the certificate for authentication. Once SCP 500 validates the authenticity of the certificate, it may open at least one communications channel over communications network 170 for the agent and SCP 500 to communicate.
Upon establishing a transport layer for communications between an agent (e.g., agent 510, 520, 560, etc.) and SCP 500, the agent and SCP 500 may exchange control and data messages via agent-SCP protocol 530 with each other. Agents may initially request that SCP 500 transmit their configurations (e.g., configurations stored on agent configuration and status 550). Next, agents may transmit events to SCP 500 that have been generated by the agent (e.g., where the generated events are stored in event queue 576 for uploading to SCP 500 by event uploader 574 as shown in
This communication is preferably initiated by the agent on an interval (e.g., a time interval set by a user or administrator, etc.). If the agent cannot connect to SCP at the end of one interval, it may wait for the next interval. Alternatively, it may reattempt connection one or more times before waiting until the next interval. During a communication interval, agent buffers events (e.g., in event queue 576 shown in
SCP 500 may be configured as a central control point for agents. For example, SCP 500 may authenticate agents (e.g., authenticate agents by using digital certificates), configure agents prior to or after deployment (or both), receive events (e.g., agents may upload events from event queue 576 using event uploader 574 shown in
SCP 500 may configure each agent separately, or may configure groups of agents by using a common configuration for a group. Configuration options, may include, for example, the client machine name (i.e., host name), agent parameters (e.g., agent configuration file 566), agent private key (preferable stored in agent configuration and status 550 associated with SCP 500), grouping of agents (e.g., agents that share the same configurations can be grouped for ease of use), any suitable combination thereof, or any other configuration option. If agents are grouped, SCP 500 may determine a schedule for agents to connect to SCP 500 at particular times or at particular intervals so as to avoid a substantial number of agents connecting to SCP 500 at the same time and overloading SCP 500.
In one embodiment, the CEMS agents are passive and do not perform actions on a client system unless directed by SCP 500. CEMS agents may, for example, crawl the file system on the client system (e.g. user laptop), and monitor the systems for changes to the file system. CEMS agents can also monitor device changes (e.g., addition of plug-and-play devices) to identify any new storage device being attached to the client machine. Thus, agents may detect devices that are connected to the client system that may be sources of electronic evidence (e.g., universal serial bus (USB) thumb-drives, etc.) and to detect the copying of certain files or other electronic information to a removable storage device. The agent activities are controlled by SCP through policies defined by CEMS administrators.
At the direction of CEMS system 100 in the enforcement of organization policy (e.g., organizational policies defined in policies system 265 and enforced by policy enforcer 260 of
Once CEMS agents (e.g., agents 510, 520, etc.) are deployed and installed on a client system (e.g., desktop systems 402, file system 406, etc.), they are updated with new software substantially automatically by the SCP (e.g., SCP 500). SCP 500 may receive a notification from CEMS system 100 regarding the release of a software update, and, in turn, SCP 500 send commands to agents to update their software accordingly. SCP 500 may track agent activity, as well as the software version information for each agent. Agent information (e.g., agent configurations, software versions, etc.) may be stored in agent configuration and status system 550, illustrated in
Agent configuration file system 566 may store one or more agent configuration files. Agent configuration files may be, for example, an XML document of the current agent configuration and its tasks. The configuration file, or the agent configuration file system 566, or any combination thereof may be encrypted, and may also be hidden from other users on the client machine. Agent manager 562 may read the configuration file, and may periodically update the tasks detailed within the file.
Event dispatcher 564 of agent 560 is configured to wait for incoming events from SCP 500, and dispatches the events so that the tasks for agent (as defined by the received event) are registered for the specific event (e.g., registered in the configuration file of configuration file system 566). During the configuration phase, agent manager 562 may read one or more event registrations from the configuration file stored on configuration file system 566, and update event dispatcher 564 with this information. Event dispatcher 564 may be configured to provide interfaces for agent manager 562 to add an event registration.
Event uploader 574 may be configured to provide interfaces for agent manager 564 to add events to the event registrations stored in configuration file system 566. Event uploader 574 may be configured to read events from the event queue manager 576 and send them to SCP 500. Event uploader 574 may upload the events as defined in the configuration file stored in configuration file system 566. SCP 500, through agent manager 562, may configure the frequency of uploading events by event uploader 574. Preferably, events may be handled on a first in, first out (FIFO) basis. Event uploader 574 may be configured to read an event from event queue manager 576 and inform event queue manager 576 upon successful completion of sending the event to SCP 500 via communications network 170.
If the communicative coupling between an agent (e.g., agent 560) and SCP 500 is not operational, event uploader 574 may generate an event for agent manager 562 to indicate the communication has been interrupted or is unavailable. Agent manager 562 may control event uploader 574 to stop the event uploader task and restart it upon successful connection to SCP 500.
Event queue manager 578 is configured to manage event queue 576 for events to be transmitted to SCP 500. Event queue manager 578 may be configured so that events generated by agent tasks are saved in event queue 576. These events in event queue 576 may eventually be uploaded by event uploader 574. Event queue manager 578 may be configured to provide interfaces for tasks to add events and for event uploader 574 to deliver events to SCP 500.
Upon receipt of an event, event queue manager 578 may store it locally for persistence. Event manager 578 may also maintain a small number of events in memory in, for example, a FIFO structure for faster response to event uploader 574. During a restart of event queue manager 578, it may first determine if there are any pending events and cache part of them in memory (e.g., an encrypted portion of client system memory). When an event uploader task becomes active, these events may be transmitted to SCP 500.
SCP 500 may instruct agents (e.g., agents 510, 520, 560, etc.) to carry out various tasks. Tasks received by an agent (e.g., agent 560) from SCP 500 may be handled by event handler 580. For example, SCP 500 may provide event handler 580 of agent 560 with the file path of the file to be deleted. Event handler 580 may handle any other suitable task as directed by SCP 500.
File system crawler 568 of agent 560 may be configured to iterate over the file system residing on the client machine. Alternatively, file system crawler 568 may be instructed to iterate over files except those files listed in an exclude list (e.g., an exclude list provided by SCP 500). Depending on the client machine, file system crawler 568 may, for example, be configured to utilize the Microsoft Windows API (Application Program Interface) to crawl the file system. File system crawler 568 or monitor 572 may, for example, be configured to exclude certain directories, system directories, file extensions, or files, or any combination thereof. File system crawler 568 or monitor 572 may be configured to search for at least one particular type of file (e.g., Microsoft® Word documents, etc.).
Upon crawling the file system, file system crawler 568 may find a file (which is not part of an exclude list) may add an entry in file catalog 570, add an event in event queue 576 to be transmitted to SCP 500, or perform any other suitable action. Events may contain, for example, file metadata such as the name of the file, the file path where the file resides on the client machine, or any other suitable information. Upon completing a crawl of the file system of the client machine, file system crawler 568 may, with the direction of agent manager 562, update the agent configuration file stored in configuration file system 566 with the time of the last file crawl or other suitable information.
Agent manager 562 may initiate a file system crawl of the client machine by directing file system crawler 568 when it is first started on a client machine or at a particular time specified by SCP 500. After an initial crawl of the file system, agent manager 562 may track the file monitoring of monitor 572 and may perform another file system crawl if file monitoring by monitor 572 was interrupted. If the crawler is restarted due to an interrupt, it may check file catalog 570 if the file already exists and what its status is, and accordingly add an event (and catalog entry) for the file.
On subsequent crawls after the first successful crawl of the file system, file system crawler 568 may go through substantially all the files on the client system and determine if the time of the last modification of the file is greater that the last successful crawl time in the agent configuration file stored in configuration file system 566. If it is greater, file system crawler 568 may raise an event to transfer the file and update file catalog 570 with the new information.
File system crawler 568 or monitor 572 may create an event for each new file found on a client machine. Upon creation of an event for a new file found (i.e., a file creation and modification event), the event may be transmitted to SCP 500 by event uploader 574. Upon receiving the event, SCP 500 may send back an event to the agent (e.g., agent 560) to upload the file (e.g., file uploader 582 may upload the file). SCP 500 may transmit the event to upload one or more files. File uploader 582 may be registered to receive events from event dispatcher 564.
Upon receipt of the event, file uploader 582 may change the status of the file in file catalog 570 to “file transfer start” and copy the file to a temporary area (e.g., temporary storage 584). Next, it may transfer the file to SCP 500. In some embodiments, the start transfer watermark value, which is set by SCP 500 and is saved in configuration file of configuration file system 566 is true. The start transfer watermark value may be, for example a combination of the following CPU (central processing unit) load is below about 50%, and network utilization is less than about 25%. The start transfer watermark value may be comprised of other suitable percentages of CPU load and network utilization, or other factors of the client machine. For example, on a client machine with the Microsoft Windows operating system, these load values may be obtained from the Task Manager APIs.
If file uploader 582 if interrupted during transfer of a file to SCP 500, it may either restart the transfer of the file or, by maintaining a marker for how many bytes have been transferred, it may restart a file transfer starting at the marker point. Periodically, file uploader 582 may check, for example, the CPU and network utilization values of the client system and may decide to stop the transfer it the load usage (CPU and network) is meeting or exceeding a stop transfer watermark value (which may be set by SCP 500). The stop transfer watermark value may be, for example, a CPU load value above about 80%, and a network utilization value of above about 75%.
File catalog 570 of agent 560 in
When file system crawler 568 is initially executed on a client system, it adds entries to file catalog 570, sets the status to “event sent” in file catalog 570, and transmits the events to SCP 500. When SCP 500 requests to download a file, file uploader 582 of agent 560 may update the status in file catalog 570 to “file transfer start” before copying the file temporary storage 584 and to “file transfer finish” after a successful upload operation. File uploader 582 may also update the file last upload time in file catalog 570 before copying the file to temporary storage 584. If the copy operation fails, file uploader 582 may reset the status values for the file in file catalog 570 to the previous state or a default state. Upon deletion or destruction of a file, file catalog 570 is accordingly updated.
Monitor 572 may be configured to monitor activity on a client machine. Such activities may include, but are not limited to file systems monitoring, network monitoring, plug-and-play device monitoring, or other suitable activities.
After a successful crawl of the file system on the client machine, monitor 572 may monitor the file system in order to determine whether a user has, for example, deleted a file, added a new file (e.g., creating a file, saving a file, copying files from another location, saving a file attached in an email, etc.), or moved a file to a different location (i.e., the file contents have not changed, but the metadata associated with a file has changed).
Monitor 572 may, for example, monitor the file system by utilizing a filter driver which may procure the file system events from the operating system of the client machine. The filter driver may be, for example, implemented in the kernel mode of the operating system and may forward the file delete, file move, file save and file close events to monitor 572.
Upon receipt of a file save event, monitor 572 may check the status of this file in file catalog 570, and if the status is “event sent,” it may drop the event. Otherwise, it may modify the status to “event sent” and add the event to event queue 576 (where the event may be stored until it is sent to SCP 500 the next time the agent connects to SCP 500). SCP 500 may request that agents send events periodically.
Monitor 572 may also monitor plug-and-play devices, and notify SCP 500 if devices are discovered on the client machine. In addition, monitor 572 may monitor network traffic events of the client system, and provide logs or network activity information to SCP 500.
Turning to
As shown in
IOA 230 extracts the metadata (e.g., extrinsic and intrinsic metadata) from file pair 180 in drop zone 200. If the object contains other embedded objects (e.g., a Microsoft® PowerPoint presentation object with a Microsoft® Excel spreadsheet document as an embedded object in the presentation, etc.), IOA 230 may extract the embedded objects first. IOA 230 may also extract text (e.g., unformatted text, etc.) from an object or at least one embedded object and direct it to an indexer within IOA 230 for full text indexing, lexical analysis, classification, social network analysis, or any other suitable analysis.
IOA 230 may be configured to be scalable for analyzing electronic evidence (e.g., documents). In order to apply and enforce organizational policies, IOA 230 may classify the electronic evidence (blob) based on its content, and update the site-specific metadata associated with the document. The classification may occur with the blob stored in encrypted file system 242, and the associated updated metadata may be stored in metadata database 244. IOA 230 may also be configured extract social network information from the document, including, but not limited to the name of the creator of the document, viewers of the document, updaters of the document, email recipients of the document, proxies used in the documents, or any other suitable information. IOA 230 may be configured to update the document metadata (e.g., metadata stored in metadata database 244) appropriately after extracting the social information from the electronic evidence. IOA 230 may also be configured to perform lexical analysis of the document, create lexical thumbprints or tokens for the document, which may increase a user's ability to quickly and accurately search for the electronic evidence with CEMS system 100.
CEMS system 100 (shown in
As events are dispatched (e.g., by events dispatcher 606), event handlers (e.g., event handler 608) may perform actions as defined by policies which have been defined in CEMS system 100. CEMS may be configured such that multiple event handlers register for the same event. The CEMS event manager 620 of events system 600 may log the events (e.g., event 602) in events tables 630. Preferably, events tables 630 may be comprised of non-encrypted events tables 640 and encrypted events tables 650. Non-encrypted events table 640 is a read-only copy for users to browse, search, analyze, produce, or perform any other suitable action on. CEMS system 100 does not allow modification or deletion of events in event tables 630 after they are logged. Preferably, only event manager 620 may write to events tables 630. Writing by events manager 620 into events tables 630 may preferably be performed by using database constructs to monitor changes to events tables 630 (e.g., non-encrypted events tables 640 and encrypted events tables 650). Yet, a system-level attacker could attempt to circumvent the CEMS system security to modify the events in the tables. Encrypted events tables 650 may be used to verify if the non-encrypted table has been modified or tampered with.
As described above in connection with
One or more agents may be configured to operate on one or more sources (i.e., remote device or client system), such as a laptop, desktop, file servers, or other devices to crawl the file system to capture one or more files (e.g., documents, etc.) from the one or more sources. The agents may be configured to perform the crawl of the file system in a manner such that the user of the remote device (i.e., one or more sources) is not aware of the agent's activities. In addition, the one or more agents monitor the resource load placed on the one or more sources by their activities so as to avoid detection by users of the sources. For example, if the load on the system resulting from the agent's activities increases to a predetermined threshold (e.g., a threshold as defined by the CEMS administrator, etc.), the agent may decrease its activities so as to minimize its use of the host system's resources, and increases its activities when appropriate system resources are available. After crawling, the one or more CEMS agents may monitor the changes to the file system. For example, an agent may be configured to modify, create, delete, or save files, or any combination thereof, or perform any other suitable activity, and capture these events as instructed by the CEMS system. These events and associated file system changes may be sent to the SCP of CEMS over a communications network from the one or more agents deployed on one or more sources, and the events may be stored in the CEMS repository. If instructed by CEMS, one or more agents may also monitor plug-in storage devices (e.g., USB drives, etc.) and capture the contents or event changes of those devices.
CEMS system 100 may be configured to enable the journaling of emails on one or more email servers and store them in a mailbox or other digital storage facility in which one or more agents, when instructed, may connect to and upload them via email control point 416 (shown in
The above-described evidence repository (e.g., CEMS repository 240) may be used for risk mitigation and incident management. CEMS system 100 may configure one or more agents to collect electronic evidence from one or more sources within an organization. Electronic evidence is preferably captured without the requirement for individual users to actively place objects of electronic evidence into a repository or to publish the objects. One or more agents may be configured to silently, intelligently, and passively capture potentially relevant evidence. The collection by the one or more agents may advantageously assure the organization that it has captured and committed substantially all of the necessary electronic evidence, which may be then analyzed, acted upon, or any suitable combination thereof. In contrast to CEMS system 100, prior art systems cannot assure system administrators that evidence has been captured, or that users have published the information correctly.
The detailed description set forth above in connection with the appended drawings is intended as a description of various embodiments and is not intended to represent the only embodiments which may be practiced. The detailed description includes specific details for the purpose of providing a thorough understanding of the embodiments. However, it will be apparent to those skilled in the art that the embodiments may be practiced without these specific details. In some instances, well known structures and components are shown in block diagram form in order to avoid obscuring the concepts of the exemplary embodiments.
It is understood that the specific order or hierarchy of steps in the processes disclosed is an example of exemplary approaches. Based upon design preferences, it is understood that the specific order or hierarchy of steps in the processes may be rearranged while remaining within the scope of the present disclosure. The accompanying method claims present elements of the various steps in a sample order, and are not meant to be limited to the specific order or hierarchy presented.
The previous description is provided to enable any person skilled in the art to practice the various embodiments described herein. Various modifications to these embodiments will be readily apparent to those skilled in the art, and the generic principles defined herein may be applied to other embodiments. Thus, the claims are not intended to be limited to the embodiments shown herein, but is to be accorded the full scope consistent with the language claims, wherein reference to an element in the singular is not intended to mean “one and only one” unless specifically so stated, but rather “one or more.” All structural and functional equivalents to the elements of the various embodiments described throughout this disclosure that are known or later come to be known to those of ordinary skill in the art are expressly incorporated herein by reference and are intended to be encompassed by the claims. Moreover, nothing disclosed herein is intended to be dedicated to the public regardless of whether such disclosure is explicitly recited in the claims. No claim element is to be construed under the provisions of 35 U.S.C. §112, sixth paragraph, unless the element is expressly recited using the phrase “means for” or, in the case of a method claim, the element is recited using the phrase “step for.”