Systems and methods for graphical exploration of forensic data

US 10,565,221 B2
Filed: 05/22/2017
Issued: 02/18/2020
Est. Priority Date: 05/20/2016
Status: Active Grant

First Claim

Patent Images

1. A method of examining digital forensic data using a viewer computer comprising a memory and a processor, the digital forensic data extracted from at least one target device by a forensic data retrieval application, the method comprising:

receiving, at the viewer computer, a data collection generated by the forensic data retrieval application, the data collection comprising a plurality of data items extracted from the at least one target device;

scanning the data collection to identify a plurality of data artifacts;

for a first artifact in the plurality of artifacts, determining at least one attribute possessed by the first artifact, and adding the first artifact to at least one of a plurality of ontological sets based on possession of the at least one attribute, wherein the plurality of ontological sets comprises a first ontological set associated with a first attribute, and a second ontological set associated with a second attribute;

providing a forensic data investigation application to the viewer computer;

receiving a selection of the first ontological set in the forensic data investigation application;

determining that the first ontological set is related to the plurality of ontological sets;

displaying the first ontological set and the plurality of ontological sets in an ontological display in a graphical user interface, wherein each of the plurality of ontological sets are displayed respectively as nodes in a graph, and wherein each of the nodes is selectable in the graphical user interface;

for each respective set in the plurality of ontological sets, determining a respective relationship between the first ontological set and the respective set, and displaying a respective edge connecting a first node representing the first ontological set and a respective node representing the respective set, wherein each respective edge is selectable in the graphical user interface;

receiving a user edge selection of a selected edge in the graphical user interface;

determining a selected ontological definition associated with the edge;

determining a selected subject, a selected object and a selected predicate associated with the selected ontological definition;

displaying data associated with the selected subject and the selected object in the graphical user interface;

receiving at least one filter input via the graphical user interface;

filtering the graphical user interface based on the at least one filter input; and

displaying an active filter indication to indicate that the graphical user interface is filtered based on the at least one filter input.

View all claims

6 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Methods and apparatus for examining digital forensic data using a viewer computer. Forensic data collections are provided to the viewer computer, which can format the data artifacts according to a variety of display types and presentation formats, to facilitate review and reporting by a user. The display types and presentation formats also enable the user to easily switch between a source location view and a related artifacts view.

33 Citations

View as Search Results

14 Claims

1. A method of examining digital forensic data using a viewer computer comprising a memory and a processor, the digital forensic data extracted from at least one target device by a forensic data retrieval application, the method comprising:
- receiving, at the viewer computer, a data collection generated by the forensic data retrieval application, the data collection comprising a plurality of data items extracted from the at least one target device;
  
  scanning the data collection to identify a plurality of data artifacts;
  
  for a first artifact in the plurality of artifacts, determining at least one attribute possessed by the first artifact, and adding the first artifact to at least one of a plurality of ontological sets based on possession of the at least one attribute, wherein the plurality of ontological sets comprises a first ontological set associated with a first attribute, and a second ontological set associated with a second attribute;
  
  providing a forensic data investigation application to the viewer computer;
  
  receiving a selection of the first ontological set in the forensic data investigation application;
  
  determining that the first ontological set is related to the plurality of ontological sets;
  
  displaying the first ontological set and the plurality of ontological sets in an ontological display in a graphical user interface, wherein each of the plurality of ontological sets are displayed respectively as nodes in a graph, and wherein each of the nodes is selectable in the graphical user interface;
  
  for each respective set in the plurality of ontological sets, determining a respective relationship between the first ontological set and the respective set, and displaying a respective edge connecting a first node representing the first ontological set and a respective node representing the respective set, wherein each respective edge is selectable in the graphical user interface;
  
  receiving a user edge selection of a selected edge in the graphical user interface;
  
  determining a selected ontological definition associated with the edge;
  
  determining a selected subject, a selected object and a selected predicate associated with the selected ontological definition;
  
  displaying data associated with the selected subject and the selected object in the graphical user interface;
  
  receiving at least one filter input via the graphical user interface;
  
  filtering the graphical user interface based on the at least one filter input; and
  
  displaying an active filter indication to indicate that the graphical user interface is filtered based on the at least one filter input.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12)
- - 2. The method of claim 1, wherein the first artifact is added to the first ontological set based on possession of the first attribute, and wherein the first artifact is added to the second ontological set based on possession of the second attribute.
  - 3. The method of claim 2, wherein the first ontological set comprises at least one additional artifact, and wherein the first artifact and the at least one additional artifact each possess the first attribute in common.
  - 4. The method of claim 1, wherein the at least one attribute comprises a third attribute, further comprising creating a third ontological set in the plurality of ontological sets, the third ontological set associated with the third attribute, wherein the first artifact is added to the third ontological set based on possession of the third attribute.
  - 5. The method of claim 1, further comprising displaying a respective label corresponding to each respective edge.
  - 6. The method of claim 1, wherein each respective relationship is determined based on at least one ontological definition.
  - 7. The method of claim 6, wherein each respective relationship defines a subject, an object and a predicate based on the at least one ontological definition, and wherein each respective relationship corresponds to one or more respective predicate of the at least one ontological definition.
  - 8. The method of claim 1, further comprising:
    - receiving a user selection of a selected ontological set in the plurality of ontological sets via the graphical user interface, wherein the user selection is an activation selection of a selected node in the graph;
      
      determining a second plurality of ontological sets, wherein each of the second plurality of ontological sets is related to the selected ontological set;
      
      displaying the second plurality of ontological sets as additional nodes in the graph, in the ontological display.
  - 9. The method of claim 8, further comprising, prior to receiving the user selection, adding the first ontological set to a visited collection and, after receiving the user selection, adding the selected ontological set to the visited collection.
  - 10. The method of claim 9, further comprising:
    - prior to receiving the user selection of the selected ontological set, receiving a pinning command associated with a subset of the plurality of ontological sets to determine a pinned subset of ontological sets; and
      
      following determining the second plurality of ontological sets, removing from the graphical user interface any of the plurality of ontological sets that are not also members of the pinned subset of ontological sets, the visited collection or the second plurality of ontological sets.
  - 11. The method of claim 1, wherein the filtering comprises:
    - determining a filter criteria based on the at least one filter input;
      
      applying the filter criteria to the plurality of ontological sets; and
      
      based on the application of the filter criteria, removing from display at least one filtered ontological set.
  - 12. The method of claim 11, wherein the filtering further comprises:
    - receiving at least one additional filter input via the graphical user interface;
      
      re-determining the filter criteria based on the at least one additional filter input;
      
      re-applying the filter criteria to the plurality of ontological sets; and
      
      based on the re-application of the filter criteria, re-displaying at least one ontological set.

13. A non-transitory computer-readable medium storing computer-executable instructions, the instructions when executed by a computer processor for causing the computer processor to carry out a method of examining digital forensic data using a viewer computer comprising a memory and the computer processor, the digital forensic data extracted from at least one target device by a forensic data retrieval application, the method comprising:
- receiving, at the viewer computer, a data collection generated by the forensic data retrieval application, the data collection comprising a plurality of data items extracted from the at least one target device;
  
  scanning the data collection to identify a plurality of data artifacts;
  
  for a first artifact in the plurality of artifacts, determining at least one attribute possessed by the first artifact, and adding the first artifact to at least one of a plurality of ontological sets based on possession of the at least one attribute, wherein the plurality of ontological sets comprises a first ontological set associated with a first attribute, and a second ontological set associated with a second attribute;
  
  executing a forensic data investigation application at the viewer computer;
  
  receiving a selection of the first ontological set in the forensic data investigation application;
  
  determining that the first ontological set is related to the plurality of ontological sets;
  
  displaying the first ontological set and the plurality of ontological sets in an ontological display in a graphical user interface, wherein each of the plurality of ontological sets are displayed respectively as nodes in a graph, and wherein each of the nodes is selectable in the graphical user interface;
  
  for each respective set in the plurality of ontological sets, determining a respective relationship between the first ontological set and the respective set, and displaying a respective edge connecting a first node representing the first ontological set and a respective node representing the respective set, wherein each respective edge is selectable in the graphical user interface;
  
  receiving a user edge selection of a selected edge in the graphical user interface;
  
  determining a selected ontological definition associated with the edge;
  
  determining a selected subject, a selected object and a selected predicate associated with the selected ontological definition; and
  
  displaying data associated with the selected subject and the selected object in the graphical user interface;
  
  receiving at least one filter input via the graphical user interface;
  
  filtering the graphical user interface based on the at least one filter input; and
  
  displaying an active filter indication to indicate that the graphical user interface is filtered based on the at least one filter input.

14. A viewer computer for examining digital forensic data extracted from at least one target device by a forensic data retrieval application, the viewer computer comprising a memory and a processor, the processor configured to:
- receive, at the viewer computer, a data collection generated by the forensic data retrieval application, the data collection comprising a plurality of data items extracted from the at least one target device;
  
  scan the data collection to identify a plurality of data artifacts;
  
  for a first artifact in the plurality of artifacts, determine at least one attribute possessed by the first artifact, and add the first artifact to at least one of a plurality of ontological sets based on possession of the at least one attribute, wherein the plurality of ontological sets comprises a first ontological set associated with a first attribute, and a second ontological set associated with a second attribute;
  
  provide a forensic data investigation application to the viewer computer;
  
  receive a selection of the first ontological set in the forensic data investigation application;
  
  determine that the first ontological set is related to the plurality of ontological sets;
  
  display the first ontological set and the plurality of ontological sets in an ontological display in a graphical user interface, wherein each of the plurality of ontological sets are displayed respectively as nodes in a graph, and wherein each of the nodes is selectable in the graphical user interface;
  
  for each respective set in the plurality of ontological sets, determine a respective relationship between the first ontological set and the respective set, and display a respective edge connecting a first node representing the first ontological set and a respective node representing the respective set, wherein each respective edge is selectable in the graphical user interface;
  
  receive a user edge selection of a selected edge in the graphical user interface;
  
  determine a selected ontological definition associated with the edge;
  
  determine a selected subject, a selected object and a selected predicate associated with the selected ontological definition; and
  
  display data associated with the selected subject and the selected object in the graphical user interface;
  
  receive at least one filter input via the graphical user interface;
  
  filter the graphical user interface based on the at least one filter input; and
  
  display an active filter indication to indicate that the graphical user interface is filtered based on the at least one filter input.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Royal Bank of Canada (The PNC Financial Services Group, Inc.)
Original Assignee
Magnet Forensics, Inc.
Inventors
Kordasiewicz, Roman Czeslaw, MacKenzie, Michelle Elizabeth Allix, Windover, Jared Daniel
Primary Examiner(s)
Sax, Steven P

Application Number

US15/600,990
Publication Number

US 20170337251A1
Time in Patent Office

1,002 Days
Field of Search
US Class Current
CPC Class Codes

G06F 16/248   Presentation of query results

G06F 16/285   Clustering or classification

G06F 21/552   involving long-term monitor...

G06F 3/04812   Interaction techniques base...

G06F 3/0482   Interaction with lists of s...

G06Q 10/00   Administration; Management

G06Q 10/06   Resources, workflows, human...

G06Q 10/10   Office automation; Time man...

Systems and methods for graphical exploration of forensic data

First Claim

6 Assignments

0 Petitions

Accused Products

Abstract

33 Citations

14 Claims

Specification

Solutions

Use Cases

Quick Links

Systems and methods for graphical exploration of forensic data

First Claim

6 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

33 Citations

14 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links