Systems and methods for graphical exploration of forensic data

US 10,740,409 B2
Filed: 09/15/2017
Issued: 08/11/2020
Est. Priority Date: 05/20/2016
Status: Active Grant

First Claim

Patent Images

1. A method of examining digital forensic data using a viewer computer comprising a memory and a processor, the digital forensic data extracted from at least one target device by a forensic data retrieval application, the method comprising:

providing a forensic data investigation application to the viewer computer;

receiving, at the viewer computer, a data collection generated by the forensic data retrieval application, the data collection comprising a plurality of data items extracted from the at least one target device, wherein the data items correspond to textual data stored on the at least one target device;

scanning the data collection to identify a plurality of data artifacts, wherein at least one of the plurality of data artifacts is a structured representation of one or more of the plurality of data items that defines a subject-predicate relationship thereof;

for a first artifact in the plurality of artifacts, determining a first attribute associated with the first artifact, and creating a first ontological set associated with the first attribute;

displaying the first ontological set and the plurality of ontological sets in an ontological display in a graphical user interface, wherein each of the plurality of ontological sets are displayed respectively as nodes in a graph;

receiving a selection of the first ontological set in the forensic data investigation application;

determining that the first ontological set is related to the plurality of ontological sets; and

for each respective set in the plurality of ontological sets, determining a respective predicate relationship between the first ontological set and the respective set, and displaying a respective oriented edge connecting a first node representing the first ontological set and a respective node representing the respective set, wherein each respective oriented edge is oriented based on the respective predicate relationship between the first ontological set and the respective set.

View all claims

6 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Methods and apparatus for examining digital forensic data using a viewer computer. Forensic data collections are provided to the viewer computer, which can format the data artifacts according to a variety of display types and presentation formats, to facilitate review and reporting by a user. A relation graph presentation format is provided for visual exploration of data relationships.

Citations

26 Claims

1. A method of examining digital forensic data using a viewer computer comprising a memory and a processor, the digital forensic data extracted from at least one target device by a forensic data retrieval application, the method comprising:
- providing a forensic data investigation application to the viewer computer;
  
  receiving, at the viewer computer, a data collection generated by the forensic data retrieval application, the data collection comprising a plurality of data items extracted from the at least one target device, wherein the data items correspond to textual data stored on the at least one target device;
  
  scanning the data collection to identify a plurality of data artifacts, wherein at least one of the plurality of data artifacts is a structured representation of one or more of the plurality of data items that defines a subject-predicate relationship thereof;
  
  for a first artifact in the plurality of artifacts, determining a first attribute associated with the first artifact, and creating a first ontological set associated with the first attribute;
  
  displaying the first ontological set and the plurality of ontological sets in an ontological display in a graphical user interface, wherein each of the plurality of ontological sets are displayed respectively as nodes in a graph;
  
  receiving a selection of the first ontological set in the forensic data investigation application;
  
  determining that the first ontological set is related to the plurality of ontological sets; and
  
  for each respective set in the plurality of ontological sets, determining a respective predicate relationship between the first ontological set and the respective set, and displaying a respective oriented edge connecting a first node representing the first ontological set and a respective node representing the respective set, wherein each respective oriented edge is oriented based on the respective predicate relationship between the first ontological set and the respective set.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16, 17, 18, 19, 20, 21, 22, 23, 24, 25, 26)
- - 2. The method of claim 1, wherein the first artifact comprises an ontological definition, and wherein the first attribute is determined based on the ontological definition.
  - 3. The method of claim 2, wherein the ontological definition comprises a subject definition, an object definition and a predicate definition.
  - 4. The method of claim 3, wherein the first ontological set is identified as a subject ontological set, based on the subject definition.
  - 5. The method of claim 4, further comprising determining a second attribute, and creating a second ontological set associated with the second attribute.
  - 6. The method of claim 5, wherein the second ontological set is identified as an object ontological set, based on the object definition.
  - 7. The method of claim 6, further comprising identifying a predicate association between the subject ontological set and the object ontological set.
  - 8. The method of claim 7, wherein the second attribute comprises a plurality of discrete attributes, the method further comprising creating a plurality of normalized ontological sets corresponding to the plurality of discrete attributes, wherein each of the normalized ontological sets inherits the predicate association of the second attribute.
  - 9. The method of claim 8, further comprising identifying at least one duplicate ontological set in the plurality of normalized ontological sets, and merging the at least one duplicate ontological set with a pre-existing ontological set.
  - 10. The method of claim 5, wherein the second attribute is associated with the first artifact.
  - 11. The method of claim 5, wherein the second attribute is associated with a second artifact.
  - 12. The method of claim 1, further comprising displaying a respective label corresponding to each respective edge.
  - 13. The method of claim 1, further comprising:
    - receiving a user selection of a selected ontological set in the plurality of ontological sets via the graphical user interface;
      
      determining a second plurality of ontological sets, wherein each of the second plurality of ontological sets is related to the selected ontological set; and
      
      displaying the second plurality of ontological sets in the ontological display.
  - 14. The method of claim 13, further comprising, prior to receiving the user selection, adding the first ontological set to a visited collection and, after receiving the user selection, adding the selected ontological set to the visited collection.
  - 15. The method of claim 14, further comprising:
    - prior to receiving the user selection of the selected ontological set, receiving a pinning command associated with a subset of the plurality of ontological sets to determine a pinned subset of ontological sets; and
      
      following determining the second plurality of ontological sets, removing from the graphical user interface any of the plurality of ontological sets that are not also members of the pinned subset of ontological sets, the visited collection or the second plurality of ontological sets.
  - 16. The method of claim 1, further comprising:
    - receiving at least one filter input via the graphical user interface;
      
      filtering the graphical user interface based on the at least one filter input; and
      
      displaying an active filter indication to indicate that the graphical user interface is filtered based on the at least one filter input.
  - 17. The method of claim 16, wherein the filtering comprises:
    - determining a filter criteria based on the at least one filter input;
      
      applying the filter criteria to the plurality of ontological sets; and
      
      based on the application of the filter criteria, removing from display at least one filtered ontological set.
  - 18. The method of claim 17, wherein the filtering further comprises:
    - receiving at least one additional filter input via the graphical user interface;
      
      re-determining the filter criteria based on the at least one additional filter input;
      
      re-applying the filter criteria to the plurality of ontological sets; and
      
      based on the re-application of the filter criteria, re-displaying at least one ontological set.
  - 19. The method of claim 1, further comprising:
    - receiving a user selection of a subset of ontological sets in the plurality of ontological sets via the graphical user interface;
      
      receiving a merge command selection via the graphical user interface;
      
      merging the subset of ontological sets into a merged ontological set; and
      
      displaying the second plurality of ontological sets in the ontological display.
  - 20. The method of claim 1, wherein the ontological definition is user-defined.
  - 21. A non-transitory computer-readable medium storing computer-executable instructions, the instructions when executed by a computer processor for causing the computer processor to carry out the method of claim 1.
  - 22. A viewer computer comprising a memory and a processor, the processor configured to carry out the method of claim 1.
  - 23. The method of claim 1, wherein for a first set of the plurality of ontological sets comprising the first ontological set and a second ontological set, the first ontological set is the subject of the predicate relationship between the first ontological set and the second ontological set, and a first oriented edge is oriented from the first node to a second node representing the second ontological set.
  - 24. The method of claim 23, wherein for a second set of the plurality of ontological sets comprising the first ontological set and a third ontological set, the first ontological set is the object of the predicate relationship between the first ontological set and the third ontological set, and a second oriented edge is oriented to the first node from a third node representing the third ontological set.
  - 25. The method of claim 1, wherein for a third set of the plurality of ontological sets comprising the first ontological set and a fourth ontological set, the first ontological set is the object of the predicate relationship between the first ontological set and the fourth ontological set, and a third oriented edge is oriented from a fourth node representing the fourth ontological set to the first node.
  - 26. The method of claim 1, wherein each respective oriented edge is an arrow.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Royal Bank of Canada (The PNC Financial Services Group, Inc.)
Original Assignee
Magnet Forensics, Inc.
Inventors
Kordasiewicz, Roman Czeslaw, MacKenzie, Michelle Elizabeth Allix, Windover, Jared Daniel, McIlveen, Samantha Jo
Primary Examiner(s)
Sax, Steven P

Application Number

US15/706,173
Publication Number

US 20180032518A1
Time in Patent Office

1,061 Days
Field of Search
US Class Current
CPC Class Codes

G06F 16/156   Query results presentation

G06F 16/338   Presentation of query results

G06F 16/367   Ontology

G06F 16/438   Presentation of query results

G06F 16/638   Presentation of query results

G06F 16/9038   Presentation of query results

G06F 16/904   Browsing; Visualisation the...

G06F 16/93   Document management systems

G06F 3/0481   based on specific propertie...

G06F 3/0482   Interaction with lists of s...

G06Q 50/18   Legal services

Systems and methods for graphical exploration of forensic data

First Claim

6 Assignments

0 Petitions

Accused Products

Abstract

Citations

26 Claims

Specification

Solutions

Use Cases

Quick Links

Systems and methods for graphical exploration of forensic data

First Claim

6 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

26 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links