Electronic discovery system and method

US 20070112783A1
Filed: 10/06/2006
Published: 05/17/2007
Est. Priority Date: 10/06/2005
Status: Active Grant

First Claim

Patent Images

1. A computer-implemented method for conducting investigations of one or more target machines in a data communications network via an examining machine, the method comprising:

defining, under control of the examining machine, a set of investigation criteria;

automatically generating by the examining machine, a unique identifier for the set of investigation criteria;

automatically investigating the one or more target machines based on the set of investigation criteria and outputting results of the investigation;

preserving the results of the investigation in an evidence data store; and

storing the unique identifier in the evidence data store in association with the preserved results for tracing the results to the set of investigation criteria.

View all claims

7 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A computer investigation system and method that conducts electronic discovery of desired files across a live network in a forensically sound manner. The investigation entails an examining machine electronically identifying, collecting, and preserving evidence from target machines that is responsive to a set of investigation criteria. The set of investigation criteria is associated with an investigation subject that is identified by a global unique identifier (GUID). As the investigation subject is applied to the various files, the responsive files are stamped with the GUID and preserved in a container file referred to as a logical evidence file (LEF). The GUID allows the results of an investigation to be easily and reliably traced to the particular investigation subject that was applied.

150 Citations

20 Claims

1. A computer-implemented method for conducting investigations of one or more target machines in a data communications network via an examining machine, the method comprising:
- defining, under control of the examining machine, a set of investigation criteria;
  
  automatically generating by the examining machine, a unique identifier for the set of investigation criteria;
  
  automatically investigating the one or more target machines based on the set of investigation criteria and outputting results of the investigation;
  
  preserving the results of the investigation in an evidence data store; and
  
  storing the unique identifier in the evidence data store in association with the preserved results for tracing the results to the set of investigation criteria.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10)
- - 2. The method of claim 1, wherein the evidence data store is a container file storing metadata of files that are responsive to the investigation criteria and copies of the responsive files.
  - 3. The method of claim 1, wherein the unique identifier is randomly generated by the examining machine.
  - 4. The method of claim 1, wherein the investigation criteria includes one or more filter conditions for identifying one or more files based on the filter conditions.
  - 5. The method of claim 4, wherein the filter conditions specify file metadata, the method further comprising:
    - retrieving by the examining computer filesystem data of the one or more target machines;
      
      comparing by the examining computer the filesystem data with the specified file metadata; and
      
      identifying the one or more files based on the comparison.
  - 6. The method of claim 1, wherein the investigation criteria includes one or more keywords for identifying files in the one or more target machines containing the one or more keywords.
  - 7. The method of claim 1, wherein the investigation criteria identifies a specific source file for identifying a file in the one or more target machines matching the source file.
  - 8. The method of claim 7 further comprising:
    - identifying lengths of the source file and a file in a particular target machine that is being considered for a match;
      
      determining whether the lengths are equal;
      
      if the lengths are equal, invoking the target machine to compute a digital signature value of the file being considered for a match;
      
      retrieving the digital signature values of the source file and the file being considered for a match;
      
      determining whether the digital signature values are equal; and
      
      if the digital signature values are equal, identifying the file being considered for a match as a matching file.
  - 9. The method of claim 1 further comprising:
    - receiving an examiner report including the unique identifier for the set of investigation criteria used for the investigating;
      
      comparing the unique identifier in the examiner report with the unique identifier in the evidence data store; and
      
      outputting a verification message based on the comparison.
  - 10. The method of claim 1 further comprising:
    - retrieving the unique identifier from the evidence data store; and
      
      reconstructing the set of investigation criteria based on the unique identifier.

11. An examining machine conducting investigations of one or more target machines in a data communications network, the examining machine comprising:
- a processor;
  
  a memory operably coupled to the processor storing program instructions therein, the processor being operable to execute the program instructions, the program instructions including;
  
  defining a set of investigation criteria;
  
  automatically generating a unique identifier for the set of investigation criteria;
  
  automatically investigating the one or more target machines based on the set of investigation criteria and outputting results of the investigation;
  
  preserving the results of the investigation in an evidence data store; and
  
  storing the unique identifier in the evidence data store in association with the preserved results for tracing the results to the set of investigation criteria.
- View Dependent Claims (12, 13, 14, 15, 16, 17, 18, 19, 20)
- - 12. The examining machine of claim 11, wherein the evidence data store is a container file storing metadata of files that are responsive to the investigation criteria and copies of the responsive files.
  - 13. The examining machine of claim 11, wherein the unique identifier is randomly generated by the examining machine.
  - 14. The examining machine of claim 11, wherein the investigation criteria includes one or more filter conditions for identifying one or more files based on the filter conditions.
  - 15. The examining machine of claim 14, wherein the filter conditions specify file metadata, the program instructions further including:
    - retrieving filesystem data of the one or more target machines;
      
      comparing the filesystem data with the specified file metadata; and
      
      identifying the one or more files based on the comparison.
  - 16. The examining machine of claim 11, wherein the investigation criteria includes one or more keywords for identifying files in the one or more target machines containing the one or more keywords.
  - 17. The examining machine of claim 11, wherein the investigation criteria identifies a specific source file for identifying a file in the one or more target machines matching the source file.
  - 18. The examining machine of claim 17, wherein the program instructions further include:
    - identifying lengths of the source file and a file in a particular target machine that is being considered for a match;
      
      determining whether the lengths are equal;
      
      if the lengths are equal, invoking the target machine to compute a digital signature value of the file being considered for a match;
      
      retrieving the digital signature values of the source file and the file being considered for a match;
      
      determining whether the digital signature values are equal; and
      
      if the digital signature values are equal, identifying the file being considered for a match as a matching file.
  - 19. The examining machine of claim 11 further comprising a second processor configured to execute a second set of program instructions including:
    - receiving an examiner report including the unique identifier for the set of investigation criteria used for the investigating;
      
      comparing the unique identifier in the examiner report with the unique identifier in the evidence data store; and
      
      outputting a verification message based on the comparison.
  - 20. The examining machine of claim 11, wherein the program instructions further include:
    - retrieving the unique identifier from the evidence data store; and
      
      reconstructing the set of investigation criteria based on the unique identifier.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Open Text Holdings, Inc. (Open Text Corporation)
Original Assignee
Guidance Software Incorporated (Open Text Corporation)
Inventors
McCreight, Shawn, Botta, Brent, Stewart, Jon

Granted Patent

US 7,809,686 B2
Time in Patent Office

Days
Field of Search
US Class Current

1/1
CPC Class Codes

G06F 16/951   Indexing; Web crawling tech...

G06F 21/577   Assessing vulnerabilities a...

G06Q 10/00   Administration; Management

H04L 63/12   Applying verification of th...

Electronic discovery system and method

First Claim

7 Assignments

0 Petitions

Accused Products

Abstract

150 Citations

20 Claims

Specification

Solutions

Use Cases

Quick Links

Electronic discovery system and method

First Claim

7 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

150 Citations

20 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links