Method and apparatus for forensic analysis of information stored in computer-readable media

US 6,279,010 B1
Filed: 01/12/1999
Issued: 08/21/2001
Est. Priority Date: 07/20/1998
Status: Expired due to Fees

First Claim

Patent Images

1. A computer-implemented method of automatically extracting from a large ambient data file containing a mixture of textual data and binary data information that has a relatively high probability of corresponding to Internet-related activity of interest to an investigator, the method comprising:

providing an ambient data file including ambient data from one or more of the following sources, alone or in combination;

unallocated storage space, file slack space at the end of one or more computer files, a windows swap, and one or more temporary system files;

reading a portion of the ambient data file into random access memory;

searching the portion of the ambient data to determine the presence of a first character or character group within a pre-specified proximity to a second character or character group to locate Internet-related identifiers of interest to the investigator;

if internet-related identifiers are located, copying the internet-related identifiers to an output file, thereby providing an output file for the investigator to review that excludes non-textual data, is greatly reduced in size from the original ambient data file; and

that includes most or all of the internet-related information of interest to an investigator in the ambient data file.

View all claims

9 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Ambient data is data created or retained as an artifact of a computer system, rather than by an intention of the user. Ambient data typically includes both textual and binary, i.e., non-textual, data. Ambient data can include information of which the user is unaware, and an investigator can review ambient data to learn about the Internet-related activity performed on the computer. Most of the information in the ambient data is not useful, and the large amount of ambient data on a typical computer system can require significant time to review. The invention locates useful internet-related information in the ambient data and outputs the information in a useful database format, excluding non-textual data and text that is unrelated to Internet activity. The system locates internet-related information of interest using proximity rules, that is, the system writes output when only when certain characters appear in the ambient data within a specified proximity to other characters. The characters can include including symbols, abbreviations, or words, specified either individually or on a pre-compiled list. Exclusionary rules can also eliminate firewall aliases, internet identifiers that are less useful to an investigator. By applying such rules, an output file including only textual data representing useful Internet addresses and URL is presented to an investigator.

Citations

22 Claims

1. A computer-implemented method of automatically extracting from a large ambient data file containing a mixture of textual data and binary data information that has a relatively high probability of corresponding to Internet-related activity of interest to an investigator, the method comprising:
- providing an ambient data file including ambient data from one or more of the following sources, alone or in combination;
  
  unallocated storage space, file slack space at the end of one or more computer files, a windows swap, and one or more temporary system files;
  
  reading a portion of the ambient data file into random access memory;
  
  searching the portion of the ambient data to determine the presence of a first character or character group within a pre-specified proximity to a second character or character group to locate Internet-related identifiers of interest to the investigator;
  
  if internet-related identifiers are located, copying the internet-related identifiers to an output file, thereby providing an output file for the investigator to review that excludes non-textual data, is greatly reduced in size from the original ambient data file; and
  
  that includes most or all of the internet-related information of interest to an investigator in the ambient data file.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10)
- - 2. The method of claim 1 in which searching the portion of the ambient data to determine the presence of a first character or character group within a pre-specified proximity to a second character or character group includes searching the portion of the ambient data to determine the presence the character “
    - @”
      
      within a pre-specified proximity to an Internet country code or a top level domain name.
  - 3. The method of claim 2 further comprising determining the number of periods between the “
    - @”
      
      sign and the top level domain name and copying the Internet-related identifier to the output file only if the Internet-related identifier includes less than a pre-specified number of periods, thereby copying the Internet-related identifier only if it is unlikely to represent a firewall alias.
  - 4. The method of claim 2 in which the second character or character group includes country codes from a list of countries of interest to the investigator.
  - 5. The method of claim 1 in which searching the portion of the ambient data to determine the presence of a first character or character group within a pre-specified proximity to a second character or character group includes searching the portion of the ambient data to determine the presence of the characters “
    - HTTP;
      
      //”
      
      or “
      
      WWW.”
      
      within a pre-specified proximity to an internet country code, a top level domain name, or the characters “
      
      .HTM”
      
      or “
      
      .HTML”
      
      .
  - 6. The method of claim 1 in which searching the portion of the ambient data to determine the presence of a first character or character group within a pre-specified proximity to a second character or character group includes searching the portion of the ambient data to determine the presence for characters identifying graphics or compressed files within a pre-specified proximity of words from a pre-compiled list of topics of interest to the investigator.
  - 7. The method of claim 5 in which the characters identifying graphics or compressed files include the characters “
    - .JPG”
      
      , “
      
      GIF”
      
      , “
      
      .ZIP”
      
      or “
      
      .BMP”
      
      .
  - 8. The method of claim 1 in which the Internet-related identifier includes e-mail addresses, universal resource locators, or file names.
  - 9. The method of claim 1 in which the output file comprises a list of internet-related identifiers in a format readable by a commercial database application thereby facilitating determination of frequency of occurrence of the internet-related identifiers in the ambient data file.
  - 10. The method of claim 1 in which the second character or character group includes words from a list of words related to activities of interest.

11. A computer-implemented method of reducing the amount of data requiring review by an investigator from a large ambient computer data file containing a mixture of textual data and binary data by eliminating non-textual data unrelated to Internet activity in a subject area of interest to the investigator, the method comprising:
- searching the ambient data to locate a first character or group of characters;
  
  searching the ambient data to locate a second character or group of character within a specified proximity to the first group of characters, the presence and proximity of the characters or character groups being indicative of Internet-related activity of interest to an investigator;
  
  if the second character or group of characters is located within the specified proximity of the first character or group of characters, writing a portion of the ambient data including the first and second characters or groups of characters to an output file, thereby providing an output file for the investigator to review that excludes non-textual data, is greatly reduced in size from the original ambient data file, and that includes most or all of the internet-related information in the ambient data file and of interest to the investigator.
- View Dependent Claims (12, 13, 14, 15, 16, 17, 18)
- - 12. The method of claim 11 in which the output file is in a format readable by a commercial database application thereby facilitating the determination of frequency of occurrence of the internet identifier in the ambient data file.
  - 13. The method of claim 11 in which the first character or group of characters includes the character “
    - @” and
      
      in which the second character or group of characters includes an internet country code or a top level domain name.
  - 14. The method of claim 13 in which searching the ambient data to locate a second character or group of character within a specified proximity to the first group of characters includes determining the number period between the “
    - @”
      
      character and the country code or a top level domain name to prevent copying of firewall aliases to the output file.
  - 15. The method of claim 11 in which searching the ambient data to locate a second character or group of character within a specified proximity to the first group of characters includes searching for words from a pre-compiled list of English language words related to topics of interest to the investigator.
  - 16. The method of claim 11 in which the first character or group of characters includes the characters “
    - HTTP;
      
      //”
      
      or “
      
      WWW.” and
      
      in which the second character or group of characters includes a top level domain name, an internet country code, or the file extension “
      
      .HTM”
      
      or “
      
      .HTML”
      
      .
  - 17. The method of claim 11 in which the first character or group of characters includes identifiers of graphics or compressed files.
  - 18. The method of claim 11 in which searching the ambient data to locate a second character or group of characters includes searching the ambient data to locate top level domain names or country codes.

19. An apparatus for extracting from a large ambient data file containing a mixture of textual data and binary data information that has a relatively high probability of corresponding to an Internet-related activity of interest to an investigator, the method comprising:
- data storage means including an ambient data file including ambient data from one or more of the following sources;
  
  unallocated storage space, file slack space at the end of one or more computer files, a windows swap, and a temporary system file;
  
  random access memory for sequentially storing portions of the ambient data file;
  
  means for searching the ambient data to locate a first character or group of characters;
  
  means for searching the ambient data to locate a second character or group of characters within a specified proximity of the first group of characters, the presence and proximity of the characters being indicative of Internet-related activity of interest to an investigator;
  
  means for copying information corresponding to the Internet related activity to an output file, thereby providing an output file for the investigator to review that is greatly reduced in size from the original ambient data file, that excludes non-textual data, and that includes most or all of the Internet-related information of interest to an investigator in the ambient data file.
- View Dependent Claims (20, 21, 22)
- - 20. The apparatus of claim 19 in which the means for searching the ambient data to locate a first character or group of characters includes means for searching for the character “
    - @” and
      
      in which means for searching the ambient data to locate a second character or group of character within a specified proximity to the first group of characters includes means for searching for a top level domain name or a country code.
  - 21. The apparatus of claim 20 in which means for searching the ambient data to locate a top level domain name or a country code within a specified proximity to the character “
    - @”
      
      includes means to determine the number of periods between the character “
      
      @” and
      
      the top level domain name or a country code thereby excluding firewall aliases.
  - 22. The apparatus of claim 19 in which the means for copying includes means for writing the output file is in a format readable by a commercial database application.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Safariland LLC
Original Assignee
New Technologies Armor, Inc. (Safariland LLC)
Inventors
Anderson, Michael R.
Primary Examiner(s)
Alam, Hosain T.
Assistant Examiner(s)
Kindred, Alford W.

Application Number

US09/228,700
Time in Patent Office

952 Days
Field of Search

707/1-10, 707/100-102, 707/200-206, 707/500, 707/513, 707/524, 707/526, 711/1-6, 711/100-173, 711/200, 711/202, 360/1, 360/4-5, 360/53, 360/97.01, 369/13-15, 713/1-2, 713/100, 713/152, 713/154-155, 713/161, 713/165-171, 713/176, 713/200-201, 714/100, 714/2, 714/6, 714/15
US Class Current

1/1
CPC Class Codes

G06F 16/683 using metadata automaticall...

Y10S 707/99953 Recoverability

Method and apparatus for forensic analysis of information stored in computer-readable media

First Claim

9 Assignments

0 Petitions

Accused Products

Abstract

Citations

22 Claims

Specification

Solutions

Use Cases

Quick Links

Method and apparatus for forensic analysis of information stored in computer-readable media

First Claim

9 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

22 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links