Methods for searching forensic data

US 7,603,344 B2
Filed: 12/23/2005
Issued: 10/13/2009
Est. Priority Date: 10/19/2005
Status: Expired due to Fees

First Claim

Patent Images

1. A computer-readable storage medium upon which is embodied and stored a sequence of programmed instructions that, when executed by a processor, cause the processor to perform functions comprising:

extracting information from input data;

detecting suspect data contained in said extracted data using a forensic search tool of a computing platform associated with a first agency, said detecting performed by matching said extracted data with one or more pre-defined data patterns specified by said forensic search tool, wherein said suspect data comprises data identified by said forensic search tool as being associated with inappropriate or illegal activities;

including the suspect data and a non-readable and non-modifiable representation of sensitive data in the forensic search tool;

outputting a report identifying said suspect data; and

outputting said forensic search tool by said computing platform associated with said first agency to at least one computing platform associated with a second agency,wherein the instructions associated with said digital forensic search tool further comprisea header;

a search markup language portion;

a data features portion containing features of data,wherein the digital forensic search tool enables said computing platform associated with said first agency to share the suspect data with said at least one computing platform associated with a second agency in a manner that enables utilization of the suspect data by the second agency while not revealing the actual content of the sensitive data to the second agency; and

wherein instructions implementing said digital forensic search tool are provided in accordance with a search markup language.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A digital forensic search tool which enables a first entity, such as a federal investigation agency, to share its suspect and sensitive data with a second entity, such as another investigative agency, in a manner that allows the second agency to utilize the suspect data while not revealing the actual content of the sensitive data to the second agency. The second agency can perform comparisons and other operations on the sensitive data without having to know the actual content of the data. The search tool allows an investigative agency to define an investigative strategy for a particular case via the search markup language programs and by the data features that it includes in the search tool. Thus, by sharing search tools among agencies, an agency can share or inform others of that agency'"'"'s theory of the case and investigative goal.

37 Citations

View as Search Results

23 Claims

1. A computer-readable storage medium upon which is embodied and stored a sequence of programmed instructions that, when executed by a processor, cause the processor to perform functions comprising:
- extracting information from input data;
  
  detecting suspect data contained in said extracted data using a forensic search tool of a computing platform associated with a first agency, said detecting performed by matching said extracted data with one or more pre-defined data patterns specified by said forensic search tool, wherein said suspect data comprises data identified by said forensic search tool as being associated with inappropriate or illegal activities;
  
  including the suspect data and a non-readable and non-modifiable representation of sensitive data in the forensic search tool;
  
  outputting a report identifying said suspect data; and
  
  outputting said forensic search tool by said computing platform associated with said first agency to at least one computing platform associated with a second agency,wherein the instructions associated with said digital forensic search tool further comprisea header;
  
  a search markup language portion;
  
  a data features portion containing features of data,wherein the digital forensic search tool enables said computing platform associated with said first agency to share the suspect data with said at least one computing platform associated with a second agency in a manner that enables utilization of the suspect data by the second agency while not revealing the actual content of the sensitive data to the second agency; and
  
  wherein instructions implementing said digital forensic search tool are provided in accordance with a search markup language.
- View Dependent Claims (2, 3, 4, 5, 6, 7)
- - 2. The computer-readable storage medium as recited in claim 1, further comprising a data verification portion containing a plurality of actual data representations for identifying potential suspect data.
  - 3. The computer-readable storage medium as recited in claim 1, wherein the features of data cannot be directly modified by the second agency.
  - 4. The computer-readable storage medium as recited in claim 1, wherein the search markup language portion and the data features portion enable the first agency to share an investigative strategy for a particular case with the second agency.
  - 5. The computer-readable storage medium as recited in claim 1, wherein the features of data cannot be used to recreate the sensitive data.
  - 6. The computer-readable storage medium as recited in claim 1, further comprising:
    - collecting said input data.
  - 7. The computer-readable storage medium as recited in claim 1, further comprising:
    - modifying content of said forensic search tool to change said pre-defined data patterns specified by said forensic search tool.

8. A digital forensic analysis method, comprising:
- extracting information from input data;
  
  detecting suspect data contained in said extracted data using a forensic search tool of a computing platform associated with a first agency, said detecting performed by matching said extracted data with one or more pre-defined data patterns specified by said forensic search tool, wherein said suspect data comprises data identified by said forensic search tool as being associated with inappropriate or illegal activities;
  
  including the suspect data and a non-readable and non-modifiable representation of sensitive data in the forensic search tool;
  
  outputting a report identifying said suspect data; and
  
  outputting said forensic search tool by said computing platform associated with said first agency to at least one computing platform associated with a second agency,wherein the digital forensic search tool comprisesa header;
  
  a search markup language portion;
  
  a data features portion containing features of data,wherein the digital forensic search tool enables said computing platform associated with said first agency to share the suspect data with said at least one computing platform associated with said second agency in a manner that enables utilization of the suspect data by the second agency while not revealing the actual content of the sensitive data to the second agency, andwherein said forensic search tool is implemented using said search markup language to permit sharing of said forensic search tool by said computing platform associated with the first agency with said at least one computing platform associated with the second agency.
- View Dependent Claims (9, 10, 11, 12, 13, 14, 15, 16, 17, 18, 19, 20, 21, 22, 23)
- - 9. The digital forensic analysis method of claim 8, further comprising:
    - storing said report in a reports repository,said report including forensic analysis findings.
  - 10. The digital forensic analysis method of claim 8, wherein said suspect data is conclusive data.
  - 11. The digital forensic analysis method of claim 8, wherein said detecting suspect data further comprises:
    - serially searching said extracted data using a plurality of said forensic search tools.
  - 12. The digital forensic analysis method of claim 8,wherein said detecting suspect data further comprises identifying suspect text, images, videos, objects, audio messages, and binary patterns.
  - 13. The digital forensic analysis method of claim 8, further comprising:
    - outputting an alert upon occurrence of a match between said extracted data and one of said pre-defined data patterns specified by said forensic search tool; and
      
      logging all user activities.
  - 14. The digital forensic analysis method of claim 8, wherein said detecting suspect data uses a semantic hash function.
  - 15. The digital forensic analysis method of claim 8, further comprising:
    - booting a suspect computer with a specialized operating system;
      
      computing one or more checksums to verify a before analysis state and an after analysis state of a memory device of said suspect computer; and
      
      copying files identified to include said detected suspect data and a findings report onto a removable storage medium.
  - 16. The digital forensic analysis method of claim 8, further comprising:
    - collecting said input data.
  - 17. The digital forensic analysis method of claim 8, further comprising:
    - modifying content of said forensic search tool to change said pre-defined data patterns specified by said forensic search tool.
  - 18. The digital forensic analysis method of claim 8, further comprising:
    - representing sensitive data using a digital fingerprint to prevent disclosure of said sensitive data to said at least one computing platform associated with a second agency.
  - 19. The digital forensic analysis method of claim 18, wherein said digital fingerprint is provided using a cryptographic one-way hash function.
  - 20. The digital forensic analysis method of claim 8, further comprising:
    - editing said forensic search tool based on at least one of an investigative strategy and an investigative goal.
  - 21. The digital forensic analysis method of claim 20, wherein said editing said forensic search tool further comprises:
    - creating said forensic search tool using said search markup language.
  - 22. The digital forensic analysis method of claim 8, further comprising:
    - computing said features of data based on said extracted data,wherein said detecting suspect data further comprises matching said computed features of data with said extracted data.
  - 23. The digital forensic analysis method of claim 22, wherein the computed features of data comprise speech recognition features.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
ADA Solutions Incorporated (Surewerx, Inc.)
Original Assignee
Advanced Digital Forensic Solutions, Inc.
Inventors
Bousquet, Raphael, Wallia, Jai Jit Singh
Primary Examiner(s)
Vo; Tim T.
Assistant Examiner(s)
TRAN, ANHTAI V

Application Number

US11/318,084
Publication Number

US 20070085710A1
Time in Patent Office

1,390 Days
Field of Search

707/3
US Class Current

1/1
CPC Class Codes

G06F 16/2465   Query processing support fo...

G06F 2216/03   Data mining

G06Q 50/18   Legal services

Y10S 707/99933   Query processing, i.e. sear...

Y10S 707/99943   Generating database or data...

Methods for searching forensic data

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

37 Citations

23 Claims

Specification

Solutions

Use Cases

Quick Links

Methods for searching forensic data

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

37 Citations

23 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links