System and method for searching for static data in a computer investigation system

US 7,711,728 B2
Filed: 12/21/2005
Issued: 05/04/2010
Est. Priority Date: 06/20/2002
Status: Expired due to Term

First Claim

Patent Images

1. In a networked computer investigation system including a client device and a plurality of target devices coupled to the client device, a method for investigating data stored in one or more storage devices coupled to the plurality of target devices, the method comprising:

Identifying by the client device a search key;

Identifying by the client device, based on file metadata, a first file stored in a first storage device coupled to a first target device and a second file stored in a second storage device coupled to a second target device;

Transmitting the search key to the first and second target devices over a secure data communications network;

Streaming by the client device, over the secure data communications network, a plurality of first file extents associated with the first file to the first target device, and a plurality of second file extents associated with the second file to the second target device, each file extent identifying a range of data of the corresponding file to be searched;

Receiving and processing by respectively the first and second target devices the streamed first and second file extents,Storing the received first and second file extents in respectively first and second in-queues at respectively the first and second target devices;

Monitoring fullness of the first and second in-queues;

Responsive to the monitoring, streaming by the client device a second plurality of first file extents associated with the first file to the first target device and a second plurality of second file extents associated with the second file to the second target device, over the secure data communications network;

Concurrently searching by the first and second target devices for the search key at respectively each range of data specified in each received first file extent and at each range of data specified in each received second file extent; and

Generating search results by the first and second target devices based on the respective searching of each range of data, wherein the search results identify information relating to the search key located during the searching.

View all claims

7 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A system and method for concurrent investigations of static data stored in one or more secondary storage devices of one or more target machines in a data communications network. The network includes an examining machine, a secure server, and various target machines. The examining machine transmits to the target machines a search request including a search key. The examining machine also streams to each target machine metadata information and file extents of the files to be searched. The target machines concurrently search the indicated file extents for the search key. The target machines then stream the search results to the examining machine.

39 Citations

View as Search Results

30 Claims

1. In a networked computer investigation system including a client device and a plurality of target devices coupled to the client device, a method for investigating data stored in one or more storage devices coupled to the plurality of target devices, the method comprising:
- Identifying by the client device a search key;
  
  Identifying by the client device, based on file metadata, a first file stored in a first storage device coupled to a first target device and a second file stored in a second storage device coupled to a second target device;
  
  Transmitting the search key to the first and second target devices over a secure data communications network;
  
  Streaming by the client device, over the secure data communications network, a plurality of first file extents associated with the first file to the first target device, and a plurality of second file extents associated with the second file to the second target device, each file extent identifying a range of data of the corresponding file to be searched;
  
  Receiving and processing by respectively the first and second target devices the streamed first and second file extents,Storing the received first and second file extents in respectively first and second in-queues at respectively the first and second target devices;
  
  Monitoring fullness of the first and second in-queues;
  
  Responsive to the monitoring, streaming by the client device a second plurality of first file extents associated with the first file to the first target device and a second plurality of second file extents associated with the second file to the second target device, over the secure data communications network;
  
  Concurrently searching by the first and second target devices for the search key at respectively each range of data specified in each received first file extent and at each range of data specified in each received second file extent; and
  
  Generating search results by the first and second target devices based on the respective searching of each range of data, wherein the search results identify information relating to the search key located during the searching.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 21, 22, 23, 24, 25, 27, 28, 29, 30)
- - 2. The method of claim 1 further comprising:
    - maintaining by the client device a file directory of files stored in the first and second storage devices; and
      
      retrieving by the client device file properties information on the first and second files.
  - 3. The method of claim 2, wherein the file properties information includes file access information streamed to the first and second target devices for respectively accessing the first and second files.
  - 4. The method of claim 1 further comprising:
    - storing first and second search results in respectively first and second out-queues at respectively the first and second target devices;
      
      polling a particular out-queue coupled to a particular target device by the client device during a polling period; and
      
      streaming by the particular target device one or more search results stored in the particular out-queue responsive to the poll.
  - 5. The method of claim 1 further comprising:
    - establishing secure communication between a server and the client device over a data communications network;
      
      establishing secure communication between the server and each of the target devices over the data communications network; and
      
      establishing secure communication between the client device and each of the target devices over the data communications network.
  - 6. The method of claim 1 further comprising:
    - identifying by the client device a third file stored in a particular storage device coupled to a particular target device;
      
      retrieving file properties of the third file;
      
      determining based on the file properties whether the third file meets one or more filter criteria;
      
      transmitting a request to the particular target device for the third file responsive to the determination;
      
      receiving the third file from the particular target device responsive to the request;
      
      locally searching the third file by the client device responsive to the filtering.
  - 7. The method of claim 6, wherein the one or more filter criteria is a size of the third file.
  - 8. The method of claim 1, wherein the first and second storage devices are hard disks.
  - 21. The method of claim 1, wherein respectively the first and second target devices receiving the streamed first and second file extents each proceed to search contents of the corresponding file for the search key at the range of data specified in a received first one of the streamed file extents before receipt of a second one of the streamed file extents.
  - 22. The method of claim 1 further comprising:
    - displaying the search results on a display monitor coupled to the client device.
  - 23. The method of claim 1, wherein the search key is a non-metadata data pattern contained in the first or second file.
  - 24. The method of claim 1, wherein the first and second file extents respectively identify blocks of data storing contents of respectively the first and second files.
  - 25. The method of claim 1 further comprising:
    - retrieving by the client device file properties of the first and second files to be searched; and
      
      determining by the client device, based on the retrieved file properties, whether each of the first and second files to be searched satisfies a filter criteria, wherein the filter criteria is selected from a group consisting of a threshold file size and file type, wherein the transmitting, streaming, receiving, identifying, concurrently searching, and generating steps with respect to the first and second target devices are engaged only if the determining outputs a first result with respect to the corresponding first or second file, but if the determining outputs a second result;
      
      receiving the corresponding first or second file by the client device from the corresponding first or second target device; and
      
      searching the contents of the corresponding file locally by the client device for the search key instead of invoking the corresponding first or second target device.
  - 27. The method of claim 1, wherein the search results identify a location in which the search key is stored.
  - 28. The method of claim 22, wherein the first file is identified by a first file identifier included in the first file metadata and the second file is identified by a second file identifier included in the second file metadata.
  - 29. The method of claim 1 further comprising:
    - streaming by the client device first file metadata and second file metadata to respectively the first target device and the second target device; and
      
      identifying by respectively the first and second target devices the first and second files based on the received first and second file metadata.
  - 30. The method of claim 1, wherein the monitoring fullness of the first and second in-queues is by the client device.

9. A computer investigation system comprising:
- a client device;
  
  first and second target devices coupled to the client device over a data communications network;
  
  first and second storage devices coupled respectively to the first and second target devices;
  
  a server brokering secure communication between the client device and the first and second target devices over the data communications network, wherein the client device;
  
  identifies a search key,identifies, based on file metadata, a first file stored in the first storage device coupled to the first target device and a second file stored in the second storage device coupled to the second target device,Transmits the search key to the first and second target devices over a secure data communications network, andStreams over the secure data communications network plurality of first file extents associated with the first file to the first target device, and a plurality of second file extents associated with the second file to the second target device, each file extent identifying a range of data of the corresponding file to be searched,Wherein the first and second target devices respectively;
  
  Receive and process the streamed first and second file extents,Concurrently search for the search key at respectively each range of data specified in each received first file extent and at each range of data specified in each received second file extent, andRespectively generating search results based on the searching of each range of data, wherein the search results identify information relating to the search key located during the searching; and
  
  First and second in-queues respectively coupled to the first and second target devices and respectively storing the received first and second file extents,Wherein the first and second in-queues are monitored for fullness, andin response to the monitoring, the client device streams a second plurality of first file extents associated with the first file to the first target device and a second plurality of second file extents associated with the second file to the second target device for causing the first and second target devices to search for the search key at the range of data specified in respectively each of the second plurality of first file extents and each of the second plurality of second file extents.
- View Dependent Claims (10, 11, 12, 13, 14, 15, 16)
- - 10. The system of claim 9, wherein the client device maintains a file directory of files stored in the first and second storage devices and retrieves file property information on the first and second files.
  - 11. The system of claim 10, wherein the file properties information includes file access information streamed to the first and second target devices for respectively accessing the first and second files.
  - 12. The system of claim 9 further comprising:
    - first and second out-queues respectively coupled to the first and second target devices, the first and second out-queues respectively storing first and second search results, wherein the client device polls a particular out-queue coupled to a particular target device during a polling period and, responsive to the poll, the particular target device streams one or more search results stored in the particular out-queue.
  - 13. The system of claim 9, wherein the server establishes secure communication with the client device over a data communications network and further establishes secure communication with each of the target devices for allowing secure communication between the client device and each of the target devices.
  - 14. The system of claim 9, wherein the client device identifies a third file stored in a particular storage device coupled to a particular target device, retrieves file properties of the third file, determines based on the file properties whether the third file meets one or more filter criteria, transmits a request to the particular target device for the third file responsive to the determination, receives the third file from the particular target device responsive to the request, and locally searches the third file responsive to the filtering.
  - 15. The system of claim 14, wherein the one or more filter criteria is a size of the third file.
  - 16. The system of claim 9, wherein the first and second storage devices are hard disks.

17. In a networked computer investigation system, a client device investigating data stored in first and second storage devices respectively coupled to first and second target devices, the client device comprising:
- a processor;
  
  a memory operably coupled to the processor and storing program instructions therein, the processor being operable to execute the program instructions, the program instructions including;
  
  identifying a search key;
  
  identifying, based on file metadata, a first file stored in the first storage device coupled to the first target device and a second file stored in the second storage device coupled to the second target device;
  
  transmitting the search key to the first and second target devices over a secure data communications network;
  
  streaming over the secure data communications network a plurality of first file extents associated with the first file to the first target device, and a plurality of second file extents associated with the second file to the second target device, each file extent identifying a range of data of the corresponding file to be searched,Wherein the first and second target devices are configured to concurrently search for the search key at respectively each range of data specified in each received first file extent and at each range of data specified in each received second fileWherein the first and second target devices are respectively coupled to first and second in-queues respectively storing received first and second file extents,Wherein the first and second in-queues are monitored for fullness;
  
  responsive to the monitoring, streaming by the client device a second plurality of first file extents associated with the first file to the first target device and a second plurality of second file extents associated with the second file to the second target device, over the secure data communications network,wherein the first and second target devices are configured to search for the search key at the range of data specified in respectively each of the second plurality of first file extents and each of the second plurality of second file extents; and
  
  Receiving first and second search results generated by respectively the first and second target devices based on the respective searching of each range of data, wherein the search results identify information relating to the search key located during the searching.
- View Dependent Claims (18, 19, 20)
- - 18. The client device of claim 17 further comprising:
    - a file manager maintaining a file directory of files stored in the first and second storage devices and retrieving file properties information on the first and second files.
  - 19. The client device of claim 18, wherein the file properties information includes file access information streamed to the first and second target devices for respectively accessing the first and second files.
  - 20. The client device of claim 19, wherein the computer instructions further comprise:
    - identifying a third file stored in a particular storage device coupled to a particular target device;
      
      retrieving file properties of the third file;
      
      determining based on the file properties whether the third file meets one or more filter criteria;
      
      transmitting a request to the particular target device for the third file responsive to the determination;
      
      receiving the third file from the particular target device responsive to the request; and
      
      locally searching the third file responsive to the filtering.

26. In a networked computer investigation system including a client device and a plurality of target devices coupled to the client device, a method for investigating data stored in one or more storage devices coupled to the plurality of target devices, the method comprising:
- identifying by the client device the search key for conducting a search of contents of files stored in the various target devices;
  
  identifying by the client device, based on file metadata, a first file stored in a first storage device coupled to a first target device and a second file stored in a second storage device coupled to a second target device;
  
  retrieving by the client device file properties of the first and second files to be searched;
  
  determining by the client device, based on the retrieved file properties, whether the first and second files to be searched each satisfies a filter criteria;
  
  if the determining outputs a first result;
  
  transmitting by the client device the search key to the first and second target devices over a secure data communications network;
  
  streaming by the client device over the secure data communications network a plurality of first file extents associated with the first file to the first target device, and a plurality of second file extents associated with the second file to the second target device, each file extent identifying a range of data of the corresponding file to be searched;
  
  receiving and processing by respectively the first and second target devices the streamed first and second file extents;
  
  storing the received first and second file extents in respectively first and second in-queues at respectively the first and second target devices;
  
  monitoring fullness of the first and second in-queues;
  
  responsive to the monitoring, streaming by the client device a second plurality of first file extents associated with the first file to the first target device and a second plurality of second file extents associated with the second file to the second target device, over the secure data communications network;
  
  concurrently searching by the first and second target devices for the search key at respectively each range of data specified in each received first file extent and at each range of data specified in each received second file extent; and
  
  receiving by the client device from the one of the plurality of target devices search results generated by the first and second target devices based on the respective searching of each range of data, wherein the search results identify information relating to the search key located during the searching; and
  
  if the determining outputs a second result;
  
  receiving the file by the client device from one of the plurality of target devices; and
  
  searching the contents of the file locally by the client device for the search key instead of invoking the plurality of target devices.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Open Text Holdings, Inc. (Open Text Corporation)
Original Assignee
Guidance Software Incorporated (Open Text Corporation)
Inventors
Weber, Dominik, McCreight, Shawn
Primary Examiner(s)
Ali; Mohammad
Assistant Examiner(s)
Hocker; John P

Application Number

US11/315,761
Publication Number

US 20060101009A1
Time in Patent Office

1,595 Days
Field of Search

707 1- 10
US Class Current

707/712
CPC Class Codes

G06F 16/14 Details of searching files ...

System and method for searching for static data in a computer investigation system

First Claim

7 Assignments

0 Petitions

Accused Products

Abstract

39 Citations

30 Claims

Specification

Solutions

Use Cases

Quick Links

System and method for searching for static data in a computer investigation system

First Claim

7 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

39 Citations

30 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links