Electronic discovery system and method

US 7,809,686 B2
Filed: 10/06/2006
Issued: 10/05/2010
Est. Priority Date: 10/06/2005
Status: Active Grant

First Claim

Patent Images

1. A computer-implemented method for conducting investigations of one or more target devices in a data communications network, the method comprising:

defining, under control of a computer, one or more filter conditions for culling one or more files stored in the one or more target devices;

grouping the one or more filter conditions into a single investigation subject;

automatically generating, under control of the computer, at least one global unique identifier uniquely identifying the investigation subject;

locking the investigation subject and the at least one global unique identifier for preventing modification of the filter conditions and the global unique identifier;

storing in memory the locked investigation subject and the locked global unique identifier, in association with each other;

generating an evidence container file on an examining machine;

applying by the examining machine the locked investigation subject to a plurality of files stored in the one or more target devices during an investigation session;

receiving from the one or more target devices at least metadata of one or more of the plurality of files matching the plurality of filter conditions of the applied investigation subject, wherein the matching files is only a subset of the plurality of files stored in the one or more target devices and the one or more target devices transmit at least the metadata for only the matching filesstoring in the evidence container file at least the received metadata of the matching files without modification to the received metadata due to the storing;

storing by the examining machine in the evidence container file or attaching to one or more of the matching files in the evidence container file, the locked global unique identifier, wherein the locked global unique identifier associates the matching files to the applied investigation subject thereby evidencing that the matching files resulted from the investigation session that applied the investigation subject.

View all claims

8 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A computer investigation system and method that conducts electronic discovery of desired files across a live network in a forensically sound manner. The investigation entails an examining machine electronically identifying, collecting, and preserving evidence from target machines that is responsive to a set of investigation criteria. The set of investigation criteria is associated with an investigation subject that is identified by a global unique identifier (GUID). As the investigation subject is applied to the various files, the responsive files are stamped with the GUID and preserved in a container file referred to as a logical evidence file (LEF). The GUID allows the results of an investigation to be easily and reliably traced to the particular investigation subject that was applied.

Citations

28 Claims

1. A computer-implemented method for conducting investigations of one or more target devices in a data communications network, the method comprising:
- defining, under control of a computer, one or more filter conditions for culling one or more files stored in the one or more target devices;
  
  grouping the one or more filter conditions into a single investigation subject;
  
  automatically generating, under control of the computer, at least one global unique identifier uniquely identifying the investigation subject;
  
  locking the investigation subject and the at least one global unique identifier for preventing modification of the filter conditions and the global unique identifier;
  
  storing in memory the locked investigation subject and the locked global unique identifier, in association with each other;
  
  generating an evidence container file on an examining machine;
  
  applying by the examining machine the locked investigation subject to a plurality of files stored in the one or more target devices during an investigation session;
  
  receiving from the one or more target devices at least metadata of one or more of the plurality of files matching the plurality of filter conditions of the applied investigation subject, wherein the matching files is only a subset of the plurality of files stored in the one or more target devices and the one or more target devices transmit at least the metadata for only the matching filesstoring in the evidence container file at least the received metadata of the matching files without modification to the received metadata due to the storing;
  
  storing by the examining machine in the evidence container file or attaching to one or more of the matching files in the evidence container file, the locked global unique identifier, wherein the locked global unique identifier associates the matching files to the applied investigation subject thereby evidencing that the matching files resulted from the investigation session that applied the investigation subject.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 17, 18, 19, 20, 21, 22, 23, 24, 25, 26, 27, 28)
- - 2. The method of claim 1 further comprising:
    - regenerating the global unique identifier in response to a user command to modify the one or more filter conditions; and
      
      storing the regenerated global unique identifier in association with the investigation subject.
  - 3. The method of claim 1, wherein at least one of the one or more filter conditions specify file metadata, the method further comprising:
    - retrieving filesystem data of the one or more target devices;
      
      comparing the filesystem data with the specified file metadata; and
      
      identifying the one or more of the plurality of files based on the comparison.
  - 4. The method of claim 1, wherein at least one of the one or more filter conditions includes one or more keywords for identifying files in the one or more target devices containing the one or more keywords.
  - 5. The method of claim 1, wherein at least one of the one or more filter conditions identifies a specific source file for identifying a file in the one or more target devices matching the source file.
  - 6. The method of claim 5 further comprising:
    - identifying lengths of the source file and a file in a particular target machine that is being considered for a match;
      
      determining whether the lengths are equal;
      
      if the lengths are equal, invoking the target machine to compute a digital signature value of the file being considered for a match;
      
      retrieving the digital signature values of the source file and the file being considered for a match;
      
      determining whether the digital signature values are equal; and
      
      if the digital signature values are equal, identifying the file being considered for a match as a matching file.
  - 7. The method of claim 1 further comprising:
    - storing the global unique identifier in an examiner report;
      
      receiving the examiner report including the global unique identifier;
      
      retrieving the global unique identifier from the evidence container file;
      
      comparing the global unique identifier in the examiner report with the global unique identifier in the evidence container file; and
      
      outputting a verification message upon a match of the global unique identifiers.
  - 8. The method of claim 1 further comprising:
    - retrieving by a computer device the stored global unique identifier from the evidence container file;
      
      searching by the computer device for an investigation subject matching the global unique identifier;
      
      reconstructing the one or more filter conditions in the investigation subject identified from the searching; and
      
      displaying on a display coupled to the computer device, the reconstructed plurality of filter conditions as the filter conditions applied for obtaining at least the metadata stored in the evidence container file.
  - 17. The method of claim 1 further comprising:
    - establishing a data communications link with the one or more target devices; and
      
      copying the matching files from the one or more target devices in one continuous period of time.
  - 18. The method of claim 17, wherein the copying of the matching files in one continuous period of time includes:
    - detecting disruption of the data communications link; and
      
      re-scanning the one or more target devices from the start position in response to a resuming of the data communications link.
  - 19. The method of claim 1 further comprising:
    - storing in the evidence container file a hash value of at least one of the matching files which content is stored in the evidence container file;
      
      re-computing the hash value of the at least one of the matching files; and
      
      comparing the stored hash value against the re-computed hash value for detecting corruption of the evidence container file.
  - 20. The method of claim 1 further comprising:
    - extracting preserved full file directory structure of the matching files for recreating, by the examining machine, the matching files as existing in the one or more target machines devices.
  - 21. The method of claim 1, wherein the global unique identifier is separate from a plurality of encryption keys for encrypting communication to and from the examining machine.
  - 22. The method of claim 1, wherein contents of the matching files are stored in the evidence container file without making a disk image of one or more hard disks of the one or more target devices storing the matching files.
  - 23. The method of claim 1, wherein the metadata includes timestamps, the method further comprising:
    - preserving, without modification, timestamps of when each of the matching files was modified, accessed, and created; and
      
      writing into the evidence container file the preserved timestamps of each of the matching files.
  - 24. The method of claim 1, wherein the locked investigation subject is concurrently applied to a plurality of target devices over the data communications network.
  - 25. The method of claim 24 further comprising:
    - maintaining in a database status of the investigation for each of the plurality of target devices.
  - 26. The method of claim 1, wherein the received metadata is stored in a body of the evidence container file as text data.
  - 27. The method of claim 1, wherein the one or more target machines conduct a non-indexed search of the plurality of files for a key word specified as one of the filter conditions.
  - 28. The method of claim 1 further comprising:
    - maintaining in a database one or more log files for the one or more target machines; and
      
      storing in the one or more log files information of each of the plurality of files considered by the one or more target machines for a match against the one or more filter conditions.

9. A system for conducting investigations of one or more target devices in a data communications network, the system comprising:
- one or more processors; and
  
  one or more memory devices operably coupled to the one or more processors storing program instructions therein, each of the one or more processors being operable to execute one or more of the program instructions, the program instructions including;
  
  defining one or more filter conditions for culling one or more files stored in the one or more target devices;
  
  grouping the one or more filter conditions into a single investigation subject;
  
  automatically generating at least one global unique identifier uniquely identifying the investigation subject;
  
  locking the investigation subject and the at least one global unique identifier for preventing modification of the filter conditions and the global unique identifier;
  
  storing the locked investigation subject and the locked global unique identifier, in association with each other, in the one or more memory devices;
  
  generating an evidence container file on the one or more memory devices;
  
  applying the locked investigation subject to a plurality of files stored in the one or more target devices during an investigation session;
  
  receiving from the one or more target devices at least metadata of one or more of the plurality of files matching the plurality of filter conditions of the applied investigation subject, wherein the matching files is only a subset of the plurality of files stored in the one or more target devices and the one or more target devices transmit at least the metadata for only the matching files;
  
  storing in the evidence container file at least the received metadata of the matching files without modification to the received metadata due to the storing;
  
  storing in the evidence container file or attaching to one or more of the matching files in the evidence container file, the locked global unique identifier, wherein the locked global unique identifier associates the matching files to the applied investigation subject thereby evidencing that the matching files resulted from the investigation session that applied the investigation subject.
- View Dependent Claims (10, 11, 12, 13, 14, 15, 16)
- - 10. The system of claim 9, wherein the program instructions further include:
    - regenerating the global unique identifier in response to a user command to modify the one or more filter conditions; and
      
      storing the regenerated global unique identifier in association with the investigation subject.
  - 11. The system of claim 9, wherein at least one of the one or more filter conditions specify file metadata, the program instructions further including:
    - retrieving filesystem data of the one or more target devices;
      
      comparing the filesystem data with the specified file metadata; and
      
      identifying the one or more of the plurality of files based on the comparison.
  - 12. The system of claim 9, wherein at least one of the one or more filter conditions includes one or more keywords for identifying files in the one or more target devices containing the one or more keywords.
  - 13. The system of claim 9, wherein at least one of the one or more filter conditions identifies a specific source file for identifying a file in the one or more target devices matching the source file.
  - 14. The system of claim 13, wherein the program instructions further include:
    - identifying lengths of the source file and a file in a particular target machine that is being considered for a match;
      
      determining whether the lengths are equal;
      
      if the lengths are equal, invoking the target machine to compute a digital signature value of the file being considered for a match;
      
      retrieving the digital signature values of the source file and the file being considered for a match;
      
      determining whether the digital signature values are equal; and
      
      if the digital signature values are equal, identifying the file being considered for a match as a matching file.
  - 15. The system of claim 9, wherein the-program instructions further include:
    - storing the global unique identifier in an examiner report;
      
      receiving the examiner report including the global unique identifier;
      
      retrieving the global unique identifier from the evidence container file;
      
      comparing the global unique identifier in the examiner report with the global unique identifier in the evidence container file; and
      
      outputting a verification message upon a match of the global unique identifiers.
  - 16. The system of claim 9 further comprising a computer device configured to:
    - retrieve the stored global unique identifier from the evidence container file;
      
      search for an investigation subject matching the global unique identifier;
      
      reconstruct the one or more filter conditions in the investigation subject identified from the searching; and
      
      display on a display the reconstructed plurality of filter conditions as the filter conditions applied for obtaining the one or more files in the evidence container file.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Open Text Holdings, Inc. (Open Text Corporation)
Original Assignee
Guidance Software Incorporated (Open Text Corporation)
Inventors
McCreight, Shawn, Botta, Brent, Stewart, Jon
Primary Examiner(s)
Mofiz; Apu M
Assistant Examiner(s)
Jacob; Ajith

Application Number

US11/544,534
Publication Number

US 20070112783A1
Time in Patent Office

1,460 Days
Field of Search

707/204, 707/653
US Class Current

707/653
CPC Class Codes

G06F 16/951   Indexing; Web crawling tech...

G06F 21/577   Assessing vulnerabilities a...

G06Q 10/00   Administration; Management

H04L 63/12   Applying verification of th...

Electronic discovery system and method

First Claim

8 Assignments

0 Petitions

Accused Products

Abstract

Citations

28 Claims

Specification

Solutions

Use Cases

Quick Links

Electronic discovery system and method

First Claim

8 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

28 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links