Electronic discovery system and method
Abstract
A computer investigation system and method that conducts electronic discovery of desired files across a live network in a forensically sound manner. The investigation entails an examining machine electronically identifying, collecting, and preserving evidence from target machines that is responsive to a set of investigation criteria. The set of investigation criteria is associated with an investigation subject that is identified by a global unique identifier (GUID). As the investigation subject is applied to the various files, the responsive files are stamped with the GUID and preserved in a container file referred to as a logical evidence file (LEF). The GUID allows the results of an investigation to be easily and reliably traced to the particular investigation subject that was applied.
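The workflow in the abstract, as an added Python example (not code from the patent or from any product). Assumptions: a frozen dataclass plus a SHA-256 seal stands in for "locking", a plain dict stands in for the logical evidence file, and the condition names `name` and `min_size` and the sample metadata are constructed for illustration.

```python
import hashlib
import json
import uuid
from dataclasses import dataclass
from fnmatch import fnmatch

@dataclass(frozen=True)  # frozen: conditions and GUID cannot be reassigned after creation
class InvestigationSubject:
    conditions: tuple  # grouped filter conditions, e.g. (("name", "*.docx"), ("min_size", 1024))
    guid: str          # generated automatically, never supplied by the examiner
    digest: str        # seal over GUID + conditions, re-checked when tracing results

def seal(guid, conditions):
    return hashlib.sha256(json.dumps([guid, list(conditions)]).encode()).hexdigest()

def lock_subject(conditions):
    conds = tuple(tuple(c) for c in conditions)
    guid = str(uuid.uuid4())
    return InvestigationSubject(conds, guid, seal(guid, conds))

# Supported condition types (assumed); an unknown key raises KeyError instead of being ignored.
CHECKS = {
    "name": lambda meta, pattern: fnmatch(meta["name"], pattern),
    "min_size": lambda meta, size: meta["size"] >= size,
}

def matches(meta, conditions):
    return all(CHECKS[key](meta, value) for key, value in conditions)

def collect(subject, target_files):
    # Only metadata of matching files enters the container, copied without modification.
    entries = [dict(m) for m in target_files if matches(m, subject.conditions)]
    return {"subject_guid": subject.guid, "entries": entries}

def traces_to(container, subject):
    # The container traces to a subject only if the seal still holds and the GUIDs agree.
    intact = seal(subject.guid, subject.conditions) == subject.digest
    return intact and container["subject_guid"] == subject.guid

# Constructed sample metadata standing in for files on a target device.
TARGET_FILES = [
    {"name": "q3-forecast.docx", "size": 48211, "mtime": "2006-03-14T09:12:00Z"},
    {"name": "notes.txt", "size": 312, "mtime": "2006-03-15T17:40:00Z"},
    {"name": "empty.docx", "size": 0, "mtime": "2006-03-16T08:01:00Z"},
]

if __name__ == "__main__":
    subject = lock_subject([("name", "*.docx"), ("min_size", 1024)])
    lef = collect(subject, TARGET_FILES)
    print(lef["subject_guid"], [e["name"] for e in lef["entries"]], traces_to(lef, subject))
```

Rebuilding a subject with altered conditions under the original GUID and digest makes `traces_to` return false, which is the property the GUID stamp relies on.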
28 Claims
1. A computer-implemented method for conducting investigations of one or more target devices in a data communications network, the method comprising:
- defining, under control of a computer, one or more filter conditions for culling one or more files stored in the one or more target devices;
- grouping the one or more filter conditions into a single investigation subject;
- automatically generating, under control of the computer, at least one global unique identifier uniquely identifying the investigation subject;
- locking the investigation subject and the at least one global unique identifier for preventing modification of the filter conditions and the global unique identifier;
- storing in memory the locked investigation subject and the locked global unique identifier, in association with each other;
- generating an evidence container file on an examining machine;
- applying by the examining machine the locked investigation subject to a plurality of files stored in the one or more target devices during an investigation session;
- receiving from the one or more target devices at least metadata of one or more of the plurality of files matching the plurality of filter conditions of the applied investigation subject, wherein the matching files is only a subset of the plurality of files stored in the one or more target devices and the one or more target devices transmit at least the metadata for only the matching files;
- storing in the evidence container file at least the received metadata of the matching files without modification to the received metadata due to the storing;
- storing by the examining machine in the evidence container file or attaching to one or more of the matching files in the evidence container file, the locked global unique identifier, wherein the locked global unique identifier associates the matching files to the applied investigation subject thereby evidencing that the matching files resulted from the investigation session that applied the investigation subject.

Dependent claims: 2, 3, 4, 5, 6, 7, 8, 17, 18, 19, 20, 21, 22, 23, 24, 25, 26, 27, 28
9. A system for conducting investigations of one or more target devices in a data communications network, the system comprising:
- one or more processors; and
- one or more memory devices operably coupled to the one or more processors storing program instructions therein, each of the one or more processors being operable to execute one or more of the program instructions, the program instructions including:
  - defining one or more filter conditions for culling one or more files stored in the one or more target devices;
  - grouping the one or more filter conditions into a single investigation subject;
  - automatically generating at least one global unique identifier uniquely identifying the investigation subject;
  - locking the investigation subject and the at least one global unique identifier for preventing modification of the filter conditions and the global unique identifier;
  - storing the locked investigation subject and the locked global unique identifier, in association with each other, in the one or more memory devices;
  - generating an evidence container file on the one or more memory devices;
  - applying the locked investigation subject to a plurality of files stored in the one or more target devices during an investigation session;
  - receiving from the one or more target devices at least metadata of one or more of the plurality of files matching the plurality of filter conditions of the applied investigation subject, wherein the matching files is only a subset of the plurality of files stored in the one or more target devices and the one or more target devices transmit at least the metadata for only the matching files;
  - storing in the evidence container file at least the received metadata of the matching files without modification to the received metadata due to the storing;
  - storing in the evidence container file or attaching to one or more of the matching files in the evidence container file, the locked global unique identifier, wherein the locked global unique identifier associates the matching files to the applied investigation subject thereby evidencing that the matching files resulted from the investigation session that applied the investigation subject.

Dependent claims: 10, 11, 12, 13, 14, 15, 16
Specification