Methods for searching forensic data

US 8,219,588 B2
Filed: 05/26/2011
Issued: 07/10/2012
Est. Priority Date: 10/19/2005
Status: Active Grant

First Claim

Patent Images

1. A nontransitory computer-readable storage medium upon which is embodied and stored a sequence of programmed instructions that, when executed by a processor, cause the processor to perform functions comprising:

extracting data from input data;

detecting suspect data contained in said extracted data using a forensic search tool of a computing platform associated with a first entity, said detecting performed by matching said extracted data with one or more pre-defined data patterns specified by said forensic search tool, wherein said suspect data comprises data identified by said forensic search tool as being associated with inappropriate or illegal activities;

including the suspect data and a non-readable and non-modifiable representation of sensitive data in the forensic search tool;

outputting a report identifying said suspect data; and

outputting said forensic search tool by said computing platform associated with said first entity to at least one computing platform associated with a second entity,wherein instructions associated with said digital forensic search tool further comprise a header,a search markup language portion, anda data features portion containing features of data,wherein the digital forensic search tool enables said computing platform associated with said first entity to share the digital forensic search tool with said at least one computing platform associated with a second entity in a manner that enables utilization of the representation of sensitive data by the second entity while not revealing the actual content of the sensitive data to the second entity; and

wherein instructions implementing said digital forensic search tool are provided in accordance with a search markup language.

View all claims

0 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

In one aspect of the present invention, a software component for conducting digital forensic searches is described. The software component has a header; one or more search markup language programs, and a data features section. The software component, also referred to as a search pack, enables a first entity, such as a federal investigation agency, to share its suspect and sensitive data with a second entity, such as another investigative agency in a manner that allows the second agency to utilize the suspect data while not revealing the actual content of the sensitive data to the second agency. The second agency can perform comparisons and other operations on the sensitive data without having to know the actual content of the data. The search pack allows an investigative agency to define an investigative strategy for a particular case via the search markup language programs and by the data features that it includes in the search pack. Thus, by sharing search packs among agencies, an agency can share or inform others of that agency'"'"'s theory of the case and investigative goal. Search packs can also be updated automatically as new information is learned about a particular case. A search pack is updated is determined by the agency that created it and manages it.

Citations

22 Claims

1. A nontransitory computer-readable storage medium upon which is embodied and stored a sequence of programmed instructions that, when executed by a processor, cause the processor to perform functions comprising:
- extracting data from input data;
  
  detecting suspect data contained in said extracted data using a forensic search tool of a computing platform associated with a first entity, said detecting performed by matching said extracted data with one or more pre-defined data patterns specified by said forensic search tool, wherein said suspect data comprises data identified by said forensic search tool as being associated with inappropriate or illegal activities;
  
  including the suspect data and a non-readable and non-modifiable representation of sensitive data in the forensic search tool;
  
  outputting a report identifying said suspect data; and
  
  outputting said forensic search tool by said computing platform associated with said first entity to at least one computing platform associated with a second entity,wherein instructions associated with said digital forensic search tool further comprise a header,a search markup language portion, anda data features portion containing features of data,wherein the digital forensic search tool enables said computing platform associated with said first entity to share the digital forensic search tool with said at least one computing platform associated with a second entity in a manner that enables utilization of the representation of sensitive data by the second entity while not revealing the actual content of the sensitive data to the second entity; and
  
  wherein instructions implementing said digital forensic search tool are provided in accordance with a search markup language.
- View Dependent Claims (2, 3, 4, 5, 6, 7)
- - 2. The computer-readable storage medium as recited in claim 1, further comprising a data verification portion containing a plurality of actual data representations for identifying potential suspect data.
  - 3. The computer-readable storage medium as recited in claim 1, wherein the features of data cannot be directly modified by the second entity.
  - 4. The computer-readable storage medium as recited in claim 1, wherein the search markup language portion and the data features portion enable the first entity to share an investigative strategy for a particular case with the second entity.
  - 5. The computer-readable storage medium as recited in claim 1, wherein the features of data cannot be used to recreate the sensitive data.
  - 6. The computer-readable storage medium as recited in claim 1, further comprising:
    - collecting said input data.
  - 7. The computer-readable storage medium as recited in claim 1, further comprising:
    - modifying content of said forensic search tool to change said pre-defined data patterns specified by said forensic search tool.

8. A digital forensic analysis method, comprising:
- extracting data from input data;
  
  detecting suspect data contained in said extracted data using a forensic search tool of a computing platform associated with a first entity, said detecting performed by matching said extracted data with one or more pre-defined data patterns specified by said forensic search tool, wherein said suspect data comprises data identified by said forensic search tool as being associated with inappropriate or illegal activities;
  
  including the suspect data and a non-readable and non-modifiable representation of sensitive data in the forensic search tool;
  
  outputting a report identifying said suspect data; and
  
  outputting said forensic search tool by said computing platform associated with said first entity to at least one computing platform associated with a second entity, wherein the said forensic search tool includes features portion containing features of data, a header, and a search markup language portion, wherein said forensic search tool enables said computing platform associated with said first entity to share said forensic search tool with said at least one computing platform associated with said second entity in a manner that enables utilization of the representation of sensitive data by the second entity while not revealing the actual content of the sensitive data to the second, andwherein said forensic search tool is implemented using said search markup language to permit sharing of said forensic search tool by said computing platform associated with the first entity with said at least one computing platform associated with the second entity.
- View Dependent Claims (9, 10, 11, 12, 13, 14, 15, 16, 17, 18, 19, 20, 21, 22)
- - 9. The digital forensic analysis method of claim 8, further comprising:
    - representing sensitive data using a digital fingerprint to prevent disclosure of said sensitive data to said at least one computing platform associated with a second entity.
  - 10. The digital forensic analysis method of claim 8, further comprising:
    - storing said report in a reports repository,said report including forensic analysis findings.
  - 11. The digital forensic analysis method of claim 8,wherein said suspect data is conclusive data.
  - 12. The digital forensic analysis method of claim 8, wherein said detecting suspect data further comprises:
    - serially searching said extracted data using a plurality of said forensic search tools.
  - 13. The digital forensic analysis method of claim 8,wherein said detecting suspect data further comprises identifying suspect text, images, videos, objects, audio messages, and binary patterns.
  - 14. The digital forensic analysis method of claim 8, further comprising:
    - computing said features of data based on said extracted data,wherein said detecting suspect data further comprises matching said computed features of data with said extracted data.
  - 15. The digital forensic analysis method of claim 8, further comprising:
    - outputting an alert upon occurrence of a match between said extracted data and one of said pre-defined data patterns specified by said forensic search tool; and
      
      logging all user activities.
  - 16. The digital forensic analysis method of claim 8, wherein said detecting suspect data uses a semantic hash function.
  - 17. The digital forensic analysis method of claim 8, further comprising:
    - booting a suspect computer with a specialized operating system;
      
      computing one or more checksums to verify a before analysis state and an after analysis state of a memory device of said suspect computer; and
      
      copying files identified to include said detected suspect data and a findings report onto a removable storage medium.
  - 18. The digital forensic analysis method of claim 8, further comprising:
    - collecting said input data.
  - 19. The digital forensic analysis method of claim 8, further comprising:
    - modifying content of said forensic search tool to change said pre-defined data patterns specified by said forensic search tool.
  - 20. The digital forensic analysis method of claim 9, wherein said digital fingerprint is provided using a cryptographic one-way hash function.
  - 21. The digital forensic analysis method of claim 14,wherein the computed features of data comprise speech recognition features.
  - 22. The digital forensic analysis method of claim 20, wherein said editing said forensic search tool further comprises:
    - creating said forensic search tool using said search markup language.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
ADA Solutions Incorporated (Surewerx, Inc.)
Original Assignee
ADA Solutions Incorporated (Surewerx, Inc.)
Inventors
Bousquet, Raphael, Wallia, Jai Jit Singh
Primary Examiner(s)
Vo, Tim T
Assistant Examiner(s)
TRAN, ANHTAI V

Application Number

US13/116,831
Publication Number

US 20110295886A1
Time in Patent Office

411 Days
Field of Search

None
US Class Current

707/791
CPC Class Codes

G06F 16/2465   Query processing support fo...

G06F 2216/03   Data mining

G06Q 50/18   Legal services

Y10S 707/99933   Query processing, i.e. sear...

Y10S 707/99943   Generating database or data...

Methods for searching forensic data

First Claim

0 Assignments

0 Petitions

Accused Products

Abstract

Citations

22 Claims

Specification

Solutions

Use Cases

Quick Links

Methods for searching forensic data

First Claim

0 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

22 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links