Automated forensic document signatures
Abstract
Methods and systems are provided for a proactive approach for computer forensic investigations. The invention allows organizations anticipating the need for forensic analysis to prepare in advance. Digital signatures are generated proactively for a specified target. The digital signature represents a digest of the content of the target, and can be readily stored. Searching and comparing digital signatures allows quick and accurate identification of targets having identical or similar content. Computational and storage costs are expended in advance, which allow more efficient computer forensic investigations. The present invention can be applied to numerous applications, such as computer forensic evidence gathering, misuse detection, network intrusion detection, and unauthorized network traffic detection and prevention.
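One way to realise the signature-and-compare step that the abstract and claim 1 describe, as an added example rather than code from the patent. It assumes word 3-grams as tokens, the smallest SHA-256 token hashes as the extracted subset, a bottom-k Jaccard estimate as the similarity measure and a threshold of 0.4, none of which the page specifies; the sample texts are constructed.

```python
import hashlib
import re

def shingles(text, k=3):
    """Tokens: every run of k consecutive lowercase words (assumed token type)."""
    words = re.findall(r"[a-z0-9]+", text.lower())
    return {" ".join(words[i:i + k]) for i in range(len(words) - k + 1)}

def signature(text, size=64, k=3):
    """Keep only the `size` smallest token hashes: a subset chosen by content,
    so the same passage selects the same tokens wherever it appears."""
    hashes = {
        int.from_bytes(hashlib.sha256(t.encode()).digest()[:8], "big")
        for t in shingles(text, k)
    }
    return frozenset(sorted(hashes)[:size])

def similarity(sig_a, sig_b, size=64):
    """Bottom-k estimate of the Jaccard similarity of the two token sets."""
    lowest = sorted(sig_a | sig_b)[:size]
    if not lowest:                      # both targets had fewer than k words
        return 1.0
    shared = sum(1 for h in lowest if h in sig_a and h in sig_b)
    return shared / len(lowest)

def matches(stored_sig, current_sig, threshold=0.4, size=64):
    """True when the signatures are similar above the predetermined threshold."""
    return similarity(stored_sig, current_sig, size) > threshold

# Constructed sample: a signature stored in advance, then the same target later.
BASELINE = "quarterly revenue forecast for the northern region is attached for review"
EDITED = "quarterly revenue forecast for the southern region is attached for review"
OTHER = "lunch menu tuesday soup salad and fresh bread from the bakery"

if __name__ == "__main__":
    stored = signature(BASELINE)        # generated proactively and kept
    for label, text in [("edited", EDITED), ("other", OTHER)]:
        current = signature(text)
        score = similarity(stored, current)
        print(f"{label}: score={score:.2f} match={matches(stored, current)}")
```

Only the stored signature is needed at comparison time, so the original content does not have to be retained to show that a later version of the target was a near-copy.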
35 Claims
1. A computerized method of proactively generating and comparing computer forensic evidence for a computer system, comprising the steps of:
- generating at least one signature for at least one target based on the content of the target; and
- comparing the at least one generated signature with at least one previously generated signature for the same at least one target to determine whether the signatures have similarities above a predetermined threshold,
- wherein both the at least one generated signature and the at least one previously generated signature are proactively generated for computer forensic evidence for the at least one target and configured to allow a forensic analysis with the computer forensic evidence, and
- wherein generating the at least one signature further includes the step of extracting a set of tokens representing a subset of the content of the at least one target.
Dependent claims: 2 to 33.
34. A non-transitory computer storage medium that configures a computer system to perform a method of proactively generating and comparing computer forensic evidence for a computer system, the method comprising the steps of:
- generating at least one signature for at least one target based on the content of the target; and
- comparing the at least one generated signature with at least one previously generated signature for the same at least one target to determine whether the signatures have similarities above a predetermined threshold,
- wherein both the at least one generated signature and the at least one previously generated signature are proactively generated for computer forensic evidence for the at least one target and configured to allow a forensic analysis with the computer forensic evidence, and
- wherein generating the at least one signature further includes the step of extracting a set of tokens representing a subset of the content of the at least one target.
35. Apparatus for proactively generating and comparing computer forensic evidence; comprising;
- a processor, CPU and memory arranged to generate at least one signature for at least one target based on the content of the target; and
- a comparator configured to compare the at least one generated signature with at least one previously generated signature for the same at least one target to determine whether the signatures have similarities above a predetermined threshold,
- wherein both the at least one generated signature and the at least one previously generated signature are proactively generated for computer forensic evidence for the at least one target and configured to allow a forensic analysis with the computer forensic evidence, and
- wherein the processor extracts a set of tokens representing a subset of the content of the at least one target to generate the at least one signature.
Specification