Automated forensic document signatures

US 8,280,905 B2
Filed: 12/21/2007
Issued: 10/02/2012
Est. Priority Date: 12/21/2007
Status: Active Grant

First Claim

Patent Images

1. A computerized method of proactively generating and comparing computer forensic evidence for a computer system, comprising the steps of:

generating at least one signature for at least one target based on the content of the target; and

comparing the at least one generated signature with at least one previously generated signature for the same at least one target to determine whether the signatures have similarities above a predetermined threshold,wherein both the at least one generated signature and the at least one previously generated signature are proactively generated for computer forensic evidence for the at least one target and configured to allow a forensic analysis with the computer forensic evidence, andwherein generating the at least one signature further includes the step of extracting a set of tokens representing a subset of the content of the at least one target.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Methods and systems are provided for a proactive approach for computer forensic investigations. The invention allows organizations anticipating the need for forensic analysis to prepare in advance. Digital signatures are generated proactively for a specified target. The digital signature represents a digest of the content of the target, and can be readily stored. Searching and comparing digital signatures allows quick and accurate identification of targets having identical or similar content. Computational and storage costs are expended in advance, which allow more efficient computer forensic investigations. The present invention can be applied to numerous applications, such as computer forensic evidence gathering, misuse detection, network intrusion detection, and unauthorized network traffic detection and prevention.

59 Citations

View as Search Results

35 Claims

1. A computerized method of proactively generating and comparing computer forensic evidence for a computer system, comprising the steps of:
- generating at least one signature for at least one target based on the content of the target; and
  
  comparing the at least one generated signature with at least one previously generated signature for the same at least one target to determine whether the signatures have similarities above a predetermined threshold,wherein both the at least one generated signature and the at least one previously generated signature are proactively generated for computer forensic evidence for the at least one target and configured to allow a forensic analysis with the computer forensic evidence, andwherein generating the at least one signature further includes the step of extracting a set of tokens representing a subset of the content of the at least one target.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16, 17, 18, 19, 20, 21, 22, 23, 24, 25, 26, 27, 28, 29, 30, 31, 32, 33)
- - 2. The method of claim 1, wherein the target is a file.
  - 3. The method of claim 2, wherein the file is owned by a user.
  - 4. The method of claim 2, wherein the file is related to a network intrusion attack.
  - 5. The method of claim 2, wherein the at least one signature is generated upon occurrence of a predetermined operation, and the predetermined operation is one or more of creating, deleting, renaming, editing, moving, updating, linking, merging, modifying and copying the file.
  - 6. The method of claim 1, wherein the target is a database entry.
  - 7. The method of claim 6, wherein the at least one signature is generated upon occurrence of a predetermined operation, and the predetermined operation is one or more of select, insert, update, delete, merge, begin work, commit, rollback, create, drop, truncate, and alter the database entry.
  - 8. The method of claim 1, wherein the target is a database definition.
  - 9. The method of claim 8, wherein the at least one signature is generated upon occurrence of a predetermined operation, and the predetermined operation is one or more of create, drop, and alter the database definition.
  - 10. The method of claim 1, wherein the target is network traffic.
  - 11. The method of claim 10, wherein the at least one signature is generated upon occurrence of a predetermined operation, and the predetermined operation is when the network traffic enters a network or when the network traffic leaves a network.
  - 12. The method of claim 10, wherein the network traffic may be any one or more of a signal protocol, an email, an attachment of an email, an instant message conversation, a text message, a remote login, a virtual private network, a viewed webpage, a file transfer and file sharing of the network traffic.
  - 13. The method of claim 1, wherein generating the at least one signature for the at least one target comprises the steps of:
    - processing the set of tokens;
      
      generating a fingerprint from the set of tokens; and
      
      generating the signature for the at least one target by combining the fingerprints with other related information of the at least one target.
  - 14. The method of claim 13, wherein processing the set of tokens includes sorting the set of tokens.
  - 15. The method of claim 14, wherein processing the set of tokens further includes filtering the set of tokens.
  - 16. The method of claim 13, wherein generating the fingerprint from the set of tokens involves a hash method.
  - 17. The method of claim 13, wherein generating the fingerprint from the set of tokens involves implementation of a bit vector method.
  - 18. The method of claim 13, wherein the other related information of the target is accessible by an operating system, and is at least one of file name, date of record, time of record, user or owner information, network address, network protocol, access history and fingerprint history of the target.
  - 19. The method of claim 13, wherein the other related information of the target is accessible by an application.
  - 20. The method of claim 1, further comprising the step of storing the at least one generated signature in a manner preventing deletion or modification of the at least one generated signature by a user other than authorized personnel or a forensic investigator.
  - 21. The method of claim 1, wherein the at least one generated signature is available to authorized personnel or a forensic investigator with access, rights.
  - 22. The method of claim 1, where in the at least one generated signature and respective target are stored on the same computer system.
  - 23. The method of claim 1, where in the at least one generated signature is stored on a first computer system and the at least one target is stored on a second computer system accessible through a computer network.
  - 24. The method of claim 13, further comprising a step of generating a signature for a media file.
  - 25. The method of claim 24, wherein the media file comprises a video file.
  - 26. The method of claim 25, wherein the signature is generated based on meta data of the video file.
  - 27. The method of claim 26, wherein the signature for the video file is generated based on length information included in the meta data.
  - 28. The method of claim 25, wherein the signature for the video file is generated based on a closed caption of the video file.
  - 29. The method of claim 25, wherein the signature for the video file includes frames corresponding to feature points of the video file.
  - 30. The method of claim 25, wherein the signature for the video file includes frames corresponding to scene changes of the video file.
  - 31. The method of claim 24, wherein the media file comprises an audio file.
  - 32. The method of claim 31, wherein the audio file includes an audio file selected from the group consisting essentially of:
    - a music file and a speech file.
  - 33. The method of claim 31, wherein the step of generation a signature for the audio file includes a step of generating a transcript based on the audio file and a step of generating the signature for the audio file based on the transcript.

34. A non-transitory computer storage medium that configures a computer system to perform a method of proactively generating and comparing computer forensic evidence for a computer system, the method comprising the steps of:
- generating at least one signature for at least one target based on the content of the target; and
  
  comparing the at least one generated signature with at least one previously generated signature for the same at least one target to determine whether the signatures have similarities above a predetermined threshold,wherein both the at least one generated signature and the at least one previously generated signature are proactively generated for computer forensic evidence for the at least one target and configured to allow a forensic analysis with the computer forensic evidence, andwherein generating the at least one signature further includes the step of extracting a set of tokens representing a subset of the content of the at least one target.

35. Apparatus for proactively generating and comparing computer forensic evidence;
- comprising;
  
  a processor, CPU and memory arranged to generate at least one signature for at least one target based on the content of the target; and
  
  a comparator configured to compare the at least one generated signature with at least one previously generated signature for the same at least one target to determine whether the signatures have similarities above a predetermined threshold,wherein both the at least one generated signature and the at least one previously generated signature are proactively generated for computer forensic evidence for the at least one target and configured to allow a forensic analysis with the computer forensic evidence, andwherein the processor extracts a set of tokens representing a subset of the content of the at least one target to generate the at least one signature.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Georgetown University
Original Assignee
Georgetown University
Inventors
Shields, Thomas Clay, Frieder, Ophir, Maloof, Marcus A.
Primary Examiner(s)
Trujillo, James
Assistant Examiner(s)
Mamillapalli, Pavan

Application Number

US11/963,186
Publication Number

US 20090164517A1
Time in Patent Office

1,747 Days
Field of Search

706/46
US Class Current

707/781
CPC Class Codes

G06F 21/55 Detecting local intrusion o...

H04L 63/1425 Traffic logging, e.g. anoma...

Automated forensic document signatures

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

59 Citations

35 Claims

Specification

Solutions

Use Cases

Quick Links

Automated forensic document signatures

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

59 Citations

35 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links