Automated forensic document signatures

US 8,312,023 B2
Filed: 05/12/2008
Issued: 11/13/2012
Est. Priority Date: 12/21/2007
Status: Active Grant

First Claim

Patent Images

1. A computerized method of a computer system for proactively generating and querying computer forensic evidence for a computer system, comprising:

generating a representation of content of at least one target within a set of targetsgenerating an inverted index of the set of targets, wherein the inverted index stores a mapping of terms from associated contents,wherein generating the inverted index further comprises pooling the terms contained in the set of targets and indexing the terms, andwherein the inverted index is associated with representations of the content of each target of the set of targets, andwherein the inverted index is proactively generated for computer forensic evidence for the at least one target and configured to allow a forensic analysis with the computer forensic evidence by maintaining a forensically accurate representation of the content of the at least one target including if the content changes, andwherein the inverted index is updated upon occurrence of a predetermined operation.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Methods and systems are provided for a proactive approach for computer forensic investigations. The invention allows organizations anticipating the need for forensic analysis to prepare in advance. Digital representations are generated proactively for a specified target. A digital representation is a digest of the content of the target. Digital representations of a collection of targets indexed and organized in a data structure, such as an inverted index. The searching and comparison of digital representations of a collection of targets allows quick and accurate identification of targets having identical or similar content. Computational and storage costs are expended in advance, which allows more efficient computer forensic investigations. The present invention can be applied to numerous applications, such as computer forensic evidence gathering, misuse detection, network intrusion detection, and unauthorized network traffic detection and prevention.

67 Citations

View as Search Results

29 Claims

1. A computerized method of a computer system for proactively generating and querying computer forensic evidence for a computer system, comprising:
- generating a representation of content of at least one target within a set of targetsgenerating an inverted index of the set of targets, wherein the inverted index stores a mapping of terms from associated contents,wherein generating the inverted index further comprises pooling the terms contained in the set of targets and indexing the terms, andwherein the inverted index is associated with representations of the content of each target of the set of targets, andwherein the inverted index is proactively generated for computer forensic evidence for the at least one target and configured to allow a forensic analysis with the computer forensic evidence by maintaining a forensically accurate representation of the content of the at least one target including if the content changes, andwherein the inverted index is updated upon occurrence of a predetermined operation.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16, 17, 20, 21, 22, 23, 24, 25, 26, 27, 28, 29)
- - 2. The method of claim 1, wherein the set of targets comprises one or more files.
  - 3. The method of claim 2, wherein the predetermined operation is one or more of creating, deleting, renaming, editing, moving, updating, linking, merging, modifying and copying a file.
  - 4. The method of claim 1, wherein the set of targets comprises one or more database entries.
  - 5. The method of claim 4, wherein the inverted index is updated upon occurrence of a predetermined operation, and the predetermined operation is one or more of select, insert, update, delete, merge, begin work, commit, rollback, create, drop, truncate, and alter of a database entry.
  - 6. The method of claim 1, wherein generating the representation of the content of at least one target comprises:
    - extracting a set of terms from the target; and
      
      processing the set of terms.
  - 7. The method of claim 6, wherein generating the representation of the content of at least one target further comprises:
    - extracting other related information of the target;
      
      and incorporating the other related information with the extracted and processed terms.
  - 8. The method of claim 7, wherein the other related information of the target is accessible by an operating system, and is at least one of file name, date of record, time of record, user or owner information, network address, network protocol, and access history of the target.
  - 9. The method of claim 7, wherein the other related information of the target is accessible by an application.
  - 10. The method of claim 1, wherein generating the inverted index of the set of targets comprises:
    - extracting a set of terms from the at least one target;
      
      processing the set of terms; and
      
      associating the set of terms with representations of the content of each of the one or more targets.
  - 11. The method of claim 1, wherein the representation of the content of the at least one target is stored permanently and is not removed when the target is modified or removed.
  - 12. The method of claim 1, wherein the inverted index retains association with the representation of the content of the at least one target when the target is modified or removed.
  - 13. The method of claim 1, further comprising:
    - storing the generated inverted index in a manner preventing deletion or modification of the inverted index by a user other than authorized personnel or a forensic investigator.
  - 14. The method of claim 1, wherein the generated inverted index is available only to authorized personnel or a forensic investigator with access rights.
  - 15. The method of claim 1, wherein the generated inverted index and the set of targets are stored on the same computer system.
  - 16. The method of claim 1, wherein the generated inverted index is stored on a first computer system and the set of targets is stored on a second computer system accessible to the first computer system through a computer network.
  - 17. The method of claim 1, further comprising the step of querying the inverted index.
  - 20. The method of claim 1, further comprising a step of generating a representation of content of a media file.
  - 21. The method of claim 20, wherein the media file comprises a video file.
  - 22. The method of claim 21, wherein the representation of content of the video file is generated based on meta data of the video file.
  - 23. The method of claim 22, wherein the representation of content of the video file is generated based on length information included in the meta data.
  - 24. The method of claim 21, wherein the representation of content of the video file is generated based on a closed caption of the video file.
  - 25. The method of claim 21, wherein the representation of content of the video file includes frames corresponding to feature points of the video file.
  - 26. The method of claim 25, wherein the representation of content of the video file includes frames corresponding to scene changes of the video file.
  - 27. The method of claim 1, wherein the media file comprises an audio file.
  - 28. The method of claim 27, wherein the audio file includes an audio file selected from the group consisting essentially of:
    - a music file and a speech file.
  - 29. The method of claim 27, wherein the step of generation a representation of content of the audio file includes a step of generating a transcript based on the audio file and a step of generating the representation of content of the audio file based on the transcript.

18. A non-transitory computer-readable storage that configures a computer system to perform a method of proactively generating and comparing computer forensic evidence for a computer system, the method comprising:
- generating a representation of content of at least one target within a set of targets; and
  
  generating an inverted index of the set of targets,wherein the inverted index stores a mapping of terms from associated contents,wherein generating the inverted index further comprises pooling the terms contained in the set of targets and indexing the terms,wherein the inverted index is associated with representations of the content of each target of the set of targets,wherein the inverted index is proactively generated for computer forensic evidence for the at least one target and configured to allow a forensic analysis with the computer forensic evidence by maintaining a forensically accurate representation of the content of the at least one target including if the content changes, andwherein the inverted index is updated upon occurrence of a predetermined operation.

19. An apparatus for proactively generating and comparing computer forensic evidence, comprising:
- a processor arranged to generate a representation of content of at least one target within a set of targets; and
  
  a processor arranged to generate an inverted index of the set of targets,wherein the inverted index stores a mapping of terms from associated contents,wherein the processor is further arranged to pool the terms contained in the set of targets and index the terms,wherein the inverted index is associated with representations of the content of each target of the set of targets,wherein the inverted index is proactively generated for computer forensic evidence for the at least one target and configured to allow a forensic analysis with the computer forensic evidence by maintaining a forensically accurate representation of the content of the at least one target including if the content changes, andwherein the inverted index is updated upon occurrence of a predetermined operation.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Georgetown University
Original Assignee
Georgetown University
Inventors
Shields, Thomas Clay, Frieder, Ophir, Maloof, Marcus A.
Primary Examiner(s)
Ehichioya, Fred I
Assistant Examiner(s)
Mobin, Hasanul

Application Number

US12/118,942
Publication Number

US 20090164427A1
Time in Patent Office

1,646 Days
Field of Search

None
US Class Current

707/742
CPC Class Codes

G06F 16/31   Indexing; Data structures t...

G06F 16/70   of video data

G06F 16/903   Querying for retrieval from...

G06F 16/9035   Filtering based on addition...

G06F 21/55   Detecting local intrusion o...

G10L 15/26   Speech to text systems G10L...

H04L 63/12   Applying verification of th...

H04L 63/1425   Traffic logging, e.g. anoma...

H04N 21/44008   involving operations for an...

Automated forensic document signatures

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

67 Citations

29 Claims

Specification

Use Cases

Quick Links

Others

Automated forensic document signatures

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

67 Citations

29 Claims

Specification

Subscription Required

Use Cases

Quick Links

Others