Online evidence collection

US 8,417,776 B2
Filed: 08/25/2008
Issued: 04/09/2013
Est. Priority Date: 08/25/2007
Status: Expired due to Fees

First Claim

Patent Images

1. An automated method of collecting and preserving evidence developed during an on-line investigation of a suspect, the method comprising:

with an online investigation and evidence collecting and preserving system;

automated storing of evidence gathered on-line by an online investigator while investigating the suspect on-line;

automated storing of files shared by the on-line investigator, a record of web pages accessed by the on-line investigator, and other data indicative of activities performed by the on-line investigator in the course of gathering evidence on-line;

automatically obtaining a time stamp from an external source, wherein the time stamp is indicative of when the on-line investigator gathered the evidence on-line;

automatically encoding the data indicative of activities performed by the on-line investigator in the course of gathering the evidence on-line and the evidence gathered on-line by the on-line investigator with the time stamp from the external source; and

automatically generating a report that sets forth the data indicative of activities performed by the on-line investigator in the course of gathering the evidence on-line and the evidence gathered on-line by the on-line investigator and demonstrates the authenticity of the data indicative of activities performed by the on-line investigator in the course of gathering the evidence on-line and the evidence gathered on-line by the on-line investigator by reference to the time stamp from the external source.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Collecting and preserving evidence developed during an on-line investigation. Evidence gathered on-line is hashed with a time stamp from an external time source and stored. Other data pertinent to an investigation is also stored and may also be hashed. The evidence may be presented later in a report that demonstrates the authenticity of the evidence. A computer system for on-line investigations includes a CPU, memory, input/output facilities, a communication element, and a security element such as a dongle. Communication software enables the investigator to communicate over the Internet and gather evidence. Investigation software enables the computer system to store and hash the evidence; this may be done automatically. A database structure includes tables for investigator and suspect data, cases, evidence, and provision for storing a time stamp indicating when the evidence was collected.

72 Citations

View as Search Results

21 Claims

1. An automated method of collecting and preserving evidence developed during an on-line investigation of a suspect, the method comprising:
- with an online investigation and evidence collecting and preserving system;
  
  automated storing of evidence gathered on-line by an online investigator while investigating the suspect on-line;
  
  automated storing of files shared by the on-line investigator, a record of web pages accessed by the on-line investigator, and other data indicative of activities performed by the on-line investigator in the course of gathering evidence on-line;
  
  automatically obtaining a time stamp from an external source, wherein the time stamp is indicative of when the on-line investigator gathered the evidence on-line;
  
  automatically encoding the data indicative of activities performed by the on-line investigator in the course of gathering the evidence on-line and the evidence gathered on-line by the on-line investigator with the time stamp from the external source; and
  
  automatically generating a report that sets forth the data indicative of activities performed by the on-line investigator in the course of gathering the evidence on-line and the evidence gathered on-line by the on-line investigator and demonstrates the authenticity of the data indicative of activities performed by the on-line investigator in the course of gathering the evidence on-line and the evidence gathered on-line by the on-line investigator by reference to the time stamp from the external source.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11)
- - 2. An automated method as in claim 1 and further comprising, with the online evidence collecting and preserving system:
    - automatically implementing an identity mask that prevents the suspect from detecting an internet protocol address of a computer being used by the online investigator.
  - 3. An automated method as in claim 2 wherein automatically implementing the identity mask comprises transmitting a message to the suspect through an unpredictable network of computers.
  - 4. An automated method as in claim 1 and further comprising, with the online evidence collecting and preserving system:
    - establishing an undercover identity for the online investigator.
  - 5. An automated method as in claim 1 and further comprising, with the online evidence collecting and preserving system:
    - automatically checking any internet protocol addresses accessed by the investigator for authenticity;
      
      automatically storing any internet protocol addresses accessed by the investigator; and
      
      automatically storing information respecting any internet protocol address found not to be authentic.
  - 6. An automated method as in claim 1 and further comprising, with the online evidence collecting and preserving system:
    - using a dongle to control access to the encoded data.
  - 7. An automated method as in claim 1 and further comprising, with the online evidence collecting and preserving system:
    - identifying a physical location of a computer system being used by the target and including that identification along with other data when encoding the data.
  - 8. An automated method as in claim 1 wherein automatically encoding the data comprises hashing.
  - 9. An automated method as in claim 8 wherein encoding the data comprises hashing that returns an identification key;
    - and wherein generating the report that demonstrates the authenticity of the data and the evidence by reference to the time stamp further comprises utilizing the identification key, whereby the method can show that the evidence and the data have not been altered.
  - 10. The automated method of claim 1, further comprising:
    - generating automatically a letter to an ISP requesting that the ISP preserve at least one of the web pages accessed by the online investigator in the course of gathering evidence.
  - 11. The automated method of claim 1, wherein the other data indicative of activities performed by the online investigator in the course of gathering the evidence comprises keystroke logging of each keystroke of the online investigator.

12. An automated evidence collection and authentication system comprising:
- a computer including a central processing unit, memory, an input terminal, an output terminal, a communication element, and a security element;
  
  communication software responsive to commands from an investigator to cause the computer to communicate electronically with a remotely located computer without revealing the investigator'"'"'s identity; and
  
  investigation software operative to cause the computer to store any data obtained from the remotely located computer by the investigator together with files shared by the investigator, a record of web pages accessed by the investigator, and other data indicative of activities performed by the investigator in the course of obtaining the data from the remotely located computer, obtain a time stamp from a remotely located time source, wherein the time stamp is indicative of when the investigator obtained the data from the remotely located computer, automatically encode the data obtained from the remotely located computer by the investigator and the other data indicative of the activities performed by the investigator in the course of obtaining the data from the remotely located computer with the time stamp from the external source, and automatically generate a report that sets forth the data indicative of the activities performed by the investigator in the course of gathering the data from the remotely located computer and the data obtained from the remotely located computer by the investigator and demonstrates authenticity of the data indicative of the activities performed by the investigator in the course of gathering the data from the remotely located computer and the data obtained from the remotely located computer by the investigator by reference to the time stamp from the external source.
- View Dependent Claims (13, 14, 15, 16)
- - 13. An automated system as in claim 12 wherein the investigation software functions automatically.
  - 14. An automated system as in claim 12 wherein the communication software is operative to automatically verify authenticity of any internet protocol addresses used by the investigator.
  - 15. An automated system as in claim 14 wherein the investigation software is operative to store any internet protocol addresses used by the investigator together with all available information respecting any internet protocol address found not to be authentic.
  - 16. An automated system as in claim 12 further comprising a media writer responsive to the investigation software to automatically encode the report on an unalterable medium.

17. A computerized on-line evidence collection and authentication system comprising:
- a computer including a central processing unit, a storage device, input and output terminals, and a communication element;
  
  a database structure in the storage device, the database structure including;
  
  an investigator table structured to contain data descriptive of a plurality of investigators including undercover identities and investigator handles;
  
  a suspect table structured to contain data, descriptive of a plurality of suspects including suspect handles;
  
  a case table structured to contain data descriptive of a plurality of investigative cases;
  
  an evidence table structured to contain evidence collected on-line by an investigator;
  
  a time-stamp structure for containing a time stamp indicative of a time when the evidence was collected; and
  
  investigation software in the storage device, operative to cause the computer to store in the evidence table any data obtained from a remotely located computer by an investigator through the communication element together with files shared by the investigator, a record of web pages accessed by the investigator, and other data indicative of activities performed by the investigator in the course of obtaining the data from the remotely located computer, obtain through the communication element a time stamp from a remotely located time source, wherein the time stamp is indicative of when the investigator obtained the data from the remotely located computer, store the time stamp in the time-stamp structure, encode the data obtained from the remotely located computer by the investigator and the other data indicative of the activities performed by the investigator in the course of obtaining the data from the remotely located computer with the time stamp from the external source, and generate a report that sets forth the data indicative of the activities performed by the investigator in the course of gathering the data from the remotely located computer and the data obtained from the remotely located computer by the investigator and demonstrates the authenticity of the data indicative of the activities performed by the investigator in the course of gathering the data obtained from the remotely located computer and the data obtained from the remotely located computer by the investigator by reference to the time stamp from the external source.
- View Dependent Claims (18, 19, 20, 21)
- - 18. A computerized system as in claim 17 wherein the database structure comprises cross-references between suspects and cases and between investigators and cases.
  - 19. A computerized system as in claim 18 wherein the evidence table comprises a structure for containing the evidence and the time stamp in hashed form.
  - 20. A computerized system as in claim 17 wherein the database structure comprises a table structured to contain categorized data pertaining to an undercover identity.
  - 21. A computerized system as in claim 17 wherein the database structure comprises a table structured to contain categorized data pertaining to a suspect.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Vere Software
Original Assignee
VERE Software Incorporated
Inventors
Womack, Roy, Shipley, Todd G.
Primary Examiner(s)
Winder, Patrice
Assistant Examiner(s)
Chang, Julian

Application Number

US12/197,890
Publication Number

US 20090089361A1
Time in Patent Office

1,688 Days
Field of Search

709201-207
US Class Current

709/204
CPC Class Codes

G06F 21/64 Protecting data integrity, ...

G06F 2221/2151 Time stamp

Online evidence collection

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

72 Citations

21 Claims

Specification

Solutions

Use Cases

Quick Links

Online evidence collection

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

72 Citations

21 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links