Method and system for collecting and organizing data corresponding to an event

US 8,949,257 B2
Filed: 02/01/2008
Issued: 02/03/2015
Est. Priority Date: 02/01/2008
Status: Active Grant

First Claim

Patent Images

1. A method of organizing and presenting data gathered in response to an event, the method being performed by one or more computers coupled to a network and comprising the steps of:

(a) authenticating a plurality of memory sources by verifying whether a certificate presented by each of the plurality of memory sources is valid within a trust domain, each of the certificates indicating whether a respective one of the plurality of memory sources and all stored data of the respective one of the plurality of memory sources can be trusted;

(b) in response to a successful authentication of the plurality of memory sources, importing the stored data from the authenticated plurality of memory sources into a first memory coupled to the network;

(c) converting the stored data into a specified format to produce uniform data, the specified format being one of general purpose markup language and plain text format, the stored data providing a relational comparison between sets of the stored data;

(d) providing an interface to a user through which the user requests a search of the uniform data; and

(e) presenting one or more subsets of the uniform data to the user in response to the request from the user,wherein,the event is one of (i) a request for production of documents, and (ii) a data security breach.

View all claims

8 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A system and method for analyzing data from a plurality of computer environments. The computer environments are authenticated and data is imported to a memory location. The data is converted into a uniform format to enable expedited searching by one or more authenticated users. The data may be marked so that a user may determine which computer environment provided the data. The system may also create one or more indexes of the data to assist one or more users in searching the data.

173 Citations

33 Claims

1. A method of organizing and presenting data gathered in response to an event, the method being performed by one or more computers coupled to a network and comprising the steps of:
- (a) authenticating a plurality of memory sources by verifying whether a certificate presented by each of the plurality of memory sources is valid within a trust domain, each of the certificates indicating whether a respective one of the plurality of memory sources and all stored data of the respective one of the plurality of memory sources can be trusted;
  
  (b) in response to a successful authentication of the plurality of memory sources, importing the stored data from the authenticated plurality of memory sources into a first memory coupled to the network;
  
  (c) converting the stored data into a specified format to produce uniform data, the specified format being one of general purpose markup language and plain text format, the stored data providing a relational comparison between sets of the stored data;
  
  (d) providing an interface to a user through which the user requests a search of the uniform data; and
  
  (e) presenting one or more subsets of the uniform data to the user in response to the request from the user,wherein,the event is one of (i) a request for production of documents, and (ii) a data security breach.
- View Dependent Claims (2, 4, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16)
- - 2. The method of claim 1 wherein the plurality of memory sources are coupled to the first memory through the network.
  - 4. The method of claim 1 wherein the uniform data is stored in a database prior to the request from the user.
  - 6. The method of claim 1 wherein the interface is provided to a plurality of users through the network.
  - 7. The method of claim 1 wherein the request for production of documents is in a legal process.
  - 8. The method of claim 1, further comprising the step of:
    - creating a certificate authority in response to the event, the certificate authority (i) configured for use by the trust domain, and (ii) operable to create and sign each of the certificates.
  - 9. The method of claim 8, wherein the verification is based at least in part on a certificate revocation list published by the certificate authority.
  - 10. The method of claim 1, wherein the stored data is described in a schema form for the relational comparison between the sets of the stored data.
  - 11. The method of claim 10, wherein the schema form is a description of the data using a syntax.
  - 12. The method of claim 1, wherein the plurality of memory sources are disk drives.
  - 13. The method of claim 1, further comprising the step of:
    - installing an agent on the at least one memory source of the plurality of memory sources, the agent configured to connect to an agent discovery service.
  - 14. The method of claim 13, wherein the agent is configured to transmit the certificate to the agent discovery service.
  - 15. The method of claim 1, wherein the first memory is a form of removable media operable to permit installation of the stored data on a system.
  - 16. The method of claim 15, wherein the form of removable media is a USB memory storage key, an externally-connected hard drive, or a floppy disk.

3. The method of claim wherein the plurality of memory sources are servers.

5. The method of claim wherein the stored data comprises both content and metadata.

17. A method of organizing and presenting data gathered in response to an event, the method being performed by one or more computers coupled to a network and comprising the steps of:
- (a) installing an agent on at least one of a plurality of memory sources;
  
  (b) presenting a certificate from the at least one of the plurality of memory sources via the agent;
  
  (c) authenticating the at least one of the plurality of memory sources by verifying whether the certificate presented by the at least one of the plurality of memory sources is valid within a trust domain, the certificate indicating whether stored data of the at least one of the plurality of memory sources can be trusted;
  
  (d) in response to a successful authentication of the at least one of the plurality of memory sources, importing the stored data from the at least one of the plurality of memory sources into a first memory coupled to the network;
  
  (e) converting the stored data into a specified format to produce uniform data;
  
  (f) providing, via a computer coupled to the network, an interface to a user through which the user requests a search of the uniform data; and
  
  (g) presenting one or more subsets of the uniform data to the user in response to the request from the user,wherein,the event is one of (i) a request for production of documents, and (ii) a data security breach.
- View Dependent Claims (18, 19, 20, 21, 22, 23, 24, 25, 26, 27, 28, 29, 30, 31, 32, 33)
- - 18. The method of claim 17, wherein the plurality of memory sources are coupled to the first memory through the network.
  - 19. The method of claim 17, wherein the plurality of memory sources are servers.
  - 20. The method of claim 17, wherein the specified format is one of general purpose markup language and plain text format.
  - 21. The method of claim 17, wherein the stored data providing a relational comparison between sets of the stored data.
  - 22. The method of claim 17, wherein the uniform data is stored in a database prior to the request from the user.
  - 23. The method of claim 17, wherein the stored data comprises both content and metadata.
  - 24. The method of claim 17, wherein the interface is provided to a plurality of users through the network.
  - 25. The method of claim 17, wherein the request for production of documents is in a legal process.
  - 26. The method of claim 17, further comprising the step of:
    - creating a certificate authority in response to the event, the certificate authority (i) configured for use by the trust domain, and (ii) operable to create and sign the certificate.
  - 27. The method of claim 26, wherein the verification is based at least in part on a certificate revocation list published by the certificate authority.
  - 28. The method of claim 17, wherein the stored data provides a relational comparison of data.
  - 29. The method of claim 17, wherein the stored data is provided in a schema form with a description of the data using a syntax.
  - 30. The method of claim 17, wherein the agent is configured to connect to an agent discovery service.
  - 31. The method of claim 30, wherein the agent is configured to transmit the certificate to the agent discovery service.
  - 32. The method of claim 17, wherein the first memory is a form of removable media operable to permit the installation of the stored data on a system.
  - 33. The method of claim 32, wherein the form of removable media is a USB memory storage key, an externally-connected hard drive, or a floppy disk.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Fireeye Security Holdings US LLC
Original Assignee
Mandiant LLC (Alphabet Inc.)
Inventors
Shiffer, Jason, Frazier, Matthew, Cunningham, Sean, Hogsten, Scott, Helvey, Eric, Butler, James, Villadsen, Peter
Primary Examiner(s)
Richardson, James E

Application Number

US12/024,852
Publication Number

US 20090198670A1
Time in Patent Office

2,559 Days
Field of Search

707/742, 707/746, 707/729, 707/671, 707/710, 707/653
US Class Current

707/756
CPC Class Codes

G06F 16/22   Indexing; Data structures t...

G06F 16/2228   Indexing structures

G06F 16/245   Query processing

G06F 16/334   Query execution G06F16/335 ...

Method and system for collecting and organizing data corresponding to an event

First Claim

8 Assignments

0 Petitions

Accused Products

Abstract

173 Citations

33 Claims

Specification

Solutions

Use Cases

Quick Links

Method and system for collecting and organizing data corresponding to an event

First Claim

8 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

173 Citations

33 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links