Method and system for forensic investigation of data access
Abstract
The present invention is directed to a method for forensic examination of data access of an information system. The invention allows a user to determine the occurrence and nature of data access. In particular, it allows the user to determine if data were copied. The invention does not require modification of the information system or data beforehand, and requires access to no artifact or evidence other than the information system itself.
37 Claims
1. An apparatus to differentiate among various forms of accessing data which is stored in an information system, said differentiation being based on a time of access for said data during a finite time period, said finite time period having a beginning time and an ending time;
wherein said data includes a plurality of datum, the apparatus comprising;
a non-transitory machine-readable medium; and
a plurality of instructions in the machine-readable medium which, when executed by a processing machine, enable the processing machine to perform operations comprising;
obtaining and storing in an array a time of access for at least a plurality of said datum in said data;
iterating through said array and making at least one determination selected from the group of determinations consisting of determining an earliest of said stored times of access and determining for each of said stored times of access whether said time of access falls within said finite time period;
when the selected determination includes determining for each of said stored times of access whether said time of access falls within said finite time period performing a comparison between said stored times of access and at least one predetermined invariant;
transforming said times of access into a conclusion as to said form of access that has occurred based at least in part on a result of said comparison between said times of access and said at least one predetermined invariant; and,
when the selected determination includes determining an earliest of said stored times of access based at least in part on said determination, transforming said times of access into a conclusion as to which of said various forms of access has occurred.
View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16, 17)
18. A method for differentiating among various forms of accessing data which is stored in an information system based on a time of access for said data during a finite time period, said finite time period having a beginning time and an ending time, wherein said data includes a plurality of datum, the method comprising:
a processor obtaining and storing in an array a time of access for a plurality of said datum during said finite time period;
said processor iterating through said array and making at least one determination selected from the group of determinations consisting of determining an earliest of said stored times of access and determining for each of said stored times of access whether said time of access falls within said finite time period;
when the selected determination includes determining for each of said stored times of access whether said time of access falls within said finite time period performing a comparison between said stored times of access and at least one predetermined invariant;
transforming said stored time periods into a conclusion as to said form of access that has occurred based at least in part on a result of said comparison between said times of access and said at least one predetermined invariant; and,
when the selected determination includes determining an earliest of said stored times of access based at least in part on said determination said processor transforming said stored time periods into a conclusion as to which of said various forms of access to said data has occurred during said finite time period.
View Dependent Claims (19, 20, 21, 22, 23, 24, 25, 26, 27, 28, 29, 30, 31, 32, 33)
34. A method for differentiating among various possible forms of accessing an electronically accessed folder, wherein said folder is stored in an information system, said folder includes at least one subfolder stored in said information system, at least one of said folder and said subfolder includes an associated file stored therein, and wherein said folder and said subfolder are each implemented as a directory file in said information system, the method comprising:
a processor reviewing a characteristic of said electronic access to said folder and determining from said review whether said access is nonselective;
said processor concluding, when a result of said determination is that said electronic access to said folder is nonselective and when said access to said folder or to said subfolder does not have an access timestamp that is earlier than a time associated with a cutoff time of the nonselective access, that said form of accessing is that said folder has been copied.
View Dependent Claims (35, 36, 37)
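The decision rule of claim 34, combined with the array iteration of claims 1 and 18, can be sketched as follows. This is an added example, not code from the patent. It assumes that "nonselective" means at least a fixed share of the directory files were accessed inside the period (the `nonselective_share` invariant) and that the cutoff time is the beginning of the period; all names and sample timestamps are constructed.

```python
from datetime import datetime, timezone

def ts(s):
    """Parse an ISO-8601 timestamp (taken as UTC) into epoch seconds."""
    return datetime.fromisoformat(s).replace(tzinfo=timezone.utc).timestamp()

def classify_access(dir_atimes, begin, end, nonselective_share=0.75):
    """Classify access to a folder tree from its directory access times.

    dir_atimes: {directory path: access time in epoch seconds}
    begin, end: the finite time period under examination
    nonselective_share: assumed invariant, the minimum fraction of
        directories accessed inside the period to call it nonselective
    """
    times = list(dir_atimes.values())       # the array of access times
    if not times:
        return {"conclusion": "no data", "earliest": None, "in_period": 0}
    earliest = min(times)                   # determination 1: earliest time
    in_period = sum(1 for t in times if begin <= t <= end)  # determination 2
    nonselective = in_period / len(times) >= nonselective_share
    if not nonselective:
        conclusion = "selective access"
    elif earliest < begin:                  # begin is the assumed cutoff time
        conclusion = "nonselective access, copy not concluded"
    else:
        conclusion = "folder copied"
    return {"conclusion": conclusion, "earliest": earliest,
            "in_period": in_period}

# Constructed sample data: one period and three directory trees.
BEGIN, END = ts("2024-03-01T09:00:00"), ts("2024-03-01T09:10:00")
COPIED = {"/case": ts("2024-03-01T09:02:01"),
          "/case/a": ts("2024-03-01T09:02:01"),
          "/case/b": ts("2024-03-01T09:02:03"),
          "/case/b/c": ts("2024-03-01T09:02:04")}
BROWSED = {"/case": ts("2024-03-01T09:03:00"),
           "/case/a": ts("2024-02-10T14:00:00"),
           "/case/b": ts("2024-02-11T08:30:00"),
           "/case/b/c": ts("2024-01-05T17:45:00")}
PARTIAL = dict(COPIED, **{"/case/b/c": ts("2024-02-20T11:00:00")})

if __name__ == "__main__":
    for name, tree in (("copied", COPIED), ("browsed", BROWSED),
                       ("partial", PARTIAL)):
        print(name, classify_access(tree, BEGIN, END)["conclusion"])
```

Access times are only as reliable as the file system's update policy: volumes mounted with `noatime` or `relatime`, or NTFS with last-access updates disabled, may not record the reads this rule depends on.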
Specification