Method and system for forensic investigation of data access

US 9,535,994 B1
Filed: 03/28/2011
Issued: 01/03/2017
Est. Priority Date: 03/26/2010
Status: Active Grant

First Claim

Patent Images

1. An apparatus to differentiate among various forms of accessing data which is stored in an information system, said differentiation being based on a time of access for said data during a finite time period, said finite time period having a beginning time and an ending time;

wherein said data includes a plurality of datum, the apparatus comprising;

a non-transitory machine-readable medium; and

a plurality of instructions in the machine-readable medium which, when executed by a processing machine, enable the processing machine to perform operations comprising;

obtaining and storing in an array a time of access for at least a plurality of said datum in said data;

iterating through said array and making at least one determination selected from the group of determinations consisting of determining an earliest of said stored times of access and determining for each of said stored times of access whether said time of access falls within said finite time period;

when the selected determination includes determining for each of said stored times of access whether said time of access falls within said finite time period performing a comparison between said stored times of access and at least one predetermined invariant;

transforming said times of access into a conclusion as to said form of access that has occurred based at least in part on a result of said comparison between said times of access and said at least one predetermined invariant; and

,when the selected determination includes determining an earliest of said stored times of access based at least in part on said determination, transforming said times of access into a conclusion as to which of said various forms of access has occurred.

View all claims

0 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

The present invention is directed to a method for forensic examination of data access of an information system. The invention allows a user to determine the occurrence and nature of data access. In particular, it allows the user to determine if data were copied. The invention does not require modification of the information system or data beforehand, and requires access to no artifact or evidence other than information system itself.

27 Citations

37 Claims

1. An apparatus to differentiate among various forms of accessing data which is stored in an information system, said differentiation being based on a time of access for said data during a finite time period, said finite time period having a beginning time and an ending time;
- wherein said data includes a plurality of datum, the apparatus comprising;
  
  a non-transitory machine-readable medium; and
  
  a plurality of instructions in the machine-readable medium which, when executed by a processing machine, enable the processing machine to perform operations comprising;
  
  obtaining and storing in an array a time of access for at least a plurality of said datum in said data;
  
  iterating through said array and making at least one determination selected from the group of determinations consisting of determining an earliest of said stored times of access and determining for each of said stored times of access whether said time of access falls within said finite time period;
  
  when the selected determination includes determining for each of said stored times of access whether said time of access falls within said finite time period performing a comparison between said stored times of access and at least one predetermined invariant;
  
  transforming said times of access into a conclusion as to said form of access that has occurred based at least in part on a result of said comparison between said times of access and said at least one predetermined invariant; and
  
  ,when the selected determination includes determining an earliest of said stored times of access based at least in part on said determination, transforming said times of access into a conclusion as to which of said various forms of access has occurred.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16, 17)
- - 2. The apparatus according to claim 1 further comprising said processing machine further providing a user interface having features that enable selection of said data and said finite period of time.
  - 3. The apparatus according to claim 1 wherein said determination is said determining an earliest of said stored times of access and said processing machine further performs a comparison between said earliest of said stored times of access and said beginning time;
    - said comparison resulting in said earliest of said stored times of access being earlier in time than said beginning time; and
      
      ,said conclusion as to a status of said access being that said datum associated with said plurality of said stored times of access was not copied in its entirety during said finite time period.
  - 4. The apparatus according to claim 1 further comprising said processing machine further performing operations including comparing each of said datum associated with said plurality of said stored times of access to a set of predetermined criteria and removing all datum from said data which match at least one of said predetermined criteria.
  - 5. The apparatus according to claim 4 wherein said set of predetermined criteria includes at least one criteria selected from the group of criteria including a type, a name, a creation date and an access right required for accessing said datum.
  - 6. The apparatus according to claim 5 further comprising said processing machine further performing a determination of how many of said datum associated with said plurality of said stored times of access do not match said at least one predetermined predicate and storing said do not match determination as another value;
    - comparing said another value to another threshold value; and
      
      ;
      
      wherein said conclusion as to said form of access that has occurred also being based at least in part on a result of said comparison between said another value and said another threshold.
  - 7. The apparatus according to claim 1 wherein said determination is said determining for each of said stored times of access whether said stored time of access falls within said finite period of time;
    - wherein a plurality of said stored times of access are determined to fall within said finite period of time;
      
      said processing machine further performs;
      
      a comparison between said datum associated with said plurality of said stored times of access and at least one predetermined predicate;
      
      a determination of how many of said datum associated with said plurality of said stored times of access match said at least one predetermined predicate and storing said match determination as a value;
      
      comparing said value to a threshold value; and
      
      ,wherein said conclusion as to said form of access that has occurred being based at least in part on a result of said comparison between said value and said threshold.
  - 8. The apparatus according to claim 7 wherein said threshold value and said another threshold value are the same value.
  - 9. The apparatus according to claim 7 wherein said at least one predetermined predicate includes at least one predicate from the group of predicates consisting of is the datum a directory, is the datum an executable file, is the datum a predetermined type of file, does the name of the datum match a particular regular expression, does the name of the datum begin with a predetermined special character, and does a predetermined user have access rights to access the datum.
  - 10. The apparatus according to claim 7 further comprising said processing machine comparing said value to another threshold value;
    - and, when said comparison results in said value being greater than said another threshold value said conclusion being that copying of said datum that match said at least one predetermined predicate likely occurred during the finite time period.
  - 11. The apparatus according to claim 10 wherein said threshold value and another threshold value are the same threshold value.
  - 12. The apparatus according to claim 1, wherein said processing machine further performs sorting, in order of access time, said times of access for said at least two of said plurality of said datum.
  - 13. The apparatus according to claim 1 wherein said at least one predetermined invariant includes at least one invariant from the group of invariants consisting of files are accessed only after their parent directory is accessed and files are accessed in a temporally continuous manner, without pauses beyond a certain length.
  - 14. The apparatus according to claim 1 wherein said processing machine further performs a comparison between said times of access of said at least two of said plurality of said datum and at least one predetermined method of order;
    - wherein said conclusion as to said form of access that has occurred being based on a result of said comparison between said times of access of said at least two of said plurality of said datum and said at least one predetermined method of order.
  - 15. The apparatus according to claim 14 wherein said at least one predetermined method of order includes at least one method of order from the group of methods of order consisting of alphabetical order, storage order, hierarchical breadth first order and hierarchical depth first order.
  - 16. The apparatus according to claim 1 wherein said processing machine further performs a determination of time lapses between a plurality of consecutive stored times of access and determines an average rate of access based on said determined time lapses;
    - wherein said conclusion as to said form of access that has occurred being based on said average rate of access.
  - 17. The apparatus according to claim 16 wherein said plurality of consecutive times of access includes all of said consecutive times of access.

18. A method for differentiating among various forms of accessing data which is stored in an information system based on a time of access for said data during a finite time period, said finite time period having a beginning time and an ending time, wherein said data includes a plurality of datum, the method comprising:
- a processor obtaining and storing in an array a time of access for a plurality of said datum during said finite time period;
  
  said processor iterating through said array and making at least one determination selected from the group of determinations consisting of determining an earliest of said stored times of access and determining for each of said stored times of access whether said time of access falls within said finite time period;
  
  when the selected determination includes determining for each of said stored times of access whether said time of access falls within said finite time period performing a comparison between said stored times of access and at least one predetermined invariant;
  
  transforming said stored time periods into a conclusion as to said form of access that has occurred based at least in part on a result of said comparison between said times of access and said at least one predetermined invariant; and
  
  ,when the selected determination includes determining an earliest of said stored times of access based at least in part on said determination said processor transforming said stored time periods into a conclusion as to which of said various forms of access to said data has occurred during said finite time period.
- View Dependent Claims (19, 20, 21, 22, 23, 24, 25, 26, 27, 28, 29, 30, 31, 32, 33)
- - 19. The method according to claim 18 wherein said determination is said determining an earliest of said stored times of access and said processor further performs a comparison between said earliest of said stored times of access and said beginning time;
    - said comparison resulting in said earliest of said stored times of access being earlier in time than said beginning time; and
      
      ,said conclusion as to said form of access to said data that has occurred being that said data was not copied in its entirety during said finite time period.
  - 20. The method according to claim 18 further comprising said processor comparing each of said datum associated with said stored times of access to a set of predetermined criteria and removing all datum which matches at least one of said predetermined criteria.
  - 21. The method according to claim 20 wherein said set of predetermined criteria includes at least one criteria selected from the group of criteria including a type, a name, a creation date and an access right required for accessing said datum.
  - 22. The method according to claim 20 wherein said threshold value and said another threshold value are the same value.
  - 23. The method according to claim 18 wherein said determination is said determining for each of said stored times of access whether said time of access falls within said finite time period;
    - wherein a plurality of said times of access are determined to fall within said finite time period;
      
      said processor comparing said datum associated with said plurality of said stored times of access with at least one predetermined predicate;
      
      determining how many of said datum associated with said plurality of said stored times of access match said at least one predetermined predicate and causing said match determination to be stored as a value;
      
      said processor comparing said value to a threshold value; and
      
      ,wherein said conclusion as to said form of access to said data that has occurred being based at least in part on a result of said comparison between said value and said threshold.
  - 24. The method according to claim 23 further comprising said processor determining how many of said datum associated with said plurality of said stored times of access do not match said at least one predetermined predicate and causing said do not match determination to be stored as another value;
    - said processor comparing said another value to another threshold; and
      
      ,wherein said conclusion as to said form of access to said data that has occurred also being based at least in part on a result of said comparison between said another value and said another threshold.
  - 25. The method according to claim 23 wherein said at least one predetermined predicate includes at least one predicate from the group of predicates consisting of is the datum a directory, is the datum an executable file, is the datum a predetermined type of file, does the name of the datum match a particular regular expression, does the name of the datum begin with a predetermined special character, and does a predetermined user have access rights to access the datum.
  - 26. The method according to claim 23 further comprising said processor comparing said value to another threshold value;
    - and, when said comparison results in said value being greater than said another threshold value said conclusion being that copying of said datum that match said at least one predetermined predicate likely occurred during said finite time period.
  - 27. The method according to claim 26 wherein said threshold value and said another threshold value are the same threshold value.
  - 28. The method according to claim 25, further comprising said processor sorting, in order of access time, said times of access for said at least two of said plurality of said datum.
  - 29. The method according to claim 18 wherein said at least one predetermined invariant includes at least one invariant from the group of invariants consisting of files are accessed only after their parent directory is accessed and files are accessed in a temporally continuous manner, without pauses beyond a certain length.
  - 30. The method according to claim 18 further comprising said processor comparing said times of access of said at least two of said plurality of said datum and at least one predetermined method of order;
    - wherein said conclusion as to a form of access to said data that has occurred being based on a result of said comparison between said times of access of said at least two of said plurality of said datum and said at least one predetermined method of order.
  - 31. The method according to claim 30 wherein said at least one predetermined method of order includes at least one method of order from the group of methods of order consisting of alphabetical order, storage order, hierarchical breadth first order and hierarchical depth first order.
  - 32. The method according to claim 18 further comprising said processor determining time lapses between a plurality of consecutive times of access in said stored times of access and determining an average rate of access based on said determined time lapses;
    - wherein said conclusion as to said form of access to said data that has occurred being based on said average rate of access.
  - 33. The method according to claim 32 wherein said plurality of consecutive stored times of access includes all of said consecutive stored times of access.

34. A method for differentiating among various possible forms of accessing an electronically accessed folder, wherein said folder is stored in an information system, said folder includes at least one subfolder stored in said information system, at least one of said folder and said subfolder includes an associated file stored therein, and wherein said folder and said subfolder are each implemented as a directory file in said information system, the method comprising:
- a processor reviewing a characteristic of said electronic access to said folder and determining from said review whether said access is nonselective;
  
  said processor concluding, when a result of said determination is that said electronic access to said folder is nonselective and when said access to said folder or to said subfolder does not have an access timestamp that is earlier than a time associated with a cutoff time of the nonselective access, that said form of accessing is that said folder has been copied.
- View Dependent Claims (35, 36, 37)
- - 35. The method according to claim 34 further comprising said processor further determining that said access is temporally continuous.
  - 36. The method according to claim 35 further comprising said processor further determining that said access is recursively ordered and said directory files are accessed prior to their associated file.
  - 37. The method according to claim 34 further comprising said processor concluding, when a result of said determination is that said electronic access to said folder is selective, that said form of accessing is that said folder has not been copied.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Jonathan Grier
Original Assignee
Jonathan Grier
Inventors
Grier, Jonathan
Primary Examiner(s)
Chen, Susan

Application Number

US13/073,978
Time in Patent Office

2,108 Days
Field of Search

707/706, 707/1, 707/202, 709/217, 709/204, 709/219, 717/124, 726/26, 726/23, 340/441, 370/235, 725/19, 379/265.09
US Class Current

1/1
CPC Class Codes

G06F 16/951 Indexing; Web crawling tech...

G06F 21/577 Assessing vulnerabilities a...

Method and system for forensic investigation of data access

First Claim

0 Assignments

0 Petitions

Accused Products

Abstract

27 Citations

37 Claims

Specification

Solutions

Use Cases

Quick Links

Method and system for forensic investigation of data access

First Claim

0 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

27 Citations

37 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links