Methods for evidencing illicit use of a computer system or device

US 6,549,638 B2
Filed: 11/03/1998
Issued: 04/15/2003
Est. Priority Date: 11/03/1998
Status: Expired due to Term

First Claim

Patent Images

1. A method for robustly evidencing illicit use of a computer system, the system having associated therewith at least one data processor and at least one non-volatile data store, the method comprising:

receiving a signal indicating possible use of a system component for an illicit activity;

in response to receipt of said signal, storing forensic tracer data in at least one of said non-volatile data stores;

the method further including obfuscating said storage of said forensic tracer data so as to make detection thereof more difficult;

wherein the obfuscating includes appending the forensic tracer data to an existing file having other contents not related to forensic tracer data.

View all claims

7 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A computer is provided with software that looks for certain activities that may be illicit (e.g. processing of a graphic file corresponding to a banknote). If such an activity is detected, tracer data detailing the activity is generated and secretly stored. in the computer. If the computer is later searched or seized, the tracer data can be recovered and employed as evidence of the computer'"'"'s use, e.g. in counterfeiting.

121 Citations

View as Search Results

24 Claims

1. A method for robustly evidencing illicit use of a computer system, the system having associated therewith at least one data processor and at least one non-volatile data store, the method comprising:
- receiving a signal indicating possible use of a system component for an illicit activity;
  
  in response to receipt of said signal, storing forensic tracer data in at least one of said non-volatile data stores;
  
  the method further including obfuscating said storage of said forensic tracer data so as to make detection thereof more difficult;
  
  wherein the obfuscating includes appending the forensic tracer data to an existing file having other contents not related to forensic tracer data.
- View Dependent Claims (2)
- - 2. The method of claim 1 wherein the obfuscating includes appending by inserting the forensic tracer data in a file'"'"'s “
    - properties”
      
      rather than file'"'"'s contents.

3. A method for robustly evidencing illicit use of a computer system, the system having associated therewith at least one data processor and at least one non-volatile data store, the method comprising:
- receiving a signal indicating possible use of a system component for an illicit activity;
  
  in response to receipt of said signal, storing forensic tracer data in at least one of said non-volatile data stores;
  
  the method further including obfuscating said storage of said forensic tracer data so as to make detection thereof more difficult;
  
  wherein the storing includes storing without use of a file system normally employed by said computer system for file storage, wherein the forensic tracer data storage is not listed in a file listing produced by said file system.

4. A method for robustly evidencing illicit use of a computer system, the system having associated therewith at least one data processor and at least one non-volatile data store, the method comprising:
- receiving a signal indicating possible use of a system component for an illicit activity;
  
  in response to receipt of said signal, storing forensic tracer data in at least one of said non-volatile data stores;
  
  the method further including obfuscating said storage of said forensic tracer data so as to make detection thereof more difficult;
  
  wherein the obfuscating includes queuing the forensic tracer data in RAM for later storage, and later storing the data in said non-volatile store, wherein program tracing tools will not note an immediate write of said forensic tracer data to the non-volatile store.

5. A method for robustly evidencing illicit use of a computer system, the system having associated therewith at least one data processor and at least one non-volatile data store, the method comprising:
- receiving a signal indicating possible use of a system component for an illicit activity;
  
  in response to receipt of said signal, storing forensic tracer data in at least one of said non-volatile data stores;
  
  the method further including obfuscating said storage of said forensic tracer data so as to make detection thereof more difficult;
  
  wherein the obfuscating includes converting a deadwood file to use as a storage repository for said forensic tracer data.

6. A method for robustly evidencing illicit use of a computer system, the system having associated therewith at least one data processor and at least one non-volatile data store, the method comprising:
- receiving a signal indicating possible use of a system component for an illicit activity;
  
  in response to receipt of said signal, storing forensic tracer data in at least one of said non-volatile data stores;
  
  the method further including obfuscating said storage of said forensic tracer data so as to make detection thereof more difficult;
  
  wherein the obfuscating includes converting a duplicate file to use as a storage repository for said forensic tracer data.

7. A method for robustly evidencing illicit use of a computer system, the system having associated therewith at least one data processor and at least one non-volatile data store, the method comprising:
- receiving a signal indicating possible use of a system component for an illicit activity;
  
  in response to receipt of said signal, storing forensic tracer data in at least one of said non-volatile data stores;
  
  the method further including obfuscating said storage of said forensic tracer data so as to make detection thereof more difficult;
  
  wherein the obfuscating includes converting a long-unused file to use as a storage repository for said forensic tracer data.

8. A method for robustly evidencing illicit use of a computer system, the system having associated therewith at least one data processor and at least one non-volatile data store, the method comprising:
- receiving a signal indicating possible use of a system component for an illicit activity;
  
  in response to receipt of said signal, storing forensic tracer data in at least one of said non-volatile data stores;
  
  the method further including obfuscating said storage of said forensic tracer data so as to make detection thereof more difficult;
  
  wherein the obfuscating includes append the forensic tracer data to an application “
  
  help”
  
  file.

9. A method for robustly evidencing illicit use of a computer system, the system having associated therewith at least one data processor and at least one non-volatile data store, the method comprising:
- receiving a signal indicating possible use of a system component for an illicit activity;
  
  in response to receipt of said signal, storing forensic tracer data in at least one of said non-volatile data stores;
  
  the method further including obfuscating said storage of said forensic tracer data so as to make detection thereof more difficult, later performing an integrity check of the obfuscated forensic tracer data, and repairing any damage found.

10. A method for robustly evidencing illicit use of a computer system, the system having associated therewith at least one data processor and at least one non-volatile data store, the method comprising:
- receiving a signal indicating possible use of a system component for an illicit activity;
  
  in response to receipt of said signal, storing forensic tracer data in at least one of said non-volatile data stores;
  
  the method further including obfuscating said storage of said forensic tracer data so as to make detection thereof more difficult, and replicating obfuscated storage of said forensic tracer data at several storage locations.

11. A method for robustly evidencing illicit use of a computer system, the system having associated therewith at least one data processor and at least one non-volatile data store, the method comprising:
- receiving a signal indicating possible use of a system component for an illicit activity;
  
  in response to receipt of said signal, storing forensic tracer data in at least one of said non-volatile data stores;
  
  the method further including obfuscating said storage of said forensic tracer data so as to make detection thereof more difficult;
  
  wherein the computer system has an operating system including a registry database, and the method includes storing the forensic tracer data in said registry database.

12. A method for robustly evidencing illicit use of a computer system, the system having associated therewith at least one data processor and at least one non-volatile data store, the method comprising:
- receiving a signal indicating possible use of a system component for an illicit activity;
  
  in response to receipt of said signal, storing forensic tracer data in at least one of said non-volatile data stores;
  
  the method further including obfuscating said storage of said forensic tracer data so as to make detection thereof more difficult;
  
  wherein-the obfuscating comprises steganographically encoding the forensic tracer data amidst other data.

13. A method for robustly evidencing illicit use of a device, the device having associated therewith at least one data processor and at least one non-volatile data store, the method comprising:
- receiving a signal indicating possible use of the device for an illicit activity;
  
  in response to receipt of said signal, storing forensic tracer data in at least one of said non-volatile data stores;
  
  the method further including obfuscating said storage of said forensic tracer data so as to make detection thereof more difficult;
  
  wherein the obfuscating includes queuing the forensic tracer data in RAM for later storage, and later storing the data in said non-volatile store, wherein program tracing tools will note an immediate write of said forensic tracer data to the non-volatile store.
- View Dependent Claims (14, 15)
- - 14. The method of claim 13 wherein said device is a scanner.
  - 15. The method of claim 13 wherein said device is a printer.

16. A method for robustly evidencing illicit use of a device, the device having associated therewith at least one data processor and at least one non-volatile data store, the method comprising:
- receiving a signal indicating possible use of the device for an illicit activity;
  
  in response to receipt of said signal, storing forensic tracer data in at least one of said non-volatile data stores;
  
  the method further including obfuscating said storage of said forensic tracer data so as to make detection thereof more difficult, later performing an integrity check of the obfuscated forensic tracer data, and repairing any damage found.
- View Dependent Claims (17, 18)
- - 17. The method of claim 16 wherein said device is a scanner.
  - 18. The method of claim 16 wherein said device is a printer.

19. A method for robustly evidencing illicit use of a device, the device having associated therewith at least one data processor and at least one non-volatile data store, the method comprising:
- receiving a signal indicating possible use of the device for an illicit activity;
  
  in response to receipt of said signal, storing forensic tracer data in at least one of said non-volatile data stores;
  
  the method further including obfuscating said storage of said forensic tracer data so as to make detection thereof more difficult, and replicating obsfuscated storage of said forensic tracer data at several storage locations.
- View Dependent Claims (20, 21)
- - 20. The method of claim 19 wherein said device is a scanner.
  - 21. The method of claim 19 wherein said device is a printer.

22. A method for robustly evidencing illicit use of a device, the device having associated therewith at least one data processor and at least one non-volatile data store, the method comprising:
- receiving a signal indicating possible use of the device for an illicit activity;
  
  in response to receipt of said signal, storing forensic tracer data in at least one of said non-volatile data stores;
  
  the method further including obfuscating said storage of said forensic tracer data so as to make detection thereof more difficult;
  
  wherein the obfuscating comprises steganographically encoding the forensic tracer data amidst other data.
- View Dependent Claims (23, 24)
- - 23. The method of claim 22 wherein said device is a scanner.
  - 24. The method of claim 22 wherein said device is a printer.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Digimarc Corporation
Original Assignee
Digimarc Corporation
Inventors
Carr, J. Scott, Davis, Bruce L., Perry, Burt
Primary Examiner(s)
Johns, Andrew W.

Application Number

US09/185,380
Publication Number

US 20020136426A1
Time in Patent Office

1,624 Days
Field of Search

382/100, 382/135, 382/232, 283/902, 399/366, 380/210, 380/252, 380/287, 380/54, 700/79, 705/51, 705/57, 710/18, 711/161, 713/176, 713/179, 713/189, 714/45
US Class Current

382/100
CPC Class Codes

G06F 21/10   Protecting distributed prog...

G06F 2221/2101   Auditing as a secondary aspect

G06V 10/40   Extraction of image or vide...

G07D 7/0034   using watermarks

G07D 7/20   Testing patterns thereon G0...

H04N 1/00843   based on recognising a copy...

H04N 1/00877   Recording information, e.g....

Methods for evidencing illicit use of a computer system or device

First Claim

7 Assignments

0 Petitions

Accused Products

Abstract

121 Citations

24 Claims

Specification

Solutions

Use Cases

Quick Links

Methods for evidencing illicit use of a computer system or device

First Claim

7 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

121 Citations

24 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links