Systems and methods for file clustering, multi-drive forensic analysis and data protection

US 9,792,289 B2
Filed: 11/07/2014
Issued: 10/17/2017
Est. Priority Date: 11/07/2014
Status: Active Grant

First Claim

Patent Images

1. A multi-drive forensic data analysis system comprising:

a plurality of memory devices having files stored thereon;

at least one module configured to receive the files stored on the plurality of memory devices and extract characteristics of the files stored on the plurality of memory devices;

a clustering module configured to;

receive the extracted characteristics;

identify similarities between the files stored on the plurality of memory devices, based on the extracted characteristics, using a two-stage algorithm wherein at least one stage of the two-stage algorithm includes content-based hashing;

generate file clusters based on the identified similarities among the files stored on the plurality of memory devices; and

generate a visual representation of the memory devices and connections therebetween based on the identified similarities among the files stored on the plurality of memory devices, the visual representation comprising;

nodes that correspond to the memory devices; and

lines connecting the nodes, each of the lines having a thickness representing the identified similarities; and

a user interface module for displaying the visual representation.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A system and method for file clustering, multi-drive forensic analysis and protection of sensitive data. Multiple memory devices can store files. A module can extract characteristics from the stored files, identify similarities between the files based on the extracted characteristics and generate file clusters based on the identified similarities. A visual representation of the file clusters, which can be generated to show the identified similarities among the files, can be displayed by a user interface module.

29 Citations

View as Search Results

23 Claims

1. A multi-drive forensic data analysis system comprising:
- a plurality of memory devices having files stored thereon;
  
  at least one module configured to receive the files stored on the plurality of memory devices and extract characteristics of the files stored on the plurality of memory devices;
  
  a clustering module configured to;
  
  receive the extracted characteristics;
  
  identify similarities between the files stored on the plurality of memory devices, based on the extracted characteristics, using a two-stage algorithm wherein at least one stage of the two-stage algorithm includes content-based hashing;
  
  generate file clusters based on the identified similarities among the files stored on the plurality of memory devices; and
  
  generate a visual representation of the memory devices and connections therebetween based on the identified similarities among the files stored on the plurality of memory devices, the visual representation comprising;
  
  nodes that correspond to the memory devices; and
  
  lines connecting the nodes, each of the lines having a thickness representing the identified similarities; and
  
  a user interface module for displaying the visual representation.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16, 17)
- - 2. The system of claim 1 further including a tagging module configured to tag files based on the identified similar characteristics and further configured to tag clusters based on the file tags.
  - 3. The system of claim 2 wherein the user interface module is configured to allow users to filter the visual representation of the file clusters based on at least one of the file tags and cluster tags.
  - 4. The system of claim 1 wherein the characteristics include one or more of the following:
    - content hashes, keywords, regular expressions, and metadata.
  - 5. The system of claim 1, wherein the identified similarities corresponds to the respective numbers of similar files.
  - 6. The system of claim 1 wherein the extracted characteristics comprise at least one content hash and wherein the clustering module is further configured to perform hashing functions iteratively on the files to identify a set of possible similar files thereby reducing the number of false positives.
  - 7. The system of claim 6, wherein the clustering module is configured to perform hashing functions iteratively on the files to identify a set of possible similar files is further configured to generate a term vector for each one of the set of possible similar files, wherein the term vector includes an array of terms within a file and a corresponding frequency of each term in the array in the file.
  - 8. The system of claim 7, wherein the clustering module is further configured to perform a pairwise comparison of the term vectors for each one of the set of possible similar files.
  - 9. The system of claim 1 wherein the number of extracted characteristics is adjustable.
  - 10. The system of claim 1, wherein the files comprise at least one of text, images or video.
  - 11. The system of claim 1 wherein the clustering module is further configured to identify similarities among files stored on the plurality of memory devices.
  - 12. The system of claim 1 wherein the clustering module is further configured to identify similarities among the plurality of memory devices by identifying similarities among the files stored on the plurality of memory devices.
  - 13. The system of claim 1 wherein the clustering module is further configured to identify similarities among files stored on one of the plurality of memory devices and a remainder of the plurality of memory devices.
  - 14. The system of claim 1 wherein the clustering module is further configured to rank file clusters based on one or more of a score assigned to the files or at least one attribute of the files of the file clusters.
  - 15. The system of claim 1, further comprising a master processor and a plurality of worker processors, wherein the module extracting characteristics and the clustering module are distributed on the plurality of worker processors, wherein the master processor allocates processing tasks to the plurality of worker processors.
  - 16. The system of claim 1, wherein one of the extracted characteristics is a geo-reference, and wherein the clustering module is further configured to generate file clusters based on the geo-reference.
  - 17. The system of claim 1, wherein the content-based hashing includes at least one of a Minhash algorithm and a BRISK algorithm.

18. A multi-drive forensic data analysis system comprising:
- a plurality of memory devices having files stored thereon;
  
  a memory storing a reference set of files including one or more sensitivity designations based on one or more characteristics of the reference set of files;
  
  a processor configured to;
  
  identify and cluster the plurality of files stored on the plurality of memory devices based on the one or more characteristics between the plurality of files and one or more files from the reference set of files using a two-stage algorithm wherein at least one stage of the two-stage algorithm includes content-based hashing;
  
  tag the plurality of files stored on the plurality of memory devices with the same sensitivity designation as one or more of the files from the reference set; and
  
  generate a visual representation of the memory devices and connections therebetween based on the sensitivity designations of the files and which one of the plurality of memory devices the files are stored on, the visual representation comprising;
  
  nodes that correspond to the memory devices; and
  
  lines connecting the nodes, each of the lines having a thickness representing the identified similarities, anda user interface module for displaying the visual representation.
- View Dependent Claims (19, 20, 21, 22, 23)
- - 19. The system of claim 18, wherein each file in a cluster inherits the tag of the cluster.
  - 20. The system of claim 18 wherein sensitivity designations are based on at least one of sensitive keyword lists, regular expressions, file similarity, and content analytics.
  - 21. The system of claim 18, wherein the processor is further configured to tag based on clustering against a reference dataset of documents with assigned sensitivity tags.
  - 22. The system of claim 18, wherein the processor is further configured to update the visual representation when new files are added.
  - 23. The system of claim 18, wherein the content-based hashing includes at least one of a Minhash algorithm and a BRISK algorithm.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Semandex Networks, Inc.
Original Assignee
Semandex Networks, Inc.
Inventors
Reininger, Daniel J., Makwana, Dhananjay D., Kulberda, Raymond William, Larson, Eric Heath, Hearn, Timothy P.
Primary Examiner(s)
Truong, Dennis

Application Number

US14/536,030
Publication Number

US 20160132521A1
Time in Patent Office

1,075 Days
Field of Search

707737, 707738, 707754, 382225
US Class Current
CPC Class Codes

G06F 16/152   using file content signatur...

G06F 16/156   Query results presentation

G06T 11/206   Drawing of charts or graphs

Systems and methods for file clustering, multi-drive forensic analysis and data protection

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

29 Citations

23 Claims

Specification

Solutions

Use Cases

Quick Links

Systems and methods for file clustering, multi-drive forensic analysis and data protection

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

29 Citations

23 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links