[go: up one dir, main page]

US20080098219A1 - Method and apparatus for controlling digital evidence - Google Patents

Method and apparatus for controlling digital evidence Download PDF

Info

Publication number
US20080098219A1
US20080098219A1 US11/784,794 US78479407A US2008098219A1 US 20080098219 A1 US20080098219 A1 US 20080098219A1 US 78479407 A US78479407 A US 78479407A US 2008098219 A1 US2008098219 A1 US 2008098219A1
Authority
US
United States
Prior art keywords
evidence
operator
information
piece
digital
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Abandoned
Application number
US11/784,794
Inventor
Dario V. Forte
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Sumo Logic Italy SpA
Sumo Logic Inc
Original Assignee
DF Labs SpA
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by DF Labs SpA filed Critical DF Labs SpA
Priority to US11/784,794 priority Critical patent/US20080098219A1/en
Assigned to DF LABS reassignment DF LABS ASSIGNMENT OF ASSIGNORS INTEREST (SEE DOCUMENT FOR DETAILS). Assignors: FORTE, DARIO V.
Publication of US20080098219A1 publication Critical patent/US20080098219A1/en
Priority to US14/479,262 priority patent/US10614535B2/en
Priority to US16/840,977 priority patent/US11423497B2/en
Assigned to DFLABS S.P.A. reassignment DFLABS S.P.A. CORRECTIVE ASSIGNMENT TO CORRECT THE ASSIGNEE'S NAME PREVIOUSLY RECORDED AT REEL: 019213 FRAME: 0547. ASSIGNOR(S) HEREBY CONFIRMS THE ASSIGNMENT. Assignors: FORTE, DARIO V.
Assigned to SUMO LOGIC ITALY S.P.A reassignment SUMO LOGIC ITALY S.P.A CHANGE OF NAME (SEE DOCUMENT FOR DETAILS). Assignors: DF LABS S.P.A.
Priority to US17/813,374 priority patent/US11676230B2/en
Assigned to Sumo Logic, Inc. reassignment Sumo Logic, Inc. CORRECTIVE ASSIGNMENT TO CORRECT THE RECEIVING PARTY NAME PREVIOUSLY RECORDED AT REEL: 057428 FRAME: 0316. ASSIGNOR(S) HEREBY CONFIRMS THE CHANGE OF NAME. Assignors: DF LABS S.P.A.
Priority to US18/138,456 priority patent/US12045903B2/en
Abandoned legal-status Critical Current

Links

Images

Classifications

    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06QINFORMATION AND COMMUNICATION TECHNOLOGY [ICT] SPECIALLY ADAPTED FOR ADMINISTRATIVE, COMMERCIAL, FINANCIAL, MANAGERIAL OR SUPERVISORY PURPOSES; SYSTEMS OR METHODS SPECIALLY ADAPTED FOR ADMINISTRATIVE, COMMERCIAL, FINANCIAL, MANAGERIAL OR SUPERVISORY PURPOSES, NOT OTHERWISE PROVIDED FOR
    • G06Q50/00Information and communication technology [ICT] specially adapted for implementation of business processes of specific business sectors, e.g. utilities or tourism
    • G06Q50/10Services
    • G06Q50/18Legal services
    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F16/00Information retrieval; Database structures therefor; File system structures therefor
    • G06F16/20Information retrieval; Database structures therefor; File system structures therefor of structured data, e.g. relational data
    • G06F16/22Indexing; Data structures therefor; Storage structures
    • G06F16/2228Indexing structures
    • G06F16/2255Hash tables
    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/60Protecting data
    • G06F21/62Protecting access to data via a platform, e.g. using keys or access control rules
    • G06F21/6218Protecting access to data via a platform, e.g. using keys or access control rules to a system of files or objects, e.g. local or distributed file system or database
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00Network architectures or network communication protocols for network security
    • H04L63/12Applying verification of the received information

Definitions

  • Embodiments of the present invention generally relate to a method and apparatus for controlling evidence and, more particularly, a method and apparatus for storing, retrieving, maintaining, deleting and tracking the chain of custody of digital evidence.
  • evidence In today's legal system, evidence is an essential aspect of litigation. Evidence must be carefully accumulated, stored under state or federal rules, and tracked throughout its existence. For a document or an object to be useable as evidence in a court room, such document or object must comply with all the laws applicable to evidence retrieval, maintenance, and tracking. In other words, evidence must remain authentic and its chain of custody must be maintained.
  • evidence is handled or viewed by many individuals. For example, evidence is handled or viewed by investigators, police officers, attorneys, witnesses, or an evidence keeper. Such individuals may co-exist at the same location, in different buildings, even in different cities, states, or countries. Thus, with numerous people interacting with the evidence, it becomes challenging to maintain the authenticity and the chain of custody of evidence.
  • the present invention is a method and apparatus for controlling digital evidence.
  • the method and apparatus comprises creating a case record comprising information about an investigative case, electronically storing at least one piece of digital evidence into memory, and associating the stored at least one piece of evidence with the case record.
  • FIG. 1 is a schematic diagram of the hardware forming an exemplary embodiment of a computer system that operates in accordance with the present invention
  • FIG. 2 is a flow diagram depicting an exemplary embodiment of a method for starting a new case in a digital evidence system
  • FIG. 3 is a flow diagram depicting an exemplary embodiment of a method for entering case information into a digital evidence system
  • FIG. 4 is an illustration of an exemplary case information interface screen of a digital evidence system
  • FIG. 5 is an illustration of an exemplary case information interface screen of a digital evidence system
  • FIG. 6 is an illustration of an exemplary host interface screen of a digital evidence system
  • FIG. 7 is a flow diagram depicting an exemplary embodiment of a method for viewing case and evidence information of a digital evidence system
  • FIG. 8 is an illustration of an exemplary evidence information interface screen of a digital evidence system
  • FIG. 9 is a flow diagram depicting an exemplary embodiment of a method for entering photo and/or photo information into a digital evidence system
  • FIG. 10 is an illustration of an exemplary photo gallery interface screen of a digital evidence system
  • FIG. 11 is a flow diagram depicting an exemplary embodiment of a method for entering timeline and/or timeline information into a digital evidence system
  • FIG. 12 is an illustration of an exemplary timeline interface screen of a digital evidence system
  • FIG. 13 is a flow diagram depicting an exemplary embodiment of a method for entering chain of custody and/or chain of custody information into a digital evidence system
  • FIG. 14 is an illustration of an exemplary chain of custody interface screen of a digital evidence system
  • FIG. 15 is a flow diagram depicting an exemplary embodiment of a method for entering cost and/or cost information into a digital evidence system
  • FIG. 16 is an illustration of an exemplary cost involved interface screen of a digital evidence system
  • FIG. 17 is a flow diagram depicting an exemplary embodiment of a method for displaying and/or generating reports from a digital evidence system
  • FIG. 18 is an illustration of an exemplary automatic report generation interface screen of a digital evidence system
  • FIG. 19 is a flow diagram depicting an exemplary embodiment of a method for entering deliverables into a digital evidence system
  • FIG. 20 is an illustration of an exemplary deliverable interface screen of a digital evidence system
  • FIG. 21 is a flow diagram depicting an exemplary embodiment of a method for entering MSD (Mass Storage Device) as evidence into a digital evidence system;
  • FIG. 22 is an illustration of an exemplary MSD entry interface screen of a digital evidence system
  • FIG. 23 is a flow diagram depicting an exemplary embodiment of a method for entering a cloning log into digital evidence system
  • FIG. 24 is an illustration of an exemplary cloning log entry interface screen of a digital evidence system
  • FIG. 25 is an illustration of an exemplary operator management interface screen of a digital evidence system
  • FIG. 26 is a flow diagram depicting an exemplary embodiment of a method for entering operator information into a digital evidence system
  • FIG. 27 is an illustration of an exemplary operator interfaces screen of a digital evidence system
  • FIG. 28 is a flow diagram depicting an exemplary embodiment of a method for entering a host or an evidence collector into a digital evidence system
  • FIG. 29 is an illustration of an exemplary host input information interface screen of a digital evidence system
  • FIG. 30 is an illustration of an exemplary evidence collector input information interface screen of a digital evidence system
  • FIG. 31 is a flow diagram depicting an exemplary embodiment of a method for deleting a host or an evidence collector into a digital evidence system
  • FIG. 32 is a flow diagram depicting an exemplary embodiment of a method for entering event log into a digital evidence system
  • FIG. 33 is an exemplary log file of a digital evidence system
  • FIG. 34 is an illustration of an exemplary evidence information screen of a digital evidence system.
  • Embodiments of the present invention are utilized to control digital evidence.
  • a plurality of system operators may open and/or update “cases” involving one or more pieces of digital evidence.
  • Digital evidence may reside upon any form of digital media, such as, disk drives, compact disks (CD), digital video disk (DVD), floppy disk, and the like.
  • the operator enters information uniquely identifying the evidence, captures an image (or clone) of the content of the digital media, and stores the image (or clone) in a database in association with the identifying information.
  • the case Once the case is established, other evidence can be added to the database, access to the evidence is tracked, Chain of title is controlled, reports regarding the case and/or the evidence can be generated, and so on. In this manner, control over digital evidence is established and maintained.
  • FIG. 1 is a schematic diagram of the hardware forming an exemplary embodiment of a computer system 100 that operates in accordance with the present invention. This figure only portrays one variation of the myriad of possible network configurations.
  • the present invention can function in a variety of computing environments; such as, a distributed computer system, a centralized computer system, a stand alone computer system, or the like.
  • computing system 100 may or may not contain all the components listed below.
  • the computer system 100 comprises a plurality of client computers 102 1 , 102 2 . . . 102 n , which may connect to one another through a conventional data communications network 104 .
  • a host server 106 is coupled to the communication network 104 to supply application and data services as well as other resource services to the clients 102 1 , 102 2 . . . 102 n .
  • the computer system 100 is coupled to host server 106 via communication link 108 1 .
  • systems 110 1 , 110 2 . . . 110 n are coupled to the communication network 104 via communication links 108 1 , 108 2 . . . 108 n .
  • the communication link 108 1 , 108 2 . . . 108 n may be a physical link, a wireless link, a combination there of, or the like.
  • Systems 110 1 , 110 2 . . . 110 n may be another computer system, another communication network, a wireless device, or the like.
  • the host server 106 comprises at least one central processing unit (CPU) 112 , support circuits 114 , and memory 116 .
  • the CPU 112 may comprise one or more conventionally available microprocessors.
  • the microprocessor may be an application specific integrated circuit (ASIC).
  • the support circuits 114 are well known circuits used to promote functionality of the CPU 112 . Such circuits include, but are not limited to, a cache, power supplies, clock circuits, input/output (I/O) circuits and the like.
  • the memory 116 contained within the host server 106 may comprise random access memory, read only memory, removable disk memory, flash memory, and various combinations of these types of memory.
  • the memory 116 is sometimes referred to main memory and may, in part, be used as cache memory or buffer memory.
  • the memory 116 generally stores the operating system 118 of the host server 106 .
  • the memory 116 stores database software 108 , various forms of application software 120 , such as evidence control evidence software 122 , and database software 124 .
  • the operating system may be one of a number of commercially available operating systems such as, but not limited to, SOLARIS from SUN Microsystems, Inc., AIX from IBM Inc., HP-UX from Hewlett Packard Corporation, LINUX from Red Hat Software, Windows 2000 from Microsoft Corporation, and the like.
  • the database software 124 may comprise a relational database, for example, SQL from Oracle Corporation.
  • the communications network 106 may be coupled to the input/output (I/O) ports 126 of the host server 106 .
  • the I/O ports 126 are coupled of the storage volume 128 .
  • the storage volume 128 generally comprises one or more disk drives, or disk drive arrays, that may be used as a mass storage device for the host server 106 or systems 110 1 , 110 2 . . . 110 n .
  • the storage volume 124 may support a plurality of host servers 106 (only one of which is depicted).
  • the memory 116 may be partially used as cache memory to temporarily store cached information.
  • the evidence control software may utilize the memory 116 for evidence control functions, such as, storing, viewing, editing, and the like.
  • the host server 106 supports application programs 120 , such as, the evidence control software 122 .
  • the digital evidence control software 122 allows for digital evidence manipulation on the host server 106 .
  • the evidence control software 122 enables a plurality of client computers 102 1 , 102 2 . . . 102 n , in different locations, to view evidence without tampering with it, while maintaining chain of custody and evidence authenticity.
  • the evidence control system may allow for more than one mode of access, such as an administrator access mode and a user access mode. For example, an evidence control system administrator may be able to store, view, maintain, delete records of evidence, or control users' accounts. On the other hand, a user may be able to request an account, access such account, and view evidence designated to the specific user account.
  • the digital evidence control system may allow for more than one mode of access with different operator functions, such as an administrator access mode and a user access mode.
  • a digital evidence control system administrator may be able to store, view, maintain, delete records of evidence, or control users' accounts.
  • a user may be able to request an account, access such account, and view evidence designated to the specific user account.
  • the digital evidence control system may allow for one or more operators, administrators, and/or users, where each person has a different assigned role offering varied levels of access to the evidence database.
  • FIG. 2 is a flow diagram depicting an exemplary embodiment of a method 200 for entering case information into a digital evidence system.
  • the method 200 starts at step 202 and proceeds to step 204 , wherein the operator, or in many cases an administrator enters information regarding a case.
  • the method determines a case already exists in the evidence system having the same name. If the case name already exists, the method 200 proceeds to step 204 , wherein the operator or the administrator must change the case name.
  • the method 200 associates the information entered with the record.
  • the method 200 creates a record of digital evidence, including, for example, at least one of a TimeLine, expenditures incurred, deliverables, a chain of custody, a host, a media, a log, a network dump, a file/folder, a clone or a CloneLog, and the like.
  • the method 200 associates the information entered with the record.
  • the method queries whether there is more information to be entered. If the query is positively answered, the method 200 proceeds to step 210 . Otherwise, the method 200 ends at step 212 .
  • FIG. 3 is a flow diagram depicting an exemplary embodiment of a method 300 for entering case information into a digital evidence system.
  • the method 300 starts at step 302 and proceeds to query step 304 . If there is a new case, the method 300 proceeds from step 304 to step 306 .
  • the method 300 selects a database to use for storing information related to the case. This may be a manual or automated selection process. If there is not a new case, the method 300 continues to the step 308 .
  • the method 300 selects the relevant case. Both step 306 and 308 continue to step 310 .
  • the method 300 selects or updates operators that are working in the case.
  • the method 300 assigns or updates the role of each operator, i.e., the function does each operator perform in the operator process.
  • the roles are used to define level of access the operator has to the system.
  • the method 300 enters or updates a case description.
  • the method 300 enters or updates host information. The method 300 ends at step 318 .
  • FIG. 4 is an illustration of an exemplary case information interface screen 400 of a digital evidence system.
  • the case interface screen 400 may be used by an operator and/or an administrator to create a new case.
  • the administrator enters a new case information into the fields in the new case window 400 .
  • the new case window 400 may have fields, such as but not limited to, database selection fields 402 , investigators' information field 404 , and case description fields 406 .
  • the case description fields include, but are not limited to, name of police officers, addresses (street, city, state, zip code), date time, and the like.
  • the administrator saves and/or updates the information entered by selecting an “Update case” button 408 .
  • FIG. 5 is an illustration of an exemplary case information interface screen 500 of digital evidence. Once a case is created, case information can be displayed in connection with the general tab 502 .
  • the general interface screen 500 includes the case information windows 504 , the client information windows 506 , the operator information 508 , and data information 510 .
  • the case information window 504 includes the case name, location, type, notes, and the like.
  • the client information window 506 includes client's name, client's business name, street, city, state, zip and phone, and the like.
  • the operator information window 508 includes operator's name, id, title and the like.
  • the data information window 510 includes the data's type, date, and so on.
  • the case interface screen 500 contains a plurality of tabs, such as, general tab 502 , photo tab 512 hidden, timeline tab 514 , chain of custody tab 516 , deliverables 518 , expenditures tab 520 , and a report tab 522 ; the screen related to each tab is show in FIGS. 6 , 8 , 10 , 14 , 16 , respectively.
  • the case information interface screen 500 may also display case statistics information 524 , such as, total hosts, total photos, and total evidence information.
  • FIG. 6 is an illustration of an exemplary host information interface screen 600 of digital evidence.
  • host information can be displayed in the host information interface screen 600 .
  • the host information interface 600 includes a host information window 602 , and an evidence list window 604 .
  • the host information window 602 includes the host name, type of host, model, serial number, user, and the like.
  • the evidence list window 604 includes the evidences that are been associated to the host selected.
  • the host interface screen contains the same tabs shown in screen 500 but in this case the photo tab 512 is displayed and shows the host's photo and the chain of custody tab 516 shows the movements of the host.
  • the operator can select an edit button 606 .
  • FIG. 7 is a flow diagram depicting an exemplary embodiment of a method 700 for viewing case and evidence information if a digital evidence control system.
  • the method 700 starts at step 702 and continues to step 704 , wherein an operator selects an evidence type, i.e., selects media, log, network dump or file/folder. If the evidence type is media, then the method 700 proceeds to step 706 .
  • the method 700 copies the digital content of the media in a file-by-file manner and stores the clone in memory.
  • the method 700 creates a snapshot of the contents of the media and stores the image as a single file in memory.
  • the method 700 creates a hash for original evidence and clone.
  • the hash for example, an MD5 hash, is used to ensure that the evidence is not tampered with or otherwise altered. Any change in the content of the clone would alter the hash. If the method 700 does not create a clone, the query at step 708 is negatively answered and the method 700 continues to step 712 , in which an operator enters a media description. Then, at step 714 , the method creates a unique identifier for the evidence such that the evidence is tagged for tracking purposes. At 716 , the operator saves the clone or image identifier and information that the operator entered in previous step. Finally, at step 748 , the method 700 ends.
  • the query at step 708 is negatively answered and the method 700 continues to step 712 , in which an operator enters a media description. Then, at step 714 , the method creates a unique identifier for the evidence such that the evidence is tagged for tracking purposes. At 716 , the operator saves the clone or image identifier and information that
  • step 704 the method 700 proceeds to step 720 .
  • step 720 the method 700 copies the log file.
  • step 722 and 724 respectively, the method 700 enters log file description and creates a unique identifier for the log file entered as digital evidence. Then, at step 726 , the operator saves the log copy identifier and information. Finally at step 748 , the method ends.
  • the method 700 proceeds from step 704 to 728 .
  • the method 700 copies the network dump as a single file onto the digital evidence system.
  • the operator enters a network dump description and creates a unique identifier for tracking the evidence.
  • the operator saves the network dump copy identifier and information.
  • the method 700 ends.
  • step 704 the method 700 proceeds from step 704 to 736 .
  • step 736 the method 700 copies the file/folder in a folder onto the digital evidence system.
  • steps 738 the operator enters a file/folder description.
  • the method 700 proceeds to query step 740 . If there is a file to attach, the method 700 proceeds from step 740 to step 742 , wherein the method 700 selects a file to attach to the file/folder evidence.
  • step 744 the operator creates a unique identifier for tracking the evidence.
  • step 746 the operator saves the file/folder copy identifier and information.
  • step 748 the method 700 ends.
  • FIG. 8 is an illustration of an exemplary evidence information interface screen 800 of a digital evidence system.
  • the evidence information interface screen 800 contains evidence information, such as, media information 802 , media detail 804 , and the clone list 806 than are associated to the media selected.
  • the media information window 802 may include operator's name, evidence label and type, and the like.
  • the media detail window 804 may contain media details, such as, media size, media sector, and the like. Such information may be available to a user.
  • the administrator enters evidence information in the enter evidence information interface screen 808 .
  • the assigned roles of the users, operators and administrators define the level of system access for each person. Thus, the assigned role may be defined by the persons that enter the evidence information.
  • FIG. 9 is a flow diagram depicting an exemplary embodiment of a method 900 for entering a digital photograph and/or photograph description into a digital evidence system.
  • the method 900 starts with step 902 , when the operator select the host or media to which inserting photographs.
  • the operator selects the photos tab 512 , which causes the photo screen interface (see FIG. 10 ) to display on a computer screen.
  • the method 900 proceeds to the query at step 908 . If the operator wants to edit any information about a photograph that is been stored into the digital evidence system, the method 900 proceeds from step 908 to step 910 .
  • the operator selects the photograph that is to be edited.
  • the method 900 saves the new information and the method 900 ends at step 928 .
  • the method 900 proceeds to step 918 .
  • the operator uploads at least one photograph.
  • a description of the uploaded photograph may be entered.
  • the operator saves the photograph and the description as a portion of the case.
  • the method 900 proceeds to query at step 924 , if the operator wants to insert a new photograph, the method 900 proceeds to step 918 ; otherwise, the method 900 ends at step 928 .
  • FIG. 10 is an illustration of an exemplary photo gallery interface screen 1000 of a digital evidence system.
  • the invention displays a photo gallery interface screen 1000 , as show in FIG. 10 .
  • the gallery interface screen 1000 may include one or more digital photographs 1002 , which can be used as evidence, photographs of actual evidence, supporting documentation of evidence, a view of the environment in which the evidence was found, and the like.
  • the photographs 1002 may include evidence photograph 1002 a , photos/screen shot of database documentation 1002 b , photograph 1002 c of the location from which the evidence was extracted (computer system, a memory tower, etc.), and the like.
  • the photo information section 1004 contains information, such as, the photo creation date and time, identification tags, descriptive text and the like.
  • FIG. 11 is a flow diagram depicting an exemplary embodiment of a method 1100 for entering/updating timeline and/or timeline information into a digital evidence system in accordance with one or more embodiments of the invention.
  • the method 1100 begins at step 1102 , whereupon the timeline screen (see FIG. 12 ) display on a computer monitor.
  • the operator selects the timeline tab.
  • the method 1100 proceeds to the query at step 1106 . If the operator wants to edit any information about a timeline event that has been stored into the digital evidence system, the method 1100 proceeds from step 1106 to step 1108 .
  • the operator selects the timeline event to edit.
  • the method 1100 proceeds at step 1110 .
  • the operator creates a new timeline.
  • the method 1100 proceeds to step 1112 .
  • the operator inserts the timeline information that delineate various task (events) performed during the investigations.
  • the method 1100 saves timeline information. The method ends at the step 1116 .
  • FIG. 12 is an illustration of an exemplary timeline interface screen 1200 of a digital evidence control system in accordance with one or more embodiments of the investigation.
  • the timeline interface screen 1200 is displayed upon selecting the timeline tab 514 (see FIG. 5 ).
  • the timeline interface screen 1200 comprises an event list area 1210 that includes the date and time of the event 1202 , the operator's name 1204 , and the event type 1206 .
  • the event and information pertaining thereto is entered in the event window 1208 .
  • the event list area 1210 the information pertaining to the selected event appears in window 1208 .
  • FIG. 13 is a flow diagram depicting an exemplary embodiment of a method 1300 for entering/updating a chain of custody event related to particular evidence into a digital evidence system in accordance with one or more embodiments of the invention.
  • the method 1300 starts with step 1302 , upon which the operator selecting the chain of custody tab 516 (see FIG. 5 ). Then, the method 1300 proceeds to a query at step 1306 . If the operator wants to edit any information about a chain of custody event that has been stored into the digital evidence system, the method 1300 proceeds from step 1306 to step 1308 . At step 1308 , the operator selects the chain of custody event to edit. If the operator, instead, wants to insert a new chain of custody event, the method 1300 proceeds at step 1310 .
  • step 1310 the operator creates a new chain of custody event. From step 1308 and step 1310 , the method 1300 proceeds to step 1312 .
  • step 1312 if the operator wants to add a new file related to chain of custody event, the method 1300 proceeds to step 1316 , wherein the operator creates a file related to chain of custody. If the operator wants to select an existing file related to the chain of custody, the method 1300 proceeds to step 1314 , wherein the operator selects a file to attach. From step 1314 and step 1316 , the method 1300 proceeds to step 1318 .
  • step 1318 the operator inserts the chain of custody information that delineates the movements performed during the investigations by the evidence.
  • step 1320 the method 1300 saves chain of custody information.
  • FIG. 14 is an illustration of an exemplary chain of custody interface 1400 of a digital evidence control system.
  • FIG. 14 shows the chain of custody interface screen 1400 is displayed upon the operator selecting the chain of custody tab 516 .
  • the chain of custody interface screen 1400 includes evidence data, such as, host whom has been associated 1402 , date time information 1404 , consignor information 1406 , receiver information 1408 , note information 1410 , place information 1412 and attachment filename information 1414 .
  • the information defines who provided the evidence, who received the evidence and what evidence was used after being received.
  • a new event section 1416 is available for an administrator to enter chain of custody information.
  • FIG. 15 is a flow diagram depicting an exemplary embodiment of a method 1500 for entering information pertaining to expenditures in the case into a digital evidence system in accordance with one or more embodiments of the invention.
  • the method 1500 starts at step 1502 , upon an operator selecting the expenditures tab 520 at step 1504 (see FIG. 5 ). Then, the method 1500 proceeds to query at step 1506 . If the operator wants to edit any information about an expenditure that has been stored into the digital evidence system, the method 1500 proceeds from step 1506 to step 1508 . At step 1508 , the operator selects the expenditure to edit. If the operator, instead, wants to insert a new expenditure, the method 1500 proceeds to step 1510 .
  • the method 1500 proceeds to query at step 1512 , wherein the operator chooses the type of expenditure. If the operator wants to add human effort expenditure the method 1500 proceeds to step 1514 and the operator inserts the information about the hours. Instead, if the operator wants to insert a monetary expenditure the method 1500 proceeds to step 1516 and the operator adds money information about the expenditure. At step 1520 , the method 1500 saves expenditure information. The method ends at step 1522 .
  • FIG. 16 is an illustration of an exemplary expenditures interface screen 1600 of a digital evidence system in accordance with one or more embodiments of the invention.
  • the invention displays the expenditures interface screen 1600 .
  • the expenditures interface screen 1600 includes activity information, such as activity data field 1602 , investigator's name field 1604 , a description field 1606 , a cost/hour field 1608 , a currency field 1610 and a method of payment field 1612 .
  • This information provides a cumulative record of the expenditures to acquire and handle evidence in particular case.
  • the expenditures are classified into two categories: money expenditures and human effort.
  • the expenditures interface screen 1600 include a expenditures section 1614 that are divided into two section, the first 1616 where are shown money expenditures and the second 1618 where are shown the human effort expenditures; on other hand, a user may be able to only view the expenditures information. Some roles may be defined to block any view of the expenditures of a case, or only the investigators personal expenditures may be displayed to a particular investigator.
  • FIG. 17 is a flow diagram depicting an exemplary embodiment of a method 1700 for displaying and/or generating reports from a digital evidence system.
  • the method 1700 starts with step 1702 , upon the operator selecting the report tab 522 (see FIG. 5 ). Selecting the report tab 522 causes the report interface screen (see FIG. 18 ) to display on a computer monitor.
  • the operator utilized the report interface screen to select a report type.
  • the method 1700 proceeds to a query at step 1706 .
  • the operator selects the report to generate.
  • the operator can choose the general report (incoming items, timeline, deliverables, expenditures or chain of custody) at step 1708 .
  • step 1710 the operator must select the evidence, step 1710 .
  • step 1712 the operator selects the type of detailed report.
  • the operator can select to print label and selects the type of label, at step 1716 .
  • the operator selects the report, it will be displayed on the interface, step 1714 of method 1700 .
  • step 1718 the operator selects how to print report. If the operator wants to generate a PDF, the method 1700 proceeds to step 1720 and allow the operator to selects the PDF's filename. Else, if the operator wants to print the report, the method 1700 proceeds to step 1722 , wherein the operator may choose the printer option. From step 1720 and step 1722 , the method 1700 proceeds to step 1724 , wherein the selected item is printed. The method ends at the step 1726 .
  • FIG. 18 is an illustration of an exemplary automatic report generation interface screen 1800 of a digital evidence system in accordance with one or more embodiments of the invention.
  • the automatic report generation interface screen 1800 comprises a general report section 1802 , a detail report section 1804 and a label report section 1806 .
  • the general report section 1802 generates reports by selecting a respective button, such as, the incoming items 1802 a , the timeline button 1802 b , the deliverable button 1802 c , the expenditures button 1802 d and the chain of custody button 1802 e .
  • the detail report section 1804 generates and displays the detailed report corresponding to the selected button.
  • the label report section 1806 generates and displays the label report corresponding to the selected button, such as, the label button 1806 a , the label hash button 1806 b and the original label button 1806 c .
  • the label button 1806 a the label button 1806 a
  • the label hash button 1806 b the original label button 1806 c .
  • a detailed technical report is generated and displayed by selecting a “technical” button 1804 a
  • a chain of custody is generated by selecting the “chain of custody” button 1804 b
  • a report corresponding to a selected button is displayed to the operator.
  • FIG. 19 is a flow diagram depicting an exemplary embodiment of a method 1900 for entering/updating a deliverable into a digital evidence system in accordance with one or more embodiments of the invention.
  • the flow diagram 1900 starts with step 1902 , upon the operator selecting the deliverables tab 518 (see FIG. 5 ). The, the method 1900 proceeds to query at step 1906 . If the operator wants to edit any information about a deliverables that is stored into the digital evidence system, the method 1900 proceeds from step 1906 to step 1908 . At step 1908 , the operator selects the deliverable that the operator wants to edit. If the operator, instead, wants to insert a new deliverable, the method 1900 proceeds to step 1910 , wherein the operator creates a new deliverable.
  • step 1912 the operator inserts the deliverable information.
  • step 1914 if the operator wants to attach a file related to deliverable, the method 1900 proceeds to step 1916 and the operator selects the file for attachment.
  • step 1920 the method 1900 saves deliverable information. The method 1900 ends at the step 1922 .
  • FIG. 20 is an illustration of an exemplary deliverables interface 2000 of a digital evidence control system.
  • FIG. 20 shows the deliverables interface screen 2000 is displayed upon the operator selecting the deliverables tab 518 .
  • the deliverables interface screen 2000 includes evidence data field, such as, filename information field 2002 , the evidence whom is related field 2004 , consignor information field 2006 , receiver information field 2008 and note information field 2010 .
  • the information defines who provided the evidence, who received the evidence and what evidence was used for once received.
  • a new event section 2012 is available for an administrator to deliverable information.
  • FIG. 21 is a flow diagram depicting an exemplary embodiment of a method 2100 for entering/updating a MSD (Mass Storage Device) as a piece of evidence into a digital evidence system in accordance with one or more embodiments of the invention.
  • the flow diagram 2100 starts with step 2102 , upon the operator selecting the MSD button (METTERE RIFERIMENTO) (see FIG. 5 ). Then, the method 2100 proceeds to query at step 2106 . If the operator wants to edit any information about a MSD that is stored in the digital evidence system, the method 2100 proceeds from step 2106 to step 2108 . At step 2108 , the operator selects the MSD to edit.
  • MSD Mass Storage Device
  • the method 2100 proceeds to step 2110 , wherein the operator creates a new MSD. Then, in step 2112 , the operator inserts the MSD information. At step 2114 , the method 2100 saves MSD information. The method 2100 ends at the step 2116 .
  • FIG. 22 is an illustration of an exemplary MSD interface 2200 of a digital evidence control system.
  • FIG. 22 shows the MSD interface screen 2200 is displayed upon the operator selecting the MSD button 528 .
  • the MSD interface screen 2200 includes two parts, in the left part 2202 is displayed a list of MSD that were associated with the case, and in the right part 2204 , is displayed the information about the selected MSD, such as, type field 2206 , brand field 2208 , model field 2210 , serial number field 2212 and size field 2214 .
  • FIG. 23 is a flow diagram depicting an exemplary embodiment of a method 2300 for entering/updating a CloningLog into a digital evidence system in accordance with one or more embodiments of the invention.
  • the flow diagram 2300 starts with step 2302 , upon which the operator selecting the CloningLog button (METTERE RIFERIMENTO) (see FIG. 5 ).
  • the operator must select a clone of evidence.
  • the method 2300 proceeds to query at step 2306 . If the operator wants to edit any information about a CloningLog that is stored in the digital evidence system, the method 2300 proceeds from step 2306 to step 2308 .
  • the operator selects the CloningLog to edit.
  • the method 2300 proceeds to step 2310 , wherein the operator creates a new CloningLog. Then, in step 2312 , the operator inserts the CloningLog information. At step 2314 , the method 2300 saves CloningLog information. The method 2300 ends at the step 2316 .
  • FIG. 24 is an illustration of an exemplary CloningLog interface 2400 of a digital evidence control system.
  • FIG. 24 shows the CloningLog interface screen 2400 is displayed upon the operator selecting the CloningLog button (METTERE RIFERIMENTO).
  • the CloningLog interface screen 2400 display fields, such as, tool type field 2402 , tool description field 2404 , tool serial number field 2406 , log field 2408 , and the like.
  • FIG. 25 is an illustration of an exemplary Operator Management interface 2500 of a digital evidence control system.
  • FIG. 25 shows the Operator Management interface screen 2500 that is displayed upon the operator selecting the Operator Management button menu (METTERE RIFERIMENTO).
  • the Operator Management interface screen 2500 display the button that allow the operator to add a new operator 2502 , edit an operator 2504 , delete an operator 2506 and disable an operator 2508 .
  • In the bottom of Operator Management interface screen 2500 is displayed the list of operators 2510 that is been store into the digital evidence system.
  • FIG. 26 is a flow diagram depicting an exemplary embodiment of a method 2600 for entering/updating an operator into a digital evidence system in accordance with one or more embodiments of the invention.
  • the flow diagram 2600 starts with step 2602 , upon the operator selecting the Operator Manager button 2604 (METTERE RIFERIMENTO) (see FIG. 26 ). Then, the method 2600 proceeds to query at step 2606 . If the operator wants to edit any information about an operator that is stored in the digital evidence system, the method 2600 proceeds from step 2606 to step 2608 . At step 2608 , the operator selects the operator that wants to edit. If the operator, instead, wants to insert a new operator, the method 2600 proceeds at step 2610 , wherein the operator creates a new operator file. Then, in step 2612 , the operator inserts the operator information. At step 2614 , the method 2600 saves operator information. The method 2600 ends at the step 2616 .
  • FIG. 27 is an illustration of an exemplary Operator interface 2700 of a digital evidence control system.
  • FIG. 27 shows the operator interface screen 2700 is displayed upon the operator selecting the Operator button 2502 or double click on the operator button.
  • the operator interface screen 2700 display fields, such as, username field 2702 , surname field 2704 , name field 2706 , sex field 2708 , phone field 2710 , and the like.
  • FIG. 28 is a flow diagram depicting an exemplary embodiment of a method 2800 for entering/updating a host or an evidence collector into a digital evidence system in accordance with one or more embodiments of the invention.
  • the method 2800 begins at step 2802 and proceeds to query at step 2804 . If the operator wants to edit any information about an host or an evidence collector that is been store into the digital evidence system, the method 2800 proceeds from step 2804 to step 2806 . At step 2806 , the operator selects the host or the evidence collector that wants to edit. If the operator, instead, wants to insert a new host or evidence collector, the method 2800 proceeds at step 2808 . Then, in step 2810 , the operator inserts the host or evidence collector information. At step 2812 , the method 2800 saves operator information. The method 2800 ends at the step 2814 .
  • FIG. 29 is an illustration of an exemplary Host interface 2900 of a digital evidence control system.
  • FIG. 29 shows the host interface screen 2900 is displayed upon the operator selecting the new host button 532 or edit host information button 606 .
  • the host interface screen 2900 display fields, such as, operator that inserts the information 2902 , host name 2904 , type of host 2906 , Company ID 2908 , and the like.
  • FIG. 30 is an illustration of an exemplary Evidence Collector interface 3000 of a digital evidence control system.
  • FIG. 30 shows the evidence collector interface screen 3000 is displayed upon the operator selecting the new evidence collector button 534 or edit evidence collector information button 3406 .
  • the evidence collector interface screen 3000 display fields, such as, operator that inserts the information 3002 , evidence collector name 3004 , note 3006 and time zone 3008
  • FIG. 31 is a flow diagram depicting an exemplary embodiment of a method 3100 for deleting a host or an evidence collector into a digital evidence system in accordance with one or more embodiments of the invention.
  • the method 3100 start at step 3102 and, at step 3104 , the operator selected a host or an evidence collector that will be deleted. Then, the method 3100 proceeds to query at step 3106 . If the operator wants to delete any information about an host or an evidence collector that is stored into the digital evidence system, the method 3000 proceeds from step 3106 to step 3108 . At step 3108 , the method deletes the information about the host or evidence collector. If the operator, instead, doesn't want to delete a host or an evidence collector, the method 3100 proceeds to step 3110 , wherein the operator can view or exit the host or evidence collector. The method 3100 ends at the step 3112 .
  • FIG. 32 is a flow diagram depicting an exemplary embodiment of a method 3200 for entering event into log file into a digital evidence system in accordance with one or more embodiments of the invention.
  • the method 3200 start at step 3202 and, at step 3204 , the method waits the generation of a new log event.
  • the method 3200 write into log file the log event and return at step 3204 to wait another one. If there is not an event, at step 3206 , the operator can view or exit the host or evidence collector.
  • the method ends at step 3208 .
  • FIG. 33 is an exemplary log file created by the digital evidence system in accordance with one or more embodiments of the invention.
  • the first section display date information 3302 and the second section display a summary description of event 3304 .
  • FIG. 34 is an illustration of an exemplary evidence collector information interface screen 3400 of a digital evidence control system. Once a case is created and evidence collector is inserted, evidence collector information can be displayed in the evidence collector information interface screen 3400 .
  • the evidence collector information window 3402 includes the evidence collector name 3404 , note 3406 , and the like. For editing evidence collector information the operator can use edit button 3408 .

Landscapes

  • Engineering & Computer Science (AREA)
  • Theoretical Computer Science (AREA)
  • Business, Economics & Management (AREA)
  • Computer Security & Cryptography (AREA)
  • Physics & Mathematics (AREA)
  • General Physics & Mathematics (AREA)
  • General Engineering & Computer Science (AREA)
  • Tourism & Hospitality (AREA)
  • Health & Medical Sciences (AREA)
  • General Health & Medical Sciences (AREA)
  • Computer Hardware Design (AREA)
  • Software Systems (AREA)
  • Databases & Information Systems (AREA)
  • Human Resources & Organizations (AREA)
  • Marketing (AREA)
  • General Business, Economics & Management (AREA)
  • Technology Law (AREA)
  • Strategic Management (AREA)
  • Primary Health Care (AREA)
  • Economics (AREA)
  • Computing Systems (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Bioethics (AREA)
  • Data Mining & Analysis (AREA)
  • Information Retrieval, Db Structures And Fs Structures Therefor (AREA)
  • Storage Device Security (AREA)

Abstract

A method and apparatus for controlling digital evidence comprising creating a case record comprising information about an investigative case, electronically storing at least one piece of digital evidence into memory, and associating the stored at least one piece of evidence with the case record.

Description

    CROSS-REFERENCE TO RELATED APPLICATIONS
  • This application claims benefit of U.S. provisional patent application Ser. No. 60/852,859, filed Oct. 19, 2006, which is herein incorporated by reference.
    • BACKGROUND OF THE INVENTION
  • 1. Field of the Invention
  • Embodiments of the present invention generally relate to a method and apparatus for controlling evidence and, more particularly, a method and apparatus for storing, retrieving, maintaining, deleting and tracking the chain of custody of digital evidence.
  • 2. Description of the Related Art
  • In today's legal system, evidence is an essential aspect of litigation. Evidence must be carefully accumulated, stored under state or federal rules, and tracked throughout its existence. For a document or an object to be useable as evidence in a court room, such document or object must comply with all the laws applicable to evidence retrieval, maintenance, and tracking. In other words, evidence must remain authentic and its chain of custody must be maintained.
  • From the point of its retrieval, evidence is handled or viewed by many individuals. For example, evidence is handled or viewed by investigators, police officers, attorneys, witnesses, or an evidence keeper. Such individuals may co-exist at the same location, in different buildings, even in different cities, states, or countries. Thus, with numerous people interacting with the evidence, it becomes challenging to maintain the authenticity and the chain of custody of evidence.
  • It authenticity or chain of custody of a piece of evidence is challenged, the court may disallow the use of such evidence in a court room. In some cases, such as criminal cases, the cost of improper space handling of evidence maybe someone's freedom or life.
  • The challenges of handling evidence are exacerbated when the evidence is digital evidence, i.e., information stored upon a disk drive, compact disk (CD), or other digital media. Such digital evidence, if not properly handled, can be easily corrupted or destroyed. Furthermore, due to the intangible nature of digital evidence, tracking the chain of custody of digital evidence is difficult.
  • Therefore, there is a need for a system that would allow individuals, in different locations to access evidence without interfering with the authenticity of evidence, while simultaneously, providing a simple process for maintaining the chain of custody of a piece of evidence.
    • SUMMARY OF THE INVENTION
  • The present invention is a method and apparatus for controlling digital evidence. The method and apparatus comprises creating a case record comprising information about an investigative case, electronically storing at least one piece of digital evidence into memory, and associating the stored at least one piece of evidence with the case record.
    • BRIEF DESCRIPTION OF THE DRAWINGS
  • So that the manner in which the above recited features of the present invention can be understood in detail, a more particular description of the invention, briefly summarized above, may be had by reference to embodiments, some of which are illustrated in the appended drawings. It is to be noted, however, that the appended drawings illustrate only typical embodiments of this invention and are therefore not to be considered limiting of its scope, for the invention may admit to other equally effective embodiments.
  • FIG. 1 is a schematic diagram of the hardware forming an exemplary embodiment of a computer system that operates in accordance with the present invention;
  • FIG. 2 is a flow diagram depicting an exemplary embodiment of a method for starting a new case in a digital evidence system;
  • FIG. 3 is a flow diagram depicting an exemplary embodiment of a method for entering case information into a digital evidence system;
  • FIG. 4 is an illustration of an exemplary case information interface screen of a digital evidence system;
  • FIG. 5 is an illustration of an exemplary case information interface screen of a digital evidence system;
  • FIG. 6 is an illustration of an exemplary host interface screen of a digital evidence system;
  • FIG. 7 is a flow diagram depicting an exemplary embodiment of a method for viewing case and evidence information of a digital evidence system;
  • FIG. 8 is an illustration of an exemplary evidence information interface screen of a digital evidence system;
  • FIG. 9 is a flow diagram depicting an exemplary embodiment of a method for entering photo and/or photo information into a digital evidence system;
  • FIG. 10 is an illustration of an exemplary photo gallery interface screen of a digital evidence system;
  • FIG. 11 is a flow diagram depicting an exemplary embodiment of a method for entering timeline and/or timeline information into a digital evidence system;
  • FIG. 12 is an illustration of an exemplary timeline interface screen of a digital evidence system;
  • FIG. 13 is a flow diagram depicting an exemplary embodiment of a method for entering chain of custody and/or chain of custody information into a digital evidence system;
  • FIG. 14 is an illustration of an exemplary chain of custody interface screen of a digital evidence system;
  • FIG. 15 is a flow diagram depicting an exemplary embodiment of a method for entering cost and/or cost information into a digital evidence system;
  • FIG. 16 is an illustration of an exemplary cost involved interface screen of a digital evidence system;
  • FIG. 17 is a flow diagram depicting an exemplary embodiment of a method for displaying and/or generating reports from a digital evidence system;
  • FIG. 18 is an illustration of an exemplary automatic report generation interface screen of a digital evidence system;
  • FIG. 19 is a flow diagram depicting an exemplary embodiment of a method for entering deliverables into a digital evidence system;
  • FIG. 20 is an illustration of an exemplary deliverable interface screen of a digital evidence system;
  • FIG. 21 is a flow diagram depicting an exemplary embodiment of a method for entering MSD (Mass Storage Device) as evidence into a digital evidence system;
  • FIG. 22 is an illustration of an exemplary MSD entry interface screen of a digital evidence system;
  • FIG. 23 is a flow diagram depicting an exemplary embodiment of a method for entering a cloning log into digital evidence system;
  • FIG. 24 is an illustration of an exemplary cloning log entry interface screen of a digital evidence system;
  • FIG. 25 is an illustration of an exemplary operator management interface screen of a digital evidence system;
  • FIG. 26 is a flow diagram depicting an exemplary embodiment of a method for entering operator information into a digital evidence system;
  • FIG. 27 is an illustration of an exemplary operator interfaces screen of a digital evidence system;
  • FIG. 28 is a flow diagram depicting an exemplary embodiment of a method for entering a host or an evidence collector into a digital evidence system;
  • FIG. 29 is an illustration of an exemplary host input information interface screen of a digital evidence system;
  • FIG. 30 is an illustration of an exemplary evidence collector input information interface screen of a digital evidence system;
  • FIG. 31 is a flow diagram depicting an exemplary embodiment of a method for deleting a host or an evidence collector into a digital evidence system;
  • FIG. 32 is a flow diagram depicting an exemplary embodiment of a method for entering event log into a digital evidence system;
  • FIG. 33 is an exemplary log file of a digital evidence system; and
  • FIG. 34 is an illustration of an exemplary evidence information screen of a digital evidence system.
    •  DETAILED DESCRIPTION
  • Embodiments of the present invention are utilized to control digital evidence. A plurality of system operators may open and/or update “cases” involving one or more pieces of digital evidence. Digital evidence may reside upon any form of digital media, such as, disk drives, compact disks (CD), digital video disk (DVD), floppy disk, and the like. In accordance with one embodiment of the invention, the operator enters information uniquely identifying the evidence, captures an image (or clone) of the content of the digital media, and stores the image (or clone) in a database in association with the identifying information. Once the case is established, other evidence can be added to the database, access to the evidence is tracked, Chain of title is controlled, reports regarding the case and/or the evidence can be generated, and so on. In this manner, control over digital evidence is established and maintained.
  • FIG. 1 is a schematic diagram of the hardware forming an exemplary embodiment of a computer system 100 that operates in accordance with the present invention. This figure only portrays one variation of the myriad of possible network configurations. The present invention can function in a variety of computing environments; such as, a distributed computer system, a centralized computer system, a stand alone computer system, or the like. One skilled in the art will appreciate that computing system 100 may or may not contain all the components listed below.
  • The computer system 100 comprises a plurality of client computers 102 1, 102 2 . . . 102 n, which may connect to one another through a conventional data communications network 104. A host server 106 is coupled to the communication network 104 to supply application and data services as well as other resource services to the clients 102 1, 102 2 . . . 102 n. The computer system 100 is coupled to host server 106 via communication link 108 1. Similarly, systems 110 1, 110 2 . . . 110 n are coupled to the communication network 104 via communication links 108 1, 108 2 . . . 108 n. The communication link 108 1, 108 2 . . . 108 n may be a physical link, a wireless link, a combination there of, or the like. Systems 110 1, 110 2 . . . 110 n may be another computer system, another communication network, a wireless device, or the like.
  • The host server 106 comprises at least one central processing unit (CPU) 112, support circuits 114, and memory 116. The CPU 112 may comprise one or more conventionally available microprocessors. The microprocessor may be an application specific integrated circuit (ASIC). The support circuits 114 are well known circuits used to promote functionality of the CPU 112. Such circuits include, but are not limited to, a cache, power supplies, clock circuits, input/output (I/O) circuits and the like. The memory 116 contained within the host server 106 may comprise random access memory, read only memory, removable disk memory, flash memory, and various combinations of these types of memory. The memory 116 is sometimes referred to main memory and may, in part, be used as cache memory or buffer memory. The memory 116 generally stores the operating system 118 of the host server 106. In addition, the memory 116 stores database software 108, various forms of application software 120, such as evidence control evidence software 122, and database software 124. The operating system may be one of a number of commercially available operating systems such as, but not limited to, SOLARIS from SUN Microsystems, Inc., AIX from IBM Inc., HP-UX from Hewlett Packard Corporation, LINUX from Red Hat Software, Windows 2000 from Microsoft Corporation, and the like. The database software 124 may comprise a relational database, for example, SQL from Oracle Corporation.
  • The communications network 106 may be coupled to the input/output (I/O) ports 126 of the host server 106. The I/O ports 126 are coupled of the storage volume 128. The storage volume 128 generally comprises one or more disk drives, or disk drive arrays, that may be used as a mass storage device for the host server 106 or systems 110 1, 110 2 . . . 110 n. The storage volume 124 may support a plurality of host servers 106 (only one of which is depicted).
  • To support the operation and functionality of the present invention, the memory 116 may be partially used as cache memory to temporarily store cached information. The evidence control software may utilize the memory 116 for evidence control functions, such as, storing, viewing, editing, and the like.
  • Under normal operation, the host server 106 supports application programs 120, such as, the evidence control software 122. In one embodiment, the digital evidence control software 122 allows for digital evidence manipulation on the host server 106. In addition, the evidence control software 122 enables a plurality of client computers 102 1, 102 2 . . . 102 n, in different locations, to view evidence without tampering with it, while maintaining chain of custody and evidence authenticity. The evidence control system may allow for more than one mode of access, such as an administrator access mode and a user access mode. For example, an evidence control system administrator may be able to store, view, maintain, delete records of evidence, or control users' accounts. On the other hand, a user may be able to request an account, access such account, and view evidence designated to the specific user account.
  • It should be noted that an operator is a person utilizing the digital evidence control system. The digital evidence control system may allow for more than one mode of access with different operator functions, such as an administrator access mode and a user access mode. For example, a digital evidence control system administrator may be able to store, view, maintain, delete records of evidence, or control users' accounts. On the other hand, a user may be able to request an account, access such account, and view evidence designated to the specific user account. In one embodiment, the digital evidence control system may allow for one or more operators, administrators, and/or users, where each person has a different assigned role offering varied levels of access to the evidence database.
  • FIG. 2 is a flow diagram depicting an exemplary embodiment of a method 200 for entering case information into a digital evidence system. The method 200 starts at step 202 and proceeds to step 204, wherein the operator, or in many cases an administrator enters information regarding a case. At step 206, the method determines a case already exists in the evidence system having the same name. If the case name already exists, the method 200 proceeds to step 204, wherein the operator or the administrator must change the case name. At step 208, the method 200 associates the information entered with the record. At step 210, the method 200 creates a record of digital evidence, including, for example, at least one of a TimeLine, expenditures incurred, deliverables, a chain of custody, a host, a media, a log, a network dump, a file/folder, a clone or a CloneLog, and the like. At step 212, the method 200 associates the information entered with the record. At step 214, the method queries whether there is more information to be entered. If the query is positively answered, the method 200 proceeds to step 210. Otherwise, the method 200 ends at step 212.
  • FIG. 3 is a flow diagram depicting an exemplary embodiment of a method 300 for entering case information into a digital evidence system. The method 300 starts at step 302 and proceeds to query step 304. If there is a new case, the method 300 proceeds from step 304 to step 306. At step 306, the method 300 selects a database to use for storing information related to the case. This may be a manual or automated selection process. If there is not a new case, the method 300 continues to the step 308. At step 308, the method 300 selects the relevant case. Both step 306 and 308 continue to step 310. At step 310, the method 300 selects or updates operators that are working in the case. Then, at step 312, the method 300 assigns or updates the role of each operator, i.e., the function does each operator perform in the operator process. The roles are used to define level of access the operator has to the system. At step 314, the method 300 enters or updates a case description. At step 316, the method 300 enters or updates host information. The method 300 ends at step 318.
  • FIG. 4 is an illustration of an exemplary case information interface screen 400 of a digital evidence system. The case interface screen 400 may be used by an operator and/or an administrator to create a new case. The administrator enters a new case information into the fields in the new case window 400. The new case window 400 may have fields, such as but not limited to, database selection fields 402, investigators' information field 404, and case description fields 406. The case description fields include, but are not limited to, name of police officers, addresses (street, city, state, zip code), date time, and the like. After entering the information, the administrator saves and/or updates the information entered by selecting an “Update case” button 408.
  • FIG. 5 is an illustration of an exemplary case information interface screen 500 of digital evidence. Once a case is created, case information can be displayed in connection with the general tab 502. The general interface screen 500 includes the case information windows 504, the client information windows 506, the operator information 508, and data information 510. The case information window 504 includes the case name, location, type, notes, and the like. The client information window 506 includes client's name, client's business name, street, city, state, zip and phone, and the like. The operator information window 508 includes operator's name, id, title and the like. Whereas the data information window 510 includes the data's type, date, and so on. The case interface screen 500 contains a plurality of tabs, such as, general tab 502, photo tab 512 hidden, timeline tab 514, chain of custody tab 516, deliverables 518, expenditures tab 520, and a report tab 522; the screen related to each tab is show in FIGS. 6, 8, 10, 14, 16, respectively. The case information interface screen 500 may also display case statistics information 524, such as, total hosts, total photos, and total evidence information.
  • FIG. 6 is an illustration of an exemplary host information interface screen 600 of digital evidence. Once a case is created and host is inserted, host information can be displayed in the host information interface screen 600. The host information interface 600 includes a host information window 602, and an evidence list window 604. The host information window 602 includes the host name, type of host, model, serial number, user, and the like. The evidence list window 604 includes the evidences that are been associated to the host selected. The host interface screen contains the same tabs shown in screen 500 but in this case the photo tab 512 is displayed and shows the host's photo and the chain of custody tab 516 shows the movements of the host. For editing host information the operator can select an edit button 606.
  • FIG. 7 is a flow diagram depicting an exemplary embodiment of a method 700 for viewing case and evidence information if a digital evidence control system. The method 700 starts at step 702 and continues to step 704, wherein an operator selects an evidence type, i.e., selects media, log, network dump or file/folder. If the evidence type is media, then the method 700 proceeds to step 706. At step 706, the method 700 copies the digital content of the media in a file-by-file manner and stores the clone in memory. When an image is created, the method 700 creates a snapshot of the contents of the media and stores the image as a single file in memory. The method 700 creates a hash for original evidence and clone. The hash, for example, an MD5 hash, is used to ensure that the evidence is not tampered with or otherwise altered. Any change in the content of the clone would alter the hash. If the method 700 does not create a clone, the query at step 708 is negatively answered and the method 700 continues to step 712, in which an operator enters a media description. Then, at step 714, the method creates a unique identifier for the evidence such that the evidence is tagged for tracking purposes. At 716, the operator saves the clone or image identifier and information that the operator entered in previous step. Finally, at step 748, the method 700 ends.
  • On the other hand, if the evidence is contained in a log file type, then from step 704, the method 700 proceeds to step 720. At step 720, the method 700 copies the log file. At step 722 and 724 respectively, the method 700 enters log file description and creates a unique identifier for the log file entered as digital evidence. Then, at step 726, the operator saves the log copy identifier and information. Finally at step 748, the method ends.
  • If the evidence is contained in a network dump (i.e., a stream of data from a network feed), then the method 700 proceeds from step 704 to 728. At step 728, the method 700 copies the network dump as a single file onto the digital evidence system. At steps 730 and 732, respectively, the operator enters a network dump description and creates a unique identifier for tracking the evidence. Next, in step 734, the operator saves the network dump copy identifier and information. Finally, at step 748, the method 700 ends.
  • If the evidence is contained in a file/folder dump, then the method 700 proceeds from step 704 to 736. At step 736, the method 700 copies the file/folder in a folder onto the digital evidence system. At steps 738, the operator enters a file/folder description. The method 700 proceeds to query step 740. If there is a file to attach, the method 700 proceeds from step 740 to step 742, wherein the method 700 selects a file to attach to the file/folder evidence. The method 700 proceeds to step 744. At step 744, the operator creates a unique identifier for tracking the evidence. Next, in step 746, the operator saves the file/folder copy identifier and information. Finally, at step 748, the method 700 ends.
  • FIG. 8 is an illustration of an exemplary evidence information interface screen 800 of a digital evidence system. The evidence information interface screen 800 contains evidence information, such as, media information 802, media detail 804, and the clone list 806 than are associated to the media selected. The media information window 802 may include operator's name, evidence label and type, and the like. The media detail window 804 may contain media details, such as, media size, media sector, and the like. Such information may be available to a user. In one embodiment, the administrator enters evidence information in the enter evidence information interface screen 808. In various other embodiments, the assigned roles of the users, operators and administrators define the level of system access for each person. Thus, the assigned role may be defined by the persons that enter the evidence information.
  • FIG. 9 is a flow diagram depicting an exemplary embodiment of a method 900 for entering a digital photograph and/or photograph description into a digital evidence system. The method 900 starts with step 902, when the operator select the host or media to which inserting photographs. At step 906, the operator selects the photos tab 512, which causes the photo screen interface (see FIG. 10) to display on a computer screen. The method 900 proceeds to the query at step 908. If the operator wants to edit any information about a photograph that is been stored into the digital evidence system, the method 900 proceeds from step 908 to step 910. At step 910, the operator selects the photograph that is to be edited. At step 914, the method 900 saves the new information and the method 900 ends at step 928. Instead, if the operator wants to insert new photographs, the method 900 proceeds to step 918. At step 918, the operator uploads at least one photograph. At step 920, a description of the uploaded photograph may be entered. Finally, at step 922, the operator saves the photograph and the description as a portion of the case. The method 900 proceeds to query at step 924, if the operator wants to insert a new photograph, the method 900 proceeds to step 918; otherwise, the method 900 ends at step 928.
  • FIG. 10 is an illustration of an exemplary photo gallery interface screen 1000 of a digital evidence system. Upon selecting the photos tab 512 (see FIG. 5), the invention displays a photo gallery interface screen 1000, as show in FIG. 10. The gallery interface screen 1000 may include one or more digital photographs 1002, which can be used as evidence, photographs of actual evidence, supporting documentation of evidence, a view of the environment in which the evidence was found, and the like. The photographs 1002 may include evidence photograph 1002 a, photos/screen shot of database documentation 1002 b, photograph 1002 c of the location from which the evidence was extracted (computer system, a memory tower, etc.), and the like. The photo information section 1004 contains information, such as, the photo creation date and time, identification tags, descriptive text and the like.
  • FIG. 11 is a flow diagram depicting an exemplary embodiment of a method 1100 for entering/updating timeline and/or timeline information into a digital evidence system in accordance with one or more embodiments of the invention. Upon the operator selecting timeline tab 514, (see FIG. 5), the method 1100 begins at step 1102, whereupon the timeline screen (see FIG. 12) display on a computer monitor. At step 1104, the operator selects the timeline tab. The method 1100 proceeds to the query at step 1106. If the operator wants to edit any information about a timeline event that has been stored into the digital evidence system, the method 1100 proceeds from step 1106 to step 1108. At step 1108, the operator selects the timeline event to edit. If the operator, instead, wants to insert a new timeline event, the method 1100 proceeds at step 1110. At step 1110, the operator creates a new timeline. From step 1108 and step 1110, the method 1100 proceeds to step 1112. At step 1112, the operator inserts the timeline information that delineate various task (events) performed during the investigations. At step 1114, the method 1100 saves timeline information. The method ends at the step 1116.
  • FIG. 12 is an illustration of an exemplary timeline interface screen 1200 of a digital evidence control system in accordance with one or more embodiments of the investigation. The timeline interface screen 1200 is displayed upon selecting the timeline tab 514 (see FIG. 5). The timeline interface screen 1200 comprises an event list area 1210 that includes the date and time of the event 1202, the operator's name 1204, and the event type 1206. The event and information pertaining thereto is entered in the event window 1208. When a particular event is selected, the event list area 1210, the information pertaining to the selected event appears in window 1208.
  • FIG. 13 is a flow diagram depicting an exemplary embodiment of a method 1300 for entering/updating a chain of custody event related to particular evidence into a digital evidence system in accordance with one or more embodiments of the invention. The method 1300 starts with step 1302, upon which the operator selecting the chain of custody tab 516 (see FIG. 5). Then, the method 1300 proceeds to a query at step 1306. If the operator wants to edit any information about a chain of custody event that has been stored into the digital evidence system, the method 1300 proceeds from step 1306 to step 1308. At step 1308, the operator selects the chain of custody event to edit. If the operator, instead, wants to insert a new chain of custody event, the method 1300 proceeds at step 1310. At step 1310, the operator creates a new chain of custody event. From step 1308 and step 1310, the method 1300 proceeds to step 1312. At step 1312, if the operator wants to add a new file related to chain of custody event, the method 1300 proceeds to step 1316, wherein the operator creates a file related to chain of custody. If the operator wants to select an existing file related to the chain of custody, the method 1300 proceeds to step 1314, wherein the operator selects a file to attach. From step 1314 and step 1316, the method 1300 proceeds to step 1318. At step 1318, the operator inserts the chain of custody information that delineates the movements performed during the investigations by the evidence. At step 1320, the method 1300 saves chain of custody information. The method 1300 ends at the step 1322.
  • FIG. 14 is an illustration of an exemplary chain of custody interface 1400 of a digital evidence control system. FIG. 14 shows the chain of custody interface screen 1400 is displayed upon the operator selecting the chain of custody tab 516. The chain of custody interface screen 1400 includes evidence data, such as, host whom has been associated 1402, date time information 1404, consignor information 1406, receiver information 1408, note information 1410, place information 1412 and attachment filename information 1414. The information defines who provided the evidence, who received the evidence and what evidence was used after being received. In addition, a new event section 1416 is available for an administrator to enter chain of custody information.
  • FIG. 15 is a flow diagram depicting an exemplary embodiment of a method 1500 for entering information pertaining to expenditures in the case into a digital evidence system in accordance with one or more embodiments of the invention. The method 1500 starts at step 1502, upon an operator selecting the expenditures tab 520 at step 1504 (see FIG. 5). Then, the method 1500 proceeds to query at step 1506. If the operator wants to edit any information about an expenditure that has been stored into the digital evidence system, the method 1500 proceeds from step 1506 to step 1508. At step 1508, the operator selects the expenditure to edit. If the operator, instead, wants to insert a new expenditure, the method 1500 proceeds to step 1510. Next, the method 1500 proceeds to query at step 1512, wherein the operator chooses the type of expenditure. If the operator wants to add human effort expenditure the method 1500 proceeds to step 1514 and the operator inserts the information about the hours. Instead, if the operator wants to insert a monetary expenditure the method 1500 proceeds to step 1516 and the operator adds money information about the expenditure. At step 1520, the method 1500 saves expenditure information. The method ends at step 1522.
  • FIG. 16 is an illustration of an exemplary expenditures interface screen 1600 of a digital evidence system in accordance with one or more embodiments of the invention. Upon an operator selecting the expenditures tab 520 (see FIG. 5), the invention displays the expenditures interface screen 1600. The expenditures interface screen 1600 includes activity information, such as activity data field 1602, investigator's name field 1604, a description field 1606, a cost/hour field 1608, a currency field 1610 and a method of payment field 1612. This information provides a cumulative record of the expenditures to acquire and handle evidence in particular case. The expenditures are classified into two categories: money expenditures and human effort. In addition, the expenditures interface screen 1600 include a expenditures section 1614 that are divided into two section, the first 1616 where are shown money expenditures and the second 1618 where are shown the human effort expenditures; on other hand, a user may be able to only view the expenditures information. Some roles may be defined to block any view of the expenditures of a case, or only the investigators personal expenditures may be displayed to a particular investigator.
  • FIG. 17 is a flow diagram depicting an exemplary embodiment of a method 1700 for displaying and/or generating reports from a digital evidence system. The method 1700 starts with step 1702, upon the operator selecting the report tab 522 (see FIG. 5). Selecting the report tab 522 causes the report interface screen (see FIG. 18) to display on a computer monitor. At step 1704, the operator utilized the report interface screen to select a report type. Then, the method 1700 proceeds to a query at step 1706. The operator selects the report to generate. The operator can choose the general report (incoming items, timeline, deliverables, expenditures or chain of custody) at step 1708. Instead, if the operator selects the detailed report, before selecting the type report, the operator must select the evidence, step 1710. Next, at step 1712, the operator selects the type of detailed report. At last, the operator can select to print label and selects the type of label, at step 1716. When the operator selects the report, it will be displayed on the interface, step 1714 of method 1700. At step 1718, the operator selects how to print report. If the operator wants to generate a PDF, the method 1700 proceeds to step 1720 and allow the operator to selects the PDF's filename. Else, if the operator wants to print the report, the method 1700 proceeds to step 1722, wherein the operator may choose the printer option. From step 1720 and step 1722, the method 1700 proceeds to step 1724, wherein the selected item is printed. The method ends at the step 1726.
  • FIG. 18 is an illustration of an exemplary automatic report generation interface screen 1800 of a digital evidence system in accordance with one or more embodiments of the invention. The automatic report generation interface screen 1800 comprises a general report section 1802, a detail report section 1804 and a label report section 1806. The general report section 1802 generates reports by selecting a respective button, such as, the incoming items 1802 a, the timeline button 1802 b, the deliverable button 1802 c, the expenditures button 1802 d and the chain of custody button 1802 e. The detail report section 1804 generates and displays the detailed report corresponding to the selected button. The label report section 1806 generates and displays the label report corresponding to the selected button, such as, the label button 1806 a, the label hash button 1806 b and the original label button 1806 c. For example, a detailed technical report is generated and displayed by selecting a “technical” button 1804 a, a chain of custody is generated by selecting the “chain of custody” button 1804 b, and the like. In window 1808, a report corresponding to a selected button is displayed to the operator.
  • FIG. 19 is a flow diagram depicting an exemplary embodiment of a method 1900 for entering/updating a deliverable into a digital evidence system in accordance with one or more embodiments of the invention. The flow diagram 1900 starts with step 1902, upon the operator selecting the deliverables tab 518 (see FIG. 5). The, the method 1900 proceeds to query at step 1906. If the operator wants to edit any information about a deliverables that is stored into the digital evidence system, the method 1900 proceeds from step 1906 to step 1908. At step 1908, the operator selects the deliverable that the operator wants to edit. If the operator, instead, wants to insert a new deliverable, the method 1900 proceeds to step 1910, wherein the operator creates a new deliverable. In step 1912, the operator inserts the deliverable information. At step 1914, if the operator wants to attach a file related to deliverable, the method 1900 proceeds to step 1916 and the operator selects the file for attachment. At step 1920, the method 1900 saves deliverable information. The method 1900 ends at the step 1922.
  • FIG. 20 is an illustration of an exemplary deliverables interface 2000 of a digital evidence control system. FIG. 20 shows the deliverables interface screen 2000 is displayed upon the operator selecting the deliverables tab 518. The deliverables interface screen 2000 includes evidence data field, such as, filename information field 2002, the evidence whom is related field 2004, consignor information field 2006, receiver information field 2008 and note information field 2010. The information defines who provided the evidence, who received the evidence and what evidence was used for once received. In addition, a new event section 2012 is available for an administrator to deliverable information.
  • FIG. 21 is a flow diagram depicting an exemplary embodiment of a method 2100 for entering/updating a MSD (Mass Storage Device) as a piece of evidence into a digital evidence system in accordance with one or more embodiments of the invention. The flow diagram 2100 starts with step 2102, upon the operator selecting the MSD button (METTERE RIFERIMENTO) (see FIG. 5). Then, the method 2100 proceeds to query at step 2106. If the operator wants to edit any information about a MSD that is stored in the digital evidence system, the method 2100 proceeds from step 2106 to step 2108. At step 2108, the operator selects the MSD to edit. If the operator, instead, wants to insert a new MSD, the method 2100 proceeds to step 2110, wherein the operator creates a new MSD. Then, in step 2112, the operator inserts the MSD information. At step 2114, the method 2100 saves MSD information. The method 2100 ends at the step 2116.
  • FIG. 22 is an illustration of an exemplary MSD interface 2200 of a digital evidence control system. FIG. 22 shows the MSD interface screen 2200 is displayed upon the operator selecting the MSD button 528. The MSD interface screen 2200 includes two parts, in the left part 2202 is displayed a list of MSD that were associated with the case, and in the right part 2204, is displayed the information about the selected MSD, such as, type field 2206, brand field 2208, model field 2210, serial number field 2212 and size field 2214.
  • FIG. 23 is a flow diagram depicting an exemplary embodiment of a method 2300 for entering/updating a CloningLog into a digital evidence system in accordance with one or more embodiments of the invention. The flow diagram 2300 starts with step 2302, upon which the operator selecting the CloningLog button (METTERE RIFERIMENTO) (see FIG. 5). Next, at step 2304, the operator must select a clone of evidence. Then, the method 2300 proceeds to query at step 2306. If the operator wants to edit any information about a CloningLog that is stored in the digital evidence system, the method 2300 proceeds from step 2306 to step 2308. At step 2308, the operator selects the CloningLog to edit. If the operator, instead, wants to insert a new CloningLog, the method 2300 proceeds to step 2310, wherein the operator creates a new CloningLog. Then, in step 2312, the operator inserts the CloningLog information. At step 2314, the method 2300 saves CloningLog information. The method 2300 ends at the step 2316.
  • FIG. 24 is an illustration of an exemplary CloningLog interface 2400 of a digital evidence control system. FIG. 24 shows the CloningLog interface screen 2400 is displayed upon the operator selecting the CloningLog button (METTERE RIFERIMENTO). The CloningLog interface screen 2400 display fields, such as, tool type field 2402, tool description field 2404, tool serial number field 2406, log field 2408, and the like.
  • FIG. 25 is an illustration of an exemplary Operator Management interface 2500 of a digital evidence control system. FIG. 25 shows the Operator Management interface screen 2500 that is displayed upon the operator selecting the Operator Management button menu (METTERE RIFERIMENTO). The Operator Management interface screen 2500 display the button that allow the operator to add a new operator 2502, edit an operator 2504, delete an operator 2506 and disable an operator 2508. In the bottom of Operator Management interface screen 2500 is displayed the list of operators 2510 that is been store into the digital evidence system.
  • FIG. 26 is a flow diagram depicting an exemplary embodiment of a method 2600 for entering/updating an operator into a digital evidence system in accordance with one or more embodiments of the invention. The flow diagram 2600 starts with step 2602, upon the operator selecting the Operator Manager button 2604 (METTERE RIFERIMENTO) (see FIG. 26). Then, the method 2600 proceeds to query at step 2606. If the operator wants to edit any information about an operator that is stored in the digital evidence system, the method 2600 proceeds from step 2606 to step 2608. At step 2608, the operator selects the operator that wants to edit. If the operator, instead, wants to insert a new operator, the method 2600 proceeds at step 2610, wherein the operator creates a new operator file. Then, in step 2612, the operator inserts the operator information. At step 2614, the method 2600 saves operator information. The method 2600 ends at the step 2616.
  • FIG. 27 is an illustration of an exemplary Operator interface 2700 of a digital evidence control system. FIG. 27 shows the operator interface screen 2700 is displayed upon the operator selecting the Operator button 2502 or double click on the operator button. The operator interface screen 2700 display fields, such as, username field 2702, surname field 2704, name field 2706, sex field 2708, phone field 2710, and the like.
  • FIG. 28 is a flow diagram depicting an exemplary embodiment of a method 2800 for entering/updating a host or an evidence collector into a digital evidence system in accordance with one or more embodiments of the invention. The method 2800 begins at step 2802 and proceeds to query at step 2804. If the operator wants to edit any information about an host or an evidence collector that is been store into the digital evidence system, the method 2800 proceeds from step 2804 to step 2806. At step 2806, the operator selects the host or the evidence collector that wants to edit. If the operator, instead, wants to insert a new host or evidence collector, the method 2800 proceeds at step 2808. Then, in step 2810, the operator inserts the host or evidence collector information. At step 2812, the method 2800 saves operator information. The method 2800 ends at the step 2814.
  • FIG. 29 is an illustration of an exemplary Host interface 2900 of a digital evidence control system. FIG. 29 shows the host interface screen 2900 is displayed upon the operator selecting the new host button 532 or edit host information button 606. The host interface screen 2900 display fields, such as, operator that inserts the information 2902, host name 2904, type of host 2906, Company ID 2908, and the like.
  • FIG. 30 is an illustration of an exemplary Evidence Collector interface 3000 of a digital evidence control system. FIG. 30 shows the evidence collector interface screen 3000 is displayed upon the operator selecting the new evidence collector button 534 or edit evidence collector information button 3406. The evidence collector interface screen 3000 display fields, such as, operator that inserts the information 3002, evidence collector name 3004, note 3006 and time zone 3008
  • FIG. 31 is a flow diagram depicting an exemplary embodiment of a method 3100 for deleting a host or an evidence collector into a digital evidence system in accordance with one or more embodiments of the invention. The method 3100 start at step 3102 and, at step 3104, the operator selected a host or an evidence collector that will be deleted. Then, the method 3100 proceeds to query at step 3106. If the operator wants to delete any information about an host or an evidence collector that is stored into the digital evidence system, the method 3000 proceeds from step 3106 to step 3108. At step 3108, the method deletes the information about the host or evidence collector. If the operator, instead, doesn't want to delete a host or an evidence collector, the method 3100 proceeds to step 3110, wherein the operator can view or exit the host or evidence collector. The method 3100 ends at the step 3112.
  • FIG. 32 is a flow diagram depicting an exemplary embodiment of a method 3200 for entering event into log file into a digital evidence system in accordance with one or more embodiments of the invention. The method 3200 start at step 3202 and, at step 3204, the method waits the generation of a new log event. Next, at step 3206, the method 3200 write into log file the log event and return at step 3204 to wait another one. If there is not an event, at step 3206, the operator can view or exit the host or evidence collector. The method ends at step 3208.
  • FIG. 33 is an exemplary log file created by the digital evidence system in accordance with one or more embodiments of the invention. The first section display date information 3302 and the second section display a summary description of event 3304.
  • FIG. 34 is an illustration of an exemplary evidence collector information interface screen 3400 of a digital evidence control system. Once a case is created and evidence collector is inserted, evidence collector information can be displayed in the evidence collector information interface screen 3400. The evidence collector information window 3402 includes the evidence collector name 3404, note 3406, and the like. For editing evidence collector information the operator can use edit button 3408.
  • While the foregoing is directed to embodiments of the present invention, other and further embodiments of the invention may be devised without departing from the basic scope thereof, and the scope thereof is determined by the claims that follow.

Claims (20)

1. A method for controlling digital evidence, comprising:
creating a case record comprising information about an investigative case;
electronically storing at least one piece of digital evidence in memory; and
associating the stored at least one piece of evidence with the case record.
2. The method of claim 1 wherein the electronically storing the at least one piece of evidence further comprises creating a clone of the at least one piece of evidence.
3. The method of claim 2 wherein the creating a clone step further comprises generating a hash of the clone and the at least one piece of evidence.
4. The method of claim 3 wherein the hash is an MD5 hash.
5. The method of claim 1 wherein the case record is created in a relational database.
6. The method of claim 1 wherein the electronically storing the at least one piece of evidence further comprises creating an image of the at least one piece of evidence.
7. The method of claim 1 further comprising establishing roles for each person in a plurality of persons that are able to access the case record, where each role defines a level of access.
8. The method of claim 1 further comprising creating a unique identifier for the at least one piece of evidence.
9. The method of claim 1 wherein the at least one piece of evidence is at least one of contents of a digital media, a log file and a network dump.
10. The method of claim 1 further comprising uploading photographic evidence to the case record.
11. The method of claim 1 further comprising creating a timeline within the case record comprising a sequence of events that occurred during an investigation involving the at least one piece of evidence.
12. The method of claim 1 further comprising creating a chain of custody within the case record comprising identification of persons that have accessed the case record and interacted with the at least one piece of evidence.
13. The method of claim 1 further comprising storing cost information in the case record.
14. The method of claim 1 further comprising selectably creating at least one report regarding the case record.
15. Apparatus for controlling at least one piece of digital evidence, comprising:
a computer for establishing a case record within a database, where the case record comprises at least one piece of digital evidence and case information;
a memory, coupled to the computer, for storing the case record; and
at least one client workstation, coupled to the computer, for allowing the case record to be accessed during an investigation.
16. The apparatus of claim 15 wherein the computer creates a clone or image of the at least one piece of digital evidence.
17. The apparatus of claim 15 wherein the at least one piece of digital evidence is at least one of contents of a digital media, a log file and a network dump.
18. A computer readable medium comprising software that, when executed by a processor, causes the processor to perform a method comprising:
creating a case record comprising information about an investigative case;
electronically storing at least one piece of digital evidence on a digital media; and
associating the stored at least one piece of evidence with the case record.
19. The computer readable medium of claim 18 wherein the electronically storing step further comprises creating either a clone or an image of the at least one piece of digital evidence.
20. The computer readable medium of claim 18 further comprising tracking access to the case record.
US11/784,794 2006-10-19 2007-04-10 Method and apparatus for controlling digital evidence Abandoned US20080098219A1 (en)

Priority Applications (5)

Application Number Priority Date Filing Date Title
US11/784,794 US20080098219A1 (en) 2006-10-19 2007-04-10 Method and apparatus for controlling digital evidence
US14/479,262 US10614535B2 (en) 2006-10-19 2014-09-05 Method and apparatus for controlling digital evidence
US16/840,977 US11423497B2 (en) 2006-10-19 2020-04-06 Method and apparatus for controlling digital evidence
US17/813,374 US11676230B2 (en) 2006-10-19 2022-07-19 Method and apparatus for controlling digital evidence
US18/138,456 US12045903B2 (en) 2006-10-19 2023-04-24 Method and apparatus for controlling digital evidence

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
US85285906P 2006-10-19 2006-10-19
US11/784,794 US20080098219A1 (en) 2006-10-19 2007-04-10 Method and apparatus for controlling digital evidence

Related Child Applications (1)

Application Number Title Priority Date Filing Date
US14/479,262 Continuation US10614535B2 (en) 2006-10-19 2014-09-05 Method and apparatus for controlling digital evidence

Publications (1)

Publication Number Publication Date
US20080098219A1 true US20080098219A1 (en) 2008-04-24

Family

ID=39319445

Family Applications (5)

Application Number Title Priority Date Filing Date
US11/784,794 Abandoned US20080098219A1 (en) 2006-10-19 2007-04-10 Method and apparatus for controlling digital evidence
US14/479,262 Active 2030-01-10 US10614535B2 (en) 2006-10-19 2014-09-05 Method and apparatus for controlling digital evidence
US16/840,977 Active 2027-12-22 US11423497B2 (en) 2006-10-19 2020-04-06 Method and apparatus for controlling digital evidence
US17/813,374 Active US11676230B2 (en) 2006-10-19 2022-07-19 Method and apparatus for controlling digital evidence
US18/138,456 Active US12045903B2 (en) 2006-10-19 2023-04-24 Method and apparatus for controlling digital evidence

Family Applications After (4)

Application Number Title Priority Date Filing Date
US14/479,262 Active 2030-01-10 US10614535B2 (en) 2006-10-19 2014-09-05 Method and apparatus for controlling digital evidence
US16/840,977 Active 2027-12-22 US11423497B2 (en) 2006-10-19 2020-04-06 Method and apparatus for controlling digital evidence
US17/813,374 Active US11676230B2 (en) 2006-10-19 2022-07-19 Method and apparatus for controlling digital evidence
US18/138,456 Active US12045903B2 (en) 2006-10-19 2023-04-24 Method and apparatus for controlling digital evidence

Country Status (1)

Country Link
US (5) US20080098219A1 (en)

Cited By (10)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20080065811A1 (en) * 2007-11-12 2008-03-13 Ali Jahangiri Tool and method for forensic examination of a computer
US20100030786A1 (en) * 2008-07-29 2010-02-04 Verizon Corporate Services Group Inc. System and method for collecting data and evidence
US20100115417A1 (en) * 2008-11-06 2010-05-06 Absolute Software Corporation Conditional window capture
US8576283B1 (en) 2010-01-05 2013-11-05 Target Brands, Inc. Hash-based chain of custody preservation
US10412117B2 (en) 2014-08-05 2019-09-10 Dflabs S.P.A. Method and system for automated cybersecurity incident and artifact visualization and correlation for security operation centers and computer emergency response teams
US10439884B1 (en) 2017-04-27 2019-10-08 Dflabs S.P.A. Cybersecurity incident response and security operation system employing playbook generation through custom machine learning
CN111832078A (en) * 2020-06-14 2020-10-27 北京联合信任技术服务有限公司 Data acquisition verification system, data acquisition verification method, storage medium, and program product
US10951662B1 (en) 2019-11-06 2021-03-16 Dflabs S.P.A. Open integration framework for cybersecurity incident management software platform
US11074512B1 (en) 2020-05-07 2021-07-27 Dflabs S.P.A. Cybersecurity incident response and security operation system employing playbook generation and parent matching through custom machine learning
US11423497B2 (en) 2006-10-19 2022-08-23 Sumo Logic Italy S.P.A Method and apparatus for controlling digital evidence

Families Citing this family (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
ES2587584B2 (en) * 2015-10-22 2017-10-18 Universidad De Málaga Digital witness: Procedure and devices for the secure management of electronic evidence with binding credentials
US10810325B2 (en) * 2017-08-18 2020-10-20 Jpmorgan Chase Bank, N.A. Method for custody and provenance of digital documentation
CN110096639B (en) * 2019-01-25 2021-04-06 重庆易保全网络科技有限公司 Method and device for monitoring and obtaining evidence of infringement and terminal equipment
US11610277B2 (en) * 2019-01-25 2023-03-21 Open Text Holdings, Inc. Seamless electronic discovery system with an enterprise data portal
US20220051357A1 (en) * 2020-08-11 2022-02-17 Rocket Lawyer Incorporated System and method for attorney-client privileged digital evidence capture, analysis and collaboration

Citations (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20040260876A1 (en) * 2003-04-08 2004-12-23 Sanjiv N. Singh, A Professional Law Corporation System and method for a multiple user interface real time chronology generation/data processing mechanism to conduct litigation, pre-litigation, and related investigational activities
US6948066B2 (en) * 2001-01-17 2005-09-20 International Business Machines Corporation Technique for establishing provable chain of evidence
US7134020B2 (en) * 2002-01-31 2006-11-07 Peraogulne Corp. System and method for securely duplicating digital documents
US7181560B1 (en) * 2001-12-21 2007-02-20 Joseph Grand Method and apparatus for preserving computer memory using expansion card
US7509683B2 (en) * 2002-08-26 2009-03-24 Hewlett-Packard Development Company, L.P. System and method for authenticating digital content

Family Cites Families (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20080098219A1 (en) 2006-10-19 2008-04-24 Df Labs Method and apparatus for controlling digital evidence

Patent Citations (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US6948066B2 (en) * 2001-01-17 2005-09-20 International Business Machines Corporation Technique for establishing provable chain of evidence
US7181560B1 (en) * 2001-12-21 2007-02-20 Joseph Grand Method and apparatus for preserving computer memory using expansion card
US7134020B2 (en) * 2002-01-31 2006-11-07 Peraogulne Corp. System and method for securely duplicating digital documents
US7509683B2 (en) * 2002-08-26 2009-03-24 Hewlett-Packard Development Company, L.P. System and method for authenticating digital content
US20040260876A1 (en) * 2003-04-08 2004-12-23 Sanjiv N. Singh, A Professional Law Corporation System and method for a multiple user interface real time chronology generation/data processing mechanism to conduct litigation, pre-litigation, and related investigational activities

Cited By (20)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US12045903B2 (en) 2006-10-19 2024-07-23 Sumo Logic, Inc. Method and apparatus for controlling digital evidence
US11676230B2 (en) 2006-10-19 2023-06-13 Sumo Logic, Inc. Method and apparatus for controlling digital evidence
US11423497B2 (en) 2006-10-19 2022-08-23 Sumo Logic Italy S.P.A Method and apparatus for controlling digital evidence
US20080065811A1 (en) * 2007-11-12 2008-03-13 Ali Jahangiri Tool and method for forensic examination of a computer
US20100030786A1 (en) * 2008-07-29 2010-02-04 Verizon Corporate Services Group Inc. System and method for collecting data and evidence
US20140182002A1 (en) * 2008-11-06 2014-06-26 Absolute Software Corporation Process for capturing and transmitting window screen display data
US9245156B2 (en) * 2008-11-06 2016-01-26 Absolute Software Corporation Process for capturing and transmitting window screen display data
US20100115417A1 (en) * 2008-11-06 2010-05-06 Absolute Software Corporation Conditional window capture
US8701013B2 (en) * 2008-11-06 2014-04-15 Absolute Software Corporation Conditional window capture
US8576283B1 (en) 2010-01-05 2013-11-05 Target Brands, Inc. Hash-based chain of custody preservation
US11089063B2 (en) 2014-08-05 2021-08-10 Dflabs S.P.A. Method and system for automated cybersecurity incident and artifact visualization and correlation for security operation centers and computer emergency response teams
US10412117B2 (en) 2014-08-05 2019-09-10 Dflabs S.P.A. Method and system for automated cybersecurity incident and artifact visualization and correlation for security operation centers and computer emergency response teams
US11469963B2 (en) 2017-04-27 2022-10-11 Sumo Logic Italy S.P.A Cybersecurity incident response and security operation system employing playbook generation through custom machine learning
US10439884B1 (en) 2017-04-27 2019-10-08 Dflabs S.P.A. Cybersecurity incident response and security operation system employing playbook generation through custom machine learning
US11706095B2 (en) 2017-04-27 2023-07-18 Sumo Logic, Inc. Cybersecurity incident response and security operation system employing playbook generation through custom machine learning
US12149413B2 (en) 2017-04-27 2024-11-19 Sumo Logic, Inc. Cybersecurity incident response and security operation system employing playbook generation through custom machine learning
US10951662B1 (en) 2019-11-06 2021-03-16 Dflabs S.P.A. Open integration framework for cybersecurity incident management software platform
US11074512B1 (en) 2020-05-07 2021-07-27 Dflabs S.P.A. Cybersecurity incident response and security operation system employing playbook generation and parent matching through custom machine learning
US11695798B2 (en) 2020-05-07 2023-07-04 Sumo Logic, Inc. Cybersecurity incident response and security operation system employing playbook generation and parent matching through custom machine learning
CN111832078A (en) * 2020-06-14 2020-10-27 北京联合信任技术服务有限公司 Data acquisition verification system, data acquisition verification method, storage medium, and program product

Also Published As

Publication number Publication date
US10614535B2 (en) 2020-04-07
US20200294163A1 (en) 2020-09-17
US20150066785A1 (en) 2015-03-05
US11676230B2 (en) 2023-06-13
US20220351315A1 (en) 2022-11-03
US11423497B2 (en) 2022-08-23
US12045903B2 (en) 2024-07-23
US20230260063A1 (en) 2023-08-17

Similar Documents

Publication Publication Date Title
US12045903B2 (en) Method and apparatus for controlling digital evidence
US7805439B2 (en) Method and apparatus for selecting data records from versioned data
US8838530B2 (en) Method and system for directory management
US6728733B2 (en) System, method, and program product for administrating document file in computerized network system
CA2416237C (en) A system and method for providing integrated management of electronic information
JP4477689B2 (en) Annotating documents in collaborative applications with data from different information systems
US20030088582A1 (en) Visual history multi-media database software
US20070083487A1 (en) Document preservation
JP5702555B2 (en) Digital asset management, targeted search, and desktop search using digital watermark
US20030167264A1 (en) Method, apparatus and program for image search
US20060282342A1 (en) Image-based inventory tracking and reports
US20020107829A1 (en) System, method and computer program product for catching, marking, managing and searching content
CN102165444B (en) Access control to content published by a host
US8117210B2 (en) Sampling image records from a collection based on a change metric
WO1998012616A2 (en) Defining a uniform subject classification system incorporating document management/records retention functions
KR101182478B1 (en) Methods and apparatuses for synchronizing and tracking content
AU2001220184A1 (en) A system and method for providing integrated management of electronic information
WO2008014408A1 (en) Method and system for displaying multimedia content
WO2010085428A1 (en) A system and method for managing a business process and business process content
US7392484B1 (en) Method and system for capturing, storing, sharing, and managing notes taken during a computer based meeting
CN102165461B (en) Methods and systems for providing easy access to information and for sharing services
WO2006125271A1 (en) A digital asset management system
US20030023594A1 (en) System and method for organizing, preserving, sharing and updating voluminous personal memoirs and for dynamic accounting of assets
CA2509092A1 (en) Method and system for creating, tracking, casting and reporting on moving image projects
US20090089845A1 (en) Video storage and retrieval system

Legal Events

Date Code Title Description
AS Assignment

Owner name: DF LABS, ITALY

Free format text: ASSIGNMENT OF ASSIGNORS INTEREST;ASSIGNOR:FORTE, DARIO V.;REEL/FRAME:019213/0547

Effective date: 20070330

STCB Information on status: application discontinuation

Free format text: ABANDONED -- AFTER EXAMINER'S ANSWER OR BOARD OF APPEALS DECISION

AS Assignment

Owner name: DFLABS S.P.A., ITALY

Free format text: CORRECTIVE ASSIGNMENT TO CORRECT THE ASSIGNEE'S NAME PREVIOUSLY RECORDED AT REEL: 019213 FRAME: 0547. ASSIGNOR(S) HEREBY CONFIRMS THE ASSIGNMENT;ASSIGNOR:FORTE, DARIO V.;REEL/FRAME:056324/0163

Effective date: 20070330

AS Assignment

Owner name: SUMO LOGIC ITALY S.P.A, ITALY

Free format text: CHANGE OF NAME;ASSIGNOR:DF LABS S.P.A.;REEL/FRAME:057428/0316

Effective date: 20210524

AS Assignment

Owner name: SUMO LOGIC, INC., CALIFORNIA

Free format text: CORRECTIVE ASSIGNMENT TO CORRECT THE RECEIVING PARTY NAME PREVIOUSLY RECORDED AT REEL: 057428 FRAME: 0316. ASSIGNOR(S) HEREBY CONFIRMS THE CHANGE OF NAME;ASSIGNOR:DF LABS S.P.A.;REEL/FRAME:062991/0746

Effective date: 20210524