Abstract: A system and method for data deduplication includes a first computer device that determines duplicacy of a data item. If the data item is not a duplicate, the first computer device transmits a request to add an entry for the data item in a deduplication table of a deduplication database. The database adds the entry for the data item while enforcing uniqueness of data across one or more data fields of the deduplication table, where, in enforcing the uniqueness, the database denies an attempt by the second device to add an entry in the deduplication table for the same data item.

Abstract: A system and method for processing data stored in data storage devices is described. A computing processor acquires blocks of data from a target machine and computes an entropy value associated with each block of the acquired data. The computing processor checks the entropy values of each block to determine whether or not the particular block is deemed to contain useful data, before that block is analyzed.

Abstract: A method, apparatus and system for secure forensic investigation of a target machine by a client machine over a communications network. In one aspect the method comprises establishing secure communication with a server over a communications network, establishing secure communication with the target machine over the communications network, wherein establishing secure communication with the target machine includes establishing secure communication between the server and the target machine, installing a servelet on the target machine, transmitting a secure command to the servelet over the communications network, executing the secure command in the servelet, transmitting data, by the target machine, in response to a servelet instruction, and receiving the data from the target machine over the communication network.

Abstract: A system and method for data deduplication includes a first computer device that determines duplicacy of a data item. If the data item is not a duplicate, the first computer device transmits a request to add an entry for the data item in a deduplication table of a deduplication database. The database adds the entry for the data item while enforcing uniqueness of data across one or more data fields of the deduplication table, where, in enforcing the uniqueness, the database denies an attempt by the second device to add an entry in the deduplication table for the same data item.

Abstract: A system for conducting forensic investigations is provided which includes a target device, an examining device, and a server. The target device includes a phone home servlet which is configured to periodically transmit to the server a request for connection. The server grants the request for connection if there is an investigation request pending from the examining device for the requesting target device. If no such request is pending, the request is denied. The servlet is programmed with various phone home parameters for determining whether the target device should transmit the request for connection.

Abstract: A system and method for processing data stored in data storage devices is described. A computing processor acquires blocks of data from a target machine and computes an entropy value associated with each block of the acquired data. The computing processor checks the entropy values of each block to determine whether or not the particular block is deemed to contain useful data, before that block is analyzed.

Abstract: A method, apparatus and system for secure forensic investigation of a target machine by a client machine over a communications network. In one aspect the method comprises establishing secure communication with a server over a communications network, establishing secure communication with the target machine over the communications network, wherein establishing secure communication with the target machine includes establishing secure communication between the server and the target machine, installing a servelet on the target machine, transmitting a secure command to the servelet over the communications network, executing the secure command in the servelet, transmitting data, by the target machine, in response to a servelet instruction, and receiving the data from the target machine over the communication network.

Abstract: A method for processing a plurality of electronic items includes: for each item of the electronic items, each item being associated with an item identifier, segmenting, on a processing device, each item into a plurality of segments, for each segment of the plurality of segments: hashing the segment to produce a segment hash value; updating a first table with the segment and the segment hash value; and adding an entry to a second table, the entry including the item identifier and the segment hash value; and outputting, from the processing device, the first table and the second table.

Abstract: A method, apparatus and system for secure forensic investigation of a target machine by a client machine over a communications network. In one aspect the method comprises establishing secure communication with a server over a communications network, establishing secure communication with the target machine over the communications network, wherein establishing secure communication with the target machine includes establishing secure communication between the server and the target machine, installing a servelet on the target machine, transmitting a secure command to the servelet over the communications network, executing the secure command in the servelet, transmitting data, by the target machine, in response to a servelet instruction, and receiving the data from the target machine over the communication network.

Abstract: A method, apparatus and system for secure forensic investigation of a target machine by a client machine over a communications network. In one aspect the method comprises establishing secure communication with a server over a communications network, establishing secure communication with the target machine over the communications network, wherein establishing secure communication with the target machine includes establishing secure communication between the server and the target machine, installing a servelet on the target machine, transmitting a secure command to the servelet over the communications network, executing the secure command in the servelet, transmitting data, by the target machine, in response to a servelet instruction, and receiving the data from the target machine over the communication network.

Abstract: A password-based key derivation function includes a sub-function that gets executed multiple times based on an iteration count. A key derivation module computes the iteration count dynamically with each entered password. The iteration count is computed as a function of the password strength. Specifically, the weaker the password, the higher the iteration count; but the stronger the password, the smaller the interaction count. This helps strengthen weaker passwords without penalizing stronger passwords.

Abstract: A system and method for an entropy-based near-match analysis identifies target files that are almost, but not identical, to a reference file. A computing processor computes entropies of the reference and target files, and determines the likeness of the target files to the references file based on the computed entropies. The computing processor determines a near match between the target file and the reference file if the likeness of the two files is within a user-defined tolerance level. According to one embodiment of the invention, the information entropy is a weighted value that takes into account the size of the file.

Abstract: A method, apparatus and system for secure forensic investigation of a target machine by a client machine over a communications network. In one aspect the method comprises establishing secure communication with a server over a communications network, establishing secure communication with the target machine over the communications network, wherein establishing secure communication with the target machine includes establishing secure communication between the server and the target machine, installing a servelet on the target machine, transmitting a secure command to the servelet over the communications network, executing the secure command in the servelet, transmitting data, by the target machine, in response to a servelet instruction, and receiving the data from the target machine over the communication network.

Abstract: A computer investigation system and method that conducts electronic discovery of desired files across a live network in a forensically sound manner. The investigation entails an examining machine electronically identifying, collecting, and preserving evidence from target machines that is responsive to a set of investigation criteria. The set of investigation criteria is associated with an investigation subject that is identified by a global unique identifier (GUID). As the investigation subject is applied to the various files, the responsive files are stamped with the GUID and preserved in a container file referred to as a logical evidence file (LEF). The GUID allows the results of an investigation to be easily and reliably traced to the particular investigation subject that was applied.

Abstract: An indexing engine generates a full text index of English and non-English files provided to the indexing engine. The indexing engine receives an input file for indexing, and normalizes the unique words contained in the input file. The normalizing includes stripping the words of any diacritical marks, taking into account different multilingual issues, case folding the words into lowercase, and the like. The normalized words are stored in a dictionary, and a word record is generated for each stored word. Each word record includes a flag that indicates whether one or more variations exist in the input file for the normalized word. One or more tables store information on the variations for the normalized words. When a query engine is invoked to search for an input query word, the variations are searched only if the user has set an option to consider such variations.

Abstract: A system and method for concurrent investigations of static data stored in one or more secondary storage devices of one or more target machines in a data communications network. The network includes an examining machine, a secure server, and various target machines. The examining machine transmits to the target machines a search request including a search key. The examining machine also streams to each target machine metadata information and file extents of the files to be searched. The target machines concurrently search the indicated file extents for the search key. The target machines then stream the search results to the examining machine.

Abstract: A method, apparatus and system for secure forensic investigation of a target machine by a client machine over a communications network. In one aspect the method comprises establishing secure communication with a server over a communications network, establishing secure communication with the target machine over the communications network, wherein establishing secure communication with the target machine includes establishing secure communication between the server and the target machine, installing a servelet on the target machine, transmitting a secure command to the servelet over the communications network, executing the secure command in the servelet, transmitting data, by the target machine, in response to a servelet instruction, and receiving the data from the target machine over the communication network.

Abstract: An examining machine automatically reconnecting to a target machine and resuming acquisition of data stored in a device coupled to the target machine. The examining machine establishes connection with the target machine and initiates data acquisition of the device coupled to the target machine. Periodically during the data acquisition, the examining machine receives from the target machine an intermediary hash state of the data that has been acquired so far. When connection is lost during the acquisition, the examining machine is able to automatically attempt reconnection to the target machine. Once the connection is automatically reestablished, the examining machine transmits the hash state that is currently saved for the acquisition to the target machine. The target machine may then continue the hash process from this intermediate state.

Abstract: An examining machine automatically reconnecting to a target machine and resuming acquisition of data stored in a device coupled to the target machine. The examining machine establishes connection with the target machine and initiates data acquisition of the device coupled to the target machine. Periodically during the data acquisition, the examining machine receives from the target machine an intermediary hash state of the data that has been acquired so far. When connection is lost during the acquisition, the examining machine is able to automatically attempt reconnection to the target machine. Once the connection is automatically reestablished, the examining machine transmits the hash state that is currently saved for the acquisition to the target machine. The target machine may then continue the hash process from this intermediate state.

Abstract: A method, apparatus and system for secure forensic investigation of a target machine by a client machine over a communications network. In one aspect the method comprises establishing secure communication with a server over a communications network, establishing secure communication with the target machine over the communications network, wherein establishing secure communication with the target machine includes establishing secure communication between the server and the target machine, installing a servelet on the target machine, transmitting a secure command to the servelet over the communications network, executing the secure command in the servelet, transmitting data, by the target machine, in response to a servelet instruction, and receiving the data from the target machine over the communication network.