Abstract: Systems and methods for presenting forensic data in a forensic data review user interface and for generating reference hash sets are provided. The method includes receiving a selection via the forensic data review user interface to display a forensic data collection; in response to receiving the selection, hashing at least one forensic data item in the forensic data collection to generate a hash value; determining that the hash value matches a reference hash value in at least one reference hash set; varying a default display property of the at least one forensic data item according to a presentation rule encoded in the reference hash set and associated with the reference hash value to obtain a varied display property; and displaying the forensic data collection in the forensic data review user interface including the at least one forensic data item according to the varied display property.

Abstract: A system and method for selectively acquiring forensic data from at least one electronic storage medium of a target device to comply with a search authorization is provided. The method includes: configuring a set of search criteria based on at least one authorized search parameter extracted from a search authorization; configuring a forensic data acquisition module based on the set of search criteria; scanning a target dataset stored in the at least one electronic storage medium of the target device using the forensic data acquisition module to identify data items that are compliant with the set of search criteria; acquiring the compliant data items from the target device to an external data storage medium; and generating a log comprising a record for each scanned data item in the target dataset specifying whether the scanned data item met the search criteria and whether the scanned data item was acquired.

Abstract: Provided are a system and method for evaluating integrity of a parsed file system. The system includes a processor and a memory communicatively connected to the processor and storing computer-executable instructions that cause the system to read an allocation tracker, create an allocated blocks collection of each block identifier within the allocation tracker indicated to be currently allocated, create an initially empty reference anomaly blocks collection, for each block of each file system object referenced by the file system object, determine that the associated block identifier is present in the allocated blocks collection or not, respectively remove the block identifier from the allocated blocks collection or add the block identifier to the reference anomaly blocks collection, determine that the allocated blocks collection and the reference anomaly blocks collection are empty or not empty and respectively indicate a successful evaluation or an unsuccessful evaluation.

Abstract: Computer systems and computer-implemented methods for forensically investigating a target dataset including a target file by comparing the target file to a source file are provided. The method includes performing a preliminary matching operation. The preliminary matching operation includes performing at least one of a file size matching operation, in which a target file size is compared to a source file size, and a sub-hash matching operation, in which a target file sub-hash is compared to a source file sub-hash. A sub-hash is a hash value calculated using a subset of data from the file. The method further includes performing a full hash matching operation if the preliminary matching operation identifies a preliminary match. The full hash matching operation includes generating a target file full hash value and comparing the target file full hash value to a source file full hash value.

Abstract: What is provided is a method of generating a minimal forensic image of a target dataset to reduce upload demand. The method includes storing a set of criteria in an investigator device, wherein the set of criteria determines target data files of the target dataset which are to be included in the minimal forensic image, and wherein the set of criteria includes a plurality of file types and at least a first upload format for each file type in the plurality of file types, locating the target data files of the plurality of file types in the target dataset using the set of criteria, storing a representation of each target data file in the minimal forensic image in an MFI upload format determined according to the set of criteria, and transferring the minimal forensic image to a cloud server.

Abstract: Systems and methods for conducting a cloud-based forensic investigation of electronically-stored information are provided. The system includes an investigation requestor device configured to request a forensic investigation including selecting search criteria for the investigation, at least one remote system of the target, wherein the at least one remote system comprises electronically-stored information; a cloud server for storing forensic artifacts collected from the at least one remote system, wherein the forensic artifacts are collected based on the search criteria; and a cloud-based evidence-processing service configured to analyze the forensic artifacts and generate an initial report.

Abstract: Systems and methods for cloud-based management of digital forensic evidence and, in particular, to systems and methods for enabling cloud-based digital forensic investigations.

Abstract: A system and associated method for intelligence gathering is provided. The system includes a forensic data source, an investigation module, and a report generation module. The investigation module is configured to collect subject data of a subject from the forensic data source and transmit subject data to the report generation module. The report generation module is configured to receive the subject data from the investigation module and analyze subject data to generate an investigation report output.

Abstract: Systems and methods for cloud-based management of digital forensic evidence and, in particular, to systems and methods for enabling cloud-based digital forensic investigations.

Abstract: Methods and apparatus for examining digital forensic data using a viewer computer. Forensic data collections are provided to the viewer computer, which can format the data artifacts according to a variety of display types and presentation formats, to facilitate review and reporting by a user. A relation graph presentation format is provided for visual exploration of data relationships.

Abstract: According to one aspect, a system for locating application-specific data that includes a server, a broker, and an agent. An operator may define a command using the server, and this command may be sent to the broker. The broker may then send the command to the agent operating on an end-point system. The agent may then conduct an application-specific data search on the end-point system in respect of the user command. Search results may then be sent to the broker. The broker may then sent the search results to the server.

Abstract: Methods and apparatus for examining digital forensic data using a viewer computer. Forensic data collections are provided to the viewer computer, which can format the data artifacts according to a variety of display types and presentation formats, to facilitate review and reporting by a user. The display types and presentation formats also enable the user to easily switch between a source location view and a related artifacts view.

Abstract: Methods and apparatus for examining digital forensic data using a viewer computer. Forensic data collections are provided to the viewer computer, which can format the data artifacts according to a variety of display types and presentation formats, to facilitate review and reporting by a user. The display types and presentation formats also enable the user to easily switch between a source location view and a related artifacts view.

Abstract: A system and a method for locating populations of content-specific data portions. The method includes determining a current population of data portions to be searched based on at least one prioritization criterion; accessing the current population of data portions; examining at least one data portion of the current population of data portions and extracting content-specific data; comparing the content-specific data to at least one suspect criterion; determining whether the current population meets at least one population criterion by analyzing the content-specific data; determining at least one next population of data portions to be searched based on proximity to the current population; and determining the at least one next population of data portions to be searched based on the at least one prioritization criterion.

Abstract: According to one aspect, a system for locating application-specific data that includes a server, a broker, and an agent. An operator may define a command using the server, and this command may be sent to the broker. The broker may then send the command to the agent operating on an end-point system. The agent may then conduct an application-specific data search on the end-point system in respect of the user command. Search results may then be sent to the broker. The broker may then sent the search results to the server.

Abstract: According to one aspect, a system for locating application-specific data that includes a server, a broker, and an agent. An operator may define a command using the server, and this command may be sent to the broker. The broker may then send the command to the agent operating on an end-point system. The agent may then conduct an application-specific data search on the end-point system in respect of the user command. Search results may then be sent to the broker. The broker may then sent the search results to the server.

Abstract: A system and a method for locating application-specific data that has been previously deleted and located in an address of the data storage device marked as being available for storing new data. The method includes accessing unidentified data from at least one data storage device; examining the unidentified data to detect at least one application-specific data pattern associated with at least one application; for each detected application-specific data pattern, executing an application-specific validation process to determine whether the unidentified data includes valid data associated with a corresponding application; and if it is determined that the unidentified data includes valid data associated with the corresponding application, then recovering the valid data.

Abstract: A system and a method for locating application-specific data that has been previously deleted and located in an address of the data storage device marked as being available for storing new data. The method includes accessing unidentified data from at least one data storage device; examining the unidentified data to detect at least one application-specific data pattern associated with at least one application; for each detected application-specific data pattern, executing an application-specific validation process to determine whether the unidentified data includes valid data associated with a corresponding application; and if it is determined that the unidentified data includes valid data associated with the corresponding application, then recovering the valid data.