Abstract: Systems and methods for cloud-based management of digital forensic evidence and, in particular, to systems and methods for enabling cloud-based digital forensic investigations.

Abstract: A system and associated method for intelligence gathering is provided. The system includes a forensic data source, an investigation module, and a report generation module. The investigation module is configured to collect subject data of a subject from the forensic data source and transmit subject data to the report generation module. The report generation module is configured to receive the subject data from the investigation module and analyze subject data to generate an investigation report output.

Abstract: Systems and methods for cloud-based management of digital forensic evidence and, in particular, to systems and methods for enabling cloud-based digital forensic investigations.

Abstract: Methods and apparatus for examining digital forensic data using a viewer computer. Forensic data collections are provided to the viewer computer, which can format the data artifacts according to a variety of display types and presentation formats, to facilitate review and reporting by a user. A relation graph presentation format is provided for visual exploration of data relationships.

Abstract: Methods and apparatus for examining digital forensic data using a viewer computer. Forensic data collections are provided to the viewer computer, which can format the data artifacts according to a variety of display types and presentation formats, to facilitate review and reporting by a user. A relation graph presentation format is provided for visual exploration of data relationships.

Abstract: According to one aspect, a system for locating application-specific data that includes a server, a broker, and an agent. An operator may define a command using the server, and this command may be sent to the broker. The broker may then send the command to the agent operating on an end-point system. The agent may then conduct an application-specific data search on the end-point system in respect of the user command. Search results may then be sent to the broker. The broker may then sent the search results to the server.

Abstract: Methods and apparatus for examining digital forensic data using a viewer computer. Forensic data collections are provided to the viewer computer, which can format the data artifacts according to a variety of display types and presentation formats, to facilitate review and reporting by a user. The display types and presentation formats also enable the user to easily switch between a source location view and a related artifacts view.

Abstract: Methods and apparatus for examining digital forensic data using a viewer computer. Forensic data collections are provided to the viewer computer, which can format the data artifacts according to a variety of display types and presentation formats, to facilitate review and reporting by a user. The display types and presentation formats also enable the user to easily switch between a source location view and a related artifacts view.

Abstract: A system and a method for locating populations of content-specific data portions. The method includes determining a current population of data portions to be searched based on at least one prioritization criterion; accessing the current population of data portions; examining at least one data portion of the current population of data portions and extracting content-specific data; comparing the content-specific data to at least one suspect criterion; determining whether the current population meets at least one population criterion by analyzing the content-specific data; determining at least one next population of data portions to be searched based on proximity to the current population; and determining the at least one next population of data portions to be searched based on the at least one prioritization criterion.

Abstract: According to one aspect, a system for locating application-specific data that includes a server, a broker, and an agent. An operator may define a command using the server, and this command may be sent to the broker. The broker may then send the command to the agent operating on an end-point system. The agent may then conduct an application-specific data search on the end-point system in respect of the user command. Search results may then be sent to the broker. The broker may then sent the search results to the server.

Abstract: According to one aspect, a system for locating application-specific data that includes a server, a broker, and an agent. An operator may define a command using the server, and this command may be sent to the broker. The broker may then send the command to the agent operating on an end-point system. The agent may then conduct an application-specific data search on the end-point system in respect of the user command. Search results may then be sent to the broker. The broker may then sent the search results to the server.

Abstract: A system and a method for locating application-specific data that has been previously deleted and located in an address of the data storage device marked as being available for storing new data. The method includes accessing unidentified data from at least one data storage device; examining the unidentified data to detect at least one application-specific data pattern associated with at least one application; for each detected application-specific data pattern, executing an application-specific validation process to determine whether the unidentified data includes valid data associated with a corresponding application; and if it is determined that the unidentified data includes valid data associated with the corresponding application, then recovering the valid data.

Abstract: A system and a method for locating application-specific data that has been previously deleted and located in an address of the data storage device marked as being available for storing new data. The method includes accessing unidentified data from at least one data storage device; examining the unidentified data to detect at least one application-specific data pattern associated with at least one application; for each detected application-specific data pattern, executing an application-specific validation process to determine whether the unidentified data includes valid data associated with a corresponding application; and if it is determined that the unidentified data includes valid data associated with the corresponding application, then recovering the valid data.