JP2012022722A - Forensic system, and forensic program - Google Patents

Abstract

PROBLEM TO BE SOLVED: To reduce a workload of preparing evidentiary material for an legal action by extracting only digital document information relating to specific persons.SOLUTION: Recorded digital information is displayed, user-specific information is set which indicates whether or not each of multiple document files relates to any one of users included in user information, and the set user-specific information is set to be recorded in a storage unit. At least one or more users are specified, and document files set with the user-specific information corresponding to the specified users are searched. Additional information is set which indicates whether or not the retrieved document files are related to an legal action via a display unit, and on the basis of the additional information, the document files relating to the legal action are output.

Description

  The present invention relates to a forensic system, a forensic method, and a forensic program, and more particularly, to a forensic system, a forensic method, and a forensic program for collecting digital document information related to a lawsuit.

  Conventionally, when a computer crime or legal dispute such as forensic unauthorized access or leakage of confidential information occurs, the equipment, data, and electronic records necessary for investigating the cause and investigation are collected and analyzed. Means and techniques to clarify this have been proposed.

  In particular, US civil lawsuits require eDiscovery (eDiscovery), etc. Since both plaintiffs and defendants in such lawsuits are responsible for submitting all relevant digital information as evidence, The recorded digital information must be submitted as evidence.

  On the other hand, with the rapid development and spread of IT, since most information is created by computers in today's business world, a lot of digital information is flooded even within the same company.

  Therefore, in the process of preparing for submission of evidence to the court, it is easy to make mistakes that include confidential digital information not necessarily related to the lawsuit as evidence, and confidential digital information not related to the lawsuit. It became a problem to submit.

  In recent years, technologies relating to forensic systems have been proposed in Patent Literature 1 and Patent Literature 2. Patent Document 1 discloses a forensic system in which a fraudulent person can be efficiently identified by a method capable of proving evidence retention, and the specific reliability is hardly affected by human factors.

  Patent Document 2 discloses a forensic information insurance system that pays insurance money for damages caused by leakage of personal information, and includes forensics that perform subsequent actions such as identification of criminals and legal measures. A system is disclosed.

JP 2006-178521 A

JP 2007-148731 A

  However, for example, forensic systems such as Patent Document 1 and Patent Document 2 collect a great deal of digital document information of users using a plurality of computers and servers.

  All collected digital document information is valid as legal evidence in the situation where the operator cannot accurately grasp the digital document information used (created / edited / viewed) by which user. However, there is a problem that it takes a great deal of labor and expense to determine whether or not it is.

  Therefore, in view of the above circumstances, the present invention provides a forensic system, a forensic method, and a forensic method capable of setting which user is associated with the digital document information after collecting the digital document information, and It is intended to provide a forensic program.

  A forensic system of the present invention acquires digital information recorded in a plurality of computers or servers, and analyzes the acquired digital information. In the forensic system that analyzes the acquired digital information, A digital information acquisition unit that acquires digital information including user information about a user who uses a computer or a server, a recording unit that records the digital information acquired by the digital information acquisition unit, and displays the recorded digital information And a user specifying information indicating which user among the users included in the user information is related to each of the plurality of document files via the display unit, A user identification information setting unit configured to record the set user identification information in the storage unit, and a display Via a user designation unit for designating at least one user, a search unit for retrieving a document file in which user identification information corresponding to the designated user is set, and a display unit, A supplementary information setting unit for setting supplementary information indicating whether the retrieved and extracted document file is related to a lawsuit; an output unit for outputting a document file related to a lawsuit based on the supplementary information; It is characterized by comprising.

  The “user identification information setting unit” displays, via the display unit, user identification information indicating which of the users included in the user information is related to each of the plurality of document files. And the set user identification information is recorded in the storage unit. For each document file, which user is used is set.

  Note that the “user identification information setting unit” may not necessarily cover users related to lawsuits with user information recorded in a plurality of computers and servers. Additional users may be set manually. For example, the “user specifying information setting unit” may set user specifying information indicating that a plurality of users are related to a document file. One document file may be set to be related to one user, or one document file may be set to be used by a plurality of users. In addition, the “user identification information setting unit” is a ranking that indicates that the plurality of users are related to the document file and the degree of the degree of the relation with the relative lawsuit of each of the plurality of users. The attached information may be set as user information. While setting a plurality of users in one document file, it is possible to set an order indicating which users are highly relevant in a lawsuit among the set users. In addition, the “user specifying information setting unit” further specifies the rank of the ranking information, and the search unit sets the user specifying information corresponding to the user having the specified rank. A document file may be searched.

  The “digital information acquisition unit” acquires digital information recorded in a plurality of computers or servers. For example, the digital information acquisition unit stores digital information recorded in the computer or server on an electronic medium. Copy and copy to the forensic system via the electronic medium, or connect the computer or server to the forensic system via a network line, and transfer the digital information recorded on the computer or server to the forensic system. Conserve and collect digital information by copying it. The “digital information acquisition unit” acquires second digital information recorded on a second server different from the server and including second digital document information and second user information. Thus, the forensic system may search not only the digital document information but also a plurality of document files constituting the second digital document information.

  The forensic system of the present invention further includes a text information extraction unit that extracts text information for each of a plurality of document files from the recorded digital document information, and a keyword specification unit that specifies a keyword. A document file including a specified keyword may be searched based on the text information thus set, and the incidental information setting unit may set incidental information for the retrieved document file.

  The forensic system of the present invention further includes a data conversion unit for converting a document file of digital document information recorded by the recording unit into a predetermined data format, and the document file converted by the data conversion unit is output by the output unit. Until the processing is performed, the processing may be performed in the same manner as the converted data format.

  The forensic system of the present invention further creates statistical data expressed from the data capacity for each data format of the acquired digital document information or statistical data expressed from the data capacity for each data format of the retrieved digital document information. A statistical data creation unit may be provided.

  The forensic system of the present invention further includes a timekeeping unit that measures the date and time when digital information is acquired again, and the digital information further includes folder information for storing digital document information. The information acquisition unit acquires digital document information and folder information created after the date and time previously measured by the timing unit, and acquires user information related to the acquired digital document information. Also good.

  The “server” is one or more servers, and may be configured by a plurality of servers, for example, and is characterized by at least any two or more of a mail server, a file server, and a document management server. It is what.

  The forensic system of the present invention includes a plurality of incidental information setting units, and is characterized in that incidental information can be set by different operators.

  “Display unit” refers to a display or the like that can display digital information. In addition, “display recorded digital information” may display all user information and digital document information, or may display at least one of those information, At least one of information attribute information (for example, a user's name, a file name of a document file, a document file, etc.) may be displayed.

  The “output unit” outputs digital document information as some kind of production, and may be any one of a printer and a digital document file creation device, for example.

  “User information” indicates a user recorded in the computer and / or server, and is a user ID indicating who is using the computer and / or server, or a document file. It may include information indicating the person who actually used any of editing, creation, or browsing, or access information indicating which digital document information the user accessed at which time. .

  The forensic method of the present invention is a forensic method for acquiring digital information recorded in a plurality of computers or servers, and analyzing the acquired digital information. Acquiring digital information including user information relating to a user who uses a computer or a server, recording digital information acquired by a digital information acquisition unit, displaying recorded digital information, For each of a plurality of document files, user identification information indicating which of the users included in the user information is related is set, and the set user identification information is recorded in the storage unit. A step of setting to perform, a step of specifying at least one user, A step of searching for a document file in which user identification information corresponding to a specified user is set, a step of setting incidental information indicating whether or not the searched document file is related to a lawsuit, The document file related to the lawsuit is output based on the incidental information.

  The forensic program of the present invention is a forensic program for acquiring digital information recorded in a plurality of computers or servers, and analyzing the acquired digital information. , A function of acquiring digital information including user information regarding users who use a plurality of computers or servers, a function of recording digital information acquired by the digital information acquisition unit, and displaying the recorded digital information For each of a plurality of document files, a function specifying user specifying information indicating which of the users included in the user information is related is set, and the set user specifying information is set. A function to set to record in the storage unit and specify at least one user A function to search for a document file in which user identification information corresponding to the specified user is set, and additional information indicating whether the searched document file is related to a lawsuit. A function to be set and a function to output a document file related to a lawsuit based on incidental information are realized.

  It should be noted that the above summary of the invention does not enumerate all the necessary features of the present invention. In addition, a sub-combination of these feature groups can also be an invention.

  According to the forensic system, the forensic method, and the forensic program of the present invention, for each of a plurality of document files, the user specifying information indicating which user among the users included in the user information is related. A document file in which the user identification information is set, the user identification information is set to be recorded in the storage unit, at least one user is specified, and the user identification information corresponding to the specified user is set , And through the display section, set incidental information indicating whether the retrieved document file is related to a lawsuit, and output a document file related to the lawsuit based on the supplementary information. Without extracting all the digital document information acquired, only the digital document information classified for each user related to the lawsuit is extracted and And make it possible to confirm.

  Thereby, only the digital document information related to a specific person can be extracted from the flooded digital document information, and the work load for preparing the evidence material for the lawsuit can be reduced.

  According to the forensic system, the forensic method, and the forensic program of the present invention, by setting user identification information indicating that the document file is related to each of a plurality of users, a single document file is set. On the other hand, it can be set that a plurality of users are related.

  According to the forensic system, the forensic method, and the forensic program of the present invention, the document file is related to each of a plurality of users, and the degree of the relevance to the relative lawsuit of each of the plurality of users. When setting the ranking information indicating the ranking in the user identification information, a single document file is related to a plurality of users, and which users are among the plurality of users, An order indicating whether the relevance is high in a lawsuit can be set in advance.

  According to the forensic system, the forensic method, and the forensic program of the present invention, when a search unit searches for a document file in which user information corresponding to a user having a specified order is set, a user related to a lawsuit is retrieved. Therefore, it is possible to search digital document information related to the user based on the ranking of the degree of relevance.

  According to the forensic system, the forensic method, and the forensic program of the present invention, second digital information including second digital document information and second user information recorded in a second server different from the server is acquired. When searching for not only digital document information but also a plurality of document files constituting the second digital document information, the digital document information recorded on a plurality of servers should be analyzed and confirmed without omission. Enable.

  According to the forensic system, the forensic method, and the forensic program of the present invention, the forensic system, the forensic method, and the forensic program further include a text information extraction unit, a keyword designating unit, and a search unit. When setting the information, only the digital document information recorded on the server that has been accessed by a specific person, and a predetermined search narrows down the population of digital document information that may be related to lawsuits. It becomes possible.

  According to the forensic system, the forensic method, and the forensic program of the present invention, the document file converted by the data conversion unit is processed in the same format as the converted data until it is output by the output unit. In addition, it is possible to reduce useless processes of data format conversion in the middle of the processing flow, and to eliminate the risk of quality deterioration of digital document information.

  According to the forensic system, the forensic method, and the forensic program of the present invention, when the statistical data creation unit is further provided, the statistical data can be visualized and provided to the operator, so that the effort required for preparing the lawsuit can be quickly grasped. Can do.

  According to the forensic system, the forensic method, and the forensic program of the present invention, the digital information acquisition unit further acquires digital document information and folder information created after the date and time previously measured by the time measurement unit. Difference collection of digital information can be performed, and the load of repeatedly acquiring the same digital information from a server or the like can be reduced.

  According to the forensic system, the forensic method, and the forensic program of the present invention, when the auxiliary information setting unit includes a plurality of auxiliary information setting units, the auxiliary information setting unit can set the auxiliary information by different operators. It is possible to perform preparatory work at an early stage by determining whether or not it is evidence material for multiple persons.

1 is a functional block diagram illustrating a configuration of a forensic system according to a first embodiment of the present invention. The figure showing the flow of the forensic system service of this invention The figure showing the processing flow of the forensic system of this invention The functional block diagram showing the structure of the forensic system in the 2nd Embodiment of this invention

1 Forensic system 2-5 Computer (PC)
DESCRIPTION OF SYMBOLS 10 Server 20 Digital information acquisition part 30 Recording part 40 Display part 45 Display control part 50 User designation part 60 Digital document information extraction part 70 Attached information setting part 80 Text information acquisition part 90 Keyword designation part 95 User specific information setting part 100 Search unit 110 Data conversion unit 120 Output unit 130 Statistical data creation unit 140 Timekeeping unit 150 CPU
160 Controller 170-172 Client PC

  Hereinafter, embodiments of the present invention will be described with reference to the drawings.

  FIG. 1 is a functional block diagram showing a configuration of a forensic system 1 according to an embodiment of the present invention.

  A forensic system 1 shown in FIG. 1 includes a plurality of document files in the forensic system 1 that acquires digital information recorded in a plurality of computers (PCs 2 to 5) and a server 10 and analyzes the acquired digital information. Digital information acquisition unit 20 for acquiring digital information including digital document information and user information regarding users who use a plurality of computers (PCs 2 to 5) or the server 10, and acquired by the digital information acquisition unit 20 A recording unit 30 that records digital information, a display unit 40 that displays the recorded digital information, and a user included in the user information for each of a plurality of document files by confirming (via) the display unit 40 The user identification information indicating which user is associated with the user is set, and the set interest rate is set. A user specifying information setting unit 95 that sets the user specifying information to be recorded in the storage unit 30, a user specifying unit 50 that specifies at least one user via the display unit 40, and a specified use The search unit 100 that searches for the document file in which the user identification information corresponding to the person is set, and the incidental information that indicates whether or not the searched document file is related to the lawsuit via the display unit 40. And an output unit 120 for outputting a document file related to a lawsuit based on the incidental information.

  The control unit 160 includes a display control unit 45, a digital document information extraction unit 60, a text information acquisition unit 80, a management unit 85, a search unit 100, a data conversion unit 110, a statistical data creation unit 130, a clock unit 140, and a CPU 150. It is.

  The forensic system 1 includes a data input device such as a touch panel when the keyboard, mouse, and display unit 4 have a touch panel function. As the data input device, a user specifying unit 50, an accompanying information setting unit 70, a keyword specifying unit 90 and a user identification information setting unit 95.

  The user information indicates the user recorded in the computer and / or server, and is the user ID indicating who used the computer or server, or the document file is actually edited. It may include information indicating a person who has used either creation or browsing, or access information indicating which digital document information the user has accessed at which time.

  The user specifying unit 50, the incidental information setting unit 70, the keyword specifying unit 90, and the user specifying information setting unit 95 may be different data input devices or the same data input device.

  The output unit 120 is a recording device or a printer that records data on an electronic medium.

  The configuration of the forensic system 1 as shown in FIG. 1 is realized by calculating and executing a forensic program read into an auxiliary storage device (not shown) by the CPU 150 on a computer. At this time, the forensic program is stored in a storage medium such as a CD-ROM or distributed via a network such as the Internet and installed in a computer.

  Hereinafter, in the first embodiment of the present invention, the forensic system 1 will be described as a personal computer. However, the forensic system 1 may be a server, a portable terminal type computer, or the like, and will be described in a second embodiment to be described later. It may be a network type system configuration.

  The user specifying information setting unit 95 provides user specifying information indicating which user among the users included in the user information is related to each of the plurality of document files via the display unit. Setting is performed, and the set user identification information is recorded in the storage unit 30. Note that the user information recorded on multiple computers and servers may not necessarily cover users related to lawsuits, so new users may be manually set manually according to operator instructions. Is possible.

  The user specifying information setting unit 95 sets which user is used for each document file. For example, the user specifying information setting unit 95 may set user information indicating that a plurality of users are related to a document file. One document file may be set to be related to one user, or one document file may be set to be used by a plurality of users. In addition, the user specifying information setting unit 95 is a ranking indicating the order of the degree of relevance to each of the plurality of users and the relative lawsuit of each of the plurality of users with respect to the document file. The attached information may be set as user specifying information. As a result, while setting a plurality of users in one document file, it is possible to set a ranking indicating which users are highly relevant in the lawsuit among the set users. Further, the user specifying information setting unit 95 further specifies the rank of the ranking information, and the search unit 100 sets the user specifying information corresponding to the user having the specified rank. A document file may be searched.

  The digital information acquisition unit 20 acquires digital information recorded in the PCs 2 to 5 or the server 10 used by the user.

  For example, the digital information acquisition unit 20 copies the digital information recorded in the PCs 2 to 5 or the server 10 to a certain electronic medium (for example, USB, CD, DVD, etc.), and digitally transmits the digital information to the forensic system via the electronic medium. Have the information copied.

  Further, when the PCs 2 to 5 or the server 10 and the forensic system 1 are connected via a network line, the digital information acquisition unit 20 stores the digital information recorded in the PCs 2 to 5 or the server 10 via the network. By receiving the transmission, the digital information is collected and collected.

  The digital information acquisition unit 20 acquires second digital information including second digital document information and second user information recorded in a server (referred to as a second server) different from the server 10. Thus, the forensic system 1 may search not only the digital document information but also a plurality of document files constituting the second digital document information.

  The digital information collecting unit 10 includes second digital document information, second user information, and second access history information recorded in a server (referred to as a second server) different from the server 10. Second digital information may be acquired.

  The forensic system 1 further includes a text information extracting unit 80 that extracts text information for each of a plurality of document files from a recorded digital document information, a keyword specifying unit 90 that specifies a keyword, and the extracted text information. And a search unit 100 for searching for a document file including a designated keyword.

  The supplementary information setting unit 70 sets supplementary information for the document file searched by the search unit 100.

  The forensic system 1 further includes a data conversion unit 110 that converts a document file of digital document information recorded by the recording unit 30 into a predetermined data format. The document file converted by the data conversion unit 110 is output by the output unit 120. In this case, the data is processed in the same manner as the converted data format until it is output by.

  The forensic system 1 further receives statistical data represented by the data capacity of each acquired digital document information data format, and statistical data represented by the data capacity of each digital document information data format retrieved by the retrieval unit 100. It is provided with 130 parts of statistical data creation to be created.

  The forensic system 1 further includes a timer 140 that measures the date and time when digital information is acquired again, and the digital information further includes folder information for storing digital document information. The acquisition unit 20 acquires digital document information and folder information created after the date and time previously measured by the timing unit 140, and obtains user information related to the acquired digital document information and folder information. get.

  The digital information may include digital document information, user information, and folder information for storing the digital document information.

  The timer unit 140 calculates the date and time when the digital information acquisition unit 20 acquires digital information.

  The display unit 40 displays the display content according to an instruction from the display control unit 45 configured in the control unit 160.

  When the digital information acquisition unit 20 acquires digital information at the nth time (n = 2, 3,...), The digital information acquisition unit 20 indicates the date and time counted by the time measuring unit 140 at the time when the digital information was acquired at the (n−1) th time. From the information, digital document information and folder information created in the PCs 2 to 5 or the server 10 after the date and time information are acquired. At this time, the acquired digital document information and folder information may be acquired, and user information related to the acquired digital document information may be further acquired. The server 10 is a single server or more, and may be constituted by a plurality of servers, for example, or may be at least any two or more of a mail server, a file server, and a document management server.

  The forensic system 1 may be one that can be used simultaneously by a plurality of operators.

  The incidental information setting unit 70 may be configured by a plurality of data input devices, and a plurality of display units 40 corresponding to the plurality of incidental information setting units 70 may be prepared.

  A plurality of operators can set the supplementary information via the plurality of supplementary information setting units 70 while simultaneously confirming the digital document information.

  The output unit 120 outputs digital document information as some kind of production, and may be, for example, a printer or a recording device that records digital information on an electronic medium.

  Hereinafter, a procedure for performing preparation work for submitting evidence materials to the court of the forensic system 1 will be briefly described with reference to the service flow of FIG.

  First, in the event of a computer crime or legal dispute, such as forensic unauthorized access or leakage of confidential information, we collect and analyze the equipment, data, and electronic records necessary for investigating the cause and investigating the legal evidence. It is necessary to clarify.

  In particular, US civil lawsuits require eDiscovery (eDiscovery), etc. Since both plaintiffs and defendants in such lawsuits are responsible for submitting all relevant digital information as evidence, The recorded digital information must be submitted as evidence.

  Therefore, the forensic system 1 selects and collects digital information related to the lawsuit and preserves and collects the digital information recorded in the PCs 2 to 5 and the server 10 in order to prepare for submission of evidence to the court (Preservation). To do.

  Thereafter, the forensic system 1 registers the collected and collected digital information in a database such as the recording unit 30, analyzes the digital information (Analysis), and subdivides it by keyword search and filter processing.

  The recording unit 30 may be included in the computer of the forensic system 1 or may be stored in a server as a separate body from the computer.

  The forensic system 1 reviews the subdivided digital information on the display unit 40, and the operator sets incidental information for the digital document information via the incidental information setting unit 70.

  The control unit 160 has a maintenance collection analysis function, a process analysis search function, a Review function, and a Production function.

  For example, the maintenance collection / analysis function of the control unit 160 is a case management function (function of the management unit 85) so that data management can be performed for each case, and analysis of the file type and possession amount for each target person / evidence. File analysis function (function of search unit 100) capable of analyzing search target files, file type selection extraction function (function of digital document information extraction unit 60) capable of selecting file types to be searched and viewed And a maintenance collection function (data conversion unit 110) that enables maintenance collection of the selected file as a separate file. The processing analysis search function of the control unit 160 has a full-text search function and a frequently used phrase top extraction function (function of the search unit 100). This full-text search function corresponds to multiple languages, enables AND OR NOT search by Boolean operation, enables search using parentheses by Grouping operation, highlights the searched phrase, and functions to make Meta Data Etc. In addition, the full text search function has an advanced search function, and can perform neighborhood search, regular expression search, and the like. The frequently used phrase top extracting function extracts a frequently used phrase within a certain digital document information.

  Further, the Review function of the control unit 160 is set with, for example, an E-mail Family browsing processing function (a function of the search unit 100) that can browse the E-mail Family collectively, or one evaluation or a plurality of evaluations as supplementary information. A free design Tag function (function of the search unit 100) that can be searched on the basis of the evaluation, a free design BookMark function (function of the search unit 100) that enables the search of a MarkMark that has been set with a hierarchical BookMark, and an arbitrary number of characters A free input comment field (function of the management unit 85) provided with an inputable comment field, a simultaneous browsing function for a plurality of operators to confirm digital document information, and a case for each viewer account when performing a ReView Each access right, administrator authority, view-only authority, etc. can be set Access right control function (function of the management unit 85), in-document write Memo function (function of the management unit 85) that enables writing in the document without changing the body of the digital document information, the number of review completed documents ( %) Case Management function (function of the management unit 85) that enables display, E-mail Threading function (function of the management unit 85) that collectively displays E-mail threads (reply, transfer, etc.), and graphical exchange of mail E-mail analysis display function (statistical data creation unit 130 function), similar document display function (function of management unit 85) that automatically classifies and displays similar documents such as Draft, old version, etc., difference between similar documents Similar document difference highlighting function that highlights only (function of management unit 85), search hit phrase The search hit part text display function (the function of the search unit 100) for displaying only the peripheral part of the search hit part.

  Also, the Production function of the control unit 160 is a function for outputting various XML files such as actual files, meta information, and tag information, CSV output, image output, and various load file outputs (by the instruction from the management unit 85, the output unit 120 And a Batch Printing function (a function that can be output by the output unit 120 according to an instruction from the management unit 85) for printing a plurality of selected digital document information.

  Finally, the forensic system 1 performs production so that the output unit 120 generates data on the electronic medium. For example, the data is recorded on the electronic medium in a predetermined format by a recording device that records the data on the electronic medium.

  Next, with reference to the flowchart of FIG. 3, a procedure for performing preparation work for submitting evidence materials to the court of the forensic system 1 will be described in detail.

  First, the digital information acquisition unit 20 uses, for example, digital document information formed of a document file in a general format such as Word format, PDF format, PPT format, Excel format, and usage related to a user who uses the PC 2 to 5 or the server 10. Digital information including person information is acquired (ST1).

  The PCs 2 to 5 used by the user are described as four as an example, but are not limited to four, and may be a plurality of PCs.

  Next, the digital information acquisition unit 20 records the acquired digital information in the recording unit 30 (ST2). The display unit 40 can display digital information (pointing to at least one of digital document information, user information, information indicating only the title of the digital information, etc.) via the control unit 160 (ST3).

  For example, the display unit 40 may display all user information and digital document information in response to an instruction from the display control unit 45, or may display at least one of those information. At least one of the attribute information (for example, the name of the user, the file name of the document file, etc.) may be displayed.

  For example, the operator logs in the forensic system 1 while confirming the screen of the display unit 40, and further creates Case (unit of the highest data group in the database of the forensic system 1). Further, the operator sets and manages a connection destination of a server or the like corresponding to the recording unit 30 in which the digital information is recorded while checking the screen of the display unit 40 (in this case, there are a plurality of recording units 30). . Further, the operator sets and manages the Customian (data holding target person or user) while checking the screen of the display unit 40. While checking the screen of the display unit 40, the operator creates and manages the status (target data group unit of the database of the forensic system 1) collected and maintained. As will be described later, while confirming the screen of the display unit 40, the operator relates the Customian to the collected information and the collected target. For example, while confirming the display unit 40, the operator presets which user is related to the lawsuit for a plurality of Targets configured from the digital document information acquired from the PCs 2 to 5 or the server. The control unit 160 can acquire the digital information recorded in the recording unit 30 and analyze the digital information by various functional units.

  The forensic system 1 includes statistical data represented by the data capacity for each data format of the digital document information recorded in the recording unit 30 or statistical data represented by the data capacity for each data format of the digital document information retrieved by the retrieval unit 100. A statistical data creation unit 110 for creating data is provided.

  For example, while confirming the screen of the display unit 40, the operator selects a given subject to be analyzed and a predetermined path (directory) from the target associated with the subject, and obtains the analysis result of the number of files and the capacity of each customian. A list can be displayed. The operator can display a list of the analysis results of the number of files and the capacity for each Path as a chart while checking the screen of the display unit 40. Further, the operator can display a list of analysis results of the number of files and the capacity for each Path (directory) while checking the screen of the display unit 40. The operator can display a list of the analysis results of the number of files and the capacity for each file type as a chart while checking the screen of the display unit 40. Further, the operator can display a list of the analysis results of the number of files and the capacity for each file type while checking the screen of the display unit 40.

  The operator can display a list of the analysis results of the number of files and the capacity for each file type as a chart while checking the screen of the display unit 40. Furthermore, the operator can display a list of the analysis results of the number of files and the capacity for each file type as a chart while checking the screen of the display unit 40 only for files that can be searched for text. This text searchable file is performed by the text information acquisition unit 80 on the text information that can be extracted from the digital document information recorded in the recording unit 30 in advance.

  Next, the operator relates to any user (Customian) among the users included in the user information for each of the plurality of document files via the display unit 40 by the user specifying information setting unit 95. Is set so that the set user specifying information is recorded in the storage unit 30 (ST4). Specifically, the operator confirms the screen of the display unit 40 and, for each document file that constitutes the collected information and the collected maintenance target, the user (with the user's computer ID) is included in the user information. In particular, the operator selects the user information while checking the display unit 40, associating which user is related to the lawsuit. The user ID (or user name) is set so that a valid user ID is assigned to each document file. Note that the user information recorded on multiple computers and servers may not necessarily cover users related to lawsuits, so new users may be manually set manually according to operator instructions. Is possible.

  The operator can also set user specifying information indicating that a plurality of users are related to the document file by the user specifying information setting unit 95. One document file may be set to be related to one user, or one document file may be set to be used by a plurality of users. In addition, the operator specifies, by the user specifying information setting unit 95, a document file that is related to each of a plurality of users and a degree of a degree related to a relative lawsuit of each of the plurality of users. It may be possible to set the ranking information indicating the user information. As a result, while setting a plurality of users in one document file, it is possible to set a ranking indicating which users are highly relevant in the lawsuit among the set users. The operator further designates the ranking of the ranking information by the user identification information setting unit 95, and the search unit 100 stores the user identification information corresponding to the users having the designated rank. It may search for a set document file.

  The operator designates at least one user (Customian) by the user designation unit 50 while confirming the display unit 40 (ST5). For example, the ID information or name information when using the computer or server of the user is recorded in advance in the storage unit 30 as user identification information, so that the ID of the user or the user is displayed on the display unit 40. A person can be selected.

  The operator can search for a document file by designating a specific user on the selection screen of the display unit 40.

  Search unit 100 searches for a document file in which user identification information corresponding to the designated user is set (ST6).

  For example, when the operator designates Mr. Ko who is a customian by the user designation unit 50, since the relationship between the document file and the user (custodian) is set by the user identification information setting unit 95, the target is set. It is also possible to extract only the document file related to the designated user from the document file inside.

  Although Mr. Ko has been described as an example, a plurality of Customians such as Mr. O can be specified in addition to Mr. Ko, and only document files related to Mr. Ko and Mr. O can be extracted. In addition, as described above, AND or NOT search of Mr. Ko and Mr. Oto can also be performed. Further, the operator can designate the rank of the ranking information in addition to at least one user by the user designation unit 50. Accordingly, the search unit 100 searches for a document file in which user identification information corresponding to a user having a designated order is set.

  Further, when the ranking information indicating the rank of the degree related to the relative lawsuit of each of the plurality of users is set in the user identification information, for example, the operator uses the user identification information setting unit 95 to The specific document file is set to “1” because Mr. K is most relevant, and “2” is set because Mr. O is related next.

  Then, when searching, for example, the operator can search for a case where the customian is Mr. Oto and the rank of Mr. Oto is “2”.

  Further, the operator can perform a search other than the narrowing down by the user while confirming the screen of the display unit 40 by the function of the search unit 100. Further, the operator can perform simple browsing while confirming the screen of the display unit 40 by the function of the display control unit 45. The operator can grasp the contents of the digital document information by this simple browsing.

  The operator sets incidental information indicating whether each document file of the extracted digital document information is related to a lawsuit (ST7).

  Specifically, if it is information related to a lawsuit, “Hot” is set, “Responsive” is set for those that may be related, and “Not Responsive” is set for those that are not related, and tags ( Accompanying information) is added. Specifically, a tag can be input by clicking a file line in the Batch list.

  Then, the operator instructs the output unit 120 to output a document file related to the lawsuit based on the incidental information. The CPU 150 that receives the operator's instruction controls the output unit 120 to output the instruction. For example, only the document file assigned with “Hot” may be output, or the document file assigned with “Hot” and “Responsive” may be output.

  Based on the instruction from CPU 150, output unit 120 outputs a document file related to the lawsuit based on the supplementary information (ST8).

  The forensic system 1 is composed of a plurality of forensic system servers, wherein the digital information extraction unit and the search unit are separated into the forensic system server, and further separated. The forensic system may be connected via a network.

  The second embodiment will be described with reference to FIG.

  The forensic system 1 may have a network type system configuration as shown in FIG. The forensic system 1 of the second embodiment is the same as each processing unit of the forensic system 1 described in the first embodiment, but the respective processing units are distributed and arranged in a plurality of servers. The servers are connected via a network. For this reason, the servers may be distributed in the country, or the servers may be distributed in any country.

  Further, according to the forensic system 1, the user specifying unit 50, the incidental information setting unit 70, the keyword specifying unit 90, and the user specifying information setting unit 95 correspond to data input devices provided in the respective client PCs 170 to 172.

  The display unit 40 corresponds to each of the client PCs 170 to 172. The display response can be improved by collecting the data transmission / reception in a virtual client server in a batch between the plurality of client PCs and the UI server.

  In this way, the forensic system 1 may be configured by a computer as in the first embodiment, or the forensic system 1 may be configured by a network type system as in the second embodiment.

  According to the forensic system 1, for each of a plurality of document files, user identification information indicating which of the users included in the user information is related is set, and the set usage is set. The user specifying information is set to be recorded in the storage unit 30, at least one user is specified, a document file in which the user specifying information corresponding to the specified user is set is searched, and the display unit 40 is searched. All the information obtained by setting the incidental information indicating whether the retrieved document file is related to the lawsuit and outputting the document file related to the lawsuit based on the incidental information. It is possible to extract, analyze and confirm only digital document information classified for each user related to a lawsuit without confirming the digital document information.

  Thereby, only the digital document information related to a specific person can be extracted from the flooded digital document information, and the work load for preparing the evidence material for the lawsuit can be reduced.

  According to the forensic system, the forensic method, and the forensic program of the present invention, by setting user identification information indicating that the document file is related to each of a plurality of users, a single document file is set. On the other hand, it can be set that a plurality of users are related.

  According to the forensic system 1, the document file is related to each of a plurality of users, and ranking information indicating a degree of a degree related to a relative lawsuit of each of the plurality of users. When setting user-specific information, it should be confirmed that multiple users are related to a single document file, and which users among the multiple users are highly relevant in the lawsuit. The order of indication can be set in advance.

  According to the forensic system 1, when the search unit 100 searches for a document file in which user identification information corresponding to a user having a specified order is set, the search unit 100 is a user related to a lawsuit, It is possible to search for digital document information related to a person who is in an order indicating the degree of the degree of.

  According to the forensic system 1, second digital information recorded on a second server different from the server 10 and including second digital document information and second user information is obtained. When searching a plurality of document files constituting not only the document information but also the second digital document information, the digital document information recorded in the plurality of servers can be analyzed and confirmed without omission.

  The forensic system 1 further includes a text information extraction unit 80, a keyword designation unit 90, and a search unit 100, and the supplementary information setting unit 70 sets supplementary information for the retrieved document file. In this case, it is possible to narrow down the population of digital document information that may be related to lawsuits by a predetermined search only for digital document information recorded on the server that has been accessed by a specific person. Become.

  According to the forensic system 1, the document file converted by the data conversion unit 110 is processed in the middle of the processing flow when it is processed in the same format as the converted data format until it is output by the output unit 120. This eliminates the wasteful process of data format conversion and eliminates the risk of quality degradation of digital document information.

  According to the forensic system 1, since the statistical data can be visualized and provided to the operator when the statistical data creation unit 130 is provided, it is possible to quickly grasp the labor required for preparing the lawsuit.

  According to the forensic system 1, the digital information acquisition unit 20 further collects differences in digital information when acquiring digital document information and folder information created after the date and time previously measured by the timing unit 140. It is possible to reduce the load of repeatedly acquiring the same digital information from a server or the like every time. According to the forensic system 1, when a plurality of incidental information setting units are provided, the incidental information setting unit 70 can set incidental information by different operators, so that it is evidence for the court. It is possible to perform preparatory work at an early stage by determining whether or not to determine by a plurality of persons.

  As mentioned above, although it demonstrated using embodiment in this invention, the technical scope of this invention is not limited to the range as described in the said embodiment. It is obvious that various modifications or improvements can be added to the above embodiment. It is apparent from the scope of the claims that the embodiments added with such changes or improvements can be included in the technical scope of the present invention.

  In addition, the forensic system 1 of the first embodiment and the second embodiment can be configured by combining the entire system or each processing unit.

Claims (12)

In a forensic system that acquires digital information recorded in a plurality of computers or servers and analyzes the acquired digital information,
A digital information acquisition unit for acquiring digital information including digital document information composed of a plurality of document files and user information relating to a user who uses the plurality of computers or servers;
A recording unit for recording the digital information acquired by the digital information acquisition unit;
A display unit for displaying the recorded digital information;
Via the display unit, for each of the plurality of document files, user identification information indicating which of the users included in the user information is related is set, and the set A user identification information setting unit configured to record the user identification information recorded in the storage unit;
A user designating unit for designating at least one user via the display unit;
A search unit for searching for a document file in which user identification information corresponding to the specified user is set;
A control unit having a highlight display function of words searched by the search unit;
A management unit with an access right control function that enables setting of various rights for each account of the viewer;
A forensic system comprising an output unit for outputting a document file related to a lawsuit.   2. The forensic according to claim 1, wherein the user specifying information setting unit sets user specifying information indicating that a plurality of users are related to the document file. system.   The user information setting unit ranks the document file so that the plurality of users are related to each other and the degree of the degree related to the relative lawsuit of each of the plurality of users. The forensic system according to claim 2, wherein the information can be set as user-specific information. The user designating unit further designates a ranking of the ranking information;
The forensic system according to claim 3, wherein the search unit searches for a document file in which user specifying information corresponding to the user having the specified order is set. The digital information acquisition unit acquires second digital information including second digital document information and second user information recorded in a second server different from the server,
5. The forensic system according to claim 1, wherein the forensic system searches not only the digital document information but also a plurality of document files constituting the second digital document information. 6. The forensic system further comprises:
A text information extraction unit that extracts text information for each of the plurality of document files from the recorded digital document information;
A keyword specification part for specifying a keyword,
6. The forensic system according to claim 1, wherein the search unit searches for a document file including the designated keyword based on the extracted text information. The forensic system further comprises:
A data conversion unit for converting a document file of digital document information recorded by the recording unit into a predetermined data format;
7. The document file converted by the data conversion unit is processed in the same format as the converted data format before being output by the output unit. The forensic system described. The forensic system further comprises:
A statistical data creation unit that creates statistical data represented by a data capacity for each data format of the acquired digital document information or a statistical data represented by a data capacity for each data format of the retrieved digital document information The forensic system according to claim 1, wherein The forensic system further comprises:
When digital information is acquired again, it is provided with a timekeeping unit that measures the date and time of acquisition, and the digital information further includes folder information for storing digital document information,
The digital information acquisition unit acquires digital document information and folder information created after the date and time previously measured by the timing unit, and acquires user information related to the acquired digital document information 9. The forensic system according to claim 1, wherein the forensic system is one.   The management unit has a function that enables writing in the document without changing the information body of the digital document, a function that collectively displays mail threads, and a function that highlights only a difference portion of similar documents. The forensic system according to claim 1, wherein the forensic system has any one of them.   The forensic system according to claim 1, wherein the output unit is a printer or a digital document file creation device. In a forensic program for acquiring digital information recorded in a plurality of computers or servers and analyzing the acquired digital information,
Computer
A function of acquiring digital information including digital document information composed of a plurality of document files and user information relating to a user who uses the plurality of computers or servers;
A function of recording the digital information acquired by the digital information acquisition unit;
A function of displaying the recorded digital information;
For each of the plurality of document files, user identification information indicating which of the users included in the user information is related is set, and the set user identification information is A function of setting to record in the storage unit;
The ability to specify at least one user,
A function for searching a document file in which user identification information corresponding to the designated user is set;
The ability to highlight searched terms,
A function to control access rights that allows setting of various rights for each viewer account,
A forensic program that realizes a function of outputting a document file related to a lawsuit.

Images