JP5087169B2 - Forensic system, forensic method, and forensic program - Google Patents

Description

The present invention relates to a forensic system, a forensic method, and a forensic program, and more particularly, to a forensic system, a forensic method, and a forensic program for collecting digital document information related to a lawsuit.

Conventionally, when a computer crime or legal dispute such as forensic unauthorized access or leakage of confidential information occurs, the equipment, data, and electronic records necessary for investigating the cause and investigation are collected and analyzed. Means and techniques to clarify this have been proposed.

In particular, US civil lawsuits require eDiscovery (eDiscovery), etc. Since both plaintiffs and defendants in such lawsuits are responsible for submitting all relevant digital information as evidence, The recorded digital information must be submitted as evidence.

On the other hand, with the rapid development and spread of IT, since most information is created by computers in today's business world, a lot of digital information is flooded even within the same company.

Therefore, in the process of preparing for submission of evidence to the court, it is easy to make mistakes that include confidential digital information not necessarily related to the lawsuit as evidence, and confidential digital information not related to the lawsuit. It became a problem to submit.

In recent years, technologies relating to forensic systems have been proposed in Patent Literature 1 and Patent Literature 2. Patent Document 1 discloses a forensic system in which a fraudulent person can be efficiently identified by a method capable of proving evidence retention, and the specific reliability is hardly affected by human factors.

Patent Document 2 discloses a forensic information insurance system that pays insurance money for damages caused by leakage of personal information, and includes forensics that perform subsequent actions such as identification of criminals and legal measures. A system is disclosed.

JP 2006-178521 A

JP 2007-148731 A

However, for example, in forensic systems such as Patent Document 1 and Patent Document 2, when collecting digital document information related to a specific person, the digital document information that the person can access is specified, Although all the information can be collected, the wider the access right setting of the person, the more information is collected as a result.

In addition, when collecting all the information for which the access right is set for the person, if the person has a higher position in the organization, the access right tends to be widely set. In fact, a large amount of electronic documents unrelated to the lawsuits that the person has never viewed will be collected.

Therefore, there is a problem that it takes a lot of labor and cost to analyze and confirm only the documents related to the person from the huge amount of information collected.

Therefore, in view of the above circumstances, the present invention does not analyze all digital information that a person involved in a lawsuit has access to, but a forensic system and a forensic method that analyze digital information accessed by the person concerned An object of the present invention is to provide a forensic program.

The forensic system of the present invention is a forensic system that acquires digital information recorded in a plurality of computers or servers, and analyzes the acquired digital information. The digital document information composed of a plurality of document files and the plurality of computers Alternatively, a digital information acquisition unit that acquires digital information including user information regarding a user who uses the server and access history information indicating that the user has accessed a document file recorded on the server, and a digital information acquisition unit A specific unit is designated from at least one user included in the user information via the recording unit that records the digital information acquired by the display unit, the display unit that displays the recorded digital information, and the display unit. Specified person to be specified and access history information related to the specified person Based on the digital document information extraction unit that extracts only the digital document information accessed by a specific person, and whether the document file of the digital document information extracted via the display unit is related to a lawsuit. And a supplementary information setting unit for setting supplementary information indicating the above, and an output unit for outputting a document file related to a lawsuit based on the supplementary information.

“Access history information” indicates that a user using one of a plurality of computers has accessed digital document information recorded on a server. For example, it includes a user ID indicating who the user is and access information indicating which digital document information the user has accessed at which time.

The “digital information acquisition unit” acquires digital information recorded in a plurality of computers or servers. For example, the digital information acquisition unit stores digital information recorded in the computer or server on an electronic medium. Copy and copy to the forensic system via the electronic medium, or connect the computer or server to the forensic system via a network line, and transfer the digital information recorded on the computer or server to the forensic system. Conserve and collect digital information by copying it. The “digital information acquisition unit” includes a second digital document information, a second user information, and a second access history information recorded on a second server different from the server. The forensic system according to the present invention can acquire not only the digital information but also the second digital information. The forensic system according to the present invention can obtain the digital information based on the second access history information. Second digital document information may be extracted.

The forensic system of the present invention is further based on a text information extracting unit that extracts text information for each of a plurality of document files from a recorded digital document information, a keyword specifying unit that specifies a keyword, and the extracted text information. A search unit that searches for a document file including the specified keyword, and the supplementary information setting unit sets supplementary information for the searched document file. .

The forensic system of the present invention further includes a data conversion unit for converting a document file of digital document information recorded by the recording unit into a predetermined data format, and the document file converted by the data conversion unit is output by the output unit. Until the processing is performed, the processing may be performed in the same manner as the converted data format.

The forensic system of the present invention further creates statistical data expressed from the data capacity for each data format of the acquired digital document information or statistical data expressed from the data capacity for each data format of the retrieved digital document information. A statistical data creation unit may be provided.

The forensic system of the present invention further includes a timekeeping unit that measures the date and time when digital information is acquired again, and the digital information further includes folder information for storing digital document information. The information acquisition unit acquires digital document information and folder information created after the date and time previously measured by the timing unit, and user information and access related to the acquired digital document information and folder information History information may be acquired.

The “server” is one or more servers, and may be constituted by a plurality of servers, for example. Further, for example, the “server” may be any one of two or more of a mail server, a file server, and a document management server.

The forensic system of the present invention is composed of a plurality of forensic system servers, wherein the digital information extraction unit and the search unit are each separated into the forensic system server, and further separated. The forensic system server may be connected via a network.

The forensic system of the present invention includes a plurality of incidental information setting units, and is characterized in that incidental information can be set by different operators.

“Display unit” refers to a display or the like that can display digital information. “Displaying recorded digital information” may display all user information, digital document information, and access history information, or may display at least one of these pieces of information. Then, at least one of the attribute information of the information (for example, the user's name, the file name of the document file, the person who accessed it, the time, the document file, etc.) may be displayed.

The “output unit” outputs digital document information as some kind of production, and may be any one of a printer and a digital document file creation device, for example.

The forensic method of the present invention is a forensic method for acquiring digital information recorded in a plurality of computers or servers, and analyzing the acquired digital information. Acquiring digital information including user information relating to a user who uses the computer or server, and access history information indicating that the user has accessed a document file recorded on the server; and the acquired digital information A step of displaying the recorded digital information, a step of specifying a specific person from the users included in the user information, and access history information regarding the specified specific person, Extracting only digital document information accessed by a specific person; A step of setting incidental information indicating whether each of the extracted digital document information document files is related to a lawsuit, and outputting a document file related to a lawsuit based on the incidental information. To do.

The forensic program of the present invention is a forensic program for acquiring digital information recorded in a plurality of computers or servers, and analyzing the acquired digital information. A digitally acquired function for acquiring digital information including user information relating to a user who uses a plurality of computers or servers and access history information indicating that the user has accessed a document file recorded on the server Based on the function to record information, the function to display the recorded digital information and the function to specify a specific person from the users included in the user information, and the access history information about the specified specific person, Function to extract only digital document information accessed by a specific person A function for setting incidental information indicating whether each extracted document file of digital document information is related to a lawsuit, and a function for outputting a document file related to a lawsuit based on the supplementary information. It is what is realized.

It should be noted that the above summary of the invention does not enumerate all the necessary features of the present invention. In addition, a sub-combination of these feature groups can also be an invention.

According to the forensic system, the forensic method, and the forensic program of the present invention, a specific person is specified, and only digital document information accessed by the specific person is extracted based on the access history information regarding the specified specific person. By setting incidental information indicating whether each extracted document file of digital document information is related to a lawsuit, and outputting a document file related to a lawsuit based on the incidental information, It is possible to extract, analyze and confirm only the digital document information accessed by a specific person without checking all the digital document information within the range of access rights that the specific person has. .

Thereby, only the digital document information related to a specific person can be extracted from the flooded digital document information, and the work load for preparing the evidence material for the lawsuit can be reduced.

According to the forensic system, the forensic method, and the forensic program of the present invention, the second digital information recorded in the second server can be used, and based on the second access history information, the second digital information can be used. When extracting the digital document information, the digital document information recorded on the second server is only accessed by a specific person without checking all the digital information recorded on the plurality of servers. Allows to extract, analyze and confirm.

According to the forensic system, the forensic method, and the forensic program of the present invention, the forensic system, the forensic method, and the forensic program further include a text information extraction unit, a keyword designating unit, and a search unit. When setting the information, only the digital document information recorded on the server that has been accessed by a specific person, and a predetermined search narrows down the population of digital document information that may be related to lawsuits. It becomes possible.

According to the forensic system, the forensic method, and the forensic program of the present invention, the document file converted by the data conversion unit is processed in the same format as the converted data until it is output by the output unit. In addition, it is possible to reduce useless processes of data format conversion in the middle of the processing flow, and to eliminate the risk of quality deterioration of digital document information.

According to the forensic system, the forensic method, and the forensic program of the present invention, when the statistical data creation unit is further provided, the statistical data can be visualized and provided to the operator, so that the effort required for preparing the lawsuit can be quickly grasped. Can do.

According to the forensic system, the forensic method, and the forensic program of the present invention, the digital information acquisition unit further acquires digital document information and folder information created after the date and time previously measured by the timing unit, When acquiring user information and access history information related to the acquired digital document information and folder information, it is possible to collect the difference of the digital information and load the same digital information from the server or the like every time. Can be reduced.

According to the forensic system, the forensic method, and the forensic program of the present invention, when each of the digital information extraction unit and the search unit is separated into a forensic system server, the calculation process of each processing unit is performed by each server. The processing capability of the entire system can be improved by distributing.

According to the forensic system, the forensic method, and the forensic program of the present invention, when the auxiliary information setting unit includes a plurality of auxiliary information setting units, the auxiliary information setting unit can set the auxiliary information by different operators. It is possible to perform preparatory work at an early stage by determining whether or not it is evidence material for multiple persons.

1 is a functional block diagram illustrating a configuration of a forensic system according to a first embodiment of the present invention. The figure showing the flow of the forensic system service of this invention The figure showing the processing flow of the forensic system of this invention The functional block diagram showing the structure of the forensic system in the 2nd Embodiment of this invention

DESCRIPTION OF SYMBOLS 1 Forensic system 2-5 PC10 Server 20 Digital information acquisition part 30 Recording part 40 Display part 45 Display control part 50 Specific person designation | designated part 60 Digital document information extraction part 70 Additional information setting part 80 Text information acquisition part 90 Keyword designation part 100 Search Unit 110 Data conversion unit 120 Output unit 130 Statistical data creation unit 140 Timekeeping unit 150 CPU 160 Control unit

Hereinafter, embodiments of the present invention will be described with reference to the drawings.

FIG. 1 is a functional block diagram showing a configuration of a forensic system 1 according to an embodiment of the present invention.

A forensic system 1 shown in FIG. 1 includes a plurality of document files in the forensic system 1 that acquires digital information recorded in a plurality of computers (PCs 2 to 5) and a server 10 and analyzes the acquired digital information. Digital document information, user information regarding users who use a plurality of computers (PCs 2 to 5) or the server 10, and access history information indicating that the user has accessed a document file recorded on the server 10; A digital information acquisition unit 20 that acquires digital information including a recording unit 30 that records the digital information acquired by the digital information acquisition unit 20, a display unit 40 that displays the recorded digital information, and a display unit 40. Specify a specific person from the users included in the user information 50, a digital document information extracting unit 60 that extracts only digital document information accessed by a specific person based on access history information about the specified specific person, and a digital document extracted via the display unit 40 An incidental information setting unit 60 for setting incidental information indicating whether each information document file is related to a lawsuit, and an output unit 120 for outputting a document file related to a lawsuit based on the incidental information. It is provided.

The control unit 160 includes a display control unit 45, a digital document information extraction unit 60, a text information acquisition unit 80, a management unit 85, a search unit 100, a data conversion unit 110, a statistical data creation unit 130, a clock unit 140, and a CPU 150. It is.

In addition, the forensic system 1 includes a data input device such as a touch panel when the keyboard, mouse, or display unit 40 has a touch panel function. As this data input device, a specific person specifying unit 50, an accompanying information setting unit 70, and a keyword specifying unit There are 90.

The specific person specifying unit 50, the incidental information setting unit 70, and the keyword specifying unit 90 may be different data input devices or the same data input device.

The output unit 70 is a recording device or a printer that records data on an electronic medium.

The configuration of the forensic system 1 as shown in FIG. 1 is realized by calculating and executing a forensic program read into an auxiliary storage device (not shown) by the CPU 150 on a computer. At this time, the forensic program is stored in a storage medium such as a CD-ROM or distributed via a network such as the Internet and installed in a computer.

Hereinafter, in the first embodiment of the present invention, the forensic system 1 will be described as a personal computer. However, the forensic system 1 may be a server, a portable terminal type computer, or the like, and will be described in a second embodiment to be described later. It may be a network type system configuration.

The digital information acquisition unit 20 acquires digital information recorded in the PCs 2 to 5 or the server 10 used by the user.

For example, the digital information acquisition unit 20 copies the digital information recorded in the PCs 2 to 5 or the server 10 to a certain electronic medium (for example, USB, CD, DVD, etc.), and digitally transmits the digital information to the forensic system via the electronic medium. Have the information copied.

Further, when the PCs 2 to 5 or the server 10 and the forensic system 1 are connected via a network line, the digital information acquisition unit 20 stores the digital information recorded in the PCs 2 to 5 or the server 10 via the network. By receiving the transmission, the digital information is collected and collected.

The digital information acquisition unit 20 includes second digital document information, second user information, and second access history information recorded in a server (referred to as a second server) different from the server 10. Second digital information may be acquired.

In this case, the forensic system 1 can use not only the digital information of the server 10 but also the second digital information recorded in the second server, and based on the second access history information, The second digital document information may be extracted.

The forensic system 1 further includes a text information extracting unit 80 that extracts text information for each of a plurality of document files from a recorded digital document information, a keyword specifying unit 90 that specifies a keyword, and the extracted text information. And a search unit 100 for searching for a document file including a designated keyword.

The supplementary information setting unit 70 sets supplementary information for the document file searched by the search unit 100.

The forensic system 1 further includes a data conversion unit 110 that converts a document file of digital document information recorded by the recording unit 30 into a predetermined data format. The document file converted by the data conversion unit 110 is output by the output unit 120. In this case, the data is processed in the same manner as the converted data format until it is output by.

The forensic system 1 further receives statistical data represented by the data capacity of each acquired digital document information data format, and statistical data represented by the data capacity of each digital document information data format retrieved by the retrieval unit 100. It is provided with 130 parts of statistical data creation to be created.

The forensic system 1 further includes a timer 140 that measures the date and time when digital information is acquired again, and the digital information further includes folder information for storing digital document information. The acquisition unit 20 acquires only digital document information and folder information created after the date and time previously measured by the timing unit 140, and user information related to the acquired digital document information and folder information and Get access history information only.

The digital information may include digital document information, user information and access history information, and folder information for storing the digital document information.

The timer unit 140 calculates the date and time when the digital information acquisition unit 20 acquires digital information.

The display unit 40 displays the display content according to an instruction from the display control unit 45 configured in the control unit 160.

When the digital information acquisition unit 20 acquires digital information at the nth time (n = 2, 3,...), The digital information acquisition unit 20 indicates the date and time counted by the time measuring unit 140 at the time when the digital information was acquired at the (n−1) th time. From the information, only the digital document information and folder information created in the PCs 2 to 5 or the server 10 after that date / time information are acquired. At this time, user information and access history information related to the acquired digital document information and folder information may be further acquired. The server 10 is a single server or more, and may be constituted by a plurality of servers, for example, or may be at least any two or more of a mail server, a file server, and a document management server.

The forensic system 1 may be one that can be used simultaneously by a plurality of operators.

The incidental information setting unit 70 may be configured by a plurality of data input devices, and a plurality of display units 40 corresponding to the plurality of incidental information setting units 70 may be prepared.

A plurality of operators can set the supplementary information via the plurality of supplementary information setting units 70 while simultaneously confirming the digital document information.

The output unit 120 outputs digital document information as some kind of production, and may be, for example, a printer or a recording device that records digital information on an electronic medium.

Hereinafter, a procedure for performing preparation work for submitting evidence materials to the court of the forensic system 1 will be briefly described with reference to the service flow of FIG.

First, in the event of a computer crime or legal dispute, such as forensic unauthorized access or leakage of confidential information, we collect and analyze the equipment, data, and electronic records necessary for investigating the cause and investigating the legal evidence. It is necessary to clarify.

In particular, US civil lawsuits require eDiscovery (eDiscovery), etc. Since both plaintiffs and defendants in such lawsuits are responsible for submitting all relevant digital information as evidence, The recorded digital information must be submitted as evidence.

Therefore, the forensic system 1 selects and collects digital information related to the lawsuit and preserves and collects the digital information recorded in the PCs 2 to 5 and the server 10 in order to prepare for submission of evidence to the court (Preservation). To do.

Thereafter, the forensic system 1 registers the collected and collected digital information in a database such as the recording unit 30, analyzes the digital information (Analysis), and subdivides it by keyword search and filter processing.

The recording unit 30 may be included in the computer of the forensic system 1 or may be stored in a server as a separate body from the computer.

The forensic system 1 reviews the subdivided digital information on the display unit 40, and the operator sets incidental information for the digital document information via the incidental information setting unit 70.

The control unit 160 has a maintenance collection analysis function, a process analysis search function, a Review function, and a Production function.

For example, the maintenance collection / analysis function of the control unit 160 is a case management function (function of the management unit 85) so that data management can be performed for each case, and analysis of the file type and possession amount for each target person / evidence. File analysis function (function of search unit 100) capable of analyzing search target files, file type selection extraction function (function of digital document information extraction unit 60) capable of selecting file types to be searched and viewed And a maintenance collection function (data conversion unit 110) that enables maintenance collection of the selected file as a separate file. The processing analysis search function of the control unit 160 has a full-text search function and a frequently used phrase top extraction function (function of the search unit 100). This full-text search function corresponds to multiple languages, enables AND OR NOT search by Boolean operation, enables search using parentheses by Grouping operation, highlights the searched phrase, and functions to make Meta Data Etc. In addition, the full text search function has an advanced search function, and can perform neighborhood search, regular expression search, and the like. The frequently used phrase top extracting function extracts a frequently used phrase within a certain digital document information.

Further, the Review function of the control unit 160 is set with, for example, an E-mail Family browsing processing function (a function of the search unit 100) that can browse the E-mail Family collectively, or one evaluation or a plurality of evaluations as supplementary information. A free design Tag function (function of the search unit 100) that can be searched on the basis of the evaluation, a free design BookMark function (function of the search unit 100) that enables the search of a MarkMark that has been set with a hierarchical BookMark, and an arbitrary number of characters A free input comment field (function of the management unit 85) provided with an inputable comment field, a simultaneous browsing function for a plurality of operators to confirm digital document information, and a case for each viewer account when performing a ReView Each access right, administrator authority, view-only authority, etc. can be set Access right control function (function of the management unit 85), in-document write Memo function (function of the management unit 85) that enables writing in the document without changing the body of the digital document information, the number of review completed documents ( %) Case Management function (function of the management unit 85) that enables display, E-mail Threading function (function of the management unit 85) that collectively displays E-mail threads (reply, transfer, etc.), and graphical exchange of mail E-mail analysis display function (statistical data creation unit 130 function), similar document display function (function of management unit 85) that automatically classifies and displays similar documents such as Draft, old version, etc., difference between similar documents Similar document difference highlighting function that highlights only (function of management unit 85), search hit phrase The search hit part text display function (the function of the search unit 100) for displaying only the peripheral part of the search hit part.

Also, the Production function of the control unit 160 is a function for outputting various XML files such as actual files, meta information, and tag information, CSV output, image output, and various load file outputs (by the instruction from the management unit 85, the output unit 120 And a Batch Printing function (a function that can be output by the output unit 120 according to an instruction from the management unit 85) for printing a plurality of selected digital document information.

Finally, the forensic system 1 performs production so that the output unit 120 generates data on the electronic medium. For example, the data is recorded on the electronic medium in a predetermined format by a recording device that records the data on the electronic medium.

Next, with reference to the flowchart of FIG. 3, a procedure for performing preparation work for submitting evidence materials to the court of the forensic system 1 will be described in detail.

First, the digital information acquisition unit 20 uses, for example, digital document information formed of a document file in a general format such as Word format, PDF format, PPT format, Excel format, and usage related to a user who uses the PC 2 to 5 or the server 10. Digital information including user information and access history information indicating that the user has accessed the document file recorded on the server is acquired (ST1).

As shown in FIG. 1, the access history information indicates that the users using the PCs 2 to 5 have accessed the digital document information recorded in the server 10 via the network. For example, a user ID indicating who the user is and access information indicating which digital document information the user has accessed at which time.

The PCs 2 to 5 used by the user are described as four as an example, but are not limited to four, and may be a plurality of PCs.

Next, the digital information acquisition unit 20 records the acquired digital information in the recording unit 30 (ST2). The display unit 40 can display digital information (refers to at least one of digital document information, access history information, user information, information indicating only the title of the digital information, and the like) via the control unit 160 (see FIG. ST3).

For example, the display unit 40 may display all user information, digital document information, and access history information in response to an instruction from the display control unit 45, or display at least one of these pieces of information. Alternatively, at least one of the attribute information of the information (for example, the user's name, the file name of the document file, the person who accessed it, the time, the document file, etc.) may be displayed.

For example, the operator logs in the forensic system 1 while confirming the screen of the display unit 40, and further creates Case (unit of the highest data group in the database of the forensic system 1). Further, the operator sets and manages a connection destination of a server or the like corresponding to the recording unit 30 in which the digital information is recorded while checking the screen of the display unit 40 (in this case, there are a plurality of recording units 30). . Further, the operator sets and manages the Customian (data holding target person) while checking the screen of the display unit 40. While checking the screen of the display unit 40, the operator creates and manages the status (the middle data group unit of the database of the forensic system 1) composed of the digital document information collected and maintained. Next, while confirming the screen of the display unit 40, the operator relates the Customian to the collected information and the collected target.

For example, while confirming the display unit 40, the operator may preset which Customian is related to the lawsuit for a plurality of targets composed of digital document information acquired from the PCs 2 to 5 or the server. .

Finally, the operator selects plural or single targets to be analyzed while checking the screen of the display unit 40.

As described above, the control unit 160 can acquire the digital information recorded in the recording unit 30 and analyze the digital information by various functional units.

The forensic system 1 includes statistical data represented by the data capacity for each data format of the digital document information recorded in the recording unit 30 or statistical data represented by the data capacity for each data format of the digital document information retrieved by the retrieval unit 100. A statistical data creation unit 130 for creating data is provided.

For example, while confirming the screen of the display unit 40, the operator selects a given subject to be analyzed and a predetermined path (directory) from the target associated with the subject, and obtains the analysis result of the number of files and the capacity of each customian. A list can be displayed. The operator can display a list of the analysis results of the number of files and the capacity for each Path as a chart while checking the screen of the display unit 40. Further, the operator can display a list of analysis results of the number of files and the capacity for each Path (directory) while checking the screen of the display unit 40. The operator can display a list of the analysis results of the number of files and the capacity for each file type as a chart while checking the screen of the display unit 40. Further, the operator can display a list of the analysis results of the number of files and the capacity for each file type while checking the screen of the display unit 40.

The operator can display a list of the analysis results of the number of files and the capacity for each file type as a chart while checking the screen of the display unit 40. Furthermore, the operator can display a list of the analysis results of the number of files and the capacity for each file type as a chart while checking the screen of the display unit 40 only for files that can be searched for text. This text searchable file is performed by the text information acquisition unit 80 on the text information that can be extracted from the digital document information recorded in the recording unit 30 in advance.

Next, the operator designates a specific person (Customian) from the users included in the user information of the digital information recorded in the recording unit 30 by the specific person specifying unit 50 (ST4).

The operator selects Case, Customian, or Target while checking the screen of the display unit 40.

When reviewing (confirming) digital document information for which access rights have been set for the Canadian, the higher the person's position in the organization, the more often access rights are set. A large amount of documents unrelated to the lawsuit that the person has never viewed will be collected, and analysis is performed in order to find only the documents related to the person from the enormous amount of information collected. That takes a lot of labor and expense.

Therefore, the digital document information extraction unit 60 can extract only the digital document information accessed by the specific person based on the access history information related to the specified specific person (Custodian) (ST5). .

For example, when the operator designates Mr. Ko who is a customian, only the document file accessed by Mr. Ko is extracted from the digital document information in the selected Target. By using the access history information, it is possible to extract a document file that Mr. Ko actually accessed (for example, viewed, edited, created). The access history information indicates that a user using one of a plurality of computers has accessed the digital document information recorded on the server. For example, it includes a user ID indicating who the user is and access information indicating which digital document information the user has accessed at which time. The correspondence between the ID of Mr. Ko and the document file accessed by Mr. Ko is obtained by previously recording ID information and access history information when using his computer or server. Thus, extraction becomes possible.

Although Mr. Ko has been described as an example, when a plurality of Customians such as Mr. Otsu are designated in addition to Mr. Ko, the digital document information extraction unit 60 can extract document files related to a plurality of Customians.

In addition, as described above, when the operator has set the relationship between Target and Customian, it is determined that it is related as Customian in units of Target, and the specific person designation unit is actually included in the selected Target. Only the document file accessed by the Customian designated by 50 is extracted.

Further, the operator can perform a search while confirming the screen of the display unit 40 by the function of the search unit 100. Further, the operator can perform simple browsing while confirming the screen of the display unit 40 by the function of the display control unit 45. The operator can grasp the contents of the digital document information by this simple browsing.

The operator sets incidental information indicating whether each document file of the extracted digital document information is related to a lawsuit (ST6).

Specifically, if it is information related to a lawsuit, “Hot” is set, “Responsive” is set for those that may be related, and “Not Responsive” is set for those that are not related, and tags ( Accompanying information) is added. Specifically, a tag can be input by clicking a file line in the Batch list.

Then, the operator instructs the output unit 120 to output a document file related to the lawsuit based on the incidental information. For example, only the document file assigned with “Hot” may be output, or the document file assigned with “Hot” and “Responsive” may be output.

The output unit 120 outputs a document file related to the lawsuit based on the incidental information (ST7).

The forensic system 1 is composed of a plurality of forensic system servers, wherein the digital information extraction unit and the search unit are separated into the forensic system server, and further separated. The forensic system may be connected via a network.

The second embodiment will be described with reference to FIG.

The forensic system 1 may have a network type system configuration as shown in FIG. The forensic system 1 of the second embodiment is the same as each processing unit of the forensic system 1 described in the first embodiment, but the respective processing units are distributed and arranged in a plurality of servers. The servers are connected via a network. For this reason, the servers may be distributed in the country, or the servers may be distributed in any country.

The display unit 40 is provided in each of the client PCs 170 to 172. The display response can be improved by collecting the data transmission / reception in a virtual client server in a batch between the plurality of client PCs and the UI server.

In this way, the forensic system 1 may be configured by a computer as in the first embodiment, or the forensic system 1 may be configured by a network type system as in the second embodiment.

Further, according to the forensic system 1, the specific person specifying unit 50, the incidental information setting unit 70, and the keyword specifying unit 90 correspond to data input devices provided in the respective client PCs 170 to 172.

The forensic system 1 specifies a specific person, classifies only the digital document information accessed by the specific person based on the access history information about the specified specific person, extracts the divided digital document information, By setting incidental information indicating whether each extracted document file of digital document information is related to a lawsuit, and outputting a document file related to a lawsuit based on the incidental information, It is possible to extract and analyze only the digital document information accessed by the specific person without confirming all the digital document information within the range of the access authority that the specific person has.

Thereby, only the digital document information related to a specific person can be extracted from the flooded digital document information, and the work load for preparing the evidence material for the lawsuit can be reduced.

The forensic system 1 can use the second digital information recorded in the second server. When the second digital document information is extracted based on the second access history information, a plurality of forensic systems 1 can be used. It is possible to extract, analyze and confirm only the digital document information recorded on the second server that has been accessed by a specific person without checking all the digital information recorded on the server. To.

According to the forensic system 1, the text information extracting unit 80 and the search unit 100 are provided. When the supplementary information setting unit 70 sets supplementary information for the retrieved document file, the digital information recorded on the server is recorded. It is possible to narrow down a population of digital document information that may be related to a lawsuit by a predetermined search, which is only document information accessed by a specific person.

According to the forensic system 1, the document file converted by the data conversion unit 110 is processed in the middle of the processing flow when it is processed in the same format as the converted data format until it is output by the output unit 120. This eliminates the wasteful process of data format conversion and eliminates the risk of quality degradation of digital document information.

According to the forensic system 1, since the statistical data can be visualized and provided to the operator when the statistical data creation unit 130 is provided, it is possible to quickly grasp the labor required for preparing the lawsuit.

According to the forensic system, the forensic method, and the forensic program of the present invention, the digital information acquisition unit further acquires only digital document information and folder information created after the date and time previously measured by the timing unit, When acquiring only user information and access history information related to the acquired digital document information and folder information, it is possible to collect the difference of the digital information and load the same digital information repeatedly from the server or the like every time Can be reduced.

According to the forensic system 1, when each of the digital information extraction unit 60 and the search unit 100 is separated into a forensic system server, the calculation process of each processing unit is distributed by each server, The processing capacity of the entire system can be improved.

According to the forensic system 1, when a plurality of operators can be used at the same time, the incidental information setting unit 70 can set incidental information by different operators. It is possible to perform preparatory work at an early stage by determining whether such a determination is made by a plurality of persons.

As mentioned above, although this invention was demonstrated using embodiment, the technical scope of this invention is not limited to the range as described in the said embodiment. It is apparent that various changes or improvements can be added to the above embodiment. It is apparent from the scope of the claims that the embodiments added with such changes or improvements can be included in the technical scope of the present invention.

In addition, the forensic system 1 of the first embodiment and the second embodiment can be configured by combining the entire system or each processing unit.

Claims (8)

In a forensic system that acquires digital information recorded in a plurality of computers or servers and analyzes the acquired digital information,
Digital document information composed of a plurality of document files, user information relating to a user who uses the plurality of computers or servers, and an access history indicating that the user has accessed a document file recorded on the server A digital information acquisition unit that acquires digital information including information;
A recording unit for recording the digital information acquired by the digital information acquisition unit;
A display unit for displaying the recorded digital information;
A specific person designating unit for designating a specific person from at least one user included in the user information via the display unit;
A digital document information extraction unit that extracts only the digital document information accessed by the specific person based on the access history information regarding the specified specific person;
A control unit having a full-text search function that supports multiple languages;
A forensic system comprising: an output unit that outputs a document file related to a lawsuit from the extracted digital document information. The forensic system further comprises:
The forensic system according to claim 1, further comprising: a management unit having an access right control function capable of setting various authorities for each account of the operator. The forensic system further comprises:
A text information extraction unit that extracts text information for each of the plurality of document files from the recorded digital document information;
A keyword specification part for specifying a keyword;
A search unit that searches for a document file including the specified keyword based on the extracted text information;
The forensic system according to claim 1, further comprising an incidental information setting unit that sets incidental information for the retrieved document file. The control unit further includes:
The forensic system according to any one of claims 1 to 3, further comprising an e-mail family browsing process function capable of browsing e-mail families collectively. The management unit further includes:
The forensic system according to claim 2, further comprising a function for collectively displaying e-mail threads. The management unit further includes:
The forensic system according to claim 2, wherein the forensic system has a function of displaying the number of review completed documents. The management unit further includes:
3. The forensic system according to claim 2, further comprising a similar document display function for automatically classifying and displaying similar documents. In a forensic program for acquiring digital information recorded in a plurality of computers or servers and analyzing the acquired digital information,
On the computer,
Digital document information composed of a plurality of document files, user information relating to a user who uses the plurality of computers or servers, and an access history indicating that the user has accessed a document file recorded on the server and the ability to acquire digital information including the information,
A function of recording the acquired digital information;
A function of displaying the recorded digital information;
A function of designating a specific person from at least one or more users included in the user information;
A function of extracting only digital document information accessed by the specific person based on access history information regarding the specified specific person;
Full-text search function that supports multiple languages,
A forensic program for realizing a function of outputting a document file related to a lawsuit from the extracted digital document information.