Associating network and storage activities for forensic analysis
US8683592B1 · kind B1 · utility
Assignee
Inventors
Key dates
| Filing date | Dec 30, 2011 |
| Grant date | Mar 25, 2014 |
| Priority date | — |
| Expiry date | Mar 28, 2032 |
Classification
- Technology area (CPC G): Physics
- CPC primary: G06F2221/2151
- WIPO field: Digital communication
- WIPO sector: Electrical engineering
Abstract
An improved technique for performing forensic investigations in an electronic system includes capturing and associating multiple streams of information. The streams include a network stream and a storage stream. The network stream includes a record of network activities. The storage stream includes a record of storage activities. In some examples, the storage stream includes both disk activities and memory activities, including both reads and writes. Records of the captured streams are stored in a data storage array and are associated by applying a common timing reference to the records. A comprehensive history is thus obtained, with both network and storage activities coordinated in time, to enable examination and tracing of suspect or malicious occurrences across network and storage domains. The improved technique can be used in both physical and virtual computing environments and affords particular advantages in virtual and cloud environments where forensic analysis has proven to be difficult.
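The association step described in the abstract, as an added example that is not code from the patent: two constructed streams stamped by different capture clocks are brought onto one reference clock (the skew values and sample records are assumptions) and merged into a single timeline, so storage activity can be read against the network activity that preceded it.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

@dataclass(frozen=True)
class Event:
    t: datetime      # time on the common reference clock
    stream: str      # "network" or "storage"
    detail: str

def _ts(s: str) -> datetime:
    return datetime.fromisoformat(s).replace(tzinfo=timezone.utc)

# Constructed sample records. Each capture source stamps with its own clock: the
# packet capture clock is assumed to run 2.5 s ahead of the reference, while the
# storage tracer is assumed to use the reference clock directly.
NET_SKEW = timedelta(seconds=2.5)
STORAGE_SKEW = timedelta(0)
RAW_NETWORK = [
    (_ts("2024-01-01T12:00:02.500"), "inbound TCP 10.0.0.5:44321 -> 10.0.0.9:445"),
    (_ts("2024-01-01T12:00:12.500"), "outbound TCP 10.0.0.9:51002 -> 203.0.113.7:443"),
]
RAW_STORAGE = [
    (_ts("2024-01-01T12:00:00.400"), "disk write /var/tmp/a.bin 4096B"),
    (_ts("2024-01-01T12:00:10.800"), "memory read pid 4120 0x7f3a1000 256B"),
    (_ts("2024-01-01T12:00:40.000"), "disk read /etc/hosts 512B"),
]

def to_reference(raw, stream, skew):
    """Apply the common timing reference by subtracting the source's clock skew."""
    return [Event(t - skew, stream, d) for t, d in raw]

def unified_timeline(net_raw=RAW_NETWORK, sto_raw=RAW_STORAGE, correct_skew=True):
    """Merge both streams into one time-ordered history on the reference clock."""
    ns, ss = (NET_SKEW, STORAGE_SKEW) if correct_skew else (timedelta(0), timedelta(0))
    events = to_reference(net_raw, "network", ns) + to_reference(sto_raw, "storage", ss)
    return sorted(events, key=lambda e: e.t)

def storage_after_network(timeline, window_s=1.0):
    """Map each network event to the storage events that follow it within window_s seconds."""
    window = timedelta(seconds=window_s)
    result = {}
    for net in (e for e in timeline if e.stream == "network"):
        result[net.detail] = [s.detail for s in timeline
                              if s.stream == "storage" and net.t <= s.t <= net.t + window]
    return result

if __name__ == "__main__":
    for e in unified_timeline():
        print(e.t.time(), e.stream, e.detail)
    print(storage_after_network(unified_timeline()))
```

Running with `correct_skew=False` shows why the common reference matters: the uncorrected capture clock places the disk write before the inbound connection, inverting the apparent order of events.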
Source: USPTO / EPO open patent data. Objective bibliographic and citation counts.