Block-level forensics for distributed computing systems

US 10,148,675 B1
Filed: 03/30/2016
Issued: 12/04/2018
Est. Priority Date: 03/30/2016
Status: Active Grant

First Claim

Patent Images

1. A computer-implemented method, comprising:

receiving a request to perform forensic analysis of a logical volume attached to a customer virtual machine instance, the logical volume associated with a customer of a computing resource service provider that implements the logical volume on hardware of the computing resource service provider;

generating an image of the logical volume, where the image is generated by at least deferring writes to the logical volume while data contained in the logical volume is copied;

making the image accessible to a block-level forensics service;

causing the block-level forensics service to perform forensic analysis of the image, wherein the forensic analysis includes;

tracking file modification frequency of one or more files included in a logical volume of another customer;

generating a histogram of the file modification frequency of the one or more files included in the logical volume of the other customer;

extracting timestamps of intrusion detection alert information from the one or more files included in the logical volume of the other customer; and

correlating the histogram with intrusion detection alert information obtained from an intrusion detection system; and

providing a result of forensics analysis of the image in response to the request.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A computing resource service provider may provide customers with a block-level forensics service. Volume images of computing resource associated with customer may be generated and provided to the block-level forensics service. The block-level forensics service or component thereof may generate a volume based at least in part on the volume image and may perform forensics analysis of the volume. A result of the forensic analysis may be provided to the customer.

118 Citations

View as Search Results

19 Claims

1. A computer-implemented method, comprising:
- receiving a request to perform forensic analysis of a logical volume attached to a customer virtual machine instance, the logical volume associated with a customer of a computing resource service provider that implements the logical volume on hardware of the computing resource service provider;
  
  generating an image of the logical volume, where the image is generated by at least deferring writes to the logical volume while data contained in the logical volume is copied;
  
  making the image accessible to a block-level forensics service;
  
  causing the block-level forensics service to perform forensic analysis of the image, wherein the forensic analysis includes;
  
  tracking file modification frequency of one or more files included in a logical volume of another customer;
  
  generating a histogram of the file modification frequency of the one or more files included in the logical volume of the other customer;
  
  extracting timestamps of intrusion detection alert information from the one or more files included in the logical volume of the other customer; and
  
  correlating the histogram with intrusion detection alert information obtained from an intrusion detection system; and
  
  providing a result of forensics analysis of the image in response to the request.
- View Dependent Claims (2, 3, 4, 5, 6)
- - 2. The computer-implemented method of claim 1, wherein the computer-implemented method further comprises:
    - loading the image into a second logical volume attached to a virtual machine, the virtual machine being programmed to obtain forensics information from logical volumes; and
      
      wherein causing the virtual machine to perform forensic analysis further comprises performing forensic analysis of the second logical volume.
  - 3. The computer-implemented method of claim 2, wherein performing forensic analysis of the image further comprises detecting a set of modifications to the logical volume, where the set of modifications were performed over an interval of time, by at least comparing the image to a set of previously generated images associated with the logical volume.
  - 4. The computer-implemented method of claim 1, wherein the computer-implemented method further comprises:
    - determining a portion of the logical volume that has been modified since a last image of the logical volume was generated; and
      
      wherein generating the image of the logical volume further comprises generating the image based at least in part on the portion of the logical volume that has been modified since the last image of the logical volume was generated.
  - 5. The computer-implemented method of claim 1, wherein the forensic analysis further includes determining that files exist in slack space.
  - 6. The computer-implemented method of claim 1, wherein the forensic analysis further includes correlating the histogram with computer processes running against the image.

7. A system, comprising:
- one or more processors; and
  
  memory that includes instructions that, when executed by the one or more processors, cause the system to;
  
  receive a request to perform forensics analysis of a logical volume associated with a customer, the logical volume attached to one or more virtual machines associated with the customer;
  
  obtain access to a volume image of the logical volume associated with the customer, the volume image containing contents and structure of the logical volume;
  
  track file modification frequency of one or more files included in a logical volume of another customer;
  
  create a histogram based at least in part on the image, the histogram including information about the file modification frequency of the one or more files included in the logical volume of the other customer;
  
  extract timestamps of intrusion detection alert information from the one or more files included in the logical volume of the other customer;
  
  correlate the histogram with intrusion detection alert information obtained from an intrusion detection system; and
  
  generate, based at least in part on the histogram, a result of forensics analysis of the volume image in response to the request.
- View Dependent Claims (8, 9, 10, 11, 12, 13)
- - 8. The system of claim 7, wherein the result of forensics analysis indicates potential malicious activity associated with the logical volume.
  - 9. The system of claim 8, wherein the result of forensics analysis further indicates a particular volume image associated with the logical volume where the potential malicious activity occurred, the particular volume image representing a snapshot version of a particular virtual machine of the one or more virtual machines associated with the customer.
  - 10. The system of claim 7, wherein obtaining access to the volume image of the logical volume associated with the customer further comprises obtaining read-only access to the logical volume while the customer maintains read and write access to the logical volume.
  - 11. The system of claim 7, wherein the memory further includes instructions that, when executed by one or more processors of the system, cause the system to correlate the result of forensics analysis of the volume image with information obtained from other sources of security information.
  - 12. The system of claim 11, wherein the information obtained from the other sources of security information further comprises network activity information associated with the logical volume.
  - 13. The system of claim 11, wherein the information obtained from the other sources of security information further comprises application process information associated with the logical volume.

14. A non-transitory computer-readable storage medium having stored thereon executable instructions that, as a result of being executed by one or more processors of a computer system, cause the computer system to at least:
- cause an image of a logical volume attached to one or more virtual machines associated with a customer to be generated, the logical volume used by the customer to instantiate one or more virtual machines utilizing computing resources of a computing resource service provider, where the computing resources are distributed across one or more service provider networks operated by the computing resource service provider;
  
  provide access to the image to the computer system, the computer system being operated by the computing resource service provider;
  
  track file modification frequency of one or more files included in a logical volume of another customer;
  
  analyze the image to create a histogram of the file modification frequency of the one or more files included in the logical volume of the other customer;
  
  extract timestamps of intrusion detection alert information from the one or more files included in the logical volume of the other customer;
  
  correlate the histogram with intrusion detection alert information obtained from an intrusion detection system; and
  
  determine, based at least in part on the histogram, a result of forensics analysis of the image.
- View Dependent Claims (15, 16, 17, 18, 19)
- - 15. The non-transitory computer-readable storage medium of claim 14, wherein the instructions further comprise instructions that, as a result of being executed by the one or more processors, cause the computer system to, as a result of receiving a request from the customer to perform forensic analysis of the logical volume, generate the image of the logical volume.
  - 16. The non-transitory computer-readable storage medium of claim 14, wherein the instructions further comprise instructions that, as a result of being executed by the one or more processors, cause the computer system to perform the forensics analysis as a result of the customer generating an new image corresponding to the logical volume.
  - 17. The non-transitory computer-readable storage medium of claim 14, wherein the instructions further comprise instructions that, as a result of being executed by the one or more processors, cause the computer system to correlate the result of forensics analysis of the image with at least one other result of forensics analysis associated with at least one other customer.
  - 18. The non-transitory computer-readable storage medium of claim 14, wherein the instructions further comprise instructions that, as a result of being executed by the one or more processors, cause the computer system to obtain, from the customer, a cryptographic key to decrypt the image and decrypt the image prior to providing the computer system with access to the image.
  - 19. The non-transitory computer-readable storage medium of claim 18, wherein the instructions that cause the computer system to obtain the cryptographic key further include instructions that cause the computer system to obtain the cryptographic key from a hardware security module.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Amazon Technologies, Inc. (Amazon.com, Inc.)
Original Assignee
Amazon Technologies, Inc. (Amazon.com, Inc.)
Inventors
Brandwine, Eric Jason, Lucas, Alexander Robin Gordon, Fitzgerald, Robert Eric
Primary Examiner(s)
Homayounmehr, Farid
Assistant Examiner(s)
Bucknor, Olanrewaju J.

Application Number

US15/085,585
Time in Patent Office

979 Days
Field of Search

None
US Class Current
CPC Class Codes

G06F 2009/45587   Isolation or security of vi...

G06F 9/45558   Hypervisor-specific managem...

H04L 63/1416   Event detection, e.g. attac...

H04L 63/1425   Traffic logging, e.g. anoma...

Block-level forensics for distributed computing systems

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

118 Citations

19 Claims

Specification

Solutions

Use Cases

Quick Links

Block-level forensics for distributed computing systems

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

118 Citations

19 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links