Block-level forensics for distributed computing systems
First Claim
1. A computer-implemented method, comprising:
- receiving a request to perform forensic analysis of a logical volume attached to a customer virtual machine instance, the logical volume associated with a customer of a computing resource service provider that implements the logical volume on hardware of the computing resource service provider;
- generating an image of the logical volume, where the image is generated by at least deferring writes to the logical volume while data contained in the logical volume is copied;
- making the image accessible to a block-level forensics service;
- causing the block-level forensics service to perform forensic analysis of the image, wherein the forensic analysis includes:
  - tracking file modification frequency of one or more files included in a logical volume of another customer;
  - generating a histogram of the file modification frequency of the one or more files included in the logical volume of the other customer;
  - extracting timestamps of intrusion detection alert information from the one or more files included in the logical volume of the other customer; and
  - correlating the histogram with intrusion detection alert information obtained from an intrusion detection system; and
- providing a result of forensic analysis of the image in response to the request.
1 Assignment
0 Petitions
Abstract
A computing resource service provider may offer customers a block-level forensics service. Volume images of computing resources associated with a customer may be generated and provided to the block-level forensics service. The block-level forensics service, or a component of it, may generate a volume based at least in part on the volume image and may perform forensic analysis of that volume. A result of the forensic analysis may be provided to the customer.
118 Citations
19 Claims
1. A computer-implemented method, comprising the steps set out in full under First Claim above. Dependent claims: 2, 3, 4, 5, 6.
7. A system, comprising:
- one or more processors; and
- memory that includes instructions that, when executed by the one or more processors, cause the system to:
  - receive a request to perform forensic analysis of a logical volume associated with a customer, the logical volume attached to one or more virtual machines associated with the customer;
  - obtain access to a volume image of the logical volume associated with the customer, the volume image containing contents and structure of the logical volume;
  - track file modification frequency of one or more files included in a logical volume of another customer;
  - create a histogram based at least in part on the image, the histogram including information about the file modification frequency of the one or more files included in the logical volume of the other customer;
  - extract timestamps of intrusion detection alert information from the one or more files included in the logical volume of the other customer;
  - correlate the histogram with intrusion detection alert information obtained from an intrusion detection system; and
  - generate, based at least in part on the histogram, a result of forensic analysis of the volume image in response to the request.
Dependent claims: 8, 9, 10, 11, 12, 13.
14. A non-transitory computer-readable storage medium having stored thereon executable instructions that, as a result of being executed by one or more processors of a computer system, cause the computer system to at least:
- cause an image of a logical volume attached to one or more virtual machines associated with a customer to be generated, the logical volume used by the customer to instantiate one or more virtual machines utilizing computing resources of a computing resource service provider, where the computing resources are distributed across one or more service provider networks operated by the computing resource service provider;
- provide access to the image to the computer system, the computer system being operated by the computing resource service provider;
- track file modification frequency of one or more files included in a logical volume of another customer;
- analyze the image to create a histogram of the file modification frequency of the one or more files included in the logical volume of the other customer;
- extract timestamps of intrusion detection alert information from the one or more files included in the logical volume of the other customer;
- correlate the histogram with intrusion detection alert information obtained from an intrusion detection system; and
- determine, based at least in part on the histogram, a result of forensic analysis of the image.
Dependent claims: 15, 16, 17, 18, 19.
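The histogram-and-correlation step that all three independent claims share, as an added illustration that is not part of the patent text or any provider's implementation: file modification times gathered from a mounted volume image are bucketed into a per-hour histogram, and each intrusion detection alert is scored by the modification churn in its own bucket and the following one. The file list, alert timestamps and the one-hour bucket width are constructed assumptions.

```python
from collections import Counter
from datetime import datetime, timedelta, timezone

FMT = "%Y-%m-%dT%H:%M:%SZ"

# Constructed sample input: (path, mtime) pairs as a walk over a mounted
# volume image would yield, plus IDS alert timestamps. Not real data.
FILE_MTIMES = [
    ("/var/log/syslog", "2024-03-01T00:05:00Z"),
    ("/home/app/data.db", "2024-03-01T01:30:00Z"),
    ("/etc/passwd", "2024-03-01T02:14:00Z"),
    ("/etc/shadow", "2024-03-01T02:14:30Z"),
    ("/root/.ssh/authorized_keys", "2024-03-01T02:16:00Z"),
    ("/usr/bin/ls", "2024-03-01T02:20:00Z"),
    ("/var/log/auth.log", "2024-03-01T05:00:00Z"),
]
IDS_ALERTS = ["2024-03-01T02:10:00Z", "2024-03-01T09:45:00Z"]


def parse_ts(s):
    return datetime.strptime(s, FMT).replace(tzinfo=timezone.utc)


def bucket_of(ts, hours=1):
    """Floor a timestamp to the start of its `hours`-wide bucket."""
    ts = ts.replace(minute=0, second=0, microsecond=0)
    return ts - timedelta(hours=ts.hour % hours)


def modification_histogram(files, hours=1):
    """Count file modifications per time bucket (the claims' 'histogram')."""
    counts = Counter(bucket_of(parse_ts(mtime), hours) for _, mtime in files)
    return {b.strftime(FMT): n for b, n in sorted(counts.items())}


def correlate(hist, alerts, hours=1, lookahead=1):
    """For each alert, sum modifications in its bucket and the next
    `lookahead` buckets; an alert with no nearby churn scores 0."""
    scores = []
    for alert in alerts:
        start = bucket_of(parse_ts(alert), hours)
        total = sum(
            hist.get((start + timedelta(hours=hours * i)).strftime(FMT), 0)
            for i in range(lookahead + 1)
        )
        scores.append((alert, total))
    return scores


if __name__ == "__main__":
    hist = modification_histogram(FILE_MTIMES)
    for alert, n in correlate(hist, IDS_ALERTS):
        print(alert, "->", n, "file modifications in alert window")
```

The 02:10 alert lands on a bucket with four modifications to sensitive files and is worth an analyst's attention; the 09:45 alert coincides with no modifications at all, which the histogram makes visible at a glance.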
Specification