Forensic software investigation

US 10,476,759 B2
Filed: 01/03/2018
Issued: 11/12/2019
Est. Priority Date: 07/15/2014
Status: Active Grant

First Claim

Patent Images

1. A computer system including instructions recorded on a non-transitory computer-readable medium and executable by at least one processor, the computer system comprising:

a server configured to at least manage forensic investigations of client assets associated with a client based on a forensic service agreement between the client and a cloud service provider in a cloud environment, wherein the forensic investigations include technical evidence generation for each client asset associated with the client, wherein the technical evidence generation comprises contextual reporting, and wherein the contextual reporting comprises separating audit data with respect to tenants of a multi-tenant environment and correlating the audit data with respect to a reported incident, the server including;

a forensic service interface configured to at least establish the forensic service agreement between the client and the cloud service provider for servicing the forensic investigations of the client assets associated with the client, the forensic service interface providing multiple modes for the forensic service agreement, wherein the forensic service agreement includes a forensics as a service subscription, and under the forensics as a service subscription, the cloud service provider is configured to expose one or more forensic functionalities related to one or more of on-demand investigation, troubleshooting, auditing, or logging of forensic data related to the client assets associated with the client;

a forensic data handler configured to at least acquire forensic data related to each client asset associated with the client, and generate one or more client inventory records for each client asset based on the forensic data related to each client asset, wherein the forensic data handler acquires the forensic data according to a selected mode of the multiple modes for the forensic service agreement; and

a forensic engine configured to at least generate one or more client evidence records for each client asset based on each client inventory record generated for each client asset.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

In accordance with aspects of the disclosure, systems and methods are provided for managing forensic investigations of client assets associated with a client based on a forensic service agreement between the client and a cloud service provider, including establishing the forensic service agreement between the client and the cloud service provider for servicing the forensic investigations of the client assets associated with the client, acquiring forensic data related to each client asset associated with the client, and generating one or more client inventory records for each client asset based on the forensic data related to each client asset, and generating one or more client evidence records for each client asset based on each client inventory record generated for each client asset.

27 Citations

19 Claims

1. A computer system including instructions recorded on a non-transitory computer-readable medium and executable by at least one processor, the computer system comprising:
- a server configured to at least manage forensic investigations of client assets associated with a client based on a forensic service agreement between the client and a cloud service provider in a cloud environment, wherein the forensic investigations include technical evidence generation for each client asset associated with the client, wherein the technical evidence generation comprises contextual reporting, and wherein the contextual reporting comprises separating audit data with respect to tenants of a multi-tenant environment and correlating the audit data with respect to a reported incident, the server including;
  
  a forensic service interface configured to at least establish the forensic service agreement between the client and the cloud service provider for servicing the forensic investigations of the client assets associated with the client, the forensic service interface providing multiple modes for the forensic service agreement, wherein the forensic service agreement includes a forensics as a service subscription, and under the forensics as a service subscription, the cloud service provider is configured to expose one or more forensic functionalities related to one or more of on-demand investigation, troubleshooting, auditing, or logging of forensic data related to the client assets associated with the client;
  
  a forensic data handler configured to at least acquire forensic data related to each client asset associated with the client, and generate one or more client inventory records for each client asset based on the forensic data related to each client asset, wherein the forensic data handler acquires the forensic data according to a selected mode of the multiple modes for the forensic service agreement; and
  
  a forensic engine configured to at least generate one or more client evidence records for each client asset based on each client inventory record generated for each client asset.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12)
- - 2. The computer system of claim 1, wherein the forensic investigations are related to data ownership for each client asset associated with the client, including one or more of data dependency information or contract termination information.
  - 3. The computer system of claim 1, wherein the forensic investigations are related to data acquisition for each client asset associated with the client, including one or more of data collection information or data preservation information.
  - 4. The computer system of claim 1, wherein the forensic investigations are related to data analysis for each client asset associated with the client, including one or more of filtering information or presentation information.
  - 5. The computer system of claim 1, wherein the computer system further comprises or is comprised in a platform service deployed in a heterogeneous cloud service provider environment.
  - 6. The computer system of claim 1, wherein the multiple modes include at least:
    - (i) a first mode where the server is configured to manage the forensic investigations in real time on an ongoing basis;
      
      (ii) a second mode where the server is configured to manage the forensic investigations for an event during a time period specified by the client; and
      
      (iii) a third mode where the server is configured to manage the forensic investigations on a just-in-time basis in response to an investigation request from the client, wherein the forensic data handler acquires the forensic data in the real time on the ongoing basis when the forensic service agreement specifies the first mode, wherein the forensic data handler acquires the forensic data for the event during the time period when the forensic service agreement specifies the second mode, and wherein the forensic data handler acquires the forensic data on the just-in-time basis when the forensic service agreement specifies the third mode.
  - 7. The computer system of claim 1, wherein the forensic data includes data related to one or more of client configuration, network configuration, memory configuration, tenant configuration, historical data, file metadata, or user access history data.
  - 8. The computer system of claim 1, wherein the forensic service interface includes a forensic service application programming interface associated with the forensic service agreement.
  - 9. The computer system of claim 1, wherein the forensic data handler is further configured to at least:
    - retrieve relevant data from the cloud service provider including tenant information related to the client; and
      
      cluster different forensic data related to the client assets into dedicated sub-components for the one or more client inventory records.
  - 10. The computer system of claim 1,wherein the forensic record handler is further configured to at least persist the one or more client inventory records and the one or more client evidence records in a data store.
  - 11. The computer system of claim 1, wherein the one or more client evidence records include data related to identifying client upload history, client file history, client tenant history, or client responsibility history related to one or more of the one or more client inventory records.
  - 12. The computer system of claim 1, wherein the server comprises or is comprised in a centralized monitoring solution for the cloud environment.

13. A computer program product tangibly embodied on a non-transitory computer-readable storage medium including instructions that, when executed by at least one processor, are configured to at least:
- manage forensic investigations of client assets associated with a client based on a forensic service agreement between the client and a cloud service provider in a cloud environment, wherein the forensic investigations include technical evidence generation for each client asset associated with the client, wherein the technical evidence generation comprises contextual reporting, and wherein the contextual reporting comprises separating audit data with respect to tenants of a multi-tenant environment and correlating the audit data with respect to a reported incident, the non-transitory computer-readable storage medium further including instructions that, when executed by the at least one processor, are further configured to at least;
  
  establish the forensic service agreement between the client and the cloud service provider for servicing the forensic investigations of the client assets associated with the client, wherein multiple modes are provided for the forensic service agreement, and wherein the forensic service agreement includes a forensics as a service subscription, and under the forensics as a service subscription, the cloud service provider is configured to expose one or more forensic functionalities related to one or more of on-demand investigation, troubleshooting, auditing, or logging of forensic data related to the client assets associated with the client;
  
  acquire forensic data related to each client asset associated with the client, and generate one or more client inventory records for each client asset based on the forensic data related to each client asset, wherein the forensic data is acquired according to a selected mode of the multiple modes for the forensic service agreement;
  
  generate one or more client evidence records for each client asset based on each client inventory record generated for each client asset; and
  
  persist the one or more client inventory records and the one or more client evidence records in a data store.
- View Dependent Claims (14, 15, 16, 17, 18)
- - 14. The computer program product of claim 13, wherein the multiple modes include at least:
    - (i) a first mode where the forensic investigations are managed in real time on an ongoing basis;
      
      (ii) a second mode where the forensic investigations are managed for an event during a time period specified by the client; and
      
      (iii) a third mode where the forensic investigations are managed on a just-in-time basis in response to an investigation request from the client wherein the forensic data is acquired in the real time on the ongoing basis when the forensic service agreement specifies the first mode, wherein the forensic data is acquired for the event during the time period when the forensic service agreement specifies the second mode, and wherein the forensic data is acquired on the just-in-time basis when the forensic service agreement specifies the third mode.
  - 15. The computer program product of claim 13, wherein the forensic data includes data related to one or more of client configuration, network configuration, memory configuration, tenant configuration, historical data, file metadata, or user access history data.
  - 16. The computer program product of claim 13, the non-transitory computer-readable storage medium further including instructions that, when executed by the at least one processor are further configured to at least retrieve relevant data from the cloud service provider including tenant information related to the client.
  - 17. The computer program product of claim 13, the non-transitory computer-readable storage medium further including instructions that, when executed by the at least one processor are further configured to at least to cluster different forensic data related to the client assets into dedicated sub-components for the one or more client inventory records.
  - 18. The computer program product of claim 13, wherein the one or more client evidence records include data related to one or more of identifying client upload history, client file history, client tenant history, or client responsibility history related to client inventory records.

19. A computer-implemented method, comprising:
- managing forensic investigations of client assets associated with a client based on a forensic service agreement between the client and a cloud service provider in a cloud environment, wherein the forensic investigations include technical evidence generation for each client asset associated with the client, wherein the technical evidence generation comprises contextual reporting, and wherein the contextual reporting comprises separating audit data with respect to tenants of a multi-tenant environment and correlating the audit data with respect to a reported incident, the computer-implemented method further comprising;
  
  establishing the forensic service agreement between the client and the cloud service provider for servicing the forensic investigations of the client assets associated with the client, including provision of multiple modes for the forensic service agreement, wherein the forensic service agreement includes a forensics as a service subscription, and under the forensics as a service subscription, the cloud service provider is configured to expose one or more forensic functionalities related to one or more of on-demand investigation, troubleshooting, auditing, or logging of forensic data related to the client assets associated with the client;
  
  receiving at least one request from the client for forensic investigation of the client assets associated with the client based on the forensic service agreement established between the client and the cloud service provider;
  
  acquiring forensic data related to each client asset associated with the client, wherein the forensic data is acquired according to a selected mode of the multiple modes for the forensic service agreement;
  
  searching one or more client inventory records for suspicious activity related to each client asset associated with the client;
  
  generating one or more client evidence records for each client asset including forensic data related to suspicious activity associated with each client asset based the one or more client inventory records for each client asset; and
  
  persisting in a data store the one or more client inventory records and the one or more client evidence records including forensic data related to suspicious activity associated with each client asset.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
SAP SE
Original Assignee
SAP SE
Inventors
Rahaman, Mohammad Ashiqur
Primary Examiner(s)
Hussain, Tauqir
Assistant Examiner(s)
Grijalva Lobos, Boris D

Application Number

US15/861,260
Publication Number

US 20180145888A1
Time in Patent Office

678 Days
Field of Search
US Class Current
CPC Class Codes

G06F 16/951   Indexing; Web crawling tech...

H04L 41/5006   Creating or negotiating SLA...

H04L 41/5032   Generating service level re...

H04L 63/308   retaining data, e.g. retain...

Forensic software investigation

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

27 Citations

19 Claims

Specification

Solutions

Use Cases

Quick Links

Forensic software investigation

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

27 Citations

19 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links