System and method for concurrent discovery and survey of networked devices

US 20070011450A1
Filed: 09/14/2004
Published: 01/11/2007
Est. Priority Date: 09/14/2004
Status: Abandoned Application

First Claim

Patent Images

1. A method for concurrently investigating a plurality of target devices in a data communications network, the method comprising:

receiving over a network connection a request transmitted by a remote device, wherein the request is associated with a range of network addresses in the data communications network;

concurrently surveying, in response to the request, at least a portion of the network addresses for a responding target device connected to the network via a surveyed network address;

establishing concurrent connections with a plurality of responding target devices;

invoking a plurality of investigative processes, the processes being concurrently executed on the plurality of responding target devices;

transmitting to the remote device connection information associated with the plurality of responding target devices;

establishing concurrent connections between the remote device and the plurality of responding target devices based on the connection information;

concurrently receiving at the remote device data generated by the plurality of responding target devices in response to the investigative processes;

correlating the received data based on a correlating criteria; and

displaying the correlated data on a display coupled to the remote device.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A system and method for concurrent investigations of network devices in a data communications network. The network includes an examining machine, a secure server, and various target machines. The secure server receives a request from the examining machine to capture volatile data stored in the target machines, and in response, spawns various processing threads that concurrently attempt connections with the target machines. Upon successful connection with the target machines, a plurality of processes for gathering volatile data are concurrently executed on the responding target machines. The secure server receives the volatile data retrieved and transmitted by the responding target machines. The data is aggregated by the secure server, which transmits the data to the examining machine. The examining machine correlates the received data based on a correlating criteria, and displays the correlated data on a display.

Citations

39 Claims

1. A method for concurrently investigating a plurality of target devices in a data communications network, the method comprising:
- receiving over a network connection a request transmitted by a remote device, wherein the request is associated with a range of network addresses in the data communications network;
  
  concurrently surveying, in response to the request, at least a portion of the network addresses for a responding target device connected to the network via a surveyed network address;
  
  establishing concurrent connections with a plurality of responding target devices;
  
  invoking a plurality of investigative processes, the processes being concurrently executed on the plurality of responding target devices;
  
  transmitting to the remote device connection information associated with the plurality of responding target devices;
  
  establishing concurrent connections between the remote device and the plurality of responding target devices based on the connection information;
  
  concurrently receiving at the remote device data generated by the plurality of responding target devices in response to the investigative processes;
  
  correlating the received data based on a correlating criteria; and
  
  displaying the correlated data on a display coupled to the remote device.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16, 17, 18, 19)
- - 2. The method of claim 1, wherein the investigative process retrieves volatile data from a local memory of a responding target device.
  - 3. The method of claim 2, wherein the volatile data is data stored in a random access memory of the responding target device.
  - 4. The method of claim 3, wherein the volatile data is information on an active process running on the responding target device.
  - 5. The method of claim 3, wherein the volatile data is information on a communication port open on the responding target device.
  - 6. The method of claim 3, wherein the volatile data is information on a file open on the responding target device.
  - 7. The method of claim 1 further comprising manipulating the displayed data via a graphical user interface.
  - 8. The method of claim 7, wherein the manipulating is filtering the displayed data based on a selected filter.
  - 9. The method of claim 8, wherein the filter is programmable via the graphical user interface.
  - 10. The method of claim 1, wherein the correlating includes correlating information on communication ports open on a responding target device with information on processes active on the device.
  - 11. The method of claim 1, wherein the correlating includes correlating information on processes active on the responding target device with information on files open on the device.
  - 12. The method of claim 1, wherein the correlating includes correlating information on processes active on the responding target device with information on processes authorized for the target device.
  - 13. The method of claim 12 further comprising:
    - associating a machine profile to a first target device, the machine profile including information on one or more processes authorized for the machine profile;
      
      receiving first volatile data transmitted by the first target device, the first volatile data including information on a process active on the first target device;
      
      retrieving the target profile for the first target device;
      
      determining based on the machine profile whether the active process is an authorized process; and
      
      displaying authorization information based on the determination.
  - 14. The method of claim 13 further comprising:
    - generating a description of a plurality of known processes;
      
      storing the description in a data store;
      
      searching the data store for the active process; and
      
      displaying a description of the active process upon a match.
  - 15. The method of claim 14 wherein searching the data store includes searching the data store for a hash value associated with the active process.
  - 16. The method of claim 1 further comprising establishing a secure communication with the remote device including:
    - generating an encryption key;
      
      transmitting the encryption key to the remote device;
      
      receiving an authentication key from the remote device; and
      
      authenticating the remote device based on the authentication key.
  - 17. The method of claim 16 further comprising receiving from the remote device a data packet encrypted using the encryption key.
  - 18. The method of claim 1 further comprising establishing a secure communication with a particular target device including:
    - receiving a first encryption key generated by the particular target device;
      
      generating a second encryption key; and
      
      transmitting the second encryption key to the particular target device, wherein the second encryption key is encrypted via the first encryption key.
  - 19. The method of claim 18 further comprising receiving from the particular target device a data packet encrypted using the second encryption key.

20. In a data communications network including a remote device and a plurality of target devices, a concurrent investigation server comprising:
- means for receiving a request transmitted by the remote device, wherein the request is associated with a range of network addresses in the data communications network;
  
  means for concurrently surveying, in response to the request, at least a portion of the network addresses for a responding target device connected to the network via a surveyed network address;
  
  means for establishing concurrent connections with a plurality of responding target devices;
  
  means for invoking a plurality of investigative processes, the processes being concurrently executed on the plurality of responding target devices;
  
  means for transmitting to the remote device connection information associated with the plurality of responding target devices, wherein;
  
  concurrent connections are established between the remote device and the plurality of responding target devices;
  
  the remote device concurrently receives data generated by the plurality of responding target devices in response to the investigative processes;
  
  the received data is correlated based on a correlating criteria; and
  
  the correlated data is displayed on a display coupled to the remote device.
- View Dependent Claims (21, 22, 23, 24, 25, 26, 27, 28, 29, 30, 31, 32, 33, 34, 35, 36, 37, 38)
- - 21. The server of claim 20, wherein the investigative process retrieves volatile data from a local memory of a responding target device.
  - 22. The server of claim 21, wherein the volatile data is data stored in a random access memory of the responding target device.
  - 23. The server of claim 21, wherein the volatile data is information on an active process running on the responding target device.
  - 24. The server of claim 21, wherein the volatile data is information on a communication port open on the responding target device.
  - 25. The server of claim 21, wherein the volatile data is information on a file open on the responding target device.
  - 26. The server of claim 20, wherein the remote device includes a graphical user interface for manipulating the displayed data.
  - 27. The server of claim 26, wherein the manipulating is filtering the displayed data based on a selected filter.
  - 28. The server of claim 27, wherein the filter is programmable via the graphical user interface.
  - 29. The server of claim 20, wherein the means for correlating includes means for correlating information on communication ports open on a responding target device with information on processes active on the device.
  - 30. The server of claim 20, wherein the means for correlating includes means for correlating information on processes active on the responding target device with information on files open on the device.
  - 31. The server of claim 20, wherein the means for correlating includes means for correlating information on processes active on the responding target device with information on processes authorized for the target device.
  - 32. The server of claim 31, wherein the remote device includes:
    - means for associating a machine profile to a first target device, the machine profile including information on one or more processes authorized for the machine profile;
      
      means for receiving first volatile data transmitted by the first target device, the first volatile data including information on a process active on the first target device;
      
      means for retrieving the target profile for the first target device;
      
      means for determining based on the machine profile whether the active process is an authorized process; and
      
      means for displaying authorization information based on the determination.
  - 33. The server of claim 32, wherein the remote device further includes:
    - means for generating a description of a plurality of known processes;
      
      means for storing the description in a data store;
      
      means for searching the data store for the active process; and
      
      means for displaying a description of the active process upon a match.
  - 34. The server of claim 33, wherein the means for searching includes means for searching the data store for a hash value associated with the process.
  - 35. The server of claim 20 further comprising means for establishing a secure communication with the remote device including:
    - means for generating an encryption key;
      
      means for transmitting the encryption key to the remote device;
      
      means for receiving an authentication key from the remote device; and
      
      means for authenticating the remote device based on the authentication key.
  - 36. The server of claim 35 further comprising means for receiving from the remote device a data packet encrypted using the encryption key.
  - 37. The server of claim 20 further comprising means for establishing a secure communication with a particular target device including:
    - means for receiving a first encryption key generated by the particular target device;
      
      means for generating a second encryption key; and
      
      means for transmitting the second encryption key to the particular target device, wherein the second encryption key is encrypted via the first encryption key.
  - 38. The server of claim 37 further comprising means for receiving from the particular target device a data packet encrypted using the second encryption key.

39. A concurrent investigation system of network devices in a data communications network, the system comprising:
- a remote device transmitting a first request over a network connection, wherein the first request is associated with a range of network addresses in the data communications network; and
  
  a server receiving the first request and invoking a plurality of processing threads in response, each processing thread being assigned a network address from the range of network addresses or names of machines, the processing threads concurrently attempting a connection with a plurality of network devices at the assigned network addresses, wherein in response to successful connections with a plurality of responding network devices, a plurality of investigative processes are concurrently invoked on the plurality of responding network devices, and connection information for the plurality of responding network devices is returned to the server, the server forwarding the connection information to the remote device in response to a second request, the remote device establishing concurrent connections with the plurality of responding network devices based on the connection information, wherein the remote device concurrently receives data generated by the plurality of responding network devices in response to the investigative processes, correlates the received data based on a correlating criteria, and displays the correlated data on a display.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Guidance Software Incorporated (Open Text Corporation)
Original Assignee
Guidance Software Incorporated (Open Text Corporation)
Inventors
McCreight, Shawn, Weber, Dominik

Application Number

US10/940,092
Publication Number

US 20070011450A1
Time in Patent Office

Days
Field of Search
US Class Current

713/165
CPC Class Codes

H04L 63/102   Entity profiles

H04L 9/0822   using key encryption key

H04L 9/3247   involving digital signatures

H04L 9/3273   for mutual authentication n...

System and method for concurrent discovery and survey of networked devices

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

Citations

39 Claims

Specification

Solutions

Use Cases

Quick Links

System and method for concurrent discovery and survey of networked devices

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

39 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links