File System Event Tracking

US 20080077988A1
Filed: 09/26/2006
Published: 03/27/2008
Est. Priority Date: 09/26/2006
Status: Active Grant

First Claim

Patent Images

1. A file system tracking method, comprising:

intercepting a file system security change request directed to a target file system object, the target file system object having a current security state, the security change request specifying a final security state;

recording the current security state;

communicating the security change request to a file system;

intercepting an indication that the security change request has been processed by the file system; and

recording the final security state.

View all claims

27 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Automated file system event tracking and reporting techniques are described in which file system events requested by a user application are intercepted and recorded prior to the request being permitted to pass to the file system for execution. Similarly, file system responses to a prior captured file system event are also intercepted and recorded. Predefined patterns of file system event may be aggregated and reported as a single event.

32 Citations

View as Search Results

44 Claims

1. A file system tracking method, comprising:
- intercepting a file system security change request directed to a target file system object, the target file system object having a current security state, the security change request specifying a final security state;
  
  recording the current security state;
  
  communicating the security change request to a file system;
  
  intercepting an indication that the security change request has been processed by the file system; and
  
  recording the final security state.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 41)
- - 2. The method of claim 1, wherein the acts of intercepting are performed by a kernel-level application.
  - 3. The method of claim 1, wherein the security change request comprises a IRP_MJ_SET_SECURITY request.
  - 4. The method of claim 1, wherein the act of recording the final security state comprises recording a single datum from which both the current security state and final security state may be derived.
  - 5. The method of claim 1, wherein the act of recording the current security state comprises storing the current security state and an identifier identifying the target file system object in a kernel memory.
  - 6. The method of claim 5, wherein the act of recording the final security state comprises associating the final security state with the current security state in the kernel memory.
  - 7. The method of claim 6, further comprising:
    - retrieving the current security state, the target security state and the identifier identifying the target file system object from the kernel buffer memory; and
      
      storing the current security state, the target security state and the identifier identifying the target file system object in a database.
  - 8. The method of claim 7, wherein the act of retrieving and storing is performed by a user-level application.
  - 9. The method of claim 1, wherein the act of recording the current security state and the final security state further comprises recording a time associated with the intercepted file system security change request.
  - 10. The method of claim 1, wherein the act of recording the current security state and the final security state further comprises recording a user account identifier associated with the security change request.
  - 11. The method of claim 1, wherein the act of recording the current security state and the final security state further comprises recording a process identifier associated with the security change request.
  - 12. The method of claim 1, wherein the act of recording the current security state and the final security state further comprises recording a computer system identifier on which the target file system object is stored.
  - 13. The method of claim 1, wherein the act of recording the current security state and the final security state further comprises recording a path associated with the target file system object.
  - 41. A program storage device, readable by a programmable control device, comprising instructions stored on the program storage device for causing the programmable control device to perform the method of claim 1.

14. A file system tracking method, comprising:
- identifying a first file system event changing a first file system object'"'"'s name from a first name to a second name;
  
  identifying a second file system event changing a second file system object'"'"'s name to the first name; and
  
  aggregating the first and second file system events as a single file modification event for the first file system object.
- View Dependent Claims (15, 16, 17, 18, 19, 20, 21, 22, 40)
- - 15. The method of claim 14 further comprising, prior to the act of aggregating, identifying a file system delete event for the first file system object.
  - 16. The method of claim 14, whereinthe act of identifying the first file system event comprises determining a first time associated with the first file system event,the act identifying the second file system event comprises determining a second time associated with the second file system event, andthe act of aggregating occurs only if the time between the first and second times is within a specified range.
  - 17. The method of claim 16, wherein the specified range is approximately 2 seconds.
  - 18. The method of claim 14, wherein the acts of identifying and aggregating are performed by a user-level application.
  - 19. The method of claim 14, wherein the act of aggregating further comprises writing the file modification event to a log file.
  - 20. The method of claim 19, wherein the act of writing the file modification event to a log file comprises writing the file modification to a database.
  - 21. The method of claim 20, wherein the act of writing the file modification event to a database comprises writing the file modification event to a relational database.
  - 22. The method of claim 21, wherein the database comprises a SQL database.
  - 40. A program storage device, readable by a programmable control device, comprising instructions stored on the program storage device for causing the programmable control device to perform the method of claim 14.

23. A file system audit method, comprising:
- intercepting, by a kernel level application, file system events;
  
  recording the intercepted file system events in a kernel memory;
  
  retrieving the recorded file system events from kernel memory to a user level memory;
  
  identifying, from the retrieved file system events, a first file system event changing a first file system object'"'"'s name from a first name to a second name;
  
  identifying, from the retrieved file system events, a second file system event changing a second file system object'"'"'s name to the first name;
  
  consolidating the first and second file system events into a third file system event; and
  
  recording the third file system event as a file modification event for the first file system object.
- View Dependent Claims (24, 25, 26, 27, 28, 29, 42)
- - 24. The method of claim 23 further comprising, prior to the act of consolidating, identifying, from the retrieved file system events, a file system delete event for the first file system object.
  - 25. The method of claim 23, whereinthe act of identifying the first file system event comprises determining a first time associated with the first file system event,the act identifying the second file system event comprises determining a second time associated with the second file system event, andthe act of consolidating occurs only if the time between the first and second times is within a specified range.
  - 26. The method of claim 25, wherein the specified range is approximately 2 seconds.
  - 27. The method of claim 23, wherein the act of recording comprises writing to a log.
  - 28. The method of claim 23, wherein the act of writing to a log comprises writing to a database.
  - 29. The method of claim 28, wherein the database comprises a SQL database.
  - 42. A program storage device, readable by a programmable control device, comprising instructions stored on the program storage device for causing the programmable control device to perform the method of claim 23.

30. A file system audit method, comprising:
- intercepting, by a kernel level application, file system events;
  
  recording the intercepted file system events in a kernel memory;
  
  retrieving the recorded file system events from kernel memory to a user level memory;
  
  identifying, from the retrieved file system events, a first file system event copying a first file system object from a first location to a second location;
  
  identifying, from the retrieved file system events, a second file system event deleting the first file system object from the first location;
  
  consolidating the first and second file system events into a third file system event; and
  
  recording the third file system event as a file move event for the first file system object.
- View Dependent Claims (31, 32, 43)
- - 31. The method of claim 30, wherein the act of consolidating occurs only if a time associated with the first file system event and a time associated with the second file system event within a specified time interval.
  - 32. The method of claim 31, wherein the specified time interval is approximately 2 seconds.
  - 43. A program storage device, readable by a programmable control device, comprising instructions stored on the program storage device for causing the programmable control device to perform the method of claim 30.

33. A file system tracking method, comprising:
- identifying a first file system event opening a first file system object;
  
  identifying a second file system event creating a second file system object;
  
  detecting one or more read operations directed to the first file system object into a specified memory;
  
  detecting one or more file system write operations to the second file system object from the specified memory; and
  
  consolidating the first file system event, the second file system event, the one or more file system read operations and the one or more file system write operations into a single file modification event.
- View Dependent Claims (34, 35, 36, 37, 38, 39, 44)
- - 34. The method of claim 33, whereinthe act of identifying the first file system event comprises determining a first time associated with the first file system event,the act identifying the second file system event comprises determining a second time associated with the second file system event, andthe act of consolidating occurs only if the time between the first and second times is within a specified range.
  - 35. The method of claim 34, wherein the specified range is approximately 2 seconds.
  - 36. The method of claim 33, wherein the acts of identifying and consolidating are performed by a user-level application.
  - 37. The method of claim 33, wherein the act of consolidating further comprises writing the file modification event to a log file.
  - 38. The method of claim 37, wherein the act of writing the file modification event to a log file comprises writing the file modification to a database.
  - 39. The method of claim 38, wherein the act of writing the file modification event to a database comprises writing the file modification event to a relational database.
  - 44. A program storage device, readable by a programmable control device, comprising instructions stored on the program storage device for causing the programmable control device to perform the method of claim 33.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Quest Software, Inc.
Original Assignee
ScriptLogic Corporation (Quest Software, Inc.)
Inventors
Small, Brian Thomas

Granted Patent

US 7,818,801 B2
Time in Patent Office

Days
Field of Search
US Class Current

726/22
CPC Class Codes

G06F 11/3476 Data logging G06F11/14, G06...

G06F 2201/86 Event-based monitoring

File System Event Tracking

First Claim

27 Assignments

0 Petitions

Accused Products

Abstract

32 Citations

44 Claims

Specification

Solutions

Use Cases

Quick Links

File System Event Tracking

First Claim

27 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

32 Citations

44 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links