METHODS, SYSTEMS, AND COMPUTER READABLE MEDIA FOR EFFICIENT COMPUTER FORENSIC ANALYSIS AND DATA ACCESS CONTROL

US 20140157407A1
Filed: 05/07/2012
Published: 06/05/2014
Est. Priority Date: 05/06/2011
Status: Active Grant

First Claim

Patent Images

1. A method for efficient computer forensic analysis and data access control, the method comprising:

from within a virtualization layer separate from a guest operating system;

monitoring disk accesses by the guest operating system to a region of interest on a disk from which data is copied into memory;

tracking subsequent accesses to the memory resident data where the memory resident data is copied from its initial location to other memory locations or over a network; and

linking operations made by the guest operating system associated with the disk accesses with operations made by the guest operating system associated with the memory accesses.

View all claims

2 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

According to one aspect, the subject matter described herein includes a method for efficient computer forensic analysis and data access control. The method includes steps occurring from within a virtualization layer separate from a guest operating system. The steps include monitoring disk accesses by the guest operating system to a region of interest on a disk from which data is copied into memory. The steps also include tracking subsequent accesses to the memory resident data where the memory resident data is copied from its initial location to other memory locations or over a network. The steps further include linking operations made by the guest operating system associated with the disk accesses with operations made by the guest operating system associated with the memory accessed.

Citations

23 Claims

1. A method for efficient computer forensic analysis and data access control, the method comprising:
- from within a virtualization layer separate from a guest operating system;
  
  monitoring disk accesses by the guest operating system to a region of interest on a disk from which data is copied into memory;
  
  tracking subsequent accesses to the memory resident data where the memory resident data is copied from its initial location to other memory locations or over a network; and
  
  linking operations made by the guest operating system associated with the disk accesses with operations made by the guest operating system associated with the memory accesses.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11)
- - 2. The method of claim 1 wherein the virtualization layer comprises a hypervisor layer.
  - 3. The method of claim 1 wherein monitoring disk accesses includes maintaining a watch list of virtual machine disk blocks containing data of interest and determining whether a disk access corresponds to any of the virtual machine blocks on the watch list.
  - 4. The method of claim 3 wherein tracking subsequent accesses to the memory resident data includes, in response to determining that the disk access corresponds to a virtual machine disk block on the watch list, triggering a memory monitoring module located within the virtualization layer to monitor a physical page of memory into which blocks of data from the disk access are paged.
  - 5. The method of claim 1 comprising maintaining a watch list of file system objects corresponding to data of interest and determining whether a file system object operation corresponds to any of the file system objects on the watch list.
  - 6. The method of claim 1 wherein linking the operations made by the guest operating system associated with the disk accesses with the operations associated with the memory accesses includes examining source and destination parameters associated with operations to infer that the operations concern the same data.
  - 7. The method of claim 1 wherein tracking subsequent accesses to the memory resident data includes, in response to the memory resident data being copied from its initial location to another memory resident location, adding the new memory resident location to a watch list and monitoring subsequent accesses to the new memory resident location using the watch list.
  - 8. The method of claim 1 comprising identifying a codepage signature of a process making the memory accesses and comparing the codepage signature to stored codepage signatures to identify the process.
  - 9. The method of claim 8 comprising creating the codepage signature for the process by recognizing shared and kernel code pages associated with the process and utilizing the codepage signature to selectively extract codepages that identify the process.
  - 10. The method of claim 1 comprising selectively blocking and/or dropping packets associated with a network connection without examining the packets'"'"' contents.
  - 11. The method of claim 1 comprising selectively blocking accesses to the guest operating system to memory and/or disk locations containing data of interest.

12. A system for efficient computer forensic analysis and data access control, the system comprising:
- a virtualization layer separate from a guest operating system for virtualizing resources of an underlying computing system;
  
  a storage monitoring module located within the virtualization layer and for monitoring disk accesses by the guest operating system to a region of interest on a disk from which data is copied into memory;
  
  a memory monitoring module located within the virtualization layer for tracking subsequent accesses to the memory resident data where the memory resident data is copied from its initial location to other memory locations or over a network; and
  
  a system call monitoring module for linking operations made by the guest operating system associated with the disk accesses with operations made by the guest operating system associated with the memory accesses.
- View Dependent Claims (13, 14, 15, 16, 17, 18, 19, 20, 21, 22)
- - 13. The system of claim 12 wherein the virtualization layer comprises a hypervisor layer.
  - 14. The system of claim 12 wherein the storage monitoring module is configured to maintain a watch list of virtual machine disk blocks containing data of interest and determine whether a disk access corresponds to any of the virtual machine blocks on the watch list.
  - 15. The system of claim 14 wherein the storage monitoring module is configured to, in response to determining that the disk access corresponds to a virtual machine disk block on the watch list, trigger the memory monitoring module to monitor a physical page of memory into which blocks of data from the disk access are paged.
  - 16. The system of claim 12 wherein the storage monitoring module is configured to maintain a watch list of file system objects corresponding to data of interest and determine whether a file system object operation corresponds to any of the file system objects on the watch list.
  - 17. The system of claim 12 wherein the system call monitoring module is configured to examine source and destination parameters associated with operations to infer that the operations concern the same data.
  - 18. The system of claim 12 wherein the memory monitoring module is configured to, in response to the memory resident data being copied from its initial location to another memory resident location, add the new memory resident location to a watch list and monitor subsequent accesses to the new memory resident location using the watch list.
  - 19. The system of claim 12 wherein the memory monitoring module is configured to identify a codepage signature of a process making the memory accesses and to compare the codepage signature to stored codepage signatures to identify the process.
  - 20. The system of claim 19 wherein the memory monitoring module is configured to create the codepage signature for the process by recognizing shared and kernel code pages associated with the process and utilize the codepage signature to selectively extract codepages that identify the process.
  - 21. The system of claim 12 comprising a network monitoring module configured to, in response to a trigger from either the memory monitoring module or the system call monitoring module, selectively block and/or drop packets associated with a network connection.
  - 22. The system of claim 12 comprising an enforcement module for selectively blocking accesses to the guest operating system to memory and/or disk locations containing data of interest.

23. A non-transitory computer readable medium having stored thereon executable instructions that when executed by the processor of a computer control the computer to perform steps comprising:
- from within a virtualization layer separate from a guest operating system;
  
  monitoring disk accesses by the guest operating system to a region of interest on a disk from which data is copied into memory;
  
  tracking subsequent accesses to the memory resident data where the memory resident data is copied from its initial location to other memory locations or over a network; and
  
  linking operations made by the guest operating system associated with the disk accesses with operations made by the guest operating system associated with the memory accesses.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
University of North Carolina At Chapel Hill (University of North Carolina System)
Original Assignee
University of North Carolina At Chapel Hill (University of North Carolina System)
Inventors
Krishnan, Srinivas, Monrose, Fabian, Snow, Kevin

Granted Patent

US 9,721,089 B2
Time in Patent Office

Days
Field of Search
US Class Current

726/22
CPC Class Codes

G06F 21/50 Monitoring users, programs ...

G06F 21/53 by executing in a restricte...

METHODS, SYSTEMS, AND COMPUTER READABLE MEDIA FOR EFFICIENT COMPUTER FORENSIC ANALYSIS AND DATA ACCESS CONTROL

First Claim

2 Assignments

0 Petitions

Accused Products

Abstract

Citations

23 Claims

Specification

Solutions

Use Cases

Quick Links

METHODS, SYSTEMS, AND COMPUTER READABLE MEDIA FOR EFFICIENT COMPUTER FORENSIC ANALYSIS AND DATA ACCESS CONTROL

First Claim

2 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

23 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links