SYSTEMS AND METHODS FOR PROVIDING AUTOMATIC SYSTEM STOP AND BOOT-TO-SERVICE OS FOR FORENSICS ANALYSIS

US 20160342477A1
Filed: 05/20/2015
Published: 11/24/2016
Est. Priority Date: 05/20/2015
Status: Active Grant

First Claim

Patent Images

1. An Information Handling System (IHS), comprising:

a processor; and

a memory coupled to the processor, the memory having program instructions stored thereon that, upon execution by the processor, cause the IHS to;

detect an Indicator of Compromise (IoC);

send, to a server, a message including the IoC;

receive, from the server, a recovery instruction; and

boot into a service OS identified in the recovery instruction, wherein the service OS is distinct from a main OS included in the IHS.

View all claims

14 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Systems and methods for providing automatic system stop and boot-to-service OS for forensic analysis. In some embodiments, an Information Handling System (IHS) includes a processor and a memory coupled to the processor, the memory having program instructions stored thereon that, upon execution by the processor, cause the IHS to: detect an Indicator of Compromise (IoC); send, to a server, a message including the IoC; receive, from the server, a recovery instruction; and boot into a service OS identified in the recovery instruction, wherein the service OS is distinct from a main OS included in the IHS.

21 Citations

View as Search Results

20 Claims

1. An Information Handling System (IHS), comprising:
- a processor; and
  
  a memory coupled to the processor, the memory having program instructions stored thereon that, upon execution by the processor, cause the IHS to;
  
  detect an Indicator of Compromise (IoC);
  
  send, to a server, a message including the IoC;
  
  receive, from the server, a recovery instruction; and
  
  boot into a service OS identified in the recovery instruction, wherein the service OS is distinct from a main OS included in the IHS.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12)
- - 2. The IHS of claim 1, wherein the IoC includes a malicious artifact observed on a network, within an Operating System (OS), firmware, Unified Extensible Firmware Interface (UEFI), Basic I/O System (BIOS), or the cloud.
  - 3. The IHS of claim 1, wherein the service OS is stored in a recovery partition of a hard drive within the IHS.
  - 4. The IHS of claim 1, wherein the service OS is stored in a Non-Volatile Memory (NVM) or flash memory within the IHS.
  - 5. The IHS of claim 1, wherein the service OS is stored remotely with respect to the IHS.
  - 6. The IHS of claim 1, wherein the server is part of a Counter Threat Platform (CTP) accessible over a network.
  - 7. The IHS of claim 1, wherein the server is configured to generate the recovery instructions based, at least in part, upon the IoC.
  - 8. The IHS of claim 7, wherein the server is configured to generate the recovery instructions based, at least in part, upon a recovery success history of other IHSs.
  - 9. The IHS of claim 8, wherein the recovery instruction includes a list of two or more service OSs, and wherein the program instructions, upon execution by the processor, cause the IHS to attempt to boot at least one of the two or more service OSs in the listed order.
  - 10. The IHS of claim 8, wherein the recovery instruction includes an ordered list of two or more service OS sources, and wherein the program instructions, upon execution by the processor, cause the IHS to attempt to boot the service OS from at least one of the two or more service OS sources in the listed order.
  - 11. The IHS of claim 8, wherein the recovery instruction includes an ordered list of two or more modes of operation of a service OS, and wherein the program instructions, upon execution by the processor, cause the IHS to attempt to boot the service OS in at least one of the two or modes of operation in the listed order.
  - 12. The IHS of claim 8, wherein the recovery instruction includes a list of two or more recovery options, each recovery option having one of a plurality of service OSs, one of a plurality of service OS sources, and one of a plurality of modes of operation, and wherein the program instructions, upon execution by the processor, cause the IHS to attempt to boot following at least one of the two or more recovery options in the listed order.

13. A computer-implemented method, comprising:
- receiving, from a client device, a message including an Indicator of Compromise (IoC);
  
  determining, based at least in part upon the IoC and upon a recovery history of other client devices, a list of two or more service OSs; and
  
  transmitting a recovery instruction to the client device, wherein the recovery instruction includes the list, wherein the client device is configured to boot into a service OS identified in the recovery instruction, and wherein the service OS is distinct from a main OS included in the client device.
- View Dependent Claims (14, 15, 16)
- - 14. The computer-implemented method of claim 13, wherein the recovery instruction includes an ordered list of two or more service OS sources, and wherein the program instructions, upon execution by the processor, cause the IHS to attempt to boot the service OS from at least one of the two or more service OS sources in the listed order.
  - 15. The computer-implemented method of claim 13, wherein the recovery instruction includes an ordered list of two or more modes of operation of a service OS, and wherein the program instructions, upon execution by the processor, cause the IHS to attempt to boot the service OS in at least one of the two or modes of operation in the listed order.
  - 16. The computer-implemented method of claim 13, wherein the recovery instruction includes a list of two or more recovery options, each recovery option having one of a plurality of service OSs, one of a plurality of service OS sources, and one of a plurality of modes of operation, and wherein the program instructions, upon execution by the processor, cause the IHS to attempt to boot following at least one of the two or more recovery options in the listed order.

17. A memory device having program instructions stored thereon that, upon execution by an Information Handling System (IHS), cause the IHS to:
- detect an Indicator of Compromise (IoC);
  
  send, to a server, a message including the IoC;
  
  receive, from the server, a recovery instruction; and
  
  boot into a service OS identified in the recovery instruction, wherein the recovery instruction includes an ordered list of two or more service OSs, and wherein the program instructions, upon execution by the processor, cause the IHS to attempt to boot at least one of the two or more service OSs in the listed order.
- View Dependent Claims (18, 19, 20)
- - 18. The memory device of claim 17, wherein the recovery instruction includes an ordered list of two or more service OS sources, and wherein the program instructions, upon execution by the processor, cause the IHS to attempt to boot the service OS from at least one of the two or more service OS sources in the listed order.
  - 19. The memory device of claim 17, wherein the recovery instruction includes an ordered list of two or more modes of operation of a service OS, and wherein the program instructions, upon execution by the processor, cause the IHS to attempt to boot the service OS in at least one of the two or modes of operation in the listed order.
  - 20. The memory device of claim 17, wherein the recovery instruction includes a list of two or more recovery options, each recovery option having one of a plurality of service OSs, one of a plurality of service OS sources, and one of a plurality of modes of operation, and wherein the program instructions, upon execution by the processor, cause the IHS to attempt to boot following at least one of the two or more recovery options in the listed order.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Dell Products LP (Dell Technologies Inc.)
Original Assignee
Dell Products LP (Dell Technologies Inc.)
Inventors
Skipper, Chad, Swierk, Todd Erick, Andrews, Carlton A., Lo, Yuan-Chang, Seibert, Phillip M.

Granted Patent

US 10,102,073 B2
Time in Patent Office

Days
Field of Search
US Class Current

1/1
CPC Class Codes

G06F 11/14   Error detection or correcti...

G06F 11/1417   Boot up procedures

G06F 21/56   Computer malware detection ...

G06F 21/566   Dynamic detection, i.e. det...

G06F 21/575   Secure boot

G06F 21/6218   to a system of files or obj...

G06F 2201/805   Real-time

G06F 2221/034   Test or assess a computer o...

G06F 9/4406   Loading of operating system

SYSTEMS AND METHODS FOR PROVIDING AUTOMATIC SYSTEM STOP AND BOOT-TO-SERVICE OS FOR FORENSICS ANALYSIS

First Claim

14 Assignments

0 Petitions

Accused Products

Abstract

21 Citations

20 Claims

Specification

Solutions

Use Cases

Quick Links

SYSTEMS AND METHODS FOR PROVIDING AUTOMATIC SYSTEM STOP AND BOOT-TO-SERVICE OS FOR FORENSICS ANALYSIS

First Claim

14 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

21 Citations

20 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links