Digital forensic analysis using empirical privilege profiling (EPP) for filtering collected data

US 8,458,805 B2
Filed: 05/20/2009
Issued: 06/04/2013
Est. Priority Date: 06/23/2003
Status: Active Grant

First Claim

Patent Images

1. A method comprising:

capturing empirical information relating to the exercise of privileges by a plurality of instances of a software application, the instances of the software application executing on top of a plurality of instances of a platform;

dynamically generating an application profile that describes the aggregate exercise of privileges by the plurality of instances of the software application based on the empirical information;

receiving, with a forensic device coupled to a target computing device via a communication link, input from user that identifies computer evidence to acquire from the target computing device;

acquiring the computer evidence from the target computing device with the forensic device;

filtering the computer evidence on the forensic device with the application profile; and

presenting a user interface for the forensic device through which the remote user views and analyzes, using the client device, the filtered computer evidence acquired from the target computing device.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A forensic device allows a user to remotely interrogate a target computing device in order to collect and analyze computer evidence that may be stored on the target computing device. The forensic device acquires the computer evidence from the target computing device and filters the computer evidence using an application-specific system-level privilege profile that describes the aggregate exercise of system-level privileges by a plurality of software application instances executing throughout an enterprise. The forensic device presents a user interface through which the remote user views the filtered computer evidence acquired from the target computing device. In this manner, forensic device allows the user to filter the collected computer evidence to data that is likely to have forensic relevance.

42 Citations

View as Search Results

33 Claims

1. A method comprising:
- capturing empirical information relating to the exercise of privileges by a plurality of instances of a software application, the instances of the software application executing on top of a plurality of instances of a platform;
  
  dynamically generating an application profile that describes the aggregate exercise of privileges by the plurality of instances of the software application based on the empirical information;
  
  receiving, with a forensic device coupled to a target computing device via a communication link, input from user that identifies computer evidence to acquire from the target computing device;
  
  acquiring the computer evidence from the target computing device with the forensic device;
  
  filtering the computer evidence on the forensic device with the application profile; and
  
  presenting a user interface for the forensic device through which the remote user views and analyzes, using the client device, the filtered computer evidence acquired from the target computing device.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12)
- - 2. The method of claim 1,wherein capturing the empirical information includes capturing empirical information relating to the exercise of system-level privileges by the plurality of instances of the software application executing on top of the plurality of instances of the platform, andwherein dynamically generating the application profile comprises dynamically generating in real-time the application profile that describes the aggregate exercise of system-level privileges by the plurality of instances of the software application based on the empirical information.
  - 3. The method of claim 1, wherein capturing the empirical information includes capturing one or more of contents of any file handles or other nested structures, a return status, and argument values from an invocation of a kernel reference module and a program counter of the calling one of the plurality of software application instances.
  - 4. The method of claim 1, further comprising:
    - logging the empirical information to a plurality of log files; and
      
      uploading the plurality of log files to an empirical privilege profiler (EPP) system with an upload module.
  - 5. The method of claim 4, wherein dynamically generating an application profile includes dynamically generating an application profile based on the uploaded plurality of log files with the EPP system.
  - 6. The method of claim 4, wherein uploading the plurality of log files includes:
    - determining whether the plurality of log files includes empirical information describing privileges that deviate from the corresponding application profile with the upload module; and
      
      uploading only a portion of the empirical information that describes privileges that deviate from the corresponding application profile with the upload module.
  - 7. The method of claim 1, wherein dynamically generating the application profile includes:
    - extracting privilege tuples that each describe a program point and a resource accessed by a respective one of the instances of the software application;
      
      identifying multiple privilege tuples that reference a resource using a same name and program point from at least a threshold number of different client devices; and
      
      updating the application profile to include the name of the resource.
  - 8. The method of claim 7, the threshold number of client devices is user-configurable.
  - 9. The method of claim 7,wherein extracting the privilege tuples comprises extracting the privilege tuples from the empirical information according to a description file.
  - 10. The method of claim 1, further comprising:
    - storing the application profile in the form of a filter; and
      
      installing the filter on the forensic device prior to receiving the input from the user identifying the target computing device.
  - 11. The method of claim 1, further comprising transmitting the application profile generated by the EPP system to the plurality of client devices.
  - 12. The method of claim 11, further comprising utilizing the application profile within the client device to enable one or more of detection of system intrusions, monitoring of privilege use by the plurality of instances of the software application, and facilitating development of the software application.

13. A method comprising:
- capturing empirical information relating to the exercise of privileges by a software application instance executing within a client device;
  
  logging the empirical information to a log file with a wrapper included within the client device; and
  
  generating an application profile with an empirical privilege profiler (EPP) system that describes the aggregate exercise of privileges by the software application instance;
  
  communicating the application profile to a forensic device;
  
  receiving, with the forensic device coupled to a target computing device via a communication link, input from a user that identifies computer evidence to acquire from the target computing device;
  
  acquiring the computer evidence from the target computing device with the forensic device;
  
  filtering the acquired computer evidence on the forensic device with the application profile; and
  
  presenting a user interface for the forensic device through which the remote user views and analyzes, using the client device, the filtered computer evidence acquired from the target computing device.
- View Dependent Claims (14, 15, 16, 17, 18, 19, 20)
- - 14. The method of claim 13, wherein capturing the empirical information includes capturing empirical information relating to the exercise of system-level privileges by the software application instance executing within the client devices.
  - 15. The method of claim 13, wherein capturing the empirical information includes capturing one or more of contents of any file handles or other nested structures, a return status, and argument values from an invocation of a kernel reference module and a program counter of the calling one of the plurality of software application instances.
  - 16. The method of claim 13, wherein logging the empirical information includes logging the empirical information to a log file according to extensible markup language (XML) specification with a wrapper that encases one of a Microsoft Windows digital link library (DLL) structure that references the Windows operating system kernel, a UNIX operating system kernel, and a Linux operating system kernel, an operating system from Apple Incorporated, or a Java Virtual Machine.
  - 17. The method of claim 16, wherein logging the empirical information includes logging the empirical information to the log file according to XML specifications with a wrapper that encases a Microsoft Windows digital link library (DLL) structure that references the Windows operating system kernel.
  - 18. The method of claim 16, wherein logging the empirical information includes logging the empirical information to the log file according to XML specifications with a wrapper that encases a UNIX operating system kernel reference structure.
  - 19. The method of claim 16, wherein logging the empirical information includes logging the empirical information to the log file according to XML specifications with a wrapper that encases a Linux operating system kernel reference structure.
  - 20. The method of claim 13, wherein uploading the plurality of log files includes:
    - determining whether the plurality of log files includes empirical information describing privileges that deviate from the application profile with the upload module of each of the client devices; and
      
      uploading only a portion of the empirical information that described privileges that deviate from the corresponding application profile with the upload module of each of the client devices.

21. A method comprising:
- receiving log files uploaded by a plurality of client devices, wherein log files include information relating to the exercise of privileges by a plurality of instances of a software application executing on top of a plurality of instances of a platform residing within the plurality of client devices;
  
  executing computer-implemented privilege profiling software to dynamically generate an application profile that describes the aggregate exercise of privileges by the plurality of instances of the software application based the uploaded log files; and
  
  communicating the application profile to a forensic device for filtering forensic evidence.
- View Dependent Claims (22)
- - 22. The method of claim 21, wherein dynamically generating the application profile comprises dynamically generating in real-time the application profile based on uploaded log files with the EPP system, wherein the log files record kernel calls by the plurality of instances of the software application executing on top of the plurality of instances of the platform residing within the plurality of client devices.

23. A system comprising:
- a plurality of client computing devices that capture empirical information relating to the exercise of privileges by a plurality of instances of a software application, the instances executing on top of a plurality of instances of a platform residing within the plurality of client computing devices;
  
  an empirical privilege profiler system that dynamically generates an application profile that describes the aggregate exercise of privileges by the plurality of instances of the software application based the empirical information; and
  
  a target computing device;
  
  a forensic device coupled to the target computing device via a customer network of the target computing device; and
  
  an access device executing a user interface module to present a user interface for the forensic device that is remotely accessible by the access device,wherein the forensic device acquires computer evidence from the target computing device, filters the computer evidence using the application profile generated by the empirical privilege profiler by identifying resources within the computer evidence that do not match the application profile, and presents the filtered computer evidence to the remote user for analysis via the user interface.
- View Dependent Claims (24, 25, 26, 27, 28, 29, 30, 31, 32, 33)
- - 24. The system of claim 23,wherein the plurality of client computing devices capture the empirical information by capturing empirical information relating to the exercise of system-level privileges by the plurality of instances of the software application executing on top of the plurality of instances of the platform residing within the plurality of client computing devices, andwherein the EPP system dynamically generates the application profile by dynamically generating the application profile that describes the aggregate exercise of system-level privileges by the plurality of software application instances based on the empirical information.
  - 25. The system of claim 23, wherein the forensic device presents a user interface to the remote user to allow the remote user to view and analyze the filtered computer evidence on-line.
  - 26. The system of claim 23, wherein the plurality of client computing devices capture empirical information by capturing one or more of contents of any file handles or other nested structures, a return status, and argument values from an invocation of a kernel reference module and a program counter of the calling one of the plurality of instances of the software application.
  - 27. The system of claim 23, wherein the plurality of client computing devices each comprise:
    - a wrapper that logs the empirical information to a plurality of log files; and
      
      an upload module that uploads the plurality of log files to the EPP system.
  - 28. The system of claim 27, wherein the EPP system dynamically generates the application profile by dynamically generating in real-time an application profile based on the uploaded plurality of log files uploaded to the EPP system by the upload module.
  - 29. The system of claim 27, wherein the upload module uploads the plurality of log files by:
    - determining whether the plurality of log files includes empirical information describing privileges that deviate from the corresponding application profile; and
      
      uploading only a portion of the empirical information that described privileges that deviate from the corresponding application profile.
  - 30. The system of claim 23, wherein the EPP system comprises a privilege profiler module that generates the application profile by:
    - extracting privilege tuples that each describe a program point and a resource accessed by a respective one of the instances of the software application;
      
      identifying multiple privilege tuples that reference a resource using a same name and program point from at least a threshold number of different client devices; and
      
      updating the application profile to include the name of the resource.
  - 31. The system of claim 30, wherein threshold number of client devices is user-configurable.
  - 32. The system of claim 23, wherein the EPP system maintains a database of filters, each of the filters corresponding to a different application profile generated by the EPP system.
  - 33. The system of claim 23, wherein in response to the empirical information captured by the client devices, the empirical privilege profiler maintains and continuously updates a filter database of application profiles for access by the forensic devices when needed.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Architecture Technology Corporation
Original Assignee
Architecture Technology Corporation
Inventors
Adelstein, Frank, Marceau, Carla
Primary Examiner(s)
Parthasarathy, Pramila

Application Number

US12/469,558
Publication Number

US 20090288164A1
Time in Patent Office

1,476 Days
Field of Search

None
US Class Current

726/27
CPC Class Codes

H04L 63/123 received data contents, e.g...

H04L 63/14 for detecting or protecting...

Digital forensic analysis using empirical privilege profiling (EPP) for filtering collected data

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

42 Citations

33 Claims

Specification

Solutions

Use Cases

Quick Links

Digital forensic analysis using empirical privilege profiling (EPP) for filtering collected data

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

42 Citations

33 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links