Forensic instance snapshotting

US 9,524,389 B1
Filed: 06/08/2015
Issued: 12/20/2016
Est. Priority Date: 06/08/2015
Status: Active Grant

First Claim

Patent Images

1. A computer-implemented method, comprising:

under the control of one or more computer systems that execute instructions,configuring an event trigger for causing, upon occurrence of a predetermined event, a set of local changes made to a virtual machine of a plurality of virtual machines in a distributed computing environment to be captured, each virtual machine of the plurality of virtual machines having virtual memory and access to storage; and

for each virtual machine of the plurality of virtual machines;

running the virtual machine, wherein the virtual machine is instantiated at least in part from a base software image and in isolation from one or more networks;

obtaining a first snapshot of the virtual machine, the first snapshot including states of the virtual memory and the storage at a first time;

determining a set of differences between the first snapshot and a base snapshot;

connecting the virtual machine to the one or more networks; and

as a result of the occurrence of the predetermined event triggering the event trigger;

obtaining a second snapshot of the virtual machine, the second snapshot including states of the virtual memory and the storage at a second time;

deriving a derived first snapshot based at least in part on the base snapshot and the set of differences;

determining the set of local changes based at least in part on differences between the second snapshot and the derived first snapshot; and

storing the set of local changes in persistent storage; and

terminating the virtual machine.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A system and method for capturing forensic snapshots of virtual machines prior to terminating the virtual machine, the system and method including obtaining a configuration that specifies an event and running a virtual machine in accordance with the configuration. Upon detection of an occurrence of the specified event, the system and method further includes determining a state of the virtual machine, storing information based at least in part on the determined state of the virtual machine, the information usable at least in part to recreate the state of the virtual machine, terminating the virtual machine, and running another virtual machine in accordance with the configuration.

89 Citations

View as Search Results

23 Claims

1. A computer-implemented method, comprising:
- under the control of one or more computer systems that execute instructions,configuring an event trigger for causing, upon occurrence of a predetermined event, a set of local changes made to a virtual machine of a plurality of virtual machines in a distributed computing environment to be captured, each virtual machine of the plurality of virtual machines having virtual memory and access to storage; and
  
  for each virtual machine of the plurality of virtual machines;
  
  running the virtual machine, wherein the virtual machine is instantiated at least in part from a base software image and in isolation from one or more networks;
  
  obtaining a first snapshot of the virtual machine, the first snapshot including states of the virtual memory and the storage at a first time;
  
  determining a set of differences between the first snapshot and a base snapshot;
  
  connecting the virtual machine to the one or more networks; and
  
  as a result of the occurrence of the predetermined event triggering the event trigger;
  
  obtaining a second snapshot of the virtual machine, the second snapshot including states of the virtual memory and the storage at a second time;
  
  deriving a derived first snapshot based at least in part on the base snapshot and the set of differences;
  
  determining the set of local changes based at least in part on differences between the second snapshot and the derived first snapshot; and
  
  storing the set of local changes in persistent storage; and
  
  terminating the virtual machine.
- View Dependent Claims (2, 3, 4)
- - 2. The computer-implemented method of claim 1, wherein an application programming interface is provided by a computing resource service provider hosting the plurality of virtual machines through which an administrator of the plurality of virtual machines can specify the predetermined event and specify that the set of local changes are to be captured upon the occurrence of the predetermined event.
  - 3. The computer-implemented method of claim 1, wherein:
    - the predetermined event is receiving an instruction to terminate the virtual machine from an entity external to the virtual machine; and
      
      the entity is unable to prevent the set of local changes from being stored and is unable to erase the set of local changes from the persistent storage.
  - 4. The computer-implemented method of claim 1, the method further comprising, as the result of the occurrence of the predetermined event:
    - isolating the virtual machine from a network; and
      
      in parallel with terminating the virtual machine, launching a third virtual machine.

5. A system, comprising:
- one or more processors; and
  
  memory including instructions that, as a result of execution by the one or more processors, cause the system to;
  
  launch one or more virtual machines that are associated with a configuration specifying that an occurrence of a predetermined event is to cause a virtual machine of the one or more virtual machines to stop running;
  
  for each of the one or more virtual machines;
  
  instantiate the virtual machine in isolation from a network;
  
  obtain an initial state of the virtual machine;
  
  determine a set of differences between the initial state and a baseline state;
  
  connect the virtual machine to the network; and
  
  determine whether the predetermined event has occurred; and
  
  upon determining that the predetermined event has occurred, for the virtual machine;
  
  obtain a current state of the virtual machine;
  
  derive, based at least in part on the baseline state and the set of differences, a derived initial state;
  
  without storing the current state, store a set of local changes between the current state and the derived initial state of the virtual machine into persistent storage;
  
  de-provision the virtual machine; and
  
  launch a new virtual machine having a configuration specifying that the new virtual machine is to stop running after another occurrence of the predetermined event.
- View Dependent Claims (6, 7, 8, 9, 10, 11, 12)
- - 6. The system of claim 5, wherein the predetermined event is that a predetermined amount of time has elapsed since the virtual machine was launched.
  - 7. The system of claim 5, wherein the predetermined event is detecting an instruction to terminate the virtual machine from an entity other than a scaling service.
  - 8. The system of claim 5, wherein the set of local changes includes one or more of a set of changes to local memory of the virtual machine or a set of changes to block-level storage allocated to the virtual machine.
  - 9. The system of claim 5, wherein the instructions further include instructions that, upon the determination that the predetermined event has occurred, cause the system to:
    - isolate the virtual machine from a network; and
      
      store the set of local changes in persistent storage and deprovision the virtual machine in parallel with launching the new virtual machine.
  - 10. The system of claim 5, wherein the instructions that cause the system to store the set of local changes, further include instructions that cause the system to instruct a storage service to store the set of local changes in persistent storage with an indication of an expiration date for the set of local changes.
  - 11. The system of claim 5, wherein:
    - the one or more virtual machines are members of a virtual private network in a distributed computing environment; and
      
      being configured to store the set of local changes upon the occurrence of the predetermined event is prerequisite for the virtual machine joining the virtual private network.
  - 12. The system of claim 5, wherein the one or more virtual machines are configurable, by an entity authorized to administrate the one or more virtual machines, through an application programming interface to store the set of local changes upon an occurrence of the predetermined event.

13. A non-transitory computer-readable storage medium having stored thereon executable instructions that, as a result of execution by one or more processors of a computer system of a computing resource service provider, cause the computer system to at least:
- obtain a configuration that specifies a set of events;
  
  run a virtual machine under a virtualization layer of the computer system in accordance with the configuration, the virtual machine instantiated in isolation from a network;
  
  obtain an initial state of the virtual machine;
  
  determine a set of differences between the initial state and a baseline state;
  
  connect the virtual machine to the network; and
  
  upon detection of an occurrence of an event of the set of events;
  
  determine a current state of the virtual machine;
  
  determine, based at least in part on the current state, the baseline state, and the set of differences, a set of changes between the current state and the initial state, the set of changes usable at least in part to recreate the current state of the virtual machine;
  
  store the set of changes, resulting in a stored set of changes;
  
  terminate the virtual machine; and
  
  instantiate another virtual machine in accordance with the configuration.
- View Dependent Claims (14, 15, 16, 17, 18, 19, 20, 21, 22, 23)
- - 14. The non-transitory computer-readable storage medium of claim 13, wherein:
    - the event is receiving an instruction from an entity external to the virtual machine to terminate the virtual machine; and
      
      the entity is unable to prevent the set of changes from being stored and is unable to erase the stored set of changes.
  - 15. The non-transitory computer-readable storage medium of claim 13, wherein the event is an attempt to circumvent one or more of:
    - the detection of the occurrence of the event,determination of the current state of the virtual machine, orstorage of the set of changes.
  - 16. The non-transitory computer-readable storage medium of claim 13, wherein the detection of the occurrence of the event is performed according to the configuration by an entity that is external to the virtual machine.
  - 17. The non-transitory computer-readable storage medium of claim 13, wherein the event is that a predetermined amount of time has elapsed since the virtual machine was launched.
  - 18. The non-transitory computer-readable storage medium of claim 13, wherein the event is an instruction from a scaling service to terminate the virtual machine.
  - 19. The non-transitory computer-readable storage medium of claim 13, wherein the stored set of changes is retained for a minimum amount of time, the minimum amount of time specified in a request to store the set of changes.
  - 20. The non-transitory computer-readable storage medium of claim 13, wherein:
    - the virtual machine is a member of a group of virtual machines;
      
      the group is configured such that one or more virtual machines are added to or removed from the group as a result of fulfillment of a corresponding condition; and
      
      the occurrence of the event is the fulfillment of a condition that corresponds to removal of the virtual machine from the group.
  - 21. The non-transitory computer-readable storage medium of claim 13, wherein the executable instructions further include executable instructions that, upon detection of the occurrence of the event, cause the computer system to remove the virtual machine from communication with a load balancer prior to determining the current state.
  - 22. The non-transitory computer-readable storage medium of claim 13, wherein the executable instructions further include executable instructions that, upon detection of the occurrence of the event, cause the computer system to block the virtual machine from one or more networks prior to determining the current state.
  - 23. The non-transitory computer-readable storage medium of claim 13, wherein the executable instructions include executable instructions that cause the computer system to provide an application programming interface through which an entity can specify that the set of changes are to be stored upon the occurrence of the event.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Amazon Technologies, Inc. (Amazon.com, Inc.)
Original Assignee
Amazon Technologies, Inc. (Amazon.com, Inc.)
Inventors
Roth, Gregory Branchek
Primary Examiner(s)
Nguyen, Phillip H

Application Number

US14/733,748
Time in Patent Office

561 Days
Field of Search

718/100, 718/1
US Class Current

1/1
CPC Class Codes

G06F 11/1451   by selection of backup cont...

G06F 2009/45575   Starting, stopping, suspend...

G06F 2009/45587   Isolation or security of vi...

G06F 21/53   by executing in a restricte...

G06F 21/554   involving event detection a...

G06F 2201/815   Virtual middleware or OS fu...

G06F 2221/034   Test or assess a computer o...

G06F 9/45533   Hypervisors; Virtual machin...

G06F 9/45558   Hypervisor-specific managem...

G06F 9/4843   by program, e.g. task dispa...

Forensic instance snapshotting

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

89 Citations

23 Claims

Specification

Solutions

Use Cases

Quick Links

Forensic instance snapshotting

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

89 Citations

23 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links