Ordering of event records in an electronic system for forensic analysis

US 8,825,848 B1
Filed: 03/20/2012
Issued: 09/02/2014
Est. Priority Date: 03/20/2012
Status: Active Grant

First Claim

Patent Images

1. A method of ordering events captured by multiple forensic agents running in an electronic system, comprising:

receiving, by a recording unit of the electronic system, multiple event records from the forensic agents, each event record including a set of timing information provided by the respective agent;

storing the event records in the recording unit in the order received;

resequencing the event records received by the recording unit based on the sets of timing information received from the forensic agents to at least partially reconstruct an order of events described in the event records across the forensic agents; and

storing the resequenced event records in the recording unit,wherein the recording unit and the forensic agents each receive periodic timestamps from a timestamp server,wherein at least one forensic agent stores an event in a vector clock that records receipt of at least one of the timestamps from the timestamp server, the vector clock established among the forensic agents, andwherein resequencing the event records received by the recording unit includes correcting for timing errors in the event records based on differences between timestamps reported in the vector clock and timestamps received by the recording unit.

View all claims

9 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

An improved technique for logging events in an electronic system for forensic analysis includes receiving event records by a recording unit from different forensic agents of the electronic system and applying timing information included within the event records to resequence the event records in the recording unit in a more accurate order. In some examples, the timing information includes a vector clock established among the agents of the electronic system for storing sequences of events. The vector clock provides sequence information about particular events occurring among the forensic agents, which is applied to correct the order of reported event records. In other examples, the timing information includes timestamps published to the agents from a common timestamp server. In yet other examples, the timing information includes timestamps of the devices on which the agents are running, or any combination of the foregoing examples of timing information.

269 Citations

20 Claims

1. A method of ordering events captured by multiple forensic agents running in an electronic system, comprising:
- receiving, by a recording unit of the electronic system, multiple event records from the forensic agents, each event record including a set of timing information provided by the respective agent;
  
  storing the event records in the recording unit in the order received;
  
  resequencing the event records received by the recording unit based on the sets of timing information received from the forensic agents to at least partially reconstruct an order of events described in the event records across the forensic agents; and
  
  storing the resequenced event records in the recording unit,wherein the recording unit and the forensic agents each receive periodic timestamps from a timestamp server,wherein at least one forensic agent stores an event in a vector clock that records receipt of at least one of the timestamps from the timestamp server, the vector clock established among the forensic agents, andwherein resequencing the event records received by the recording unit includes correcting for timing errors in the event records based on differences between timestamps reported in the vector clock and timestamps received by the recording unit.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 20)
- - 2. The method of claim 1, wherein the multiple forensic agents include at least one network agent that monitors network activity of the electronic system and at least one storage agent that monitors storage activity of the electronic system.
  - 3. The method of claim 2, wherein resequencing the event records includes reordering event records received from a network agent relative to event records received from a storage agent.
  - 4. The method of claim 2, wherein the sets of timing information included in the event records received from the forensic agents include the vector clock established among the forensic agents.
  - 5. The method of claim 4, wherein resequencing the event records received by the recording unit includes applying the vector clock received from the forensic agents to correct for timing errors in reporting event records to the recording unit.
  - 6. The method of claim 5, wherein applying the vector clock received from the forensic agents to correct for timing errors includes comparing events in the vector clock with at least one timestamp received by the storage unit.
  - 7. The method of claim 4, wherein vector clock information is received by the recording unit in the timing information provided with event records from different forensic agents, the vector clock information for each such record entry including a multi-element clock maintained by the forensic agent from which the record entry is received, the multi-element clock including a logical clock of the forensic agent as well as the logical clock of at least one other forensic agent.
  - 8. The method of claim 2, wherein the set of timing information received with an event record includes a local device time of a device of the electronic system on which the forensic agent that produces the event record is running.
  - 9. The method of claim 8, further comprising the recording unit applying the most recent timestamp received from the timestamp server to each event record received by the recording unit at the time the recording unit receives the event record.
  - 10. The method of claim 9, further comprising the recording unit receiving timestamps pushed to the recording unit from the timestamp server and the recording unit pulling timestamps from the timestamp server by issuing requests for timestamps to the timestamp server.
  - 11. The method of claim 9, wherein the sets of timing information received by the recording unit from the forensic agents include the most recent timestamps received from the timestamp server by the respective forensic agents.
  - 12. The method of claim 2, wherein resequencing the event records includes creating at least one intermediate table for storing intermediate resequencing results of the event records received.
  - 13. The method of claim 12, wherein at least one sorting operation includes correcting for a time offset between event records from a first of the forensic agents having a first set of timestamps and event records from a second of the forensic agents having a second set of timestamps.
  - 14. The method of claim 2, wherein storing the resequenced event records includes providing the event records in the form of parameter-value pairs, wherein the values of the parameter-value pairs form indices for NoSQL database queries.
  - 20. The method of claim 1, further comprising performing a forensic analysis on the resequenced event records stored in the recording unit.

15. An apparatus for ordering events captured by multiple forensic agents running on an electronic system, comprising:
- a set of processors;
  
  memory, coupled to the set of processors, the memory constructed and arranged to store instructions executable by the set of processors; and
  
  a recording unit coupled to the memory and the set of processors,wherein the set of processors executing instructions from the memory forms a specialized circuit constructed and arranged to;
  
  receive, by a recording unit of the electronic system, multiple event records from the forensic agents, each event record including a set of timing information provided by the respective agent;
  
  store the event records in the recording unit in the order received;
  
  resequence the event records received by the recording unit based on the sets of timing information received from the forensic agents to at least partially reconstruct an order of events described in the event records across the forensic agents; and
  
  store the resequenced event records in the recording unit,wherein the specialized circuit is further constructed and arranged to cause the recording unit and the forensic agents each to receive periodic timestamps from a timestamp server,wherein the specialized circuit is further constructed and arranged to cause at least one forensic agent to store an event in a vector clock that records receipt of at least one of the timestamps from the timestamp server, the vector clock established among the forensic agents, andwherein, when resequencing the event records received by the recording unit, the specialized circuitry is constructed and arranged to correct for timing errors in the event records based on differences between timestamps reported in the vector clock and timestamps received by the recording unit.
- View Dependent Claims (16, 17)
- - 16. The apparatus of claim 15, wherein the sets of timing information included in the event records received from the forensic agents include the vector clock established among the forensic agents.
  - 17. The apparatus of claim 15, wherein, when the specialized circuit is configured to resequence the event records received by the recording unit, the specialized circuit is further configured to correct for timing errors in event records by comparing events in the vector clock with at least one timestamp received by the storage unit.

18. A non-transitory computer readable medium including instructions which, when executed by a set of processors, cause the set of processors to perform a method for ordering events captured by multiple forensic agents running in an electronic system, the method comprising:
- receiving, by a recording unit of the electronic system, multiple event records from the forensic agents, each event record including a set of timing information provided by the respective agent;
  
  storing the event records in the recording unit in the order received;
  
  resequencing the event records received by the recording unit based on the sets of timing information received from the forensic agents to at least partially reconstruct an order of events described in the event records across the forensic agents; and
  
  storing the resequenced event records in the recording unit,wherein the recording unit and the forensic agents each receive periodic timestamps from a timestamp server,wherein at least one forensic agent stores an event in a vector clock that records receipt of at least one of the timestamps from the timestamp server, the vector clock established among the forensic agents, andwherein resequencing the event records received by the recording unit includes correcting for timing errors in the event records based on differences between timestamps reported in the vector clock and timestamps received by the recording unit.
- View Dependent Claims (19)
- - 19. The non-transitory computer readable medium of claim 18, wherein the sets of timing information included in the event records received from the forensic agents include the vector clock established among the forensic agents.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Emc IP Holding Company LLC (Dell Technologies Inc.)
Original Assignee
EMC Corporation (Dell Technologies Inc.)
Inventors
Dotan, Yedidya, Natanzon, Assaf, Friedman, Lawrence N.
Primary Examiner(s)
Ashraf, Waseem

Application Number

US13/424,955
Time in Patent Office

896 Days
Field of Search

709/224, 709/223
US Class Current

709/224
CPC Class Codes

G06F 11/3476   Data logging G06F11/14, G06...

G06F 11/3495   for systems

G06F 16/1734   Details of monitoring file ...

G06F 21/577   Assessing vulnerabilities a...

G06F 2201/86   Event-based monitoring

H04L 63/1425   Traffic logging, e.g. anoma...

Ordering of event records in an electronic system for forensic analysis

First Claim

9 Assignments

0 Petitions

Accused Products

Abstract

269 Citations

20 Claims

Specification

Solutions

Use Cases

Quick Links

Ordering of event records in an electronic system for forensic analysis

First Claim

9 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

269 Citations

20 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links