WO2014105960A1 - Timeline wrinkling system and method - Google Patents

Timeline wrinkling system and method Download PDF

Info

Publication number
WO2014105960A1
WO2014105960A1 PCT/US2013/077822 US2013077822W WO2014105960A1 WO 2014105960 A1 WO2014105960 A1 WO 2014105960A1 US 2013077822 W US2013077822 W US 2013077822W WO 2014105960 A1 WO2014105960 A1 WO 2014105960A1
Authority
WO
WIPO (PCT)
Prior art keywords
timeline
event data
wrinkle
timestamp
primary
Prior art date
Application number
PCT/US2013/077822
Other languages
French (fr)
Inventor
David Ross
Original Assignee
Mandiant Corporation
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Mandiant Corporation filed Critical Mandiant Corporation
Priority to EP13867490.8A priority Critical patent/EP2939167A4/en
Publication of WO2014105960A1 publication Critical patent/WO2014105960A1/en

Links

Classifications

    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F16/00Information retrieval; Database structures therefor; File system structures therefor
    • G06F16/90Details of database functions independent of the retrieved data types
    • G06F16/95Retrieval from the web
    • G06F16/957Browsing optimisation, e.g. caching or content distillation
    • G06F16/9577Optimising the visualization of content, e.g. distillation of HTML documents

Definitions

  • the present inventive concept pertains to a system and method of conducting a forensic investigation on a computer system following an incident.
  • the present inventive concept more particularly concerns an improved system and method for organizing and manipulating recorded event data and generating a wrinkle timeline report for display to computer forensics investigators.
  • Various technologies may be employed to aid in the processing and organizing of data, including search technologies, software that copies the entire contents of the hard drive in a computer system, and software that allows an analyst to review its contents and categorize it based on their observations.
  • Certain of the data stored in computer memory that may be of interest to forensic investigators may be found in log files or timelines, that is, files that contain records of the activities of a computer system as lists of data entries specifying, without limitation, the date/time of events occurring in or in connection with the computer system along with each associated event source (an event source may be a software program which is modified in the computer system thus giving rise to a data entry, such as a timestamp, showing the date/time of the modification and the name of the program).
  • This sort of log file or timeline analysis may be conducted to determine how a computer system has changed over time. This is helpful in finding indicators of a security breach or determining exactly what has changed when a security breach has occurred so that the changes may be corrected. For example, during a computer security incident, looking at file modification dates in line with the dates and times for various system log entries can help create a picture of the activity an attacker may have engaged in while on a system. Existing methods of examining such data are slow and cumbersome, with the majority relying on finding a particular log entry and "walking" forward and backward in the log file or timeline looking for other entries that might be relevant.
  • the present application describes a method and system for organizing and manipulating recorded event data and generating a wrinkle timeline report for display to and use by computer forensics investigators.
  • data can be organized and presented following an event by identifying a primary timeline containing event data including a first timestamp, choosing a radius for the first timestamp, searching for other event data within the radius of the first timestamp, and/or generating a wrinkle timeline incorporating at least a portion of or all event data, e.g., identified event data.
  • the first timestamp may, in certain embodiments, be identified and used because of its association with a first item that is of interest to the investigator. For example, if the item "install.exe” is of interest to an investigator, he may choose event data for an "AccessQ" event of "install.exe” logged at a certain date and time as the first timestamp.
  • the first timestamp may, in certain embodiments, be identified via a search using parameters corresponding with one or more desired characteristics of the event data.
  • An example of a characteristic includes but is not limited to a type of timestamp and/or a type of item.
  • Event data means data associated with an event, e.g., a primary timeline entry for an event recorded by a computer system, a date/time for the event, and/or the like.
  • An “item” as used herein refers to an event source for which event data is stored. For example, if running, accessing, or initializing "install.exe” causes timestamp event data to be recorded and stored, then “install.exe” is considered to be an “item.”
  • Each item may have several different types of event data, such as one or more different timestamps associated with it in a primary timeline.
  • a “primary timeline” is a graphical representation of event data, such as that extracted from one or more computer log files, external memory device(s), and/or other like sources configured to contain, store, and/or track data.
  • An “association” as used herein refers to an identifiable relationship or connection. For example, a relationship between an item and a date/time data entry can typically be identified from an event data describing both. Using such a date/time, an investigator is able to make determinations regarding, for example, when one or more items were accessed, used, modified, and/or otherwise manipulated.
  • the radius is preferably defined in minutes, thus the investigator may search the primary timeline for event data having time fields within a predetermined number of minutes of the first timestamp, e.g., within any number of minutes. It is foreseen that the radius may be determined using any type and/or combination of measurable units without deviating from the scope of the present inventive concept, e.g., seconds, minutes, hours, days, weeks, months, years, decades, and/or centuries.
  • the event data incorporated into the wrinkle timeline might include a second timestamp identified in the search step of the method, a second item associated with the second timestamp, and/or additional event data associated with the second item.
  • the second timestamp may be identified using one or more characteristics selected by default settings of a computing device involved in performance of one or more steps of the method, or may be manually selected by a user; the selected characteristics may include a type of timestamp (e.g., Accessed, Modified, Deleted, Compile Time), a type of item associated with a timestamp (e.g., a type of item, such as a process or program), or other characteristics of the timestamp and/or associated item.
  • a type of timestamp e.g., Accessed, Modified, Deleted, Compile Time
  • a type of item associated with a timestamp e.g., a type of item, such as a process or program
  • the method may further include the step of determining whether event data to be incorporated into the wrinkle timeline is already in the wrinkle timeline, to avoid duplicative entry of event data into the wrinkle timeline.
  • a wrinkle timeline may also be structured or formatted so as to incorporate substantially similar settings of a primary timeline on which it is based, or of another timeline. These settings may include visual styling (such as highlighting item(s) of a specific type) or filters (such as those that omit items where certain criteria are or are not satisfied). These settings may be incorporated into the wrinkle timeline so that some or most of its characteristics (such as functionality, data population, display characteristics, etc.) resemble those of the primary timeline.
  • An investigator in certain embodiments may select event data from the primary timeline to incorporate into the wrinkle timeline, and/or select event data in the wrinkle timeline to remove or emphasize.
  • the event data of a wrinkle timeline may also be indexed for ease of reference and search. Such an index may be structured substantially similarly to an index maintained in relation to a primary timeline on which it is based, or to another timeline. This may help the event data of the wrinkle timeline behave in a similar fashion as if it were in the primary timeline.
  • the index may, for example, be structured around individual timestamps or content-specific features of items in the wrinkled timeline such as event log item event codes.
  • event data of the primary timeline will be extracted from an external device.
  • an investigator may define a certain timeframe in which data is desired for examination and request that data from an external device. Returned data may be incorporated into the primary timeline for examination and use in generating a wrinkle timeline.
  • the wrinkle timeline may include the first timestamp and/or the first item, and the method may further include the step of marking or visually emphasizing the first timestamp and/or first item to a viewer to assist the viewer in realizing relationships with other event data in the wrinkle timeline.
  • event data of the primary timeline which is not incorporated into the wrinkle timeline may nonetheless be represented by a visual marking indicating to the investigator that such event data has been removed or was never incorporated from the primary timeline.
  • an investigator may rely on the wrinkle timeline to build yet another, second, wrinkle timeline using substantially the same techniques used to build the first. While the process may be iterative, and thus perhaps conceptualized similarly to a series of filters in which event data filtered out when creating the first wrinkle timeline would not be available or considered for building the second wrinkle timeline, an investigator may elect to pull event data from the primary timeline or other timelines, along with the first wrinkle timeline, for purposes of constructing the second wrinkle timeline.
  • FIG. 1 is a flow chart depicting processing steps of an aspect of the present inventive concept to identify event data along a primary timeline
  • FIG. 2 is a screen shot depicting event data of a primary timeline identified using the present inventive concept.
  • FIG. 3 is a screen shot depicting selection of several timestamps and associated radii using the present inventive concept.
  • references to "one embodiment,” “an embodiment,” or “embodiments” mean that the feature or features being referred to are included in at least one aspect of the present inventive concept.
  • references to "one embodiment,” “an embodiment,” or “embodiments” in this description do not necessarily refer to the same embodiment and are also not mutually exclusive unless so stated and/or except as will be readily apparent to those skilled in the art from the description.
  • a feature, structure, act, etc. described in one embodiment may also be included in other embodiments, but is not necessarily included.
  • the present inventive concept can include a variety of combinations and/or integrations of the embodiments described herein.
  • the software configured to execute various steps or operations of the present inventive concept may reside on many different hardware configurations which would be known to one skilled in the art.
  • the present application describes a method for organizing, analyzing and displaying event data. Data can be organized and presented according to embodiments of the present inventive concept following an event by identifying a primary timeline containing event data including a first timestamp, choosing a radius for the first timestamp, searching for a subset of event data within the radius of the first timestamp, and/or generating a wrinkle timeline incorporating at least a portion or all of the event data.
  • FIG. 1 steps for generating and displaying a first wrinkle timeline via the present inventive concept are illustrated.
  • the same or at least substantially similar steps may be repeated by the present inventive concept to generate additional wrinkle timelines, e.g., a second wrinkle timeline, from event data of the first wrinkle timeline.
  • a "Source Item,” is selected by a user or investigator from the event data of the Primary Timeline in step 100.
  • the Source Item may be selected by the investigator using one or more computer systems.
  • the shell for the Wrinkle Timeline is then created in step 120.
  • the shell may be created using duplicate settings from the Primary Timeline, but may not initially contain any event data.
  • the duplicate settings may be at least partially or entirely based on data that has been previously stored in a database or memory in communication with and accessibly to the investigator via at least one of the one or more computer systems.
  • Timestamps, including a first timestamp, of the Source Item are then extracted or identified in step 130, at which point the investigator is presented with the option of setting or selecting a radius or radii for each timestamp by inputting such into the computer system in step 140, which will be further discussed with respect to FIG. 3 hereafter. Then, for each item in the Primary Timeline and for each timestamp associated with each item, steps 140, 150, and 160 are executed via the computer system, which allow the investigator to search for timestamp event data and populate the timeline with such timestamp event data.
  • the event data is analyzed to determine if the event data is within one or more of the selected radii and, if so, compared with other similar timestamps, e.g., based on type of timestamp. Any of the event data that is outside all of the selected radii is separately grouped together, e.g., should the investigator elect to conduct any further analysis on the separate group. If the event data is within one or more of the radii, characteristics of such event data, such as item IDs and timestamps, are compared against event data already populating the Wrinkle Timeline in step 150. If such event data is not already in the Wrinkle Timeline, it is inserted into the Wrinkle Timeline in step 160.
  • the event data that fell within the radii are associated with various items, and those items are themselves associated with other event data having time field entries that may fall outside of the radii but nonetheless be relevant, e.g., the separately- grouped event data
  • an investigator may also insert such separately-grouped event data of any items deemed to be relevant into the Wrinkle Timeline via the computer system.
  • the event data in the Wrinkle Timeline may be indexed according to various schema, e.g., predetermined schema selected by the Investigator.
  • the index is structured similarly to the index for the Primary Timeline.
  • a wrinkle timeline may be modifiable to mark or visually or aurally emphasize the first item (the Source Item in FIG. 1 ) or first timestamp to aid the investigator in identifying or realizing relationships with other event data in the wrinkle timeline.
  • Event data of the primary timeline that is not incorporated into the wrinkle timeline may be marked or visually accounted for in the wrinkle timeline so that the investigator is aware of those gaps.
  • the investigator may rely on the results of the search method in creating a wrinkle timeline, whether by selecting settings for what event data is included in the wrinkle timeline or allowing default settings to do so, and may also manually select event data to exclude or include in the data set incorporated into the wrinkle timeline, or may manually select data in the wrinkle time for exclusion therefrom.
  • event data of a primary timeline of the present inventive concept is depicted.
  • Drop down menus depicted in FIG. 2 allow for selection of a timeframe by the investigator in which the event data must fall in order to be included in the primary timeline.
  • the investigator may also select certain types of event data to be included in the primary timeline. Alternatively, some or all of these settings may be used while selecting a first timestamp or first item, but may then be relaxed or disengaged when the search step of the method is reached so that a more comprehensive set of event data may be searched by the investigator using the computer system.
  • FIG. 3 a first item (“install.exe”) is depicted with a set of associated timestamps of different types, one of which may be considered the first timestamp. Also depicted are drop down menus allowing the investigator to select a value for a radius for each timestamp. For illustrative purposes, he radii drop down menus of FIG. 3 are measured in minutes. As discussed herein, however, the radii is not limited to such. Generally, during a search for timestamps within, for example, a five minute radius of the first timestamp of the first item, the investigator will look for other event data, such as other timestamps, associated with Date/Time time field entries five minutes before or after the first timestamp.
  • the investigator may perform the present inventive concept using an agent in certain embodiments.
  • An agent is a module of software installed on a target system that enables a user to monitor and interact with the target system. Agents allow users to gather information about multiple aspects of the target system. Agents also permit users to remotely retrieve the contents of the target system's memory or hard drive, and could potentially be configured to modify its contents.
  • the agent may be configured to either communicate over a computer network, or to read and write all relevant configuration information and acquired data to a computer storage medium, such as a hard drive or removable read/write media (USB key, etc).
  • the agent is built in a modular fashion. The ability to gather a particular piece of data from a target system (e.g. a list of running processes on the target system or a primary timeline) is implemented as a discrete module of software and loaded by the agent. This allows for easy adaptation of the agent to different environments that have specific requirements for data collection.
  • a software module may reside in RAM memory, flash memory, ROM memory, EPROM memory, EEPROM memory, registers, hard disk, a removable disk, a CD-ROM, or any other form of storage medium known in the art.

Landscapes

  • Engineering & Computer Science (AREA)
  • Databases & Information Systems (AREA)
  • Theoretical Computer Science (AREA)
  • Data Mining & Analysis (AREA)
  • Physics & Mathematics (AREA)
  • General Engineering & Computer Science (AREA)
  • General Physics & Mathematics (AREA)
  • Information Retrieval, Db Structures And Fs Structures Therefor (AREA)
  • User Interface Of Digital Computer (AREA)

Abstract

A method for organizing event data by identifying a primary timeline containing event data, extracting a first timestamp from a first item of the primary timeline, setting a radius around the first timestamp, identifying a second timestamp within the radius, determining whether the second timestamp is already in a wrinkle timeline, and, if not, incorporating the second timestamp into the wrinkle timeline. Event data associated with the first item may be marked and emphasized in the wrinkle timeline. The system may also create one or more indexes of the event data.

Description

TITLE
TIMELINE WRINKLING SYSTEM AND METHOD CROSS-REFERENCE TO RELATED APPLICATION
[0001] This Patent Application claims priority to U.S. Patent Application Serial Number 61/746,019 filed December 26, 2012, and titled Timeline Wrinkling, the entire contents of which is incorporated herein by reference in its entirety.
BACKGROUND
[0002] 1. Field
[0003] The present inventive concept pertains to a system and method of conducting a forensic investigation on a computer system following an incident. The present inventive concept more particularly concerns an improved system and method for organizing and manipulating recorded event data and generating a wrinkle timeline report for display to computer forensics investigators.
[0004] 2. Discussion of Related Art
[0005] As more businesses and governmental entities increasingly rely on computer networks to conduct their operations and store relevant data, security of these networks has become increasingly important. The need for increased security is emphasized when these networks are connected to non-secure networks such as the Internet. The preservation of important data and the ability to retrieve and analyze the data in the aftermath of a security breach or incident has become a major focus of forensic investigators.
[0006] Various technologies may be employed to aid in the processing and organizing of data, including search technologies, software that copies the entire contents of the hard drive in a computer system, and software that allows an analyst to review its contents and categorize it based on their observations. Certain of the data stored in computer memory that may be of interest to forensic investigators may be found in log files or timelines, that is, files that contain records of the activities of a computer system as lists of data entries specifying, without limitation, the date/time of events occurring in or in connection with the computer system along with each associated event source (an event source may be a software program which is modified in the computer system thus giving rise to a data entry, such as a timestamp, showing the date/time of the modification and the name of the program). [0007] This sort of log file or timeline analysis may be conducted to determine how a computer system has changed over time. This is helpful in finding indicators of a security breach or determining exactly what has changed when a security breach has occurred so that the changes may be corrected. For example, during a computer security incident, looking at file modification dates in line with the dates and times for various system log entries can help create a picture of the activity an attacker may have engaged in while on a system. Existing methods of examining such data are slow and cumbersome, with the majority relying on finding a particular log entry and "walking" forward and backward in the log file or timeline looking for other entries that might be relevant.
[0008] Thus there exists a need for additional technologies to analyze and manipulate event data and display same in a fashion that increases efficiency of investigation, controls costs and reduces time spent on analysis.
SUMMARY
[0009] In response to aforementioned needs, the present application describes a method and system for organizing and manipulating recorded event data and generating a wrinkle timeline report for display to and use by computer forensics investigators.
[0010] In accordance with an aspect of the present inventive concept, data can be organized and presented following an event by identifying a primary timeline containing event data including a first timestamp, choosing a radius for the first timestamp, searching for other event data within the radius of the first timestamp, and/or generating a wrinkle timeline incorporating at least a portion of or all event data, e.g., identified event data.
[0011] The first timestamp may, in certain embodiments, be identified and used because of its association with a first item that is of interest to the investigator. For example, if the item "install.exe" is of interest to an investigator, he may choose event data for an "AccessQ" event of "install.exe" logged at a certain date and time as the first timestamp. The first timestamp may, in certain embodiments, be identified via a search using parameters corresponding with one or more desired characteristics of the event data. An example of a characteristic includes but is not limited to a type of timestamp and/or a type of item.
[0012] "Event data" as used herein means data associated with an event, e.g., a primary timeline entry for an event recorded by a computer system, a date/time for the event, and/or the like. An "item" as used herein refers to an event source for which event data is stored. For example, if running, accessing, or initializing "install.exe" causes timestamp event data to be recorded and stored, then "install.exe" is considered to be an "item." Each item may have several different types of event data, such as one or more different timestamps associated with it in a primary timeline. A "primary timeline" is a graphical representation of event data, such as that extracted from one or more computer log files, external memory device(s), and/or other like sources configured to contain, store, and/or track data. An "association" as used herein refers to an identifiable relationship or connection. For example, a relationship between an item and a date/time data entry can typically be identified from an event data describing both. Using such a date/time, an investigator is able to make determinations regarding, for example, when one or more items were accessed, used, modified, and/or otherwise manipulated.
[0013] The radius is preferably defined in minutes, thus the investigator may search the primary timeline for event data having time fields within a predetermined number of minutes of the first timestamp, e.g., within any number of minutes. It is foreseen that the radius may be determined using any type and/or combination of measurable units without deviating from the scope of the present inventive concept, e.g., seconds, minutes, hours, days, weeks, months, years, decades, and/or centuries.
[0014] Further, the event data incorporated into the wrinkle timeline might include a second timestamp identified in the search step of the method, a second item associated with the second timestamp, and/or additional event data associated with the second item. The second timestamp may be identified using one or more characteristics selected by default settings of a computing device involved in performance of one or more steps of the method, or may be manually selected by a user; the selected characteristics may include a type of timestamp (e.g., Accessed, Modified, Deleted, Compile Time), a type of item associated with a timestamp (e.g., a type of item, such as a process or program), or other characteristics of the timestamp and/or associated item. The method may further include the step of determining whether event data to be incorporated into the wrinkle timeline is already in the wrinkle timeline, to avoid duplicative entry of event data into the wrinkle timeline. A wrinkle timeline may also be structured or formatted so as to incorporate substantially similar settings of a primary timeline on which it is based, or of another timeline. These settings may include visual styling (such as highlighting item(s) of a specific type) or filters (such as those that omit items where certain criteria are or are not satisfied). These settings may be incorporated into the wrinkle timeline so that some or most of its characteristics (such as functionality, data population, display characteristics, etc.) resemble those of the primary timeline. An investigator in certain embodiments may select event data from the primary timeline to incorporate into the wrinkle timeline, and/or select event data in the wrinkle timeline to remove or emphasize. [0015] The event data of a wrinkle timeline may also be indexed for ease of reference and search. Such an index may be structured substantially similarly to an index maintained in relation to a primary timeline on which it is based, or to another timeline. This may help the event data of the wrinkle timeline behave in a similar fashion as if it were in the primary timeline. The index may, for example, be structured around individual timestamps or content-specific features of items in the wrinkled timeline such as event log item event codes.
[0016] In certain embodiments, event data of the primary timeline will be extracted from an external device. For example, an investigator may define a certain timeframe in which data is desired for examination and request that data from an external device. Returned data may be incorporated into the primary timeline for examination and use in generating a wrinkle timeline.
[0017] The wrinkle timeline may include the first timestamp and/or the first item, and the method may further include the step of marking or visually emphasizing the first timestamp and/or first item to a viewer to assist the viewer in realizing relationships with other event data in the wrinkle timeline. In addition, event data of the primary timeline which is not incorporated into the wrinkle timeline may nonetheless be represented by a visual marking indicating to the investigator that such event data has been removed or was never incorporated from the primary timeline.
[0018] In still another embodiment, an investigator may rely on the wrinkle timeline to build yet another, second, wrinkle timeline using substantially the same techniques used to build the first. While the process may be iterative, and thus perhaps conceptualized similarly to a series of filters in which event data filtered out when creating the first wrinkle timeline would not be available or considered for building the second wrinkle timeline, an investigator may elect to pull event data from the primary timeline or other timelines, along with the first wrinkle timeline, for purposes of constructing the second wrinkle timeline.
[0019] Additional aspects, advantages, and utilities of the present inventive concept will be set forth in part in the description which follows and, in part, will be obvious from the description, or may be learned by practice of the present inventive concept. [0020] The foregoing is intended to be illustrative and are not meant in a limiting sense. Many features and subcombinations of the present inventive concept may be made and will be readily evident upon a study of the following specification and accompanying drawings comprising a part thereof. These features and subcombinations may be employed without reference to other features and subcombinations.
BRIEF DESCRIPTION OF THE DRAWINGS
[0021] The present inventive concept is described in detail below with reference to the attached drawing figures, wherein:
[0022] FIG. 1 is a flow chart depicting processing steps of an aspect of the present inventive concept to identify event data along a primary timeline;
[0023] FIG. 2 is a screen shot depicting event data of a primary timeline identified using the present inventive concept; and
[0024] FIG. 3 is a screen shot depicting selection of several timestamps and associated radii using the present inventive concept.
[0025] The drawing figures do not limit the present inventive concept to the specific examples disclosed and described herein. The drawings are not necessarily to scale, emphasis instead being placed upon clearly illustrating the principles of the present inventive concept.
DETAILED DESCRIPTION
[0026] The following detailed description references the accompanying drawings that illustrate the present inventive concept. The illustrations and description are intended to describe aspects of the present inventive concept in sufficient detail to enable those skilled in the art to practice the present inventive concept. Other components can be utilized and changes can be made without departing from the scope of the present inventive concept. The following detailed description is, therefore, not to be taken in a limiting sense. The scope of the present inventive concept is defined only by the appended claims, along with the full scope of equivalents to which such claims are entitled.
[0027] In this description, references to "one embodiment," "an embodiment," or "embodiments" mean that the feature or features being referred to are included in at least one aspect of the present inventive concept. Separate references to "one embodiment," "an embodiment," or "embodiments" in this description do not necessarily refer to the same embodiment and are also not mutually exclusive unless so stated and/or except as will be readily apparent to those skilled in the art from the description. For example, a feature, structure, act, etc. described in one embodiment may also be included in other embodiments, but is not necessarily included. Thus, the present inventive concept can include a variety of combinations and/or integrations of the embodiments described herein.
[0028] The software configured to execute various steps or operations of the present inventive concept may reside on many different hardware configurations which would be known to one skilled in the art. The present application describes a method for organizing, analyzing and displaying event data. Data can be organized and presented according to embodiments of the present inventive concept following an event by identifying a primary timeline containing event data including a first timestamp, choosing a radius for the first timestamp, searching for a subset of event data within the radius of the first timestamp, and/or generating a wrinkle timeline incorporating at least a portion or all of the event data.
[0029] Turning now to FIG. 1 , steps for generating and displaying a first wrinkle timeline via the present inventive concept are illustrated. The same or at least substantially similar steps may be repeated by the present inventive concept to generate additional wrinkle timelines, e.g., a second wrinkle timeline, from event data of the first wrinkle timeline.
[0030] As illustrated FIG. 1 , a "Source Item," is selected by a user or investigator from the event data of the Primary Timeline in step 100. The Source Item may be selected by the investigator using one or more computer systems. The shell for the Wrinkle Timeline is then created in step 120. The shell may be created using duplicate settings from the Primary Timeline, but may not initially contain any event data. The duplicate settings may be at least partially or entirely based on data that has been previously stored in a database or memory in communication with and accessibly to the investigator via at least one of the one or more computer systems.
[0031] Timestamps, including a first timestamp, of the Source Item are then extracted or identified in step 130, at which point the investigator is presented with the option of setting or selecting a radius or radii for each timestamp by inputting such into the computer system in step 140, which will be further discussed with respect to FIG. 3 hereafter. Then, for each item in the Primary Timeline and for each timestamp associated with each item, steps 140, 150, and 160 are executed via the computer system, which allow the investigator to search for timestamp event data and populate the timeline with such timestamp event data. In step 140, the event data is analyzed to determine if the event data is within one or more of the selected radii and, if so, compared with other similar timestamps, e.g., based on type of timestamp. Any of the event data that is outside all of the selected radii is separately grouped together, e.g., should the investigator elect to conduct any further analysis on the separate group. If the event data is within one or more of the radii, characteristics of such event data, such as item IDs and timestamps, are compared against event data already populating the Wrinkle Timeline in step 150. If such event data is not already in the Wrinkle Timeline, it is inserted into the Wrinkle Timeline in step 160. Because the event data that fell within the radii are associated with various items, and those items are themselves associated with other event data having time field entries that may fall outside of the radii but nonetheless be relevant, e.g., the separately- grouped event data, an investigator may also insert such separately-grouped event data of any items deemed to be relevant into the Wrinkle Timeline via the computer system. [0032] Optionally, so that the investigator might more easily search the Wrinkle Timeline via the computer system, the event data in the Wrinkle Timeline may be indexed according to various schema, e.g., predetermined schema selected by the Investigator. In a preferred embodiment, the index is structured similarly to the index for the Primary Timeline. Still further, a wrinkle timeline may be modifiable to mark or visually or aurally emphasize the first item (the Source Item in FIG. 1 ) or first timestamp to aid the investigator in identifying or realizing relationships with other event data in the wrinkle timeline. Event data of the primary timeline that is not incorporated into the wrinkle timeline may be marked or visually accounted for in the wrinkle timeline so that the investigator is aware of those gaps. The investigator may rely on the results of the search method in creating a wrinkle timeline, whether by selecting settings for what event data is included in the wrinkle timeline or allowing default settings to do so, and may also manually select event data to exclude or include in the data set incorporated into the wrinkle timeline, or may manually select data in the wrinkle time for exclusion therefrom.
[0033] Turning now to FIG. 2, event data of a primary timeline of the present inventive concept is depicted. As is apparent from FIG. 2, there are a number of methods for filtering or modifying display of the event data of a primary timeline via the computer system, for example to simplify the process of choosing a first timestamp and/or first item. Drop down menus depicted in FIG. 2 allow for selection of a timeframe by the investigator in which the event data must fall in order to be included in the primary timeline. The investigator may also select certain types of event data to be included in the primary timeline. Alternatively, some or all of these settings may be used while selecting a first timestamp or first item, but may then be relaxed or disengaged when the search step of the method is reached so that a more comprehensive set of event data may be searched by the investigator using the computer system.
[0034] It is foreseen that other units of time, such as seconds, hours, days, weeks, months, years, decades, and/or centuries, or any other like, identifiable and comparable characteristics related to and expressed by event data such as physical distance, e.g., physical distance between stored data in a memory, may be used as radii without departing from the spirit of the present inventive concept. It is foreseen that a combination of different types of radii may be used as well, e.g., time and physical distance of one or more portions of the event data. The investigator may select an appropriate radii depending upon the focus of investigation. For example, smaller units of time may be used when focusing on an efficient investigation of higher resolution network events, or larger units may be used for searches of a larger scope and/or to achieve higher accuracy.
[0035] Turning now to FIG. 3, a first item ("install.exe") is depicted with a set of associated timestamps of different types, one of which may be considered the first timestamp. Also depicted are drop down menus allowing the investigator to select a value for a radius for each timestamp. For illustrative purposes, he radii drop down menus of FIG. 3 are measured in minutes. As discussed herein, however, the radii is not limited to such. Generally, during a search for timestamps within, for example, a five minute radius of the first timestamp of the first item, the investigator will look for other event data, such as other timestamps, associated with Date/Time time field entries five minutes before or after the first timestamp.
[0036] The investigator may perform the present inventive concept using an agent in certain embodiments. An agent is a module of software installed on a target system that enables a user to monitor and interact with the target system. Agents allow users to gather information about multiple aspects of the target system. Agents also permit users to remotely retrieve the contents of the target system's memory or hard drive, and could potentially be configured to modify its contents. The agent may be configured to either communicate over a computer network, or to read and write all relevant configuration information and acquired data to a computer storage medium, such as a hard drive or removable read/write media (USB key, etc). In one embodiment, the agent is built in a modular fashion. The ability to gather a particular piece of data from a target system (e.g. a list of running processes on the target system or a primary timeline) is implemented as a discrete module of software and loaded by the agent. This allows for easy adaptation of the agent to different environments that have specific requirements for data collection.
[0037] The previous description of the presently disclosed inventive concept is provided to enable any person skilled in the art to make or use the present inventive concept. Various modifications will be readily apparent to those skilled in the art, and the generic principles defined herein may be applied alternatively without departing from the spirit or scope of the present inventive concept. Thus, the present inventive concept is not intended to be limited to the description herein but is to be accorded the widest scope consistent with the principles and novel features disclosed herein.
[0038] The steps of a method, system, or operation described in connection with the present inventive concept disclosed herein may be embodied directly in hardware, in a software module executed by a processor, or in a combination of the two. A software module may reside in RAM memory, flash memory, ROM memory, EPROM memory, EEPROM memory, registers, hard disk, a removable disk, a CD-ROM, or any other form of storage medium known in the art.
[0039] Having now described the features, discoveries and principles of the present inventive aspect of this disclosure, the manner in which the present inventive aspect is constructed and used, the characteristics of the construction, and advantageous, new and useful results obtained; the new and useful structures, devices, elements, arrangements, parts and combinations, are set forth in the appended claims.
[0040] It is also to be understood that the following claims are intended to cover all of the generic and specific features of the present inventive aspect herein described, and all statements of the scope of the present inventive aspect which, as a matter of language, might be said to fall there between.

Claims

CLAIMS What is claimed is:
1. A method of organizing event data using a computer system, the method comprising the steps of:
identifying a primary timeline containing event data including a first timestamp;
choosing a radius for the first timestamp;
searching, via the computer system, for at least one subset of the event data within the radius; and
generating, via the computer system, a first wrinkle timeline incorporating the at least one subset of the event data.
2. The method according to claim 1 , further comprising the step of:
identifying a first item associated with the first timestamp.
3. The method according to claim 2, further comprising the step of:
identifying a second timestamp by the search and a second item associated with the second timestamp.
4. The method according to claim 1 , wherein the step of searching for the at least one subset of the event data within the radius includes identifying one or more timestamp characteristics and comparing the one or more timestamp characteristics to the event data.
5. The method according to claim 3, further comprising the steps of: identifying a third timestamp associated with the second item; and
determining whether the second and third timestamps are present in the first wrinkle timeline.
6. The method according to claim 5, wherein if one or more of the second and third timestamps are determined not to be present in the first wrinkle timeline, the one or more of the second and third timestamps are copied into the first wrinkle timeline.
7. The method according to claim 1 , further comprising the step of: creating an index of the event data of the first wrinkle timeline.
8. The method according to claim 7, wherein the first wrinkle timeline index is substantially similar to an index associated with the primary timeline.
9. The method of claim 1 , wherein the event data of the first wrinkle timeline includes the first timestamp.
10. The method of claim 9, wherein the first timestamp is marked in the first wrinkle timeline.
1 1 . The method of claim 1 , wherein the first wrinkle timeline has substantially the same settings as the primary timeline.
12. The method of claim 1 , wherein the radius is at least partially defined in minutes.
13. The method of claim 1 , further comprising the step of: identifying the first timestamp of the primary timeline using a keyword search.
14. The method of claim 1 , wherein the steps of the method are carried out using a computing device and event data of the primary timeline resides in memory of an external device.
15. The method of claim 14, wherein the primary timeline comprises event data extracted from the external device according to pre-determined parameters.
16. The method of claim 15, wherein the pre-determined parameters define one or more windows of time for comparing against timestamps contained in the memory of the external device.
17. The method of claim 1 , further comprising the step of: creating a visual representation of event data of the primary timeline that is incorporated into the first wrinkle timeline.
18. The method of claim 1 , further comprising the step of: selecting event data to be incorporated into the first wrinkle timeline.
19. The method of claim 1 , further comprising the step of: selecting event data not to be incorporated into the first wrinkle timeline.
20. The method of claim 1 , further comprising the step of: selecting event data to remove from the first wrinkle timeline.
21 . The method of claim 1 , further comprising the step of: marking one or more event data in the first wrinkle timeline.
22. The method of claim 20, further comprising the steps of: identifying a fourth timestamp in the first wrinkle timeline;
choosing a radius for the fourth timestamp;
searching for one or more event data within the radius; and
generating a second wrinkle timeline incorporating at least one of the event data.
PCT/US2013/077822 2012-12-26 2013-12-26 Timeline wrinkling system and method WO2014105960A1 (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
EP13867490.8A EP2939167A4 (en) 2012-12-26 2013-12-26 Timeline wrinkling system and method

Applications Claiming Priority (4)

Application Number Priority Date Filing Date Title
US201261746019P 2012-12-26 2012-12-26
US61/746,019 2012-12-26
US14/034,672 2013-09-24
US14/034,672 US9633134B2 (en) 2012-12-26 2013-09-24 Timeline wrinkling system and method

Publications (1)

Publication Number Publication Date
WO2014105960A1 true WO2014105960A1 (en) 2014-07-03

Family

ID=50975915

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/US2013/077822 WO2014105960A1 (en) 2012-12-26 2013-12-26 Timeline wrinkling system and method

Country Status (3)

Country Link
US (1) US9633134B2 (en)
EP (1) EP2939167A4 (en)
WO (1) WO2014105960A1 (en)

Cited By (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US10169585B1 (en) 2016-06-22 2019-01-01 Fireeye, Inc. System and methods for advanced malware detection through placement of transition events

Families Citing this family (137)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US8793787B2 (en) 2004-04-01 2014-07-29 Fireeye, Inc. Detecting malicious network content using virtual environment components
US8528086B1 (en) 2004-04-01 2013-09-03 Fireeye, Inc. System and method of detecting computer worms
US7587537B1 (en) 2007-11-30 2009-09-08 Altera Corporation Serializer-deserializer circuits formed from input-output circuit registers
US9106694B2 (en) 2004-04-01 2015-08-11 Fireeye, Inc. Electronic message analysis for malware detection
US8171553B2 (en) 2004-04-01 2012-05-01 Fireeye, Inc. Heuristic based capture with replay to virtual machine
US8881282B1 (en) 2004-04-01 2014-11-04 Fireeye, Inc. Systems and methods for malware attack detection and identification
US8832829B2 (en) 2009-09-30 2014-09-09 Fireeye, Inc. Network-based binary file extraction and analysis for malware detection
US8713681B2 (en) 2009-10-27 2014-04-29 Mandiant, Llc System and method for detecting executable machine instructions in a data stream
US10572665B2 (en) 2012-12-28 2020-02-25 Fireeye, Inc. System and method to create a number of breakpoints in a virtual machine via virtual machine trapping events
US9176843B1 (en) 2013-02-23 2015-11-03 Fireeye, Inc. Framework for efficient security coverage of mobile software applications
US9195829B1 (en) 2013-02-23 2015-11-24 Fireeye, Inc. User interface with real-time visual playback along with synchronous textual analysis log display and event/time index for anomalous behavior detection in applications
US9565202B1 (en) 2013-03-13 2017-02-07 Fireeye, Inc. System and method for detecting exfiltration content
US9626509B1 (en) 2013-03-13 2017-04-18 Fireeye, Inc. Malicious content analysis with multi-version application support within single operating environment
US9104867B1 (en) 2013-03-13 2015-08-11 Fireeye, Inc. Malicious content analysis using simulated user interaction without user involvement
US9430646B1 (en) 2013-03-14 2016-08-30 Fireeye, Inc. Distributed systems and methods for automatically detecting unknown bots and botnets
US9311479B1 (en) 2013-03-14 2016-04-12 Fireeye, Inc. Correlation and consolidation of analytic data for holistic view of a malware attack
US9497213B2 (en) 2013-03-15 2016-11-15 Fireeye, Inc. System and method to manage sinkholes
US9413781B2 (en) 2013-03-15 2016-08-09 Fireeye, Inc. System and method employing structured intelligence to verify and contain threats at endpoints
US9824211B2 (en) 2013-03-15 2017-11-21 Fireeye, Inc. System and method to visualize user sessions
US10713358B2 (en) 2013-03-15 2020-07-14 Fireeye, Inc. System and method to extract and utilize disassembly features to classify software intent
US9495180B2 (en) 2013-05-10 2016-11-15 Fireeye, Inc. Optimized resource allocation for virtual machines within a malware content detection system
US9635039B1 (en) 2013-05-13 2017-04-25 Fireeye, Inc. Classifying sets of malicious indicators for detecting command and control communications associated with malware
US9536091B2 (en) 2013-06-24 2017-01-03 Fireeye, Inc. System and method for detecting time-bomb malware
US9300686B2 (en) 2013-06-28 2016-03-29 Fireeye, Inc. System and method for detecting malicious links in electronic messages
US9628507B2 (en) 2013-09-30 2017-04-18 Fireeye, Inc. Advanced persistent threat (APT) detection center
US9690936B1 (en) 2013-09-30 2017-06-27 Fireeye, Inc. Multistage system and method for analyzing obfuscated content for malware
US9736179B2 (en) 2013-09-30 2017-08-15 Fireeye, Inc. System, apparatus and method for using malware analysis results to drive adaptive instrumentation of virtual machines to improve exploit detection
US9171160B2 (en) 2013-09-30 2015-10-27 Fireeye, Inc. Dynamically adaptive framework and method for classifying malware using intelligent static, emulation, and dynamic analyses
US10515214B1 (en) 2013-09-30 2019-12-24 Fireeye, Inc. System and method for classifying malware within content created during analysis of a specimen
US9189627B1 (en) 2013-11-21 2015-11-17 Fireeye, Inc. System, apparatus and method for conducting on-the-fly decryption of encrypted objects for malware detection
US9747446B1 (en) 2013-12-26 2017-08-29 Fireeye, Inc. System and method for run-time object classification
US9756074B2 (en) 2013-12-26 2017-09-05 Fireeye, Inc. System and method for IPS and VM-based detection of suspicious objects
US9507935B2 (en) 2014-01-16 2016-11-29 Fireeye, Inc. Exploit detection system with threat-aware microvisor
US9262635B2 (en) 2014-02-05 2016-02-16 Fireeye, Inc. Detection efficacy of virtual machine-based analysis with application specific events
US10242185B1 (en) 2014-03-21 2019-03-26 Fireeye, Inc. Dynamic guest image creation and rollback
US9591015B1 (en) 2014-03-28 2017-03-07 Fireeye, Inc. System and method for offloading packet processing and static analysis operations
US9223972B1 (en) 2014-03-31 2015-12-29 Fireeye, Inc. Dynamically remote tuning of a malware content detection system
US10084813B2 (en) 2014-06-24 2018-09-25 Fireeye, Inc. Intrusion prevention and remedy system
US9398028B1 (en) 2014-06-26 2016-07-19 Fireeye, Inc. System, device and method for detecting a malicious attack based on communcations between remotely hosted virtual machines and malicious web servers
US10805340B1 (en) 2014-06-26 2020-10-13 Fireeye, Inc. Infection vector and malware tracking with an interactive user display
US10002252B2 (en) 2014-07-01 2018-06-19 Fireeye, Inc. Verification of trusted threat-aware microvisor
US9912644B2 (en) 2014-08-05 2018-03-06 Fireeye, Inc. System and method to communicate sensitive information via one or more untrusted intermediate nodes with resilience to disconnected network topology
US9363280B1 (en) 2014-08-22 2016-06-07 Fireeye, Inc. System and method of detecting delivery of malware using cross-customer data
US10027689B1 (en) 2014-09-29 2018-07-17 Fireeye, Inc. Interactive infection visualization for improved exploit detection and signature generation for malware and malware families
US9690933B1 (en) 2014-12-22 2017-06-27 Fireeye, Inc. Framework for classifying an object as malicious with machine learning for deploying updated predictive models
US10075455B2 (en) 2014-12-26 2018-09-11 Fireeye, Inc. Zero-day rotating guest image profile
US9934376B1 (en) 2014-12-29 2018-04-03 Fireeye, Inc. Malware detection appliance architecture
US9838417B1 (en) 2014-12-30 2017-12-05 Fireeye, Inc. Intelligent context aware user interaction for malware detection
US10148693B2 (en) 2015-03-25 2018-12-04 Fireeye, Inc. Exploit detection system
US9438613B1 (en) 2015-03-30 2016-09-06 Fireeye, Inc. Dynamic content activation for automated analysis of embedded objects
US9483644B1 (en) 2015-03-31 2016-11-01 Fireeye, Inc. Methods for detecting file altering malware in VM based analysis
US10417031B2 (en) 2015-03-31 2019-09-17 Fireeye, Inc. Selective virtualization for security threat detection
US10474813B1 (en) 2015-03-31 2019-11-12 Fireeye, Inc. Code injection technique for remediation at an endpoint of a network
US9654485B1 (en) 2015-04-13 2017-05-16 Fireeye, Inc. Analytics-based security monitoring system and method
US9892261B2 (en) 2015-04-28 2018-02-13 Fireeye, Inc. Computer imposed countermeasures driven by malware lineage
US10642753B1 (en) 2015-06-30 2020-05-05 Fireeye, Inc. System and method for protecting a software component running in virtual machine using a virtualization layer
US11113086B1 (en) 2015-06-30 2021-09-07 Fireeye, Inc. Virtual system and method for securing external network connectivity
US10726127B1 (en) 2015-06-30 2020-07-28 Fireeye, Inc. System and method for protecting a software component running in a virtual machine through virtual interrupts by the virtualization layer
US10216927B1 (en) 2015-06-30 2019-02-26 Fireeye, Inc. System and method for protecting memory pages associated with a process using a virtualization layer
US10454950B1 (en) 2015-06-30 2019-10-22 Fireeye, Inc. Centralized aggregation technique for detecting lateral movement of stealthy cyber-attacks
US10395029B1 (en) 2015-06-30 2019-08-27 Fireeye, Inc. Virtual system and method with threat protection
US10715542B1 (en) 2015-08-14 2020-07-14 Fireeye, Inc. Mobile application risk analysis
US10176321B2 (en) 2015-09-22 2019-01-08 Fireeye, Inc. Leveraging behavior-based rules for malware family classification
US10033759B1 (en) 2015-09-28 2018-07-24 Fireeye, Inc. System and method of threat detection under hypervisor control
US10033747B1 (en) 2015-09-29 2018-07-24 Fireeye, Inc. System and method for detecting interpreter-based exploit attacks
US10817606B1 (en) 2015-09-30 2020-10-27 Fireeye, Inc. Detecting delayed activation malware using a run-time monitoring agent and time-dilation logic
US9825976B1 (en) 2015-09-30 2017-11-21 Fireeye, Inc. Detection and classification of exploit kits
US10210329B1 (en) 2015-09-30 2019-02-19 Fireeye, Inc. Method to detect application execution hijacking using memory protection
US10706149B1 (en) 2015-09-30 2020-07-07 Fireeye, Inc. Detecting delayed activation malware using a primary controller and plural time controllers
US10601865B1 (en) 2015-09-30 2020-03-24 Fireeye, Inc. Detection of credential spearphishing attacks using email analysis
US9825989B1 (en) 2015-09-30 2017-11-21 Fireeye, Inc. Cyber attack early warning system
CN105354186A (en) * 2015-11-05 2016-02-24 同济大学 News event extraction method and system
US10284575B2 (en) 2015-11-10 2019-05-07 Fireeye, Inc. Launcher for setting analysis environment variations for malware detection
US10447728B1 (en) 2015-12-10 2019-10-15 Fireeye, Inc. Technique for protecting guest processes using a layered virtualization architecture
US10846117B1 (en) 2015-12-10 2020-11-24 Fireeye, Inc. Technique for establishing secure communication between host and guest processes of a virtualization architecture
US10108446B1 (en) 2015-12-11 2018-10-23 Fireeye, Inc. Late load technique for deploying a virtualization layer underneath a running operating system
US10050998B1 (en) 2015-12-30 2018-08-14 Fireeye, Inc. Malicious message analysis system
US10565378B1 (en) 2015-12-30 2020-02-18 Fireeye, Inc. Exploit of privilege detection framework
US10133866B1 (en) 2015-12-30 2018-11-20 Fireeye, Inc. System and method for triggering analysis of an object for malware in response to modification of that object
US10621338B1 (en) 2015-12-30 2020-04-14 Fireeye, Inc. Method to detect forgery and exploits using last branch recording registers
US9824216B1 (en) 2015-12-31 2017-11-21 Fireeye, Inc. Susceptible environment detection system
US11552986B1 (en) 2015-12-31 2023-01-10 Fireeye Security Holdings Us Llc Cyber-security framework for application of virtual features
US10581874B1 (en) 2015-12-31 2020-03-03 Fireeye, Inc. Malware detection system with contextual analysis
US10601863B1 (en) 2016-03-25 2020-03-24 Fireeye, Inc. System and method for managing sensor enrollment
US10616266B1 (en) 2016-03-25 2020-04-07 Fireeye, Inc. Distributed malware detection system and submission workflow thereof
US10785255B1 (en) 2016-03-25 2020-09-22 Fireeye, Inc. Cluster configuration within a scalable malware detection system
US10671721B1 (en) 2016-03-25 2020-06-02 Fireeye, Inc. Timeout management services
US10826933B1 (en) 2016-03-31 2020-11-03 Fireeye, Inc. Technique for verifying exploit/malware at malware detection appliance through correlation with endpoints
US10893059B1 (en) 2016-03-31 2021-01-12 Fireeye, Inc. Verification and enhancement using detection systems located at the network periphery and endpoint devices
US10462173B1 (en) 2016-06-30 2019-10-29 Fireeye, Inc. Malware detection verification and enhancement by coordinating endpoint and malware detection systems
US10592678B1 (en) 2016-09-09 2020-03-17 Fireeye, Inc. Secure communications between peers using a verified virtual trusted platform module
US10491627B1 (en) 2016-09-29 2019-11-26 Fireeye, Inc. Advanced malware detection using similarity analysis
US10795991B1 (en) 2016-11-08 2020-10-06 Fireeye, Inc. Enterprise search
US10587647B1 (en) 2016-11-22 2020-03-10 Fireeye, Inc. Technique for malware detection capability comparison of network security devices
US10581879B1 (en) 2016-12-22 2020-03-03 Fireeye, Inc. Enhanced malware detection for generated objects
US10552610B1 (en) 2016-12-22 2020-02-04 Fireeye, Inc. Adaptive virtual machine snapshot update framework for malware behavioral analysis
US10523609B1 (en) 2016-12-27 2019-12-31 Fireeye, Inc. Multi-vector malware detection and analysis
US10904286B1 (en) 2017-03-24 2021-01-26 Fireeye, Inc. Detection of phishing attacks using similarity analysis
US10791138B1 (en) 2017-03-30 2020-09-29 Fireeye, Inc. Subscription-based malware detection
US10848397B1 (en) 2017-03-30 2020-11-24 Fireeye, Inc. System and method for enforcing compliance with subscription requirements for cyber-attack detection service
US10902119B1 (en) 2017-03-30 2021-01-26 Fireeye, Inc. Data extraction system for malware analysis
US10798112B2 (en) 2017-03-30 2020-10-06 Fireeye, Inc. Attribute-controlled malware detection
US10855700B1 (en) 2017-06-29 2020-12-01 Fireeye, Inc. Post-intrusion detection of cyber-attacks during lateral movement within networks
US10503904B1 (en) 2017-06-29 2019-12-10 Fireeye, Inc. Ransomware detection and mitigation
US10601848B1 (en) 2017-06-29 2020-03-24 Fireeye, Inc. Cyber-security system and method for weak indicator detection and correlation to generate strong indicators
US10893068B1 (en) 2017-06-30 2021-01-12 Fireeye, Inc. Ransomware file modification prevention technique
US10747872B1 (en) 2017-09-27 2020-08-18 Fireeye, Inc. System and method for preventing malware evasion
US10805346B2 (en) 2017-10-01 2020-10-13 Fireeye, Inc. Phishing attack detection
US11108809B2 (en) 2017-10-27 2021-08-31 Fireeye, Inc. System and method for analyzing binary code for malware classification using artificial neural network techniques
US11240275B1 (en) 2017-12-28 2022-02-01 Fireeye Security Holdings Us Llc Platform and method for performing cybersecurity analyses employing an intelligence hub with a modular architecture
US11271955B2 (en) 2017-12-28 2022-03-08 Fireeye Security Holdings Us Llc Platform and method for retroactive reclassification employing a cybersecurity-based global data store
US11005860B1 (en) 2017-12-28 2021-05-11 Fireeye, Inc. Method and system for efficient cybersecurity analysis of endpoint events
US10826931B1 (en) 2018-03-29 2020-11-03 Fireeye, Inc. System and method for predicting and mitigating cybersecurity system misconfigurations
US10956477B1 (en) 2018-03-30 2021-03-23 Fireeye, Inc. System and method for detecting malicious scripts through natural language processing modeling
US11003773B1 (en) 2018-03-30 2021-05-11 Fireeye, Inc. System and method for automatically generating malware detection rule recommendations
US11558401B1 (en) 2018-03-30 2023-01-17 Fireeye Security Holdings Us Llc Multi-vector malware detection data sharing system for improved detection
US11314859B1 (en) 2018-06-27 2022-04-26 FireEye Security Holdings, Inc. Cyber-security system and method for detecting escalation of privileges within an access token
US11075930B1 (en) 2018-06-27 2021-07-27 Fireeye, Inc. System and method for detecting repetitive cybersecurity attacks constituting an email campaign
US11228491B1 (en) 2018-06-28 2022-01-18 Fireeye Security Holdings Us Llc System and method for distributed cluster configuration monitoring and management
US11316900B1 (en) 2018-06-29 2022-04-26 FireEye Security Holdings Inc. System and method for automatically prioritizing rules for cyber-threat detection and mitigation
US11182473B1 (en) 2018-09-13 2021-11-23 Fireeye Security Holdings Us Llc System and method for mitigating cyberattacks against processor operability by a guest process
US11763004B1 (en) 2018-09-27 2023-09-19 Fireeye Security Holdings Us Llc System and method for bootkit detection
US11368475B1 (en) 2018-12-21 2022-06-21 Fireeye Security Holdings Us Llc System and method for scanning remote services to locate stored objects with malware
US11743290B2 (en) 2018-12-21 2023-08-29 Fireeye Security Holdings Us Llc System and method for detecting cyberattacks impersonating legitimate sources
US11176251B1 (en) 2018-12-21 2021-11-16 Fireeye, Inc. Determining malware via symbolic function hash analysis
US11601444B1 (en) 2018-12-31 2023-03-07 Fireeye Security Holdings Us Llc Automated system for triage of customer issues
US11310238B1 (en) 2019-03-26 2022-04-19 FireEye Security Holdings, Inc. System and method for retrieval and analysis of operational data from customer, cloud-hosted virtual resources
US11677786B1 (en) 2019-03-29 2023-06-13 Fireeye Security Holdings Us Llc System and method for detecting and protecting against cybersecurity attacks on servers
US11636198B1 (en) 2019-03-30 2023-04-25 Fireeye Security Holdings Us Llc System and method for cybersecurity analyzer update and concurrent management system
US11258806B1 (en) 2019-06-24 2022-02-22 Mandiant, Inc. System and method for automatically associating cybersecurity intelligence to cyberthreat actors
US11556640B1 (en) 2019-06-27 2023-01-17 Mandiant, Inc. Systems and methods for automated cybersecurity analysis of extracted binary string sets
US11392700B1 (en) 2019-06-28 2022-07-19 Fireeye Security Holdings Us Llc System and method for supporting cross-platform data verification
US11886585B1 (en) 2019-09-27 2024-01-30 Musarubra Us Llc System and method for identifying and mitigating cyberattacks through malicious position-independent code execution
US11637862B1 (en) 2019-09-30 2023-04-25 Mandiant, Inc. System and method for surfacing cyber-security threats with a self-learning recommendation engine
US11838300B1 (en) 2019-12-24 2023-12-05 Musarubra Us Llc Run-time configurable cybersecurity system
US11436327B1 (en) 2019-12-24 2022-09-06 Fireeye Security Holdings Us Llc System and method for circumventing evasive code for cyberthreat detection
US11522884B1 (en) 2019-12-24 2022-12-06 Fireeye Security Holdings Us Llc Subscription and key management system

Citations (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20100017359A1 (en) * 2008-07-16 2010-01-21 Kiernan Gerald G Constructing a comprehensive summary of an event sequence
US20110153748A1 (en) * 2009-12-18 2011-06-23 Electronics And Telecommunications Research Institute Remote forensics system based on network
US20120079596A1 (en) * 2010-08-26 2012-03-29 Verisign, Inc. Method and system for automatic detection and analysis of malware
KR20120065819A (en) * 2010-12-13 2012-06-21 한국전자통신연구원 Digital forensic apparatus for analyzing the user activities and method thereof
KR20120086926A (en) * 2011-01-27 2012-08-06 한남대학교 산학협력단 A visualization system for Forensics audit data

Family Cites Families (19)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US8069484B2 (en) 2007-01-25 2011-11-29 Mandiant Corporation System and method for determining data entropy to identify malware
US8566476B2 (en) 2008-02-01 2013-10-22 Mandiant Corporation Method and system for analyzing data related to an event
US8949257B2 (en) 2008-02-01 2015-02-03 Mandiant, Llc Method and system for collecting and organizing data corresponding to an event
US7937387B2 (en) 2008-02-01 2011-05-03 Mandiant System and method for data preservation and retrieval
US9106630B2 (en) 2008-02-01 2015-08-11 Mandiant, Llc Method and system for collaboration during an event
US8881271B2 (en) 2008-08-01 2014-11-04 Mandiant, Llc System and method for forensic identification of elements within a computer system
US8713681B2 (en) 2009-10-27 2014-04-29 Mandiant, Llc System and method for detecting executable machine instructions in a data stream
US8650209B1 (en) * 2010-10-27 2014-02-11 Amdocs Software Systems Limited System, method, and computer program for determining most of the non duplicate records in high performance environments in an economical and fault-tolerant manner
US8239529B2 (en) * 2010-11-30 2012-08-07 Google Inc. Event management for hosted applications
CN104067281A (en) * 2011-11-28 2014-09-24 惠普发展公司,有限责任合伙企业 Clustering event data by multiple time dimensions
US9275229B2 (en) 2012-03-15 2016-03-01 Mandiant, Llc System to bypass a compromised mass storage device driver stack and method thereof
US9268936B2 (en) 2012-07-27 2016-02-23 Mandiant, Llc Physical memory forensics system and method
US10572665B2 (en) 2012-12-28 2020-02-25 Fireeye, Inc. System and method to create a number of breakpoints in a virtual machine via virtual machine trapping events
US9690935B2 (en) 2012-12-31 2017-06-27 Fireeye, Inc. Identification of obfuscated computer items using visual algorithms
US9497213B2 (en) 2013-03-15 2016-11-15 Fireeye, Inc. System and method to manage sinkholes
US10713358B2 (en) 2013-03-15 2020-07-14 Fireeye, Inc. System and method to extract and utilize disassembly features to classify software intent
US9413781B2 (en) 2013-03-15 2016-08-09 Fireeye, Inc. System and method employing structured intelligence to verify and contain threats at endpoints
US9824211B2 (en) 2013-03-15 2017-11-21 Fireeye, Inc. System and method to visualize user sessions
US9912644B2 (en) 2014-08-05 2018-03-06 Fireeye, Inc. System and method to communicate sensitive information via one or more untrusted intermediate nodes with resilience to disconnected network topology

Patent Citations (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20100017359A1 (en) * 2008-07-16 2010-01-21 Kiernan Gerald G Constructing a comprehensive summary of an event sequence
US20110153748A1 (en) * 2009-12-18 2011-06-23 Electronics And Telecommunications Research Institute Remote forensics system based on network
US20120079596A1 (en) * 2010-08-26 2012-03-29 Verisign, Inc. Method and system for automatic detection and analysis of malware
KR20120065819A (en) * 2010-12-13 2012-06-21 한국전자통신연구원 Digital forensic apparatus for analyzing the user activities and method thereof
KR20120086926A (en) * 2011-01-27 2012-08-06 한남대학교 산학협력단 A visualization system for Forensics audit data

Non-Patent Citations (1)

* Cited by examiner, † Cited by third party
Title
See also references of EP2939167A4 *

Cited By (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US10169585B1 (en) 2016-06-22 2019-01-01 Fireeye, Inc. System and methods for advanced malware detection through placement of transition events

Also Published As

Publication number Publication date
EP2939167A4 (en) 2016-08-17
EP2939167A1 (en) 2015-11-04
US20140181131A1 (en) 2014-06-26
US9633134B2 (en) 2017-04-25

Similar Documents

Publication Publication Date Title
US9633134B2 (en) Timeline wrinkling system and method
Qiu et al. An empirical analysis of the co-evolution of schema and code in database applications
EP1938228B1 (en) Detecting database events using recovery logs
Alharbi et al. The proactive and reactive digital forensics investigation process: A systematic literature review
US8798400B2 (en) Using near-duplicate video frames to analyze, classify, track, and visualize evolution and fitness of videos
US20060256739A1 (en) Flexible multi-media data management
US9824148B2 (en) Method and device for searching and displaying scattered logs
Carrier et al. Automated Digital Evidence Target Definition Using Outlier Analysis and Existing Evidence.
AU2014281604B2 (en) System and method for text mining documents
US8984023B2 (en) Monitoring stored procedure execution
Zhu et al. A dataset for dynamic discovery of semantic changes in version controlled software histories
US9720997B2 (en) Method and apparatus for prioritizing metadata
US7974969B1 (en) Apparatus, method and computer-code for quantifying index overhead
Pieterse et al. Data hiding techniques for database environments
Verma et al. Defining a metric space of host logs and operational use cases
CN106528590B (en) Query method and device
JP2010170438A (en) Document management system
Syed et al. Digital Evidence Data Collection: Cloud Challenges
JP2007122440A (en) Information analysis apparatus, method of analyzing information, and computer program
Soltani et al. Detecting the software usage on a compromised system: A triage solution for digital forensics
Chae et al. DAAV: dynamic API authority vectors for detecting software theft
Kumar et al. Identification and Analysis of hard disk drive in digital forensic
Hauger Forensic attribution challenges during forensic examinations of databases
Zakarneh Forensic Investigation in SQL Server Database Using Temporal Tables & Extended Events Artifacts
Gehani et al. {Provenance-Only} Integration

Legal Events

Date Code Title Description
121 Ep: the epo has been informed by wipo that ep was designated in this application

Ref document number: 13867490

Country of ref document: EP

Kind code of ref document: A1

NENP Non-entry into the national phase

Ref country code: DE

REEP Request for entry into the european phase

Ref document number: 2013867490

Country of ref document: EP

WWE Wipo information: entry into national phase

Ref document number: 2013867490

Country of ref document: EP