Error detection/correction and fault detection/recovery – Data processing system error or fault handling – Reliability and availability
Reexamination Certificate
2000-08-29
2004-03-02
Baderman, Scott (Department: 2184)
Error detection/correction and fault detection/recovery
Data processing system error or fault handling
Reliability and availability
C714S016000, C714S019000, C714S045000
Reexamination Certificate
active
06701456
ABSTRACT:
BACKGROUND OF THE INVENTION
1. Field of the Invention
The present invention relates, generally, to the restoration of a storage device such as a hard disk drive at a present state (T
N
) to a previous state (T
0
) or to any state (T
X
) occurring during the time period between T
0
and T
N
. More particularly, the invention relates to an audit trail that maintains a comprehensive record of hard disk write transactions and/or other activity that enables the storage device to undergo a forward restoration from T
0
to T
X
or a reverse restoration from T
N
to T
X
or that provides relevant data for forensic or diagnostic applications.
2. Background Information.
The restoration of a storage device for a computer, such as a hard disk drive, to a previous state is critical in many situations. For example, in enterprise computing situations, the hard disk drive often must be restored after installing new software if bugs or other problems are encountered. This situation also presents itself in other environments. For example, a user installing a new version of an operating system to his or her hard disk drive may find that the operating system does not function as advertised, and that he or she desires to restore the disk drive to the previous operating system.
The restoration process is generally similar for both of these situations. First a backup of the storage device is made to another storage device, such as a hard disk drive. The new software is then installed, and the system is booted and tested. When a problem arises such that restoration is required, the backup previously made is copied back to the hard drive. However, this is a less than optimal solution because backing up and restoring a storage device can take hours for a personal computer and can literally take days in an enterprise situation. Thus, the testing process of new software installations becomes needlessly time intensive. Furthermore, if a virus or other problem arises during the operation of the system, the restoration of the system is only as good as the last backup. To compound the problem, there may be a period of time in which the problem is undetected, which may lead to backing up corrupted data over a good back up.
A substantially instantaneous storage restoration solution is described in U.S. application Ser. No. 09/258,413, filed Feb. 26, 1999 by David Biesner, Joseph Frolik, and Gaston Biesner, and entitled Substantially Instantaneous Storage Restoration for Non-Computer Forensics Applications. That application describes a system that includes a host device such as a processor or computer, a connection point at the host device such as a communication bus, a primary storage and a secondary storage. The primary storage has stored thereon first data, and sends this data to the host device in response to receiving a corresponding read command at the connection point. The secondary storage stores second data in response to receiving a write command including this data at the connection point, and sends the second data in response to receiving a corresponding read command at the connection point. Thus, a first state can be defined as the first data already on the primary storage. Subsequent (second) data sent to the connection point by the host device is written to the secondary storage. Read commands from the host device are handled either by the primary or the secondary storage, depending on whether the command relates to the first data stored on the primary storage, or the second data stored on the secondary storage. Optimally, in at least some embodiments, this process is transparent to the host device.
That application also describes another embodiment in which first data can be copied to the secondary storage and their roles (as the primary and the secondary storage) reversed. Furthermore, in some embodiments, near instantaneous reconciliation can be achieved by updating the secondary storage during free bus cycles. Therefore, when restoration is required to the first state, in at least some embodiments the system also includes a switch, either hardware or software, that instantly restores the secondary storage to an initial state prior to which the second data was stored thereon. This means that restoration to the first state is performed substantially instantaneously—the primary storage still has stored thereon the first data, and the secondary storage stores anew. Furthermore, when a new ‘first state’ is desired, such that this new state includes both the first data stored on the primary storage and the second data stored on the secondary storage, then another switch of the system in at least some embodiments is included that copies the second data from the secondary storage to the primary storage, and the secondary storage is again restored to an initial state prior to which the second data was stored thereon. Thus, new third data sent by the host device is now stored on the secondary storage, such that restoration to the “first state” means restoration to the state where the primary storage has first and second data stored thereon.
In the timeline of events leading from T
O
to T
N
, the above-described recovery method is limited to restoring data to one of the ends of the timeline, i.e. either to T
O
or to T
N
, and cannot restore the data to a known good state at a point in time T
X
between T
O
to T
N
. This ability to restore the data to the last known good state is important in many situations. For example, in an enterprise system within an electronic commerce site that handles many on-line transactions per second, it is desirable to get the system back up and running as quick as possible to minimize the amount of lost sales. Additionally, it is extremely important to be able to restore the data to the last known good state (T
X
) so as not lose any of the transactions preceding the last known good state.
Additionally, the above-identified technology does not maintain a record or audit trail of the various computer commands, transactions or other relevant data that may be used for forensic or diagnostic applications. Merriam-Webster's Collegiate® Dictionary, Tenth Edition, describes “Forensic” as: relating to or dealing with the application of scientific knowledge to legal problems (~medicine) (~science) (~pathologist) (~experts). The term computer forensic application is a forensic investigation in which the computer was either the object of an activity or an instrument used in the activity under investigation. As used herein, the term computer forensic application includes, but is not limited to two investigative processes. The first forensic process enables an investigator to browse or otherwise investigate a target computer system beginning at time T
0
, and then upon completion of the investigation, restore the target computer to time T
0
. This may be accomplished using the technology described in application Ser. No. 09/258,413. The second forensic process involves maintaining an audit trail of hard drive transactions beginning at time T
0
. Because the second process provides a comprehensive record of all hard disk write transactions and potentially other commands that enable an in depth recreation of a virus or other malicious attack, or other software failure with respect to the hard drive(s), it may be considered to be a diagnostic application. The second application also provides the capability of restoring a hard drive to a user-selected time or user-selected transaction T
X
, and therefore can be considered to be a restoration process to a known state T
X
. A “diagnostic application” provides a means for detecting faults in the system. Ideally, a diagnostic application detects or enables detection of faults early before they get too serious or to quickly identify that problem to be fixed.
This invention provides a computer system and method for maintaining an audit record for data restoration, forensic and diagnostic applications which is believed to constitute an improvement over the background technology.
BRIEF SUMMARY OF THE INVENTION
The present invention include
Baderman Scott
Shumaker & Sieffert P.A.
Voom Technologies, Inc.
LandOfFree
Computer system and method for maintaining an audit record... does not yet have a rating. At this time, there are no reviews or comments for this patent.
If you have personal experience with Computer system and method for maintaining an audit record..., we encourage you to share that experience with our LandOfFree.com community. Your opinion is very important and Computer system and method for maintaining an audit record... will most certainly appreciate the feedback.
Profile ID: LFUS-PAI-O-3268886