US 12,299,119 B2
Event-triggered forensics capture
Shi Min Sharon Ko, Redmond, WA (US); Vidhi Agarwal, Bellevue, WA (US); Gueorgui Chkodrov, Redmond, WA (US); Sangeetha Madderla, Redmond, WA (US); and Mohamed Rouatbi, Yakima, WA (US)
Assigned to Microsoft Technology Licensing, LLC, Redmond, WA (US)
Filed by Microsoft Technology Licensing, LLC, Redmond, WA (US)
Filed on May 16, 2022, as Appl. No. 17/745,477.
Prior Publication US 2023/0367871 A1, Nov. 16, 2023
Int. Cl. G06F 21/55 (2013.01)
CPC G06F 21/554 (2013.01) [G06F 2221/034 (2013.01)] 20 Claims
OG exemplary drawing
 
1. A forensic computing system which is configured to perform event-triggered forensics capture, the forensic computing system comprising:
a digital data store;
a correlation engine interface to a correlation engine, the correlation engine interface configured to receive basic status data of a monitored computing system which is at least partially external to the forensic computing system; and
a forensic specification including a trigger event specification and a capture specification;
wherein the forensic computing system is configured to perform event-triggered forensics capture including: (a) detecting a trigger event in the basic status data, the trigger event matching the trigger event specification, (b) in response to detecting the trigger event, starting a forensic capture of extended status data from the monitored computing system, the extended status data including data which is not present in the basic status data and which matches the capture specification, and (c) submitting at least a portion of the extended status data to a forensic analysis tool, and wherein the submitting avoids transmitting the extended status data outside a specified regulatory compliance boundary.