US 12,314,227 B2
Forensic file service
Christopher Michael Montgomery, Blaine, MN (US); Peter John Lindquist, St. Paul, MN (US); Brent Aethon McCullough, Saint Paul, MN (US); Vijay Ramanathan, Eden Prairie, MN (US); and Daniel Louis Sullivan, Denver, CO (US)
Assigned to Code42 Software, Inc., Minneapolis, MN (US)
Filed by Code42 Software, Inc., Minneapolis, MN (US)
Filed on Oct. 23, 2023, as Appl. No. 18/382,621.
Application 18/382,621 is a continuation of application No. 16/360,273, filed on Mar. 21, 2019, granted, now 11,822,514.
Prior Publication US 2024/0054105 A1, Feb. 15, 2024
This patent is subject to a terminal disclaimer.
Int. Cl. G06F 7/00 (2006.01); G06F 16/11 (2019.01); G06F 16/13 (2019.01); G06F 16/14 (2019.01); G06F 16/17 (2019.01); G06F 16/21 (2019.01)
CPC G06F 16/1734 (2019.01) [G06F 16/128 (2019.01); G06F 16/13 (2019.01); G06F 16/148 (2019.01); G06F 16/212 (2019.01)]
15 Claims
1. A system for forensic file services, the system comprising:
a computing device, comprising a hardware processor and a memory, the memory, storing instructions, which when executed by the hardware processor, causes the system to perform operations comprising:
receiving, over a network and from a monitoring application executing on a computing resource associated with a first tenant for forensic file services, data describing a filesystem element event corresponding to a particular filesystem element on the computing resource associated with the first tenant, the filesystem element event data describing a change to the particular filesystem element on a filesystem of the computing resource associated with the first tenant, and the filesystem element data including metadata of the particular filesystem element;
allocating the filesystem element event data to one of a plurality of parallel processing queues based upon an identifier of the computing resource;
determining that the filesystem element event corresponds to a deletion event;
responsive to determining that the filesystem element event corresponds to the deletion event, searching an event database for a last filesystem element event corresponding to that filesystem element and extracting a filesystem element signature including a hash of content of the particular filesystem element;
adding the filesystem element signature to the filesystem element event data to create enhanced filesystem element event data;
store the enhanced filesystem element event data in a database record of the event database in a partition configured to store a history of filesystem element events of a plurality computing resources associated with the first tenant;
receive a search request from a second computing device to search the event database, the search request comprising a search query and a tenant identifier of a second tenant;
execute the search query on a second partition of the event database to identify records that satisfy the search query, the second partition configured to store a history of filesystem element events of a plurality of computing resources associated with the second tenant; and
provide the identified records in response to the search request.
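
The flow recited in claim 1, sketched as an added example that is not taken from the patent or from any Code42 product: events are routed to a queue by device identifier, a deletion event is enriched with the content hash from the last recorded event for that file, and searches run only against the requesting tenant's partition. The names `EventStore`, `queue_for` and `NUM_QUEUES`, the in-memory storage, the use of SHA-256, and all sample events are assumptions made for illustration.

```python
import hashlib
from collections import defaultdict

NUM_QUEUES = 4  # assumed queue count; the claim only says "a plurality"

def queue_for(device_id):
    """Map a device identifier to a stable queue so its events stay in order."""
    digest = hashlib.sha256(device_id.encode()).digest()
    return int.from_bytes(digest[:4], "big") % NUM_QUEUES

class EventStore:
    """In-memory stand-in for the event database, one partition per tenant."""

    def __init__(self):
        self._partitions = defaultdict(list)  # tenant_id -> records, oldest first

    def last_event(self, tenant_id, device_id, path):
        for rec in reversed(self._partitions.get(tenant_id, [])):
            if rec["device_id"] == device_id and rec["path"] == path:
                return rec
        return None

    def ingest(self, tenant_id, event):
        record = dict(event, queue=queue_for(event["device_id"]))
        if record["type"] == "deleted":
            # The file is gone, so its content hash must come from history.
            prev = self.last_event(tenant_id, record["device_id"], record["path"])
            record["sha256"] = prev.get("sha256") if prev else None
        self._partitions[tenant_id].append(record)
        return record

    def search(self, tenant_id, predicate):
        # Only the requesting tenant's partition is ever scanned.
        return [r for r in self._partitions.get(tenant_id, []) if predicate(r)]

def demo():
    """Constructed sample events for two tenants."""
    store = EventStore()
    digest = hashlib.sha256(b"constructed file content").hexdigest()
    path = "/home/u/plan.xlsx"
    store.ingest("tenant-a", {"device_id": "laptop-17", "path": path,
                              "type": "modified", "sha256": digest})
    deleted = store.ingest("tenant-a", {"device_id": "laptop-17", "path": path,
                                        "type": "deleted"})
    orphan = store.ingest("tenant-b", {"device_id": "desk-02", "path": "/tmp/x",
                                       "type": "deleted"})
    return store, digest, deleted, orphan

if __name__ == "__main__":
    store, digest, deleted, orphan = demo()
    print(deleted["sha256"] == digest, orphan["sha256"])
```

A deletion with no prior event in the partition is stored with a null hash rather than dropped, so the gap in history stays visible to an investigator.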