1. Field of the Invention
The present invention relates, generally, to the restoration of a storage device such as a hard disk drive from a present state (TN) to a previous state (T0) or to any state (TX) occurring during the time period between T0 and TN. More particularly, the invention relates to an audit trail that maintains a comprehensive record of hard disk write transactions and/or other activity, which enables the storage device to undergo a forward restoration from T0 to TX or a reverse restoration from TN to TX, and which provides relevant data for forensic or diagnostic applications.
2. Background Information
The restoration of a storage device for a computer, such as a hard disk drive, to a previous state is critical in many situations. For example, in enterprise computing situations, the hard disk drive often must be restored after installing new software if bugs or other problems are encountered. This situation also presents itself in other environments. For example, a user installing a new version of an operating system to his or her hard disk drive may find that the operating system does not function as advertised, and that he or she desires to restore the disk drive to the previous operating system.
The restoration process is generally similar for both of these situations. First, a backup of the storage device is made to another storage device, such as a second hard disk drive. The new software is then installed, and the system is booted and tested. When a problem arises such that restoration is required, the backup previously made is copied back to the hard drive. However, this is a less than optimal solution because backing up and restoring a storage device can take hours for a personal computer and can literally take days in an enterprise situation. Thus, the testing of new software installations becomes needlessly time intensive. Furthermore, if a virus or other problem arises during the operation of the system, the restoration of the system is only as good as the last backup. To compound the problem, there may be a period of time in which the problem goes undetected, which may lead to backing up corrupted data over a good backup.
A substantially instantaneous storage restoration solution is described in U.S. application Ser. No. 09/258,413, filed Feb. 26, 1999 by David Biesner, Joseph Frolik, and Gaston Biesner, and entitled Substantially Instantaneous Storage Restoration for Non-Computer Forensics Applications. That application describes a system that includes a host device such as a processor or computer, a connection point at the host device such as a communication bus, a primary storage and a secondary storage. The primary storage has stored thereon first data, and sends this data to the host device in response to receiving a corresponding read command at the connection point. The secondary storage stores second data in response to receiving a write command including this data at the connection point, and sends the second data in response to receiving a corresponding read command at the connection point. Thus, a first state can be defined as the first data already on the primary storage. Subsequent (second) data sent to the connection point by the host device is written to the secondary storage. Read commands from the host device are handled either by the primary or the secondary storage, depending on whether the command relates to the first data stored on the primary storage, or the second data stored on the secondary storage. Optimally, in at least some embodiments, this process is transparent to the host device.
That application also describes another embodiment in which the first data can be copied to the secondary storage and the roles of the two storages (as primary and secondary) reversed. Furthermore, in some embodiments, near instantaneous reconciliation can be achieved by updating the secondary storage during free bus cycles. Therefore, when restoration to the first state is required, in at least some embodiments the system also includes a switch, either hardware or software, that instantly restores the secondary storage to its initial state, i.e. the state before the second data was stored thereon. This means that restoration to the first state is performed substantially instantaneously: the primary storage still has the first data stored thereon, and the secondary storage starts storing anew. Furthermore, when a new 'first state' is desired that includes both the first data stored on the primary storage and the second data stored on the secondary storage, in at least some embodiments the system includes another switch that copies the second data from the secondary storage to the primary storage, after which the secondary storage is again restored to its initial state. New third data sent by the host device is then stored on the secondary storage, and restoration to the "first state" means restoration to the state in which the primary storage has both the first and the second data stored thereon.
In the timeline of events leading from T0 to TN, the above-described recovery method is limited to restoring data to one of the ends of the timeline, i.e. either to T0 or to TN, and cannot restore the data to a known good state at a point in time TX between T0 and TN. The ability to restore the data to the last known good state is important in many situations. For example, in an enterprise system within an electronic commerce site that handles many on-line transactions per second, it is desirable to get the system back up and running as quickly as possible to minimize the amount of lost sales. Additionally, it is extremely important to be able to restore the data to the last known good state (TX) so as not to lose any of the transactions preceding that state.
Additionally, the above-identified technology does not maintain a record or audit trail of the various computer commands, transactions or other relevant data that may be used for forensic or diagnostic applications. Merriam-Webster's Collegiate Dictionary, Tenth Edition, defines "forensic" as: relating to or dealing with the application of scientific knowledge to legal problems (as in forensic medicine, forensic science, forensic pathologist, forensic experts). A computer forensic application is a forensic investigation in which the computer was either the object of an activity or an instrument used in the activity under investigation. As used herein, the term computer forensic application includes, but is not limited to, two investigative processes. The first forensic process enables an investigator to browse or otherwise investigate a target computer system beginning at time T0 and then, upon completion of the investigation, restore the target computer to its state at time T0. This may be accomplished using the technology described in application Ser. No. 09/258,413. The second forensic process involves maintaining an audit trail of hard drive transactions beginning at time T0. Because the second process provides a comprehensive record of all hard disk write transactions, and potentially other commands, that enables an in-depth recreation of a virus or other malicious attack, or of another software failure, with respect to the hard drive(s), it may also be considered a diagnostic application. The second process further provides the capability of restoring a hard drive to a user-selected time or user-selected transaction TX, and therefore can be considered a restoration process to a known state TX. A "diagnostic application" provides a means for detecting faults in the system. Ideally, a diagnostic application detects, or enables the detection of, faults early, before they become serious, or quickly identifies the problem so that it can be fixed.
This invention provides a computer system and method for maintaining an audit record for data restoration, forensic and diagnostic applications which is believed to constitute an improvement over the background technology.
The present invention includes a storage device embodiment with instantaneous storage restoration. The storage device with instantaneous restoration generally comprises a connector, a primary storage, and a secondary storage. The connector connects the storage device to a connection point of the computer. The primary storage has first data stored thereon, and is adapted for sending the first data to the computer in response to a corresponding read command received at the connection point. The secondary storage is adapted for storing second data in response to a corresponding write command received at the connection point, and is further adapted for sending the second data to the computer in response to a corresponding read command received at the connection point. The present invention combines the above-identified storage device (i.e. one with instantaneous storage restoration) with an audit trail storage that records a log of communication activity occurring at the connection point. For the purposes of the present application, the term "log of communication activity" includes, but is not limited to, each write command and its corresponding write content, a time stamp, a checksum (for error checking), other communication of concern for a forensic application, other communication activity of concern for a diagnostic application, and the memory location and controller status corresponding to each read command. Additionally, the term "log of communication activity" is intended to include not only the actual write commands and corresponding write content, but also the effect of each write command on the system. For example, in at least one embodiment, the log of communication activity records the old data that each write command replaced on the storage.
The invention also includes a storage device embodiment without instantaneous restoration. This storage device includes a connector, a storage, and an audit trail storage. The connector connects the storage device to a connection point of the computer. The storage is adapted for storing data in response to a corresponding write command received at the connection point, and is further adapted for sending the data to the computer in response to a corresponding read command received at the connection point. The audit trail storage is adapted for recording a log of communication activity occurring at the connection point.
The invention may further be defined as a system, that includes in addition to the elements attributed to the storage device, a host device connected to the connection point. The host device may be a computer, or one or more components thereof, such as a processor. The system may incorporate the storage device with or without instantaneous storage restoration.
The invention further may be defined as a computer-implemented method for restoring storage using an instantaneous storage system (T0→TX). This method generally comprises the steps of: (a) in response to receiving a write command regarding a first data, storing the first data to a secondary storage; (b) in response to receiving a read command regarding a second data, determining whether the second data is stored on the secondary storage; (c) upon determining that the second data is stored on the secondary storage, reading the second data from the secondary storage; (d) upon determining that the second data is not stored on the secondary storage, reading the second data from a primary storage; and (e) in response to receiving a restore command, resetting the secondary storage to an initial state. The present invention combines the above-identified steps performed with respect to the instantaneous storage system with the steps of: (1) recording a log of communication activity occurring at a connection point between a host device, a primary storage and a secondary storage; and (2) also in response to receiving a restore command, after resetting the secondary storage to an initial state, performing a forward restoration process by duplicating the communication activity that occurred at the connection point to restore the secondary storage to a known state at a desired time.
The invention further may be defined as a computer-implemented method for restoration of storage without using an instantaneous storage system (T0→TX). This method generally comprises the steps of: (a) recording data from a storage to a backup storage to establish an initial state; (b) recording a log of communication activity occurring at a connection point between a host device and the storage; and (c) in response to a restore command, restoring the storage to the initial state by restoring data from the backup storage to the storage, and then restoring the storage to a known state at a desired time by chronologically duplicating the communication activity recorded in the log.
Additionally, the present invention may be defined as a computer-implemented method for restoring a storage device to a known state TX without first restoring to an initial state T0 (TX←TN). This method generally comprises the steps of: (a) prior to writing new data to a memory location in a storage unit, reading the old data stored in the memory location; (b) writing the old data with header information into an audit trail storage; and (c) in response to a restore command, performing a reverse restoration process by writing the old data recorded in the audit trail back into the corresponding memory location in the storage beginning with the present state and ending with the known state.
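The storage device described above (a primary storage frozen at T0, a secondary storage that absorbs later writes and answers reads for the blocks it holds, and an audit trail recording each write's content, the old data it replaced and a checksum) and the three restoration methods just set out (forward T0→TX with the instantaneous system, forward T0→TX from a backup image, and reverse TN→TX in place) can be simulated in a few dozen lines. The Python below is an added illustration written for this page; it is not the applicant's implementation or any product's code. The block size, the CRC32 checksum, the record layout and the use of the transaction sequence number as the time stamp are assumptions made for the example, and the logging of read commands (memory location and controller status) is omitted.

```python
import zlib
from dataclasses import dataclass

BLOCK_SIZE = 4  # assumed toy block size; a real device would log whole sectors


@dataclass
class LogEntry:
    seq: int            # transaction number; doubles as the time stamp and TX
    block: int          # memory location addressed by the write command
    old: bytes          # data the write replaced (enables reverse restoration)
    new: bytes          # write content (enables forward restoration)
    checksum: int = 0   # CRC32 over the record, verified before any replay

    def compute_checksum(self) -> int:
        return zlib.crc32(f"{self.seq}:{self.block}:".encode() + self.old + b"|" + self.new)

    def verify(self) -> None:
        if self.checksum != self.compute_checksum():
            raise ValueError(f"audit trail entry {self.seq} failed its checksum")


class AuditedStorageDevice:
    """Primary holds the first data (frozen at T0); later writes land in the secondary."""

    def __init__(self, primary: list[bytes]):
        self.primary = list(primary)            # first data, never overwritten
        self.secondary: dict[int, bytes] = {}   # block -> second data
        self.audit_trail: list[LogEntry] = []
        self.clock = 0                          # sequence number of TN

    def read(self, block: int) -> bytes:
        # Secondary answers if the block was written after T0, else the primary does.
        return self.secondary.get(block, self.primary[block])

    def write(self, block: int, data: bytes) -> LogEntry:
        if len(data) != BLOCK_SIZE:
            raise ValueError("write content must be exactly one block")
        old = self.read(block)                  # read old data before overwriting
        self.clock += 1
        entry = LogEntry(self.clock, block, old, data)
        entry.checksum = entry.compute_checksum()
        self.audit_trail.append(entry)          # record first, then apply
        self.secondary[block] = data
        return entry

    def restore_initial(self) -> None:
        # The restore switch: discard all second data; the primary still holds T0.
        self.secondary.clear()

    def forward_restore(self, tx: int) -> None:
        # T0 -> TX: reset to T0, then replay the logged writes in order up to TX.
        self.restore_initial()
        for entry in self.audit_trail:
            if entry.seq > tx:
                break
            entry.verify()
            self.secondary[entry.block] = entry.new

    def reverse_restore(self, tx: int) -> None:
        # TN -> TX without passing through T0: assumes the device is at TN and
        # writes each replaced value back into its location, newest first.
        for entry in reversed(self.audit_trail):
            if entry.seq <= tx:
                break
            entry.verify()
            self.secondary[entry.block] = entry.old

    def image(self) -> list[bytes]:
        return [self.read(b) for b in range(len(self.primary))]


def forward_restore_from_backup(backup: list[bytes], trail: list[LogEntry], tx: int) -> list[bytes]:
    # Variant without instantaneous restoration: copy the T0 backup image back, then replay.
    storage = list(backup)
    for entry in trail:
        if entry.seq > tx:
            break
        entry.verify()
        storage[entry.block] = entry.new
    return storage


def demo() -> dict:
    """Constructed scenario: three writes, then restore to TX = 2 three ways."""
    t0_image = [b"AAAA", b"BBBB", b"CCCC"]       # constructed first data
    dev = AuditedStorageDevice(t0_image)
    dev.write(0, b"a1a1")                        # T1
    dev.write(2, b"c2c2")                        # T2: the last known good state
    dev.write(0, b"a3a3")                        # T3 = TN, e.g. a malicious write
    results = {"tn": dev.image()}
    dev.reverse_restore(2)                       # TN -> TX in place
    results["reverse"] = dev.image()
    dev.forward_restore(2)                       # T0 -> TX by replay
    results["forward"] = dev.image()
    results["backup"] = forward_restore_from_backup(t0_image, dev.audit_trail, 2)
    dev.restore_initial()                        # back to T0 instantly
    results["t0"] = dev.image()
    return results
```

Two practical points follow from the simulation. First, `reverse_restore` is only correct when the device is actually at TN, the state the tail of the trail describes, whereas `forward_restore` is valid from any state because it resets to T0 first; the final value of each block after a reverse restoration is the old data of the earliest undone entry touching that block, which is exactly that block's content at TX, so the trail must be complete for every write after TX. Second, the checksum detects accidental corruption of a record, not deliberate alteration: an attacker who can rewrite the audit trail can rewrite history, so the protection from malicious attack named among the features of the invention depends on keeping the audit trail storage outside the host's write path or otherwise authenticating it. Restoring to TX after an intrusion also replays every logged write up to TX, attacker's writes included, so TX has to be chosen before the first malicious transaction, which is what the per-transaction record lets an investigator locate.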
Significant features of the invention include the ability to quickly restore an enterprise or other computer system after a failure, the ability to quickly recover and restore the data for that system to a point in time right before the failure occurred, and the ability to hide or otherwise protect the restoration system from virus or other malicious attacks.