Often, it is of interest to monitor and/or collect events from a monitored computer system, as described, for example, in U.S. patent application Ser. No. 11/556,942, already incorporated by reference. This functionality is of limited use, however, without a facility to replay the events to see the user actions that generated the events.
Various products and offerings are available for capturing the activities of a user on a client workstation, analyzing the captured information and determining if the user is engaged in undesirable, proscribed or illegal behavior. The offerings fall into two broad categories: those that capture information at some central network gateway: and those that capture information directly from the client workstation through the use of an agent on the client. In both cases the captured information generally is analyzed for indications of proscribed activities and an alert or report made to some authorized observer.
The observer is then provided with reports and/or logs about the suspect behavior from which the observer attempts to determine the precise nature and order of the activities, using the activity details in the logs provided by the system. The system assists by providing various levels of reconstruction and reassembly of the user's sessions of activity.
However the task of reconstructing the user's behavior is analogous to being given a log of all of the commingled scripts for the concurrent television programs being broadcast and asked to pick out the plot of just one of the programs. This presents, at the least, a difficult and time-consuming task.
Another solution is to provide an application for “replaying” such events, allowing an operator to experience the events generally as would the user who generated them. In many cases, attempts at replaying captured web and other client workstation activity have relied upon programmatic solutions that simulate the capabilities of a web browser. One exemplary solution of this type is product example is the Speed-Trap™ product from the IS Solutions in the UK, which captures client workstation activity and used a Microsoft Visual Basic™ application to simulate the browser capabilities and replay the captured information.
Other attempts have been undertaken with Java and C++ programs to simulate the browser and to replay the collected information. Each of these attempts has suffered from the inability of the simulation programs to handle the full range of capabilities and variations found in modern web browsers. Each approach has provided a limited range of compatibility and a tendency to break when encountering complex or unexpected data structures or sequences that are handled by today's sophisticated web browsers.