In most modern organizations, almost all important information is stored in electronic form, across a variety of computer networks, servers, and other information systems. Trusted users inside an organization often have access to confidential and protected information. Consequently, organizations often employ a variety of security mechanisms to prevent unauthorized access to and/or use of such information.
One such security mechanism is the monitoring of computers within the organization's network and/or used by the organization's employees. Several systems and methods for monitoring events on a client computer are described in detail in U.S. patent application Ser. No. 11/556,942, already incorporated by reference.
A problem that commonly arises in the monitoring of computers, however, is that by the time a monitored event is analyzed and determined to be of interest, other events prior to the event of interest already have occurred. Consider, for example, the case in which a user sends an encrypted file via electronic mail. That event is determined to be of interest and is collected. Because the file is encrypted, however, it may be difficult and/or impossible to open and/or read the file, even if it is collected as part of the collection of the event. Hence, it would be useful if a monitoring system were able to look back in time in order to collect past events that might be related to a present event of interest.
Additionally, it would be useful for a monitoring system to have a set of data structures (in memory and/or on disk) that would provide for efficient storage of representations of events.
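The two needs stated above, looking back at earlier events once a later event is found to be of interest and keeping recent events in a compact structure, can be illustrated with a bounded, time-windowed event store. The following is an added example written for this page, not code from the patent application or from the monitoring system it describes; the event kinds, the sample event stream and the rule that an e-mail carrying an encrypted file is the event of interest are all constructed assumptions.

```python
from collections import defaultdict, deque
from dataclasses import dataclass
from typing import Deque, Dict, List, Optional


@dataclass(frozen=True)
class Event:
    ts: float                   # seconds since epoch (constructed values below)
    kind: str                   # assumed kinds: file_create, file_read, file_encrypt, email_send
    user: str
    path: Optional[str] = None  # file the event concerns, if any
    encrypted: bool = False     # assumed attribute set by the collector for email_send


class LookbackStore:
    """Bounded, time-windowed store of recent events with a per-path index.

    Each event is held once in a FIFO deque (bounded by max_events) and
    referenced once more from an index keyed by file path.  Events arrive
    in timestamp order and are evicted oldest-first, so the leftmost entry
    of every per-path deque is always the next one to evict; both
    structures can therefore be pruned in O(1) per evicted event.
    """

    def __init__(self, window_seconds: float, max_events: int) -> None:
        self.window = window_seconds
        self.max_events = max_events
        self.events: Deque[Event] = deque()
        self.by_path: Dict[str, Deque[Event]] = defaultdict(deque)

    def _evict_oldest(self) -> None:
        old = self.events.popleft()
        if old.path is not None:
            self.by_path[old.path].popleft()
            if not self.by_path[old.path]:
                del self.by_path[old.path]

    def record(self, ev: Event) -> None:
        # Drop events that have aged out of the look-back window first...
        while self.events and ev.ts - self.events[0].ts > self.window:
            self._evict_oldest()
        # ...then enforce the hard size bound on memory.
        while len(self.events) >= self.max_events:
            self._evict_oldest()
        self.events.append(ev)
        if ev.path is not None:
            self.by_path[ev.path].append(ev)

    def prior_events_for_path(self, ev: Event) -> List[Event]:
        """All retained events on the same path that precede ev."""
        if ev.path is None:
            return []
        return [e for e in self.by_path.get(ev.path, ()) if e.ts < ev.ts]


def is_of_interest(ev: Event) -> bool:
    # Assumed trigger, taken from the scenario in the text: an encrypted
    # file leaving the organization by e-mail.
    return ev.kind == "email_send" and ev.encrypted


def triage(store: LookbackStore, ev: Event) -> Optional[dict]:
    """Record ev; if it is of interest, return it together with the earlier
    events on the same file that the store still holds (the 'look back')."""
    store.record(ev)
    if not is_of_interest(ev):
        return None
    return {"event": ev, "prior": store.prior_events_for_path(ev)}


def run_demo():
    # Constructed sample stream, not real telemetry.
    doc = "/home/alice/q3-forecast.xlsx"
    stream = [
        Event(50, "file_create", "alice", doc),   # older than the window: expires
        Event(150, "file_read", "bob", "/srv/shared/notes.txt"),
        Event(400, "file_read", "alice", doc),
        Event(650, "file_encrypt", "alice", doc),
        Event(700, "email_send", "alice", doc, encrypted=True),
    ]
    store = LookbackStore(window_seconds=600, max_events=1000)
    flagged = None
    for ev in stream:
        hit = triage(store, ev)
        if hit is not None:
            flagged = hit
    return store, flagged


if __name__ == "__main__":
    store, flagged = run_demo()
    print("flagged:", flagged["event"])
    for e in flagged["prior"]:
        print("  related prior event:", e)
```

The window and size bounds are what make the store affordable: the look-back only ever covers what is still retained, so the window should be chosen from how long the relevant precursor events (here, the unencrypted read of the file) typically precede the trigger. Keying the index on something other than the file path (for example a user or a process id) is a one-line change to `record` and `prior_events_for_path`.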