Since its invention, stochastic forensics has been used in real-world investigations of insider data theft, been the subject of academic research, and met with industry demand for tools and training.
Origins in statistical mechanics
Stochastic forensics is inspired by the statistical mechanics method used in physics. Classical Newtonian mechanics calculates the exact position and momentum of every particle in a system. This works well for systems, such as the solar system, which consist of a small number of objects. However, it cannot be used to study things like a gas, which have intractably large numbers of molecules. Statistical mechanics, by contrast, does not attempt to track the properties of individual particles, only the properties that emerge statistically. Hence it can analyze complex systems without needing to know the exact position of their individual particles.
We can’t predict how any individual molecule will move and shake; but by accepting that randomness and describing it mathematically, we can use the laws of statistics to accurately predict the gas’s overall behavior. Physics underwent such a paradigm shift in the late 1800s... Could digital forensics be in need of such a paradigm shift as well?
— Jonathan Grier, Investigating Data Theft With Stochastic Forensics, Digital Forensics Magazine, May 2012
Likewise, modern-day computer systems, which can have over states, are too complex to be completely analyzed. Therefore, stochastic forensics views a computer as a stochastic process, which, although unpredictable, has well-defined probabilistic properties. By analyzing these properties statistically, stochastic forensics can reconstruct activity that took place, even if the activity did not create any artifacts.
Use in investigating insider data theft
Stochastic forensics' chief application is detecting and investigating insider data theft. Insider data theft is often done by someone who is technically authorized to access the data and who uses it regularly as part of their job. It does not create artifacts or change the file attributes or Windows Registry. Consequently, unlike external computer attacks, which by their nature leave traces of the attack, insider data theft is practically invisible.
However, the statistical distribution of file accesses is affected by such large-scale copying. By analyzing this distribution, stochastic forensics is able to identify and examine such data theft. Typical filesystems have a heavy-tailed distribution of file access: a few files are accessed often, and most are accessed rarely. Copying in bulk disturbs this pattern and is consequently detectable.
Drawing on this, stochastic forensics has been used to successfully investigate insider data theft where other techniques have failed. Typically, after stochastic forensics has identified the data theft, follow-up using traditional forensic techniques is required.
Stochastic forensics has been criticized as only providing evidence and indications of data theft, and not concrete proof. Indeed, it requires a practitioner to "think like Sherlock, not Aristotle." Certain authorized activities besides data theft may cause similar disturbances in statistical distributions.
Furthermore, many operating systems do not track access timestamps by default, making stochastic forensics not directly applicable to them. Research is underway on applying stochastic forensics to these operating systems, as well as to databases.
Additionally, in its current state, stochastic forensics requires a trained forensic analyst to apply and evaluate. There have been calls from Guidance Software for the development of tools to automate stochastic forensics.
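The heavy-tailed access pattern and its disturbance by bulk copying, together with the access-timestamp caveat just noted, as an added worked example in Python. This is not code from the article or from any of the cited authors or vendors; the directory paths, timestamps, window length and thresholds are constructed assumptions chosen to illustrate the idea.

```python
"""Bulk-copy detection from file access timestamps.

Added example, not code from the article or from any cited author's tools.
It implements the idea described above: ordinary file access is heavy-tailed
(a few files are touched often, most rarely), while a bulk copy touches a
large fraction of a directory's files inside a short window. All records
below are constructed sample data; the thresholds are assumptions.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone


@dataclass(frozen=True)
class FileRecord:
    path: str
    atime: datetime  # last access
    mtime: datetime  # last content modification


def atime_is_tracked(records, tolerance=timedelta(seconds=1)):
    """Guard for the caveat in the text: if no file's atime differs from its
    mtime, the volume is probably mounted noatime (or atime updates are
    otherwise disabled), and access statistics carry no signal at all."""
    return any(abs(r.atime - r.mtime) > tolerance for r in records)


def peak_window_fraction(records, window=timedelta(minutes=10)):
    """Largest fraction of the given files whose atimes fall within a single
    sliding window of length `window`. Returns (fraction, window_start)."""
    times = sorted(r.atime for r in records)
    if not times:
        return 0.0, None
    best, best_start, j = 0, times[0], 0
    for i, t in enumerate(times):
        while t - times[j] > window:  # slide the window start forward
            j += 1
        if i - j + 1 > best:
            best, best_start = i - j + 1, times[j]
    return best / len(times), best_start


def find_bulk_copies(records, window=timedelta(minutes=10),
                     min_files=20, threshold=0.8):
    """Flag directories in which at least `threshold` of the files (and at
    least `min_files` files) were accessed within one `window`. Returns {}
    when atime is not tracked, because the signal is then absent."""
    if not atime_is_tracked(records):
        return {}
    by_dir = {}
    for r in records:
        by_dir.setdefault(r.path.rsplit("/", 1)[0], []).append(r)
    flagged = {}
    for d, recs in by_dir.items():
        if len(recs) < min_files:
            continue
        frac, start = peak_window_fraction(recs, window)
        if frac >= threshold:
            flagged[d] = (round(frac, 2), start)
    return flagged


# --- constructed sample data (assumed paths and times) --------------------
BASE = datetime(2012, 6, 1, 10, 0, tzinfo=timezone.utc)


def _normal_dir(path, n):
    # heavy-tailed: file k was last read k*k days ago, so a handful are recent
    # and most have not been touched in months
    return [FileRecord(f"{path}/doc{k:03}.pdf", BASE - timedelta(days=k * k),
                       BASE - timedelta(days=k * k + 30)) for k in range(n)]


def _copied_dir(path, n):
    # bulk copy: every file read within six minutes, contents untouched for ages
    return [FileRecord(f"{path}/ledger{k:03}.xlsx",
                       BASE + timedelta(seconds=9 * k),
                       BASE - timedelta(days=200 + k)) for k in range(n)]


RECORDS = _normal_dir("/home/alice/docs", 30) + _copied_dir("/srv/finance/q3", 40)

# same layout, but atime == mtime everywhere, as on a noatime mount
NOATIME_RECORDS = [FileRecord(r.path, r.mtime, r.mtime) for r in RECORDS]

if __name__ == "__main__":
    print(find_bulk_copies(RECORDS))         # flags /srv/finance/q3
    print(find_bulk_copies(NOATIME_RECORDS))  # {} : no access signal to read
```

The window length and the 80% threshold are tuning knobs, not constants from the article; as the text says of the method itself, a flagged directory is an indication that warrants traditional follow-up (backups, indexers and antivirus scans can produce a similar burst), not proof of theft on its own.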
- Grier, Jonathan (2011). "Detecting data theft using stochastic forensics". Journal of Digital Investigation, 8 (Supplement), S71-S77.
- Schwartz, Mathew J. (December 13, 2011). "How Digital Forensics Detects Insider Theft". Information Week.
- Chickowski, Ericka (June 26, 2012). "New Forensics Method May Nab Insider Thieves". Dark Reading.
- "Insider Threat Spotlight" (August 2012). SC Magazine.
- Carvey, Harlan (2009). Windows Forensic Analysis DVD Toolkit, 2nd ed. Syngress Publishing.
- Grier, Jonathan (May 2012). "Investigating Data Theft with Stochastic Forensics". Digital Forensics Magazine.
- Nishide, T., Miyazaki, S., & Sakurai, K. (2012). "Security Analysis of Offline E-cash Systems with Malicious Insider". Journal of Wireless Mobile Networks, Ubiquitous Computing, and Dependable Applications, 3 (1/2), 55-71.
- Department of Defense Cyber Crime Center (2012). DC3 Agenda.
- Black Hat Briefings USA (2012). "Catching Insider Data Theft with Stochastic Forensics".
Last edited on 11 September 2018, at 23:42
Content is available under CC BY-SA 3.0 unless otherwise noted.