Stochastic forensics is a method to forensically reconstruct digital activity lacking artifacts, by analyzing

emergent properties In philosophy, systems theory, science, and art, emergence occurs when an entity is observed to have properties its parts do not have on their own, properties or behaviors that emerge only when the parts interact in a wider whole. Emergence ...

resulting from the

stochastic Stochastic (, ) refers to the property of being well described by a random probability distribution. Although stochasticity and randomness are distinct in that the former refers to a modeling approach and the latter refers to phenomena themselv ...

nature of modern computers.Grier, Jonathan (2011)
"Detecting data theft using stochastic forensics"
''Journal of Digital Investigation''. 8(Supplement), S71-S77.Schwartz, Mathew J. (December 13, 2011
"How Digital Forensics Detects Insider Theft"
''Information Week''.Chickowski, Ericka (June 26, 2012).

Dark Reading
Unlike traditional

computer forensics Computer forensics (also known as computer forensic science) is a branch of digital forensic science pertaining to evidence found in computers and digital storage media. The goal of computer forensics is to examine digital media in a forensical ...

, which relies on

digital artifact Digital artifact in information science, is any undesired or unintended alteration in data introduced in a digital process by an involved technique and/or technology. Digital artifact can be of any content types including text, audio, video, ...

s, stochastic forensics does not require artifacts and can therefore recreate activity which would otherwise be invisible. Its chief application is the investigation of

insider ''Insider'', previously named ''Business Insider'' (''BI''), is an American financial and business news website founded in 2007. Since 2015, a majority stake in ''Business Insider''s parent company Insider Inc. has been owned by the German publ ...

data theft Data theft is a growing phenomenon primarily caused by system administrators and office workers with access to technology such as database servers, desktop computers and a growing list of hand-held devices capable of storing digital information, su ...

."Insider Threat Spotlight"
(August 2012). ''

SC Magazine Haymarket Media Group is a privately held media company headquartered in London. It has publications in the consumer, business and customer sectors, both print and online. It operates exhibitions allied to its own publications, and previously o ...

History

Stochastic forensics was invented in 2010 by computer scientist

Jonathan Grier Jonathan Grier is a computer scientist, consultant, and entrepreneur. He is best known for his work on stochastic forensics and insider data theft.Grier, Jonathan (2011)"Detecting data theft using stochastic forensics" ''Journal of Digital Inv ...

to detect and investigate

. Insider data theft has been notoriously difficult to investigate using traditional methods, since it does not create any artifacts (such as changes to the file attributes or

Windows Registry The Windows Registry is a hierarchical database that stores low-level settings for the Microsoft Windows operating system and for applications that opt to use the registry. The kernel, device drivers, services, Security Accounts Manager, and use ...

).Carvey, Harlan. "Windows forensic analysis DVD Toolkit". 2nd ed. Syngress Publishing; 2009. Consequently, industry demanded a new investigative technique. Since its invention, stochastic forensics has been used in real world investigation of insider data theft,Grier, Jonathan (May 2012).
"Investigating Data Theft with Stochastic Forensics"
"Digital Forensics Magazine." been the subject of academic research, and met with industry demand for tools and training.''

Black Hat Briefings Black Hat Briefings (commonly referred to as Black Hat) is a computer security conference that provides security consulting, training, and briefings to hackers, corporations, and government agencies around the world. Black Hat brings together a ...

'', USA 201
Catching Insider Data Theft with Stochastic Forensics

Origins in statistical mechanics

Stochastic forensics is inspired by the

statistical mechanics In physics, statistical mechanics is a mathematical framework that applies statistical methods and probability theory to large assemblies of microscopic entities. It does not assume or postulate any natural laws, but explains the macroscopic be ...

method used in

physics Physics is the natural science that studies matter, its fundamental constituents, its motion and behavior through space and time, and the related entities of energy and force. "Physical science is that department of knowledge which r ...

. Classical Newtonian mechanics calculates the exact position and momentum of every

particle In the Outline of physical science, physical sciences, a particle (or corpuscule in older texts) is a small wikt:local, localized physical body, object which can be described by several physical property, physical or chemical property, chemical ...

in a system. This works well for systems, such as the

Solar System The Solar SystemCapitalization of the name varies. The International Astronomical Union, the authoritative body regarding astronomical nomenclature, specifies capitalizing the names of all individual astronomical objects but uses mixed "Solar S ...

, which consist of a small number of objects. However, it cannot be used to study things like a

gas Gas is one of the four fundamental states of matter (the others being solid, liquid, and plasma). A pure gas may be made up of individual atoms (e.g. a noble gas like neon), elemental molecules made from one type of atom (e.g. oxygen), or ...

, which have intractably large numbers of

molecules A molecule is a group of two or more atoms held together by attractive forces known as chemical bonds; depending on context, the term may or may not include ions which satisfy this criterion. In quantum physics, organic chemistry, and bioche ...

. Statistical mechanics, however, doesn't attempt to track properties of individual particles, but only the properties which emerge statistically. Hence, it can analyze complex systems without needing to know the exact position of their individual particles. Likewise, modern day computer systems, which can have over

2^

states, are too complex to be completely analyzed. Therefore, stochastic forensics views computers as a

stochastic process In probability theory and related fields, a stochastic () or random process is a mathematical object usually defined as a family of random variables. Stochastic processes are widely used as mathematical models of systems and phenomena that appea ...

, which, although unpredictable, has well defined

probabilistic Probability is the branch of mathematics concerning numerical descriptions of how likely an Event (probability theory), event is to occur, or how likely it is that a proposition is true. The probability of an event is a number between 0 and ...

properties. By analyzing these properties statistically, stochastic mechanics can reconstruct activity that took place, even if the activity did not create any artifacts.

Use in investigating insider data theft

Stochastic forensics chief application is detecting and investigating

. Insider data theft is often done by someone who is technically authorized to access the data, and who uses it regularly as part of their job. It does not create artifacts or change the file attributes or

. Consequently, unlike external

computer attacks A computer is a machine that can be programmed to Execution (computing), carry out sequences of arithmetic or logical operations (computation) automatically. Modern digital electronic computers can perform generic sets of operations known as C ...

, which, by their nature, leave traces of the attack, insider data theft is practically invisible. However, the

statistical distribution In statistics, an empirical distribution function (commonly also called an empirical Cumulative Distribution Function, eCDF) is the distribution function associated with the empirical measure of a sample. This cumulative distribution functio ...

filesystems In computing, file system or filesystem (often abbreviated to fs) is a method and data structure that the operating system uses to control how data is stored and retrieved. Without a file system, data placed in a storage medium would be one larg ...

metadata Metadata is "data that provides information about other data", but not the content of the data, such as the text of a message or the image itself. There are many distinct types of metadata, including: * Descriptive metadata – the descriptive ...

is affected by such large scale copying. By analyzing this distribution, stochastic forensics is able to identify and examine such data theft. Typical filesystems have a

heavy tailed In probability theory, heavy-tailed distributions are probability distributions whose tails are not exponentially bounded: that is, they have heavier tails than the exponential distribution. In many applications it is the right tail of the distrib ...

distribution of file access. Copying in bulk disturbs this pattern, and is consequently detectable. Drawing on this, stochastic mechanics has been used to successfully investigate insider data theft where other techniques have failed. Typically, after stochastic forensics has identified the data theft, follow up using traditional forensic techniques is required.

Criticism

Stochastic forensics has been criticized as only providing evidence and indications of data theft, and not concrete proof. Indeed, it requires a practitioner to "think like Sherlock, not Aristotle." Certain authorized activities besides data theft may cause similar disturbances in statistical distributions. Furthermore, many

operating systems An operating system (OS) is system software that manages computer hardware, software resources, and provides common services for computer programs. Time-sharing operating systems schedule tasks for efficient use of the system and may also inc ...

do not track access

timestamps A timestamp is a sequence of characters or encoded information identifying when a certain event occurred, usually giving date and time of day, sometimes accurate to a small fraction of a second. Timestamps do not have to be based on some absolut ...

by default, making stochastic forensics not directly applicable. Research is underway in applying stochastic forensics to these operating systems as well as

databases In computing, a database is an organized collection of data stored and accessed electronically. Small databases can be stored on a file system, while large databases are hosted on computer clusters or cloud storage. The design of databases spa ...

. Additionally, in its current state, stochastic forensics requires a trained forensic analyst to apply and evaluate. There have been calls for development of tools to automate stochastic forensics by

Guidance Software Guidance Software, Inc. was a public company (NASDAQ: GUID) founded in 1997. Headquartered in Pasadena, California, the company developed and provided software solutions for digital investigations primarily in the United States, Europe, the Middl ...

and others.

References

{{reflist, refs=

Department of Defense Cyber Crime Center The Department of Defense Cyber Crime Center (DC3) is designated as a Federal Cyber Center by National Security Presidential Directive 54/Homeland Security Presidential Directive 23, as a Department of Defense (DoD) Center Of Excellence for Digit ...

2012 DC3 Agenda

External links

"Detecting Data Theft Using Stochastic Forensics"
''Journal of Digital Investigation''
"How Digital Forensics Detects Insider Theft"
''Information Week''

''Dark Reading'' Digital forensics