Stochastic forensics is a method to forensically reconstruct digital activity that leaves no artifacts, by analyzing emergent properties resulting from the stochastic nature of modern computers (Grier 2011; Schwartz 2011; Chickowski 2012). Unlike traditional computer forensics, which relies on digital artifacts, stochastic forensics does not require artifacts and can therefore recreate activity which would otherwise be invisible. Its chief application is the investigation of insider data theft ("Insider Threat Spotlight", SC Magazine, August 2012).


History

Stochastic forensics was invented in 2010 by computer scientist Jonathan Grier to detect and investigate insider data theft. Insider data theft has been notoriously difficult to investigate using traditional methods, since it does not create artifacts such as changes to file attributes or the Windows Registry (Carvey 2009). Consequently, industry demanded a new investigative technique. Since its invention, stochastic forensics has been used in real-world investigations of insider data theft (Grier 2012), has been the subject of academic research, and has met with industry demand for tools and training (Grier, "Catching Insider Data Theft with Stochastic Forensics", Black Hat Briefings USA).


Origins in statistical mechanics

Stochastic forensics is inspired by the statistical mechanics method used in physics. Classical Newtonian mechanics calculates the exact position and momentum of every particle in a system. This works well for systems, such as the Solar System, which consist of a small number of objects. However, it cannot be used to study things like a gas, which has an intractably large number of molecules. Statistical mechanics does not attempt to track the properties of individual particles, only the properties which emerge statistically. Hence, it can analyze complex systems without needing to know the exact position of their individual particles. Likewise, modern computer systems, which can have over 2^ states, are too complex to be analyzed completely. Therefore, stochastic forensics views a computer as a stochastic process which, although unpredictable, has well-defined probabilistic properties. By analyzing these properties statistically, stochastic forensics can reconstruct activity that took place, even if the activity did not create any artifacts.


Use in investigating insider data theft

Stochastic forensics' chief application is detecting and investigating insider data theft. Insider data theft is often done by someone who is technically authorized to access the data and who uses it regularly as part of their job. It does not create artifacts or change file attributes or the Windows Registry. Consequently, unlike external computer attacks, which by their nature leave traces, insider data theft is practically invisible. However, the statistical distribution of filesystem metadata, in particular file access timestamps, is affected by such large-scale copying. Typical filesystems have a heavy-tailed distribution of file access: most files go untouched for long periods while a few are accessed recently and repeatedly. Copying in bulk disturbs this pattern, because every file in the copied tree acquires an access time within the same short window, and is consequently detectable. Drawing on this, stochastic forensics has been used to successfully investigate insider data theft where other techniques have failed. Typically, after stochastic forensics has identified the data theft, follow-up using traditional forensic techniques is required.
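As an added worked example (not from the original article and not Grier's own tooling), the following Python models the pattern described above: file access times whose ages follow a heavy-tailed (Pareto) distribution, a simulated bulk copy of one directory, and a detector that flags directories where an unusually large share of files were accessed within a single short window. The directory names, the 50-file and 50 % thresholds and the one-hour window are illustrative assumptions, not parameters from the paper, and all input data is constructed in the block.

```python
import random
import time
from collections import defaultdict

HOUR = 3600.0
DAY = 24 * HOUR


def build_synthetic_tree(seed=7, files_per_dir=200):
    """Constructed data: {path: atime_epoch} for a few directories whose
    file ages are Pareto distributed, i.e. heavy tailed, as ordinary
    day-to-day use leaves them (most files old, a few recent)."""
    rng = random.Random(seed)
    now = time.time()
    tree = {}
    for d in ("src", "docs", "finance", "legal"):  # assumed directory names
        for i in range(files_per_dir):
            age_days = rng.paretovariate(1.2)      # heavy right tail, >= 1 day
            jitter = rng.random() * DAY            # spread within the day
            tree[f"{d}/file{i:03d}"] = now - age_days * DAY - jitter
    return tree


def simulate_bulk_copy(tree, directory, start, seed=3):
    """Model a copy-out of a whole directory: every file under it is read
    within a five-minute burst, so all its atimes land in that window."""
    rng = random.Random(seed)
    out = dict(tree)
    for path in out:
        if path.startswith(directory + "/"):
            out[path] = start + rng.random() * 5 * 60
    return out


def densest_window_fraction(atimes, window=HOUR):
    """Largest fraction of the given atimes that fall inside any single
    interval of `window` seconds (two-pointer sweep over sorted times)."""
    ts = sorted(atimes)
    n = len(ts)
    if n == 0:
        return 0.0
    best = 0
    j = 0
    for i in range(n):
        while j < n and ts[j] - ts[i] <= window:
            j += 1
        best = max(best, j - i)
    return best / n


def find_bulk_access(tree, window=HOUR, min_fraction=0.5, min_files=50):
    """Flag directories where at least `min_fraction` of (at least
    `min_files`) files were accessed inside one `window`. Under a
    heavy-tailed access pattern this share is a few percent; a bulk
    copy drives it toward 1.0. Returns {directory: fraction}."""
    by_dir = defaultdict(list)
    for path, atime in tree.items():
        by_dir[path.rsplit("/", 1)[0]].append(atime)
    flagged = {}
    for d, ts in by_dir.items():
        frac = densest_window_fraction(ts, window)
        if len(ts) >= min_files and frac >= min_fraction:
            flagged[d] = round(frac, 3)
    return flagged


if __name__ == "__main__":
    baseline = build_synthetic_tree()
    print("baseline:", find_bulk_access(baseline))
    stolen = simulate_bulk_copy(baseline, "finance", time.time() - 3 * DAY)
    print("after copy-out:", find_bulk_access(stolen))
```

Against real evidence the tree would come from walking a mounted image and reading `st_atime`, and the thresholds would be tuned per environment; the point the block makes is that the detector needs no artifact of the copy itself, only the collapse of the access-time distribution into one narrow window.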


Criticism

Stochastic forensics has been criticized as only providing evidence and indications of data theft, not concrete proof. Indeed, it requires a practitioner to "think like Sherlock, not Aristotle." Certain authorized activities besides data theft, such as backups, antivirus scans or search indexing that read every file, may cause similar disturbances in statistical distributions. Furthermore, many operating systems do not track access timestamps by default, making stochastic forensics not directly applicable; an investigator should confirm how the examined volume was mounted before drawing any conclusion from access times. Research is underway in applying stochastic forensics to these operating systems as well as to databases. Additionally, in its current state, stochastic forensics requires a trained forensic analyst to apply and evaluate. There have been calls by Guidance Software and others for the development of tools to automate stochastic forensics.
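The access-timestamp caveat above is something an examiner can test directly on a live system. The following added Python probe (not part of the original article) writes a temporary file, backdates its atime by two days while leaving mtime current, reads it, and reports whether the filesystem refreshed the atime. Backdating atime past mtime means that both strictatime and Linux's default relatime would refresh it, so updated=False indicates noatime-style mounting (or Windows's default of disabled last-access updates) and that access-time analysis will not work on that volume. The temporary directory, file contents and key names are this example's own choices.

```python
import os
import tempfile
import time

DAY = 86400.0


def atime_tracking_probe(directory=None):
    """Report whether reading a file on this filesystem refreshes its
    access time. A temporary file is created in `directory` (or the
    system temp dir), its atime set two days in the past and its mtime
    to now, then it is read and st_atime compared before and after.

    Backdating atime past mtime covers both strictatime and Linux's
    default relatime (which refreshes atime only when it is older than
    mtime/ctime or more than a day old). updated=False therefore points
    at a noatime mount, or at Windows's default of disabled last-access
    updates, and means atime-based analysis is not applicable here."""
    fd, path = tempfile.mkstemp(prefix="atime-probe-", dir=directory)
    try:
        with os.fdopen(fd, "wb") as f:
            f.write(b"constructed probe content\n")
        now = time.time()
        os.utime(path, (now - 2 * DAY, now))      # (atime, mtime)
        before = os.stat(path).st_atime
        with open(path, "rb") as f:
            f.read()                              # the access under test
        after = os.stat(path).st_atime
        return {
            "directory": os.path.dirname(path),
            "before": before,
            "after": after,
            "updated": after > before,
        }
    finally:
        os.unlink(path)


if __name__ == "__main__":
    result = atime_tracking_probe()
    verdict = "refreshes" if result["updated"] else "does NOT refresh"
    print(f"{result['directory']}: reading a file {verdict} its access time")
    if not result["updated"]:
        print("access-time based stochastic analysis is not applicable here")
```

On an acquired image the equivalent check is to look at the mount options recorded for the volume (for example `relatime` or `noatime` in `/etc/fstab` on Linux, or the `NtfsDisableLastAccessUpdate` setting on Windows) rather than probing, since reading the evidence itself would alter the very timestamps under examination.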


References

Grier, Jonathan (2011). "Detecting data theft using stochastic forensics". Journal of Digital Investigation, 8(Supplement), S71-S77.
Schwartz, Mathew J. (December 13, 2011). "How Digital Forensics Detects Insider Theft". Information Week.
Chickowski, Ericka (June 26, 2012). Dark Reading.
"Insider Threat Spotlight" (August 2012). SC Magazine.
Carvey, Harlan (2009). Windows Forensic Analysis DVD Toolkit, 2nd ed. Syngress Publishing.
Grier, Jonathan (May 2012). "Investigating Data Theft with Stochastic Forensics". Digital Forensics Magazine.
Grier, Jonathan. "Catching Insider Data Theft with Stochastic Forensics". Black Hat Briefings USA.
Department of Defense Cyber Crime Center (DC3). 2012 DC3 Agenda.


External links

"Detecting Data Theft Using Stochastic Forensics", Journal of Digital Investigation
"How Digital Forensics Detects Insider Theft", Information Week
Dark Reading