Stochastic forensics is a method to forensically reconstruct digital activity lacking artifacts, by analyzing emergent properties resulting from the stochastic nature of modern computers. [Grier, Jonathan (2011). "Detecting data theft using stochastic forensics". ''Journal of Digital Investigation'', 8(Supplement), S71-S77. Schwartz, Mathew J. (December 13, 2011). "How Digital Forensics Detects Insider Theft". ''Information Week''. Chickowski, Ericka (June 26, 2012). ''Dark Reading''.] Unlike traditional computer forensics, which relies on digital artifacts, stochastic forensics does not require artifacts and can therefore recreate activity which would otherwise be invisible. Its chief application is the investigation of insider data theft. ["Insider Threat Spotlight" (August 2012). ''SC Magazine''.]


History

Stochastic forensics was invented in 2010 by computer scientist Jonathan Grier to detect and investigate insider data theft. Insider data theft has been notoriously difficult to investigate using traditional methods, since it does not create any artifacts (such as changes to the file attributes or Windows Registry). [Carvey, Harlan. ''Windows Forensic Analysis DVD Toolkit''. 2nd ed. Syngress Publishing; 2009.] Consequently, industry demanded a new investigative technique. Since its invention, stochastic forensics has been used in real world investigation of insider data theft, [Grier, Jonathan (May 2012). "Investigating Data Theft with Stochastic Forensics". ''Digital Forensics Magazine''.] been the subject of academic research, and met with industry demand for tools and training. [''Black Hat Briefings'', USA 201. "Catching Insider Data Theft with Stochastic Forensics".]


Origins in statistical mechanics

Stochastic forensics is inspired by the statistical mechanics method used in physics. Classical Newtonian mechanics calculates the exact position and momentum of every particle in a system. This works well for systems, such as the Solar System, which consist of a small number of objects. However, it cannot be used to study things like a gas, which have intractably large numbers of molecules. Statistical mechanics, however, doesn't attempt to track properties of individual particles, but only the properties which emerge statistically. Hence, it can analyze complex systems without needing to know the exact position of their individual particles. Likewise, modern-day computer systems, which can have over 2^ states, are too complex to be completely analyzed. Therefore, stochastic forensics views computers as a stochastic process, which, although unpredictable, has well-defined probabilistic properties. By analyzing these properties statistically, stochastic mechanics can reconstruct activity that took place, even if the activity did not create any artifacts.


Use in investigating insider data theft

Stochastic forensics' chief application is detecting and investigating insider data theft. Insider data theft is often done by someone who is technically authorized to access the data, and who uses it regularly as part of their job. It does not create artifacts or change the file attributes or Windows Registry. Consequently, unlike external computer attacks, which, by their nature, leave traces of the attack, insider data theft is practically invisible. However, the statistical distribution of filesystems' metadata is affected by such large-scale copying. By analyzing this distribution, stochastic forensics is able to identify and examine such data theft. Typical filesystems have a heavy-tailed distribution of file access. Copying in bulk disturbs this pattern, and is consequently detectable. Drawing on this, stochastic mechanics has been used to successfully investigate insider data theft where other techniques have failed. Typically, after stochastic forensics has identified the data theft, follow-up using traditional forensic techniques is required.
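As an added illustration of the approach just described (example code, not from the article or from Grier's work), the following Python builds a constructed file share whose last-access times are heavy-tailed, overlays a bulk read, and flags the hour bucket holding an implausible share of all files; paths, timestamps, the Pareto model and the 20% threshold are all constructed for the example, and the scan_tree helper is an assumption about how the same data would be gathered from a real tree.

```python
import os
import random
from collections import Counter

NOW = 472_222 * 3600  # constructed reference time, aligned to a whole hour
HOUR = 3600

def baseline_tree(n=500, seed=1):
    """Constructed file share as (path, atime) pairs with heavy-tailed ages
    (Pareto, alpha=1, minimum one day): most files last read long ago."""
    rng = random.Random(seed)
    return [(f"/share/doc_{i}.dat", NOW - int(rng.paretovariate(1.0) * 86400))
            for i in range(n)]

def bulk_copy(tree, start, count, seed=2):
    """Model a bulk read: the first `count` files get access times inside a
    five-minute window starting at `start`."""
    rng = random.Random(seed)
    out = list(tree)
    for i in range(count):
        out[i] = (out[i][0], start + rng.randint(0, 299))
    return out

def access_histogram(tree, bucket=HOUR):
    """Number of files whose last access falls in each time bucket."""
    return Counter((atime // bucket) * bucket for _, atime in tree)

def find_bulk_access(tree, bucket=HOUR, min_share=0.2):
    """Bucket start times holding at least `min_share` of all files. Under a
    heavy-tailed access pattern no single hour comes close; a bulk read does."""
    hist = access_histogram(tree, bucket)
    total = len(tree)
    return sorted(b for b, n in hist.items() if n / total >= min_share)

def scan_tree(root):
    """(path, atime) pairs from a real tree. Caveat: noatime/relatime mounts
    update atime rarely or never, so check mount options before trusting it."""
    pairs = []
    for dirpath, _, names in os.walk(root):
        for name in names:
            p = os.path.join(dirpath, name)
            try:
                pairs.append((p, int(os.stat(p).st_atime)))
            except OSError:
                pass
    return pairs

if __name__ == "__main__":
    copied = bulk_copy(baseline_tree(), start=NOW - 2 * HOUR, count=150)
    print(find_bulk_access(baseline_tree()), find_bulk_access(copied))
```

The quiet baseline yields no flagged hour, while the same tree after 150 files are read within five minutes yields exactly the hour in which the copy happened, which is the point at which traditional follow-up would begin.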


Criticism

Stochastic forensics has been criticized as only providing evidence and indications of data theft, and not concrete proof. Indeed, it requires a practitioner to "think like Sherlock, not Aristotle." Certain authorized activities besides data theft may cause similar disturbances in statistical distributions. Furthermore, many operating systems do not track access timestamps by default, making stochastic forensics not directly applicable. Research is underway in applying stochastic forensics to these operating systems as well as databases. Additionally, in its current state, stochastic forensics requires a trained forensic analyst to apply and evaluate. There have been calls for the development of tools to automate stochastic forensics by Guidance Software and others.


References

Department of Defense Cyber Crime Center. 2012 DC3 Agenda.


External links

"Detecting Data Theft Using Stochastic Forensics", ''Journal of Digital Investigation''
"How Digital Forensics Detects Insider Theft", ''Information Week''
''Dark Reading''