Stochastic forensics is a method to forensically reconstruct digital activity lacking artifacts, by analyzing emergent properties resulting from the stochastic nature of modern computers. [Grier, Jonathan (2011). "Detecting data theft using stochastic forensics". Journal of Digital Investigation, 8(Supplement), S71-S77.] [Schwartz, Mathew J. (December 13, 2011). "How Digital Forensics Detects Insider Theft". Information Week.] [Chickowski, Ericka (June 26, 2012). Dark Reading.] Unlike traditional computer forensics, which relies on digital artifacts, stochastic forensics does not require artifacts and can therefore recreate activity which would otherwise be invisible. Its chief application is the investigation of insider data theft. ["Insider Threat Spotlight" (August 2012). SC Magazine.]


History

Stochastic forensics was invented in 2010 by computer scientist Jonathan Grier to detect and investigate insider data theft. Insider data theft has been notoriously difficult to investigate using traditional methods, since it does not create any artifacts (such as changes to the file attributes or the Windows Registry). [Carvey, Harlan (2009). Windows Forensic Analysis DVD Toolkit, 2nd ed. Syngress Publishing.] Consequently, industry demanded a new investigative technique. Since its invention, stochastic forensics has been used in real world investigations of insider data theft, [Grier, Jonathan (May 2012). "Investigating Data Theft with Stochastic Forensics". Digital Forensics Magazine.] has been the subject of academic research, and has met with industry demand for tools and training. [Black Hat Briefings, USA 201. "Catching Insider Data Theft with Stochastic Forensics".]


Origins in statistical mechanics

Stochastic forensics is inspired by the statistical mechanics method used in physics. Classical Newtonian mechanics calculates the exact position and momentum of every particle in a system. This works well for systems, such as the Solar System, which consist of a small number of objects. However, it cannot be used to study things like a gas, which has an intractably large number of molecules. Statistical mechanics, by contrast, does not attempt to track the properties of individual particles, but only the properties which emerge statistically. Hence, it can analyze complex systems without needing to know the exact position of their individual particles. Likewise, modern day computer systems, which can have over 2^ states, are too complex to be completely analyzed. Therefore, stochastic forensics views a computer as a stochastic process which, although unpredictable, has well defined probabilistic properties. By analyzing these properties statistically, stochastic forensics can reconstruct activity that took place, even if the activity did not create any artifacts.


Use in investigating insider data theft

The chief application of stochastic forensics is detecting and investigating insider data theft. Insider data theft is often done by someone who is technically authorized to access the data, and who uses it regularly as part of their job. It does not create artifacts or change the file attributes or the Windows Registry. Consequently, unlike external computer attacks, which, by their nature, leave traces of the attack, insider data theft is practically invisible. However, the statistical distribution of filesystem metadata is affected by such large scale copying. By analyzing this distribution, stochastic forensics is able to identify and examine such data theft. Typical filesystems have a heavy tailed distribution of file access: a few files are read often, while most sit untouched for long periods. Copying in bulk disturbs this pattern, and is consequently detectable. Drawing on this, stochastic forensics has been used to successfully investigate insider data theft where other techniques have failed. Typically, after stochastic forensics has identified the data theft, follow up using traditional forensic techniques is required.
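As an added illustration (not code from the article or from Grier's published method), the following Python simulation constructs a filesystem whose access times follow the heavy tailed pattern described above, then shows how a recursive copy of one share disturbs it and how an examiner can surface the affected directory. The share names, file count, Pareto parameter, one-hour window and 50% cut-off are all assumptions.

```python
import random
from collections import defaultdict
from datetime import datetime, timedelta

NOW = datetime(2012, 6, 1, 12, 0, 0)              # time of the examination
COPY_TIME = NOW - timedelta(minutes=10)            # when the simulated copy ran

def make_baseline(n_files, now=NOW, seed=7):
    """Constructed sample filesystem: files spread over three shares, each
    with a last-access time.  Days since last access follow a Pareto law
    (heavy tailed): a few files are hot, most have sat untouched for long."""
    rng = random.Random(seed)
    shares = ["/shares/finance", "/shares/hr", "/shares/eng"]
    files = {}
    for i in range(n_files):
        path = f"{rng.choice(shares)}/doc{i}.xlsx"
        days_idle = rng.paretovariate(1.2) - 1.0   # >= 0, heavy upper tail
        files[path] = now - timedelta(days=days_idle)
    return files

def simulate_bulk_copy(files, directory, when=COPY_TIME):
    """A recursive copy reads every file under `directory`, so the filesystem
    stamps all of them with access times inside a window of a few minutes."""
    copied = dict(files)
    for path in files:
        if path.startswith(directory + "/"):
            offset = random.Random(path).randint(0, 120)   # deterministic jitter
            copied[path] = when + timedelta(seconds=offset)
    return copied

def recent_fraction_by_dir(files, now=NOW, window=timedelta(hours=1)):
    """Share of files per directory whose atime lies within `window` of now.
    Under normal use this stays small; a bulk copy pushes it towards 1.0."""
    total, recent = defaultdict(int), defaultdict(int)
    for path, atime in files.items():
        d = path.rsplit("/", 1)[0]
        total[d] += 1
        if now - atime <= window:
            recent[d] += 1
    return {d: recent[d] / total[d] for d in total}

def flag_bulk_access(files, now=NOW, threshold=0.5):
    """Directories whose recent-access share exceeds `threshold` (an assumed
    cut-off) are leads for follow-up with traditional forensic techniques."""
    fractions = recent_fraction_by_dir(files, now)
    return sorted(d for d, f in fractions.items() if f > threshold)

if __name__ == "__main__":
    print(flag_bulk_access(simulate_bulk_copy(make_baseline(300), "/shares/finance")))  # ['/shares/finance']
```

The baseline alone produces no flags; only the share that was copied wholesale crosses the cut-off, which is exactly the kind of lead that then needs confirmation by conventional means.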


Criticism

Stochastic forensics has been criticized as only providing evidence and indications of data theft, and not concrete proof. Indeed, it requires a practitioner to "think like Sherlock, not Aristotle." Certain authorized activities besides data theft may cause similar disturbances in statistical distributions. Furthermore, many operating systems do not track access timestamps by default, making stochastic forensics not directly applicable. Research is underway in applying stochastic forensics to these operating systems as well as databases. Additionally, in its current state, stochastic forensics requires a trained forensic analyst to apply and evaluate. There have been calls for the development of tools to automate stochastic forensics by Guidance Software and others.
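Because the technique depends on access timestamps that some systems do not record, checking the mount policy is a sensible first step on Linux. The helper below is an added example (not from the article): it parses constructed /proc/mounts-style lines and reports, per mount point, how the kernel updates access times; the mount points and options are made-up sample data.

```python
# Constructed sample in /proc/mounts format: device, mount point, type, options.
SAMPLE_MOUNTS = """\
/dev/sda1 / ext4 rw,relatime,errors=remount-ro 0 0
/dev/sdb1 /shares ext4 rw,noatime 0 0
/dev/sdc1 /evidence xfs rw,strictatime 0 0
"""

def atime_policy(options):
    """Map Linux mount options to how the access time behaves.
    noatime: never updated, so access-pattern analysis has nothing to work with;
    relatime: updated only when the old atime is older than mtime/ctime or more
    than 24 hours old, so repeated reads within a day leave one stamp;
    strictatime: updated on every read."""
    opts = set(options.split(","))
    if "noatime" in opts:
        return "not tracked"
    if "strictatime" in opts:
        return "every access"
    if "relatime" in opts:
        return "first access per day (relatime)"
    return "no explicit atime flag"

def audit_mounts(text):
    """Parse /proc/mounts-style text into {mount_point: atime policy}."""
    result = {}
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 4:          # skip blank or malformed lines
            continue
        result[fields[1]] = atime_policy(fields[3])
    return result

if __name__ == "__main__":
    for mount, policy in audit_mounts(SAMPLE_MOUNTS).items():
        print(f"{mount:12} {policy}")
```

A share mounted noatime cannot be examined this way at all, and under relatime only the first read of a file each day is visible, which limits what a distribution of access times can show.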


References

Department of Defense Cyber Crime Center (DC3). 2012 DC3 Agenda.


External links

"Detecting Data Theft Using Stochastic Forensics", Journal of Digital Investigation
"How Digital Forensics Detects Insider Theft", Information Week
Dark Reading