Stochastic forensics

Stochastic forensics is a method of forensically reconstructing digital activity that leaves no artifacts, by analyzing emergent properties that result from the stochastic nature of modern computers. [1] [2] [3] Unlike traditional computer forensics, which relies on digital artifacts, stochastic forensics does not require them and can therefore reconstruct activity that would otherwise be invisible. [3] Its chief application is the investigation of insider data theft. [1] [2] [4]

History

Stochastic forensics was invented in 2010 by computer scientist Jonathan Grier to detect and investigate insider data theft. [2] Insider data theft has been notoriously difficult to investigate using traditional methods, since it does not create any artifacts (such as changes to the file attributes or Windows Registry). [3] [5] Consequently, industry demanded a new investigative technique. [6]

Since its invention, stochastic forensics has been used in real world investigation of insider data theft, [6] been the subject of academic research, [1] [7] and met with industry demand for tools and training. [2] [8] [9]

Origins in statistical mechanics

Stochastic forensics is inspired by the statistical mechanics method used in physics. [2] [6] Classical Newtonian mechanics calculates the exact position and momentum of every particle in a system. This works well for systems, such as the Solar System, which consist of a small number of objects. However, it cannot be used to study things like a gas, which have intractably large numbers of molecules. Statistical mechanics, however, doesn't attempt to track properties of individual particles, but only the properties which emerge statistically. Hence, it can analyze complex systems without needing to know the exact position of their individual particles.

We can’t predict how any individual molecule will move and shake; but by accepting that randomness and describing it mathematically, we can use the laws of statistics to accurately predict the gas’s overall behavior. Physics underwent such a paradigm shift in the late 1800s... Could digital forensics be in need of such a paradigm shift as well?

Jonathan Grier, "Investigating Data Theft With Stochastic Forensics", Digital Forensics Magazine, May 2012

Likewise, modern computer systems, which can have over states, are too complex to analyze completely. Stochastic forensics therefore views a computer as a stochastic process which, although unpredictable in detail, has well-defined probabilistic properties. By analyzing these properties statistically, stochastic forensics can reconstruct activity that took place even if that activity created no artifacts. [2] [3] [6]

Use in investigating insider data theft

The chief application of stochastic forensics is detecting and investigating insider data theft. Insider data theft is usually committed by someone who is authorized to access the data and who uses it regularly as part of their job. It creates no artifacts and does not change file attributes or the Windows Registry. [5] Consequently, unlike external attacks, which by their nature leave traces, insider data theft is practically invisible. [3]

However, large-scale copying does disturb the statistical distribution of filesystem metadata, and by analyzing that distribution stochastic forensics can identify and examine such theft. On a typical filesystem, file access follows a heavy-tailed distribution: most files are rarely touched while a few are accessed often. A bulk copy reads every file in a directory tree within a short interval, which breaks this pattern and is consequently detectable. [1] [2]
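The following Python is an added illustration of the idea in the paragraph above; it is not code from Grier's paper, nor from any tool or vendor the page cites. It works on constructed last-access timestamps (the Pareto parameters, the 50-files-per-second copy rate, the one-hour window and the 50% threshold are all assumptions chosen for the demonstration) and shows how a heavy-tailed access pattern looks in aggregate, how a recursive copy collapses it into one narrow cluster, and a simple statistic that separates the two cases.

```python
import random
from collections import Counter

HOUR = 3600
DAY = 24 * HOUR


def heavy_tailed_atimes(n_files, now, seed=7):
    """Constructed sample of last-access timestamps for a directory tree under
    ordinary use. Each file's access age is drawn from a Pareto distribution
    (alpha=1.5, scale one week; assumed parameters): most files were last read
    long ago, a few recently, and no single hour stands out."""
    rng = random.Random(seed)
    ages = [(rng.paretovariate(1.5) - 1.0) * 7 * DAY for _ in range(n_files)]
    return [max(int(now - age), 0) for age in ages]


def bulk_copy(atimes, copy_start, files_per_second=50):
    """Model what a recursive copy (cp -r, robocopy, drag-and-drop) does to the
    access times of the copied tree: every file is read once, in order, within
    seconds or minutes, so every atime lands in one narrow interval. The copy
    rate is an assumption; the shape of the result does not depend on it."""
    return [copy_start + i // files_per_second for i in range(len(atimes))]


def largest_access_cluster(atimes, window=HOUR):
    """Fraction of files whose last access falls into the single busiest window.
    Under a heavy-tailed access pattern this stays small; a bulk read of the
    tree pushes it towards 1.0."""
    buckets = Counter(t // window for t in atimes)
    return max(buckets.values()) / len(atimes)


def flag_bulk_access(atimes, window=HOUR, threshold=0.5):
    """True when at least `threshold` of the tree's files share one access
    window, i.e. the heavy tail has been flattened by something that touched
    (nearly) every file."""
    return largest_access_cluster(atimes, window) >= threshold


if __name__ == "__main__":
    now = 1_700_000_000
    normal = heavy_tailed_atimes(2000, now)
    copied = bulk_copy(normal, copy_start=now)
    # Partial theft: only the first 1200 files of the tree were copied.
    partial = bulk_copy(normal[:1200], copy_start=now) + normal[1200:]
    for label, sample in (("ordinary use", normal), ("full copy", copied), ("partial copy", partial)):
        share = largest_access_cluster(sample)
        print(f"{label:13s}: busiest hour holds {share:.1%} of files, flagged={flag_bulk_access(sample)}")
```

The statistic deliberately ignores which files were read and when; it only asks whether the access times still look heavy-tailed. That is also its weakness: a full backup, an antivirus scan or a search indexer reads every file too and produces the same cluster, so a hit is an indication to follow up with traditional techniques, not proof on its own. It also presupposes that the volume records access times at all.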

Drawing on this, stochastic forensics has been used to successfully investigate insider data theft where other techniques have failed. [1] [2] [3] [6] Typically, once stochastic forensics has identified the data theft, follow-up with traditional forensic techniques is required. [6]

Criticism

Stochastic forensics has been criticized as only providing evidence and indications of data theft, and not concrete proof. Indeed, it requires a practitioner to "think like Sherlock, not Aristotle." Certain authorized activities besides data theft may cause similar disturbances in statistical distributions. [1] [6]

Furthermore, many operating systems do not track access timestamps by default, so stochastic forensics is not directly applicable to them. NTFS on Windows has disabled last-access updates by default since Windows Vista, and Linux mounts filesystems with relatime by default, so an analyst must first verify that the volume under examination actually recorded access times. Research is under way on applying stochastic forensics to these operating systems as well as to databases. [2]

Additionally, in its current state, stochastic forensics requires a trained forensic analyst to apply and evaluate. There have been calls for development of tools to automate stochastic forensics by Guidance Software and others. [2]

References

  1. Grier, Jonathan (2011). "Detecting data theft using stochastic forensics". Digital Investigation, 8 (Supplement), S71-S77.
  2. Schwartz, Mathew J. (December 13, 2011). "How Digital Forensics Detects Insider Theft". InformationWeek.
  3. Chickowski, Ericka (June 26, 2012). "New Forensics Method May Nab Insider Thieves". Dark Reading.
  4. "Insider Threat Spotlight" (August 2012). SC Magazine.
  5. Carvey, Harlan (2009). Windows Forensic Analysis DVD Toolkit, 2nd ed. Syngress Publishing.
  6. Grier, Jonathan (May 2012). "Investigating Data Theft with Stochastic Forensics". Digital Forensics Magazine.
  7. Nishide, T., Miyazaki, S., & Sakurai, K. (2012). "Security Analysis of Offline E-cash Systems with Malicious Insider". Journal of Wireless Mobile Networks, Ubiquitous Computing, and Dependable Applications, 3(1/2), 55-71.
  8. Department of Defense Cyber Crime Center (2012). 2012 DC3 Agenda.
  9. Black Hat Briefings USA (2012). "Catching Insider Data Theft with Stochastic Forensics".