Stochastic forensics is a method to forensically reconstruct digital activity lacking artifacts, by analyzing emergent properties resulting from the stochastic nature of modern computers. Unlike traditional computer forensics, which relies on digital artifacts, stochastic forensics does not require artifacts and can therefore recreate activity which would otherwise be invisible. Its chief application is the investigation of insider data theft.
Stochastic forensics was invented in 2010 by computer scientist Jonathan Grier to detect and investigate insider data theft. Insider data theft has been notoriously difficult to investigate using traditional methods, since it does not create any artifacts (such as changes to the file attributes or Windows Registry). Consequently, industry demanded a new investigative technique.
Since its invention, stochastic forensics has been used in real world investigation of insider data theft, been the subject of academic research, and met with industry demand for tools and training.
Origins in statistical mechanics
Stochastic forensics is inspired by the statistical mechanics method used in physics. Classical Newtonian mechanics calculates the exact position and momentum of every particle in a system. This works well for systems, such as the solar system, which consist of a small number of objects. However, it cannot be used to study things like a gas, which have intractably large numbers of molecules. Statistical mechanics, however, doesn't attempt to track properties of individual particles, but only the properties which emerge statistically. Hence, it can analyze complex systems without needing to know the exact position of their individual particles.
We can’t predict how any individual molecule will move and shake; but by accepting that randomness and describing it mathematically, we can use the laws of statistics to accurately predict the gas’s overall behavior. Physics underwent such a paradigm shift in the late 1800s... Could digital forensics be in need of such a paradigm shift as well?
— Jonathan Grier, Investigating Data Theft With Stochastic Forensics, Digital Forensics Magazine, May 2012
Likewise, modern day computer systems, which can have over states, are too complex to be completely analyzed. Therefore, stochastic forensics views computers as a stochastic process, which, although unpredictable, has well defined probabilistic properties. By analyzing these properties statistically, stochastic mechanics can reconstruct activity that took place, even if the activity did not create any artifacts.
Use in investigating insider data theft
Stochastic forensics chief application is detecting and investigating insider data theft. Insider data theft is often done by someone who is technically authorized to access the data, and who uses it regularly as part of their job. It does not create artifacts or change the file attributes or Windows Registry. Consequently, unlike external computer attacks, which, by their nature, leave traces of the attack, insider data theft is practically invisible.
However, the statistical distribution of filesystems' metadata is affected by such large scale copying. By analyzing this distribution, stochastic forensics is able to identify and examine such data theft. Typical filesystems have a heavy tailed distribution of file access. Copying in bulk disturbs this pattern, and is consequently detectable.
Drawing on this, stochastic mechanics has been used to successfully investigate insider data theft where other techniques have failed. Typically, after stochastic forensics has identified the data theft, follow up using traditional forensic techniques is required.
Stochastic forensics has been criticized as only providing evidence and indications of data theft, and not concrete proof. Indeed, it requires a practitioner to "think like Sherlock, not Aristotle." Certain authorized activities besides data theft may cause similar disturbances in statistical distributions.
Furthermore, many operating systems do not track access timestamps by default, making stochastic forensics not directly applicable. Research is underway in applying stochastic forensics to these operating systems as well as databases.
Additionally, in its current state, stochastic forensics requires a trained forensic analyst to apply and evaluate. There have been calls for development of tools to automate stochastic forensics by Guidance Software and others.
- Grier, Jonathan (2011). "Detecting data theft using stochastic forensics". Journal of Digital Investigation. 8(Supplement), S71-S77.
- Schwartz, Mathew J. (December 13, 2011)."How Digital Forensics Detects Insider Theft". Information Week.
- Chickowski, Ericka (June 26, 2012). "New Forensics Method May Nab Insider Thieves". Dark Reading.
- "Insider Threat Spotlight". (August 2012). SC Magazine
- Security Suite."A New Forensics Method to Nab Rogue Insiders". Retrieved 2013-01-20.
- Carvey, Harlan. "Windows forensic analysis DVD Toolkit". 2nd ed. Syngress Publishing; 2009.
- Grier, Jonathan (May 2012). "Investigating Data Theft with Stochastic Forensics". "Digital Forensics Magazine."
- Nishide, T., Miyazaki, S., & Sakurai, K. (2012). "Security Analysis of Offline E-cash Systems with Malicious Insider". Journal of Wireless Mobile Networks, Ubiquitous Computing, and Dependable Applications, 3(1/2), 55-71.
- Department of Defense Cyber Crime Center, 2012 DC3 Agenda.
- Black Hat Briefings, USA 2012.Catching Insider Data Theft with Stochastic Forensics.