How Digital Forensics Detects Insider Theft

A new digital forensic technique promises to help solve an ongoing problem involving malicious insiders: determining whether any information has actually been stolen.

Mathew Schwartz

December 13, 2011

4 Min Read
Network Computing logo

A new digital forensic technique promises to help solve an ongoing problem involving malicious insiders: determining whether any information has actually been stolen.

"[In] most of the forensic methods that are out there, if I'm breaking into your computer there will be the digital equivalent of broken windows," said Jonathan Grier, an independent security and digital-forensics consultant. "But an insider, he's authorized to use this data, he's using it day in and day out, and the computer isn't going to look much more different if I steal it, or use it to do my job," he said.

Now, however, Grier said he's found a way to address the "was data copied?" challenge by using stochastic forensics. Briefly, stochastic means randomly determined, but having a pattern. For example, look at gas molecules: while it's impossible to know where each and every molecule will be in a gas cloud, the probability of how the overall gas cloud will behave can be statistically computed. Grier has applied that principle to study file-access patterns on computers, building on research published by Dan Farmer and Wietse Venema. "They basically found that over a year, about 90% of files on a computer aren't being used," he said.

How can that fact help digital forensic investigators? "When you look at routine usage, you see a nice graph--a long-tailed pattern--where you use a few things, but most things gather dust," he said. "When you copy, you break that pattern. Because when you copy, you don't cherry-pick, you just get in and get out. And that has a uniform pattern, which is going to look unusual."

[ "An ounce of prevention is worth a pound of cure," said Benjamin Franklin. Learn How To Spot Malicious Insiders Before Data Theft. ]

The technique can also be used to reconstruct unusual access patterns, even after a notable period of time has elapsed, since files that normally wouldn't be accessed would likely only be accessed when they had been copied en masse. "Most forensics right now is, there was data, let's reconstruct it. There was child porn, let's undelete it. This is a very different approach. We're saying, what was the guy doing? We can use probability and statistics not to reconstruct data, but to reconstruct timelines," said Grier. That, in turn, can provide investigators with clues into people's actual behavior.

Grier has detailed his approach in "Detecting Data Theft Using Stochastic Forensics," published in Digital Investigation. Reviewing the research, Jessica M. Bair, senior director for curriculum development at Guidance Software, which makes the EnCase Forensic toolkit, said that Grier's technique could be a valuable addition to an investigator's bag of tricks.

"The concept that he's proposed here is really smart: to programmatically look at the directory, and all the subdirectories, and to look at the time-date stamps of access, because it's continuous rather than random," she said. "Intellectual property theft would be a great application of this."

What's required for digital stochastic forensics to work? "All we need is the source of the data, because we can see when it's been read. It doesn't matter if the data was loaded onto a USB key, or copied from the network," Grier said. "The only serious problem is if the operating system doesn't log access times." Notably, Windows 7 is set by default to not do this. But forensic investigators recommend activating such logging before giving PCs to employees, "because it's an interesting source of investigative information," he said.

Grier developed the technique while investigating a suspected case of insider theft. A company had fired a top-level employee. He was pushing hard for a generous settlement, but there were rumors that he'd taken a lot of valuable information with him. "He had an ax over the company, really," said Grier. But using stochastic forensics, Grier was able to determine that the employee had walked away with valuable information, which allowed the company to try and neutralize the resulting risk. "Through the company's lawyers, we presented to him a very strong case--enough to cause him to settle the outstanding grievances (severance, dismissal) with the company, and enough that the data never made any noise again."

Grier has applied for a patent for his stochastic forensics technique, and hopes to create an automated tool that can be used to complement existing digital forensic toolkits. He said the technique could also be extended to spot insider theft unfolding in real time, by watching for unusual file-access patterns, which would also spot insiders taking screenshots of sensitive information. Finally, Grier is working with Alexander Rasin at DePaul University's school of computing to see if the technique can be extended to analyze database access patterns.

Guidance Software's Bair also urged Grier to develop and sell a script for EnCase that uses the technique, especially since it would be able to remotely analyze someone's computer without altering its state, or tipping an investigator's hand. "He did the research, so he should be the first to market," she said.

Database access controls keep information out of the wrong hands. Limit who sees what to stop leaks--accidental and otherwise. Also in the new, all-digital Dark Reading supplement: Why user provisioning isn't as simple as it sounds. Download the supplement now. (Free registration required.)

About the Author(s)

Stay informed! Sign up to get expert advice and insight delivered direct to your inbox

You May Also Like

More Insights