Catching Insider Data Theft with Stochastic Forensics

Presented at Black Hat USA 2012

A stochastic process is, by definition, something unpredictable, but unpredictable in a precise way. Think of the molecules in a gas: we can't predict how any individual molecule will move and shake, but by accepting that randomness and describing it mathematically, we can use the laws of statistics to accurately predict the gas's overall behavior. What does this have to do with data theft? Insider data theft often leaves no artifacts or broken windows, making it invisible to traditional forensics. But copying large amounts of data will always affect the file system, and when we look through stochastic lenses, copying sticks out like a sore thumb. Stochastic forensics is a new technique that uses these patterns to detect insider data theft, despite its lack of artifacts. I've used these techniques to catch data theft months after its occurrence. I'll show you the statistical patterns present on a typical filesystem, the distinct patterns induced by copying, and the mathematical technique which highlights the difference. You'll learn how to spot otherwise invisible data theft.
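To make the idea concrete, here is an added example (not the speaker's code, and not the exact method presented in the talk) of what "copying sticks out like a sore thumb" can look like in file-system metadata. It assumes the signal examined is each file's last-access timestamp: organic use reads a tree's files at scattered moments over weeks or months, whereas a wholesale copy reads every file inside a few minutes, so the largest fraction of files whose access times fall within one short window separates the two cases. The file records, paths and timestamps below are constructed inline so the script runs offline; `walk_tree` shows how the same records would be gathered from a real directory.

```python
"""Illustrative bulk-read detector (added example, not from the talk).

Assumption not stated on the page: the metadata examined is the
last-access timestamp (atime) of each file.  Records are constructed
inline so the script runs offline; walk_tree() gathers real ones.
"""
import os
import random
from bisect import bisect_right
from dataclasses import dataclass


@dataclass(frozen=True)
class FileRecord:
    path: str
    atime: float  # seconds since the epoch


def walk_tree(root):
    """Collect atime records from a real directory tree (not used by the demo)."""
    out = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            try:
                out.append(FileRecord(full, os.stat(full).st_atime))
            except OSError:
                continue  # unreadable entry: skip rather than abort the scan
    return out


def max_window_fraction(records, window_seconds):
    """Largest fraction of files whose atimes fall inside any window of
    `window_seconds`.  Scattered organic access keeps this small; a bulk
    copy touches every file in minutes and pushes it toward 1.0."""
    if not records:
        return 0.0
    times = sorted(r.atime for r in records)
    best = 0
    for i, start in enumerate(times):
        # index of the first atime strictly later than start + window
        j = bisect_right(times, start + window_seconds)
        best = max(best, j - i)
    return best / len(times)


def flag_bulk_read(records, window_seconds=15 * 60, threshold=0.9):
    """True when at least `threshold` of the tree was read inside one window."""
    return max_window_fraction(records, window_seconds) >= threshold


# --- constructed sample data (hypothetical paths and times) ------------
BASE = 1_600_000_000.0  # arbitrary epoch reference
DAY = 86_400.0


def organic_tree(n_files, days=180, seed=1):
    """Files read at scattered times over `days` (constructed)."""
    rng = random.Random(seed)
    return [FileRecord(f"/share/org/f{i}", BASE + rng.uniform(0, days * DAY))
            for i in range(n_files)]


def copied_tree(n_files, seed=2):
    """The same tree after a wholesale copy: every atime lands within
    ten minutes of the copy's start (constructed)."""
    rng = random.Random(seed)
    start = BASE + 120 * DAY
    return [FileRecord(f"/share/copy/f{i}", start + rng.uniform(0, 600))
            for i in range(n_files)]


if __name__ == "__main__":
    for label, tree in (("organic", organic_tree(500)),
                        ("copied", copied_tree(500))):
        frac = max_window_fraction(tree, 15 * 60)
        verdict = "BULK READ" if flag_bulk_read(tree) else "normal"
        print(f"{label}: {frac:.2%} of files read within 15 min -> {verdict}")
```

Two caveats for anyone applying this to a real share: many systems mount with `noatime` or `relatime`, which suppress or rate-limit access-time updates, so confirm the mount options before trusting the signal; and legitimate bulk readers (backups, indexers, antivirus scans) produce the same clustering, so a hit is a lead to correlate with who was logged on and what process did the reading, not a finding by itself.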