To Catch a Thief: Cyber Forensics

Monday, July 2, 2012 @ 05:07 PM gHale

Insider theft and damage is a big problem facing manufacturers today and one of the biggest challenges of forensics investigations is the markers investigators use to detect most attacks are typically not present in insider cases where an employee or other authorized user has legitimate access to sensitive data.

A new methodology can now compare normal file access patterns against patterns present when files end up copied, which can detect when insiders have inappropriately copied data. The methodology will be front and center at Black Hat USA in Las Vegas later on this month.

Impossible to Possible: New Cryptography Approach
European Security Centers Eye Digital Gaps
A+ Discovery: Student Finds Zero Day
Socially Engineered Emails a Threat

Typically, most forensics investigations today depend upon artifacts, which are basically the markers left on a machine that leave an evidence trail, said Jonathan Grier who will present his methodology at Black Hat. In one case, if you plug in a USB drive, there will be an artifact showing the USB drive serial number. Unfortunately, when insiders copy large amounts of data, there are very few usable artifacts available to an investigator, he said. Insider data exfiltration is tricky to detect after the fact because of this and because it is very difficult to show whether the user accessed data during the normal course of business, he said.

“Most people who look at the issue just stop there and say ‘There are no artifacts, there’s not much we can do now,'” said Grier, who runs Grier Forensics. “But necessity is the mother of invention.”

A forensic examiner with over a decade of experience, Grier saw the necessity to get creative when a client needed his help. The client had heard rumors through the grapevine that a former employee fired under unpleasant circumstances had stolen some very valuable company assets on his way out the door. Of course, the big problem was this was months after the theft would have occurred, plus, on top of that, the ex-employee had access the data in question in order to get his job done.

Nevertheless, the client very badly needed to know whether or not this was true and asked Grier to help out. That’s exactly what he did, and in the process he came up with a patent-pending insider forensics detection methodology he said could change the way forensics investigators approach these cases.

At is root, the idea behind his method is to compare the relatively random and chaotic time-of-access file usage statistics of a typical user’s machine to the orderly patterns in time-of-access made by a machine when a user makes a wholesale copy of files at once. He calls it stochastic forensics, for the similar analysis used in physics to use the statistics of the random unpredictability of molecules to predict the behavior of a gas.

“If you look at how computers are used, files are not used uniformly. There is what is called a heavy tail distribution, which means that certain files are popular and used every day, every hour, every minute and then there are a large number of files that no one bothers to use,” Grier said. “There will be a number of files that have their timestamps overwritten because they were well-used and many files that were never opened. Whereas when you’re copying something, that’s not true. You open and copy everything inside the folder, not just what’s of interest. The question was, could we use this to figure things out?”

In order to answer the question, Grier built a computer simulation of a user’s activity within file structures over the course of a year. Then he reworked the simulation in such a way that the user had normal activity, but also made a large copy of files on the machine. After crunching the numbers and performing some statistical clean up of the data, he created a histogram that examined timestamp activity attached the files and saw that a huge spike occurred in the copying instance.

“You could graphically note exactly where the data was copied,” he said.

The result of the investigation: Stochastic forensics helped Grier reach a conclusion with a great degree of certainty the ex-employee made a copy of the data within a small window of time.

Leave a Reply

You must be logged in to post a comment.