Catching Insider Data Theft with Stochastic Forensics (Jonathan Grier, Black Hat 2012)

  1. Catching Insider Data Theft with Stochastic Forensics. Jonathan Grier
  2. Confidentiality: to preserve client confidentiality, case information (names, places, dates, and settings) has been omitted or altered. The data and techniques presented have not been altered.
  3. Can you find the data thief?
  4. Harlan Carvey, Windows Forensic Analysis, 2009
  5. Harlan Carvey, Windows Forensic Analysis, 2009. No Artifacts = No Forensics
  6. Harlan Carvey, Windows Forensic Analysis, 2009. No Artifacts = No Forensics???
  7. Access timestamps update during: routine access
  8. Access timestamps update during: routine access; copying a folder
  9. Copying folders versus routine access:
      Copying folders: nonselective (all subfolders and files accessed); temporally continuous; recursive (directory accessed before its files)
      Routine access: selective; temporally irregular; random order (files can be accessed without their directory)
  10. [Figure: COPIED versus NOT COPIED]
  11. “slap-your-head-and-say-'doh-wish-I'd-thought-of-that’” (an anonymous reviewer). No Artifacts, Yes Forensics
  12. Not so fast... 1. Timestamps are overwritten very quickly. 2. There are other nonselective, recursive activities (besides copying).
  13. Not so fast... 1. Timestamps are overwritten very quickly. Can we use this method months later? On a heavily used system? Won’t most of the timestamps have been overwritten?
  14. Not so fast... 1. Timestamps are overwritten very quickly. Can we use this method months later? YES! On a heavily used system? YES! Won’t most of the timestamps have been overwritten? Not really!
  15. Two observations: 1. Timestamp values can increase, but never decrease. 2. A lot of files just collect dust: most activity is on a minority of files.
  16. Farmer & Venema, Forensic Discovery, 2005
  17. At t_copying: all files have access_timestamp = t_copying
  18. At t_copying: all files have access_timestamp = t_copying. Several weeks later: all files have access_timestamp ≥ t_copying
  19. At t_copying: all files have access_timestamp = t_copying. Several weeks later: all files have access_timestamp ≥ t_copying, and many files still have access_timestamp = t_copying
  20. After 300 days of simulated activity [Figure: histogram of access timestamps]
  21. Copying creates a cutoff cluster. Cutoff: no file has timestamp < t_cluster. Cluster: many files have timestamp = t_cluster.
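The argument of slides 15 through 21 (timestamps only move forward, most files collect dust, so a copy's cluster survives months of routine use) can be checked with a small simulation. The block below is an added example, not code from the talk; the parameters (1000 files, 300 days, a copy on day 100, 20 routine accesses per day of which 90% land on a "hot" 10% of the files) are assumptions chosen to make the effect visible, and a control run without a copy shows that no cutoff cluster forms on its own.

```python
"""Added example (not from Grier's talk): simulate access-timestamp evolution
and show that a recursive copy leaves a cutoff cluster that survives months of
routine use.  Every parameter below is an assumption chosen for illustration."""
import random


def simulate(n_files=1000, days=300, t_copy=100, daily_touches=20,
             hot_fraction=0.1, hot_share=0.9, seed=1):
    """Return the final access timestamp (in days) of every file.

    Day 0 starts with timestamps spread over the previous year.  Each day,
    `daily_touches` routine accesses occur; `hot_share` of them hit a fixed
    "hot" minority of `hot_fraction` of the files (slide 15: most activity is
    on a minority of files), the rest hit files chosen uniformly.  On day
    `t_copy` (None = no copy, the control run) a recursive copy reads every
    file, setting every access timestamp to that day (slide 17).
    """
    rng = random.Random(seed)
    atime = [rng.randint(-365, -1) for _ in range(n_files)]
    hot = rng.sample(range(n_files), int(n_files * hot_fraction))
    for day in range(days):
        if day == t_copy:
            atime = [day] * n_files  # the copy touches everything
        for _ in range(daily_touches):
            i = rng.choice(hot) if rng.random() < hot_share else rng.randrange(n_files)
            atime[i] = max(atime[i], day)  # slide 15: timestamps never decrease
    return atime


def cluster_at_minimum(atimes):
    """Slide 21 test: the cutoff is min(atimes); report how many files still
    sit exactly on it.  Returns (t_cutoff, count, fraction)."""
    t_min = min(atimes)
    count = atimes.count(t_min)
    return t_min, count, count / len(atimes)


def text_histogram(atimes, bucket=10, width=50):
    """Crude stand-in for the histogram on slide 20: one row per `bucket` days."""
    counts = {}
    for t in atimes:
        b = (t // bucket) * bucket
        counts[b] = counts.get(b, 0) + 1
    peak = max(counts.values())
    return "\n".join(f"{b:5d} {'#' * (width * c // peak):<{width}} {c}"
                     for b, c in sorted(counts.items()))


if __name__ == "__main__":
    copied = simulate()
    print(text_histogram(copied))
    print("copy run   :", cluster_at_minimum(copied))
    print("control run:", cluster_at_minimum(simulate(t_copy=None)))
```

In the copy run the minimum timestamp is exactly day 100 and, with these parameters, roughly 60% of the files are still sitting on it 200 days later; in the control run the minimum is a stale pre-day-0 value shared by only a handful of files. Raise `daily_touches` or lower `hot_share` to see how much activity it takes to erode the cluster.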
  22. Aren’t there other recursive access patterns besides copying? Affirming the consequent: A ⟶ B doesn’t prove B ⟶ A. The absence of a cutoff cluster can disprove copying, but its existence can’t prove copying. Perhaps they ran grep.
  23. Indeed, there are! Affirming the consequent vs. abductive reasoning:
      Affirming the consequent: A ⟶ B doesn’t prove B ⟶ A. The absence of a cutoff cluster can disprove copying, but its existence can’t prove copying. Perhaps they ran grep.
      Abductive reasoning: an unusual observation supports inferring a likely cause. Who’s trying to prove anything? Investigate! One clue leads to another until the case unravels. Perhaps they ran grep? Indeed! Check if grep is installed, if they’ve ever run it before, or after, on any folder. Check why they were still in the building at 11 PM.
  24. Farmer & Venema, Forensic Discovery, 2005
  25. An actual investigation...
  26. Part II: Now for the real world...
  27. NOISE
  28. OpenSolaris cp command source code
  29. Notice anything?
  30. Notice anything?
  31. OpenSolaris cp command source code: writefile() function
  32. Is all lost (on Windows at least)?
  33. A directory is also a file!
  34. Filter...
  35. NOISE
  36. ACCURACY?
  37. Who needs ACCURACY?
  38. Part III: Applying Stochastic Forensics
  39. Eyeball?
  40. Filter & Plot
  41. Filter: 1. By folder
  42. Filter: 1. By folder 2. Directories versus files
  43. Filter: 1. By folder 2. Directories versus files 3. Permissions
  44. Filter: 1. By folder 2. Directories versus files 3. Permissions 4. Other
  45. Plot. Our visual cognition is amazingly robust. Ploticus: http://ploticus.sourceforge.net
  46. Interpret & Advance
  47. No cluster? Strong evidence of no copying.
  48. Found cluster? 1. Check control folders 2. Search for causes 3. Fingerprint it
  49. Found cluster? A cluster defines a tight window of opportunity. Use it to propel the investigation forward.
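Slides 39 through 49 describe the procedure (filter by folder, by directories versus files, by permissions; plot; look for the cutoff cluster; then check control folders and fingerprint it), and slide 21 gives the cluster definition it tests. The block below is an added example of that procedure, not Grier's tool or the Ploticus workflow from the talk. `collect()` reads a real tree; the `SAMPLE` records, the folder names, the epoch value `T`, the 300-second cluster window, the 25% threshold and the directory-before-files fingerprint check (based on slide 9's "directory accessed before its files") are all assumptions made for illustration.

```python
"""Added example (not Grier's tool): the filter / plot / interpret steps of
Part III as code.  Record fields: path, is_dir, atime (epoch seconds), mode.
collect() builds records from a real tree; SAMPLE below is constructed data so
the module runs offline.  Folder names, timestamps and thresholds are assumptions."""
import os
import stat
from collections import Counter, namedtuple

Record = namedtuple("Record", "path is_dir atime mode")


def collect(root):
    """Gather access timestamps from a tree.  Run this only on a forensic image
    mounted read-only (or with noatime): walking the tree ourselves would
    otherwise overwrite the very directory timestamps we are examining."""
    records = []
    for dirpath, _dirnames, filenames in os.walk(root):
        st = os.lstat(dirpath)
        records.append(Record(dirpath, True, st.st_atime, st.st_mode))
        for name in filenames:
            p = os.path.join(dirpath, name)
            st = os.lstat(p)
            records.append(Record(p, False, st.st_atime, st.st_mode))
    return records


def select(records, folder=None, kind="files", world_readable=None):
    """Filter step (slides 41-44): by folder, directories vs. files, permissions.
    world_readable=True keeps only entries an ordinary user account could have
    read (assumption: the suspect was one); a copy cannot touch what it cannot open."""
    prefix = None if folder is None else folder.rstrip("/") + "/"
    out = []
    for r in records:
        if folder is not None and r.path != folder and not r.path.startswith(prefix):
            continue
        if (kind == "files" and r.is_dir) or (kind == "dirs" and not r.is_dir):
            continue
        if world_readable is not None and bool(r.mode & stat.S_IROTH) != world_readable:
            continue
        out.append(r)
    return out


def histogram(records, bucket=86400):
    """Plot step as numbers: entries per bucket (default: one day)."""
    return Counter(int(r.atime // bucket) * bucket for r in records)


def cutoff_cluster(records, window=300, min_fraction=0.25):
    """Slide 21 test.  Cutoff: nothing has atime below t_min.  Cluster: at least
    `min_fraction` of the entries sit within `window` seconds of t_min (a copy is
    temporally continuous, so its timestamps span seconds, not days).
    Returns a summary dict, or None when no cluster is present."""
    if not records:
        return None
    t_min = min(r.atime for r in records)
    in_cluster = sum(1 for r in records if r.atime - t_min <= window)
    fraction = in_cluster / len(records)
    if fraction < min_fraction:
        return None
    return {"t_cluster": t_min, "count": in_cluster,
            "total": len(records), "fraction": fraction}


def dirs_before_files(records):
    """Fingerprint check (slides 9 and 48): a recursive copy reads a directory
    before the files in it, so a directory's atime should not exceed the earliest
    atime of its direct children.  Returns the share of directories for which that
    holds (later directory listings erode it), or None if there are none."""
    children = {}
    for r in records:
        if not r.is_dir:
            children.setdefault(os.path.dirname(r.path), []).append(r.atime)
    dirs = [r for r in records if r.is_dir and r.path in children]
    if not dirs:
        return None
    return sum(1 for d in dirs if d.atime <= min(children[d.path])) / len(dirs)


# Constructed sample: /share/finance was copied recursively at T (its files sit
# within seconds of T, eight were reopened on later days, and four payroll files
# the suspect could not read were skipped); /share/marketing is a control folder.
T = 1_340_000_000
DAY = 86400
SAMPLE = (
    [Record("/share/finance", True, T, 0o40755)]
    + [Record(f"/share/finance/q{i}.xlsx", False, T + i % 7, 0o100644) for i in range(40)]
    + [Record("/share/finance/old", True, T + 2, 0o40755)]
    + [Record(f"/share/finance/old/y{i}.xlsx", False, T + 5 + i % 4, 0o100644) for i in range(20)]
    + [Record(f"/share/finance/q{i}.xlsx", False, T + DAY * (i - 37), 0o100644) for i in range(40, 48)]
    + [Record(f"/share/finance/payroll{i}.xlsx", False, T - 90 * DAY, 0o100600) for i in range(4)]
    + [Record("/share/marketing", True, T - 40 * DAY, 0o40755)]
    + [Record(f"/share/marketing/m{i}.pptx", False, T - DAY * (200 - 6 * i), 0o100644) for i in range(30)]
)

if __name__ == "__main__":
    for folder in ("/share/finance", "/share/marketing"):
        files = select(SAMPLE, folder=folder, world_readable=True)
        for t, n in sorted(histogram(files).items()):
            print(f"{folder} {t} {'#' * n}")
        print(folder, "cluster:", cutoff_cluster(files),
              "dirs-before-files:", dirs_before_files(select(SAMPLE, folder, "all", True)))
```

Two things the sample is built to show. First, the filters matter: over the whole share the oldest timestamp belongs to the marketing control folder and no cluster is visible, and even inside /share/finance the four unreadable payroll files push the cutoff back 90 days until the permissions filter removes them. Second, the control folder (slide 48) has no cutoff cluster, which is what makes the finance cluster worth chasing rather than a property of the whole system.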
  50. Part IV: Forensic Hacking
  51. hack, v.: exploring the inner workings of something by using it in a way its creators never imagined.
  52. Classical Forensics: look at the surviving data → reconstruct previous data → this previous data is our deliverable.
  53. Classical Forensics: look at the surviving data → reconstruct previous data → this previous data is our deliverable.
      Stochastic Forensics: what do I want to know about? → what behavior is associated? → how does that behavior affect the system? → measure those effects → draw a (quantifiable) inference.
  54. Leading researchers have called to move from “What data can we find?” to “What did this person do?”
  55. Farmer & Venema, Forensic Discovery, 2005
  56. Research Agenda (i.e. a request for help): 1. Scientific testing: automate, build a corpus, confidence levels, validate. 2. Fingerprinting: we can distinguish copying from grep! 3. Probability value. 4. What other questions can stochastic forensics address? Let’s find sloppy questions and answer them less precisely!
  57. Questions? Comments? Want more info? Please speak to me, here at Black Hat, or jdgrier at grierforensics com.