Catching Insider Data Theft with Stochastic Forensics 2012
Transcript of "Catching Insider Data Theft with Stochastic Forensics 2012"

  1. Catching Insider Data Theft with Stochastic Forensics. Jonathan Grier
  2. Confidentiality. To preserve client confidentiality, case information (names, places, dates, and settings) has been omitted or altered. The data and techniques presented have not been altered.
  3. Can you find the data thief?
  4-6. Harlan Carvey, Windows Forensic Analysis, 2009: No Artifacts = No Forensics. No Artifacts = No Forensics???
  7-8. Access timestamps update during: routine access; copying a folder.
  9. Copying Folders versus Routine Access
       Copying Folders                                Routine Access
       Nonselective (all subfolders and files         Selective
         accessed)
       Temporally continuous                          Temporally irregular
       Recursive (directory accessed before           Random order (files can be accessed
         its files)                                   without their directory)
  10. COPIED / NOT COPIED
  11. “slap-your-head-and-say-'doh-wish-I'd-thought-of-that’” -- an anonymous reviewer. No Artifacts, Yes Forensics.
  12. Not so fast... 1. Timestamps are overwritten very quickly. 2. There are other nonselective, recursive activities (besides copying).
  13-14. Not so fast... 1. Timestamps are overwritten very quickly.
       Can we use this method months later? YES!
       On a heavily used system? YES!
       Won’t most of the timestamps have been overwritten? Not really!
  15. Two observations: 1. Timestamp values can increase, but never decrease. 2. A lot of files just collect dust. Most activity is on a minority of files.
  16. Farmer & Venema, Forensic Discovery, 2005
  17-19. At t_copying: all files have access_timestamp = t_copying. Several weeks later: all files have access_timestamp ≥ t_copying, and many files still have access_timestamp = t_copying.
  20. After 300 days of simulated activity: histogram of access timestamps
  21. Copying creates a cutoff cluster. Cutoff: no file has timestamp < t_cluster. Cluster: many files have timestamp = t_cluster.
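A simulation of the model on slides 15 through 21, added here as an illustration and not code from the talk: timestamps only move forward, routine activity concentrates on a minority of files, and a recursive copy stamps every file at once, so months later the minimum timestamp still carries a cluster. The Zipf-like popularity, file and day counts, and the 20% cluster threshold are assumed values.

```python
import random
from collections import Counter

def simulate_atimes(n_files=2000, days=300, copy_day=100, accesses_per_day=40, seed=7):
    """One access timestamp (whole day number) per file after `days` of simulated use.

    Two observations from the talk drive the model: an access timestamp only ever
    moves forward, and most activity lands on a minority of files, so routine use
    is drawn from an assumed Zipf-like popularity over the files. A recursive copy
    on copy_day touches every file at once; copy_day=None means never copied.
    """
    rng = random.Random(seed)
    atimes = [rng.randrange(0, days // 3) for _ in range(n_files)]  # assumed initial spread
    weights = [1.0 / (i + 1) for i in range(n_files)]                # heavy-tailed popularity
    for day in range(days):
        if day == copy_day:
            atimes = [day] * n_files          # cp -r reads everything: all atimes = t_copying
        for i in rng.choices(range(n_files), weights=weights, k=accesses_per_day):
            atimes[i] = day                   # routine access: a timestamp only increases
    return atimes

def histogram(atimes):
    """Day -> number of files last accessed that day (what the talk plots)."""
    return dict(sorted(Counter(atimes).items()))

def cutoff_cluster(atimes, min_share=0.2):
    """Cutoff: no file below t. Cluster: a large share of files sit exactly at t."""
    t = min(atimes)
    share = atimes.count(t) / len(atimes)
    return (t, share) if share >= min_share else None

if __name__ == "__main__":
    copied = simulate_atimes()
    print("copied system:", cutoff_cluster(copied))
    print("never copied :", cutoff_cluster(simulate_atimes(copy_day=None)))
```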
  22. Aren’t there other recursive access patterns besides copying?
       Affirming the consequent: A ⟶ B doesn’t prove B ⟶ A. The absence of a cutoff cluster can disprove copying, but the existence can’t prove copying. Perhaps they ran grep.
  23. Indeed, there are! Affirming the consequent vs. abductive reasoning.
       Affirming the consequent: A ⟶ B doesn’t prove B ⟶ A. The absence of a cutoff cluster can disprove copying, but the existence can’t prove copying. Perhaps they ran grep.
       Abductive reasoning: An unusual observation supports inferring a likely cause. Who’s trying to prove anything? Investigate! One clue leads to another until the case unravels. Indeed! Check if grep is installed, if they’ve ever run it before, or after, on any folder. Check why they were still in the building at 11 PM.
  24. Farmer & Venema, Forensic Discovery, 2005
  25. An actual investigation...
  26. Part II: Now for the real world...
  27. NOISE
  28. OpenSolaris cp command source code
  29-30. Notice anything?
  31. OpenSolaris cp command source code, writefile() function
  32. Is all lost (on Windows at least)?
  33. A Directory is also a File!
  34. Filter...
  35. NOISE
  36-37. Who needs ACCURACY?
  38. Part III: Applying Stochastic Forensics
  39. Eyeball?
  40. Filter & Plot
  41-44. Filter: 1. By folder. 2. Directories versus Files. 3. Permissions. 4. Other.
  45. Plot. Our visual cognition is amazingly robust. Ploticus: http://ploticus.sourceforge.net
  46. Interpret & Advance
  47. No Cluster? Strong evidence of no copying.
  48. Found Cluster? 1. Check control folders. 2. Search for causes. 3. Fingerprint it.
  49. Found Cluster? A cluster defines a tight window of opportunity. Use it to propel the investigation forward.
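The filter steps of slides 41 through 44 and the control-folder check of slide 48, as an added example that is not the talk's own tooling: records come from a live tree via collect() or, as here, a constructed sample; select() applies the folder, directory-versus-file and permission filters, and cutoff_cluster() flags a cluster in the target folder that a control folder lacks. It assumes the suspect had only "other" read permission (so files they could not read are excluded) and a 30% cluster threshold.

```python
import os
import stat

# Constructed sample, not case data: (path, is_dir, permission bits, access day).
# clients/ was recursively copied on day 120; secret.key was unreadable to the
# suspect and never touched; hr/ is a control folder with no copy.
SAMPLE = [
    ("/srv/clients", True, 0o755, 120),
    ("/srv/clients/acme", True, 0o755, 120),
    ("/srv/clients/acme/contract.pdf", False, 0o644, 120),
    ("/srv/clients/acme/notes.txt", False, 0o644, 151),
    ("/srv/clients/acme/plan.xlsx", False, 0o644, 120),
    ("/srv/clients/acme/secret.key", False, 0o600, 40),
    ("/srv/hr", True, 0o755, 10),
    ("/srv/hr/payroll.csv", False, 0o644, 95),
    ("/srv/hr/handbook.pdf", False, 0o644, 3),
    ("/srv/hr/benefits.docx", False, 0o644, 61),
    ("/srv/hr/memo.txt", False, 0o644, 77),
]

def collect(root):
    """Build SAMPLE-shaped records from a live tree (access time in whole days)."""
    records = []
    for dirpath, _dirs, files in os.walk(root):
        for path in [dirpath] + [os.path.join(dirpath, f) for f in files]:
            st = os.lstat(path)  # lstat: do not follow symlinks out of the tree
            records.append((path, stat.S_ISDIR(st.st_mode), stat.S_IMODE(st.st_mode), int(st.st_atime // 86400)))
    return records

def select(records, folder, kind="files", readable_by_others=None):
    """Filters from the talk: by folder, directories versus files, permissions."""
    folder = folder.rstrip("/")
    atimes = []
    for path, is_dir, mode, atime in records:
        if path != folder and not path.startswith(folder + "/"):
            continue
        if (kind == "files" and is_dir) or (kind == "dirs" and not is_dir):
            continue
        if readable_by_others is not None and bool(mode & stat.S_IROTH) != readable_by_others:
            continue
        atimes.append(atime)
    return atimes

def cutoff_cluster(atimes, min_share=0.3):
    """Cutoff: nothing below t. Cluster: a large share of entries sit exactly at t."""
    if not atimes:
        return None
    t = min(atimes)
    share = atimes.count(t) / len(atimes)
    return (t, share) if share >= min_share else None
```

Without the permission filter the unreadable key masks the cluster in clients/; with it, both the file and the directory views show the day-120 cutoff cluster while hr/ shows none.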
  50. Part IV: Forensic Hacking
  51. hack v. Exploring the inner workings of something by using it in a way its creators never imagined.
  52-53. Classical Forensics: Look at the surviving data → Reconstruct previous data → This previous data is our deliverable.
       Stochastic Forensics: What do I want to know about? → What behavior is associated? → How does that behavior affect the system? → Measure those effects. → Draw a (quantifiable) inference.
  54. Leading researchers have called to move from “What data can we find?” to “What did this person do?”
  55. Farmer & Venema, Forensic Discovery, 2005
  56. Research Agenda (i.e. a request for help). 1. Scientific testing: automate, build corpus, confidence levels, validate. 2. Fingerprinting: we can distinguish copying from grep! 3. Probability value. 4. What other questions can stochastic forensics address? Let’s find sloppy questions and answer them less precisely!
  57. Questions? Comments? Want more info? Please speak to me, here at Black Hat, or jdgrier at grierforensics com.