New Forensics Method May Nab Insider Thieves

One of the biggest challenges of forensics investigations into insider theft is that the markers computer forensics investigators use to detect most attacks are typically not present in insider cases where an employee or other authorized user has legitimate access to sensitive data. Next month at Black Hat USA in Las Vegas, a presenter will bring forward a new methodology that compares normal file access patterns against patterns present when files are copied to detect when insiders have copied data inappropriately.

Typically, says presenter Jonathan Grier, most forensics investigations today depend upon what are called artifacts, which are basically the markers left on a machine that leave an evidence trail. For example, if you plug in a USB drive, there will be an artifact showing the USB drive serial number. Unfortunately, when insiders copy large amounts of data, there are very few usable artifacts available to an investigator, he says. Insider data exfiltration is tricky to detect after the fact because of this and because it is very difficult to show whether the user accessed data during the normal course of business, he says.

"Most people who look at the issue just stop there and say 'There are no artifacts, there's not much we can do now,'" says Grier, who runs his own consultancy, Grier Forensics. "But necessity is the mother of invention."

A forensic examiner with over a decade of experience, Grier saw the necessity to get creative when a client of his begged him to take a case. The client had heard rumors through the grapevine that a former employee who was fired under unpleasant circumstances had stolen some very valuable company assets on his way out the door. Of course, the big problem was that this was months after the theft would have occurred and the former employee had been authorized to access the data in question in order to get his job done.

Nevertheless, the client very badly needed to know whether or not this was true and told Grier to find out no matter what it took. That's exactly what he did, and in the process he came up with was a patent-pending insider forensics detection methodology that he believes will change the way forensics investigators approach these cases.

At is root, the idea behind his method is to compare the relatively random and chaotic time-of-access file usage statistics of a typical user's machine to the orderly patterns in time-of-access made by a machine when a user makes a wholesale copy of many files at once. He calls it stochastic forensics, in homage to similar analysis used in physics to use the statistics of the random unpredictability of molecules to predict the behavior of a gas.

"If you look at how computers are used, files are not used uniformly. There is what is called a heavy tail distribution, which means that certain files are popular and used every day, every hour, every minute and then there are a large number of files that no one bothers to use," Grier says. "There will be a number of files that have their timestamps overwritten because they were well-used and many files that were never opened. Whereas when you're copying something, that's not true. You open and copy everything inside the folder, not just what's of interest. The question was, could we use this to figure things out?"

In order to answer the question, Grier built a computer simulation of a user's activity within file structures over the course of a year. Then he reworked the simulation in such a way that the user had normal activity, but also made a large copy of files on the machine. After crunching the numbers and performing some statistical clean up of the data, he created a histogram that examined timestamp activity attached the files and saw that a huge spike occurred in the copying instance.

"You could graphically note exactly where the data was copied," he says.

Real-World Reality Check Using the method discovered in his lab, Grier took it to the real-world data on the previous employee's machine. On most folders, he got the normal usage pattern on his histogram that would indicate typical behavior. But for two folders he found something else.

"I got this huge spike that look like the data was copied," he says. "When I saw that I almost fell out of my chair because one of those folders was very innocuous, but one of them was the exact foler that the rumors were about," he says. "Of course, I had to investigate the first folder and that was pretty to find out (through old-fashioned investigative work) that it was copied but for legitimate reasons. That made me even more confident that something unusual happened with the other folder."

In the end, the stochastic forensics method Grier came up with was able to inform his client with a great degree of certainty that a copy was made within a small window of time. That knowledge helped them approach the former employee and convince him that they knew of his misdeeds—and convince him with threat of legal retribution should the data ever appear anywhere inappropriate.

"They didn't say it in so many words, but they made it very clear that they would be coming after him with everything they had," he says.

Now that he's shown what stochastic forensics can do, Grier hopes to turn it into more than a one-off service he can provide his client. With more research and potentially a financial backer, he'd like to turn it into a product that could have mass appeal to the forensics community.

"I'd really like to make it a product that any trained operator could use," he says. "That's going to take about two years of additional research and funding."

Have a comment on this story? Please click "Add Your Comment" below. If you'd like to contact Dark Reading's editors directly, send us a message.