A stochastic process is, by definition, something unpredictable, but unpredictable in a precise way. Think of the molecules in a gas: we can't predict how any individual molecule will move and shake; but by accepting that randomness and describing it mathematically, we can use the laws of statistics to accurately predict the gas's overall behavior.
What's this have to do with data theft? Insider data theft often leaves no artifacts or broken windows, making it invisible to traditional forensics. But copying large amounts of data will always affect the file system, and when we look through stochastic lenses, copying sticks out like a sore thumb. Stochastic forensics is a new technique which uses these patterns to detect insider data theft, despite its lack of artifacts.
I've used these techniques to catch data theft months after its occurrence. I'll show you the statistical patterns present on a typical filesystem, the distinct patterns induced by copying, and the mathematical technique which highlights the difference. You'll learn how to spot otherwise invisible data theft.
Jonathan Grier has been an independent security consultant and researcher for over a decade. He has conducted forensic investigations, performed security audits, trained programmers in secure application development, and advised clients on data security. He has forensically investigated employee dishonesty, network break-ins, data theft and industrial espionage. Jonathan has consulted for clients in health care, telecommunications, construction, and professional services, and taught classes sponsored by the US Department of Defense Cyber Crime Center. An active researcher, Jonathan has developed new methods used in forensics and application security. Microsoft Press, the Journal of Digital Investigation, Digital Forensics Magazine, Symantec, Information Week and the US Department of Defense have all featured his work.