Stochastic forensics can be used to determine if data was copied from a computer

Jul 10, 2012 14:51 GMT  ·  By

Insider data theft has become a major issue for most companies and identifying such incidents is certainly not an easy task. However, researchers have found a way to spot these cybercrimes based on stochastic forensics.

Jonathan Grier, an independent security researchers, will present his findings on July 26, at the Black Hat USA security conference.

“A stochastic process is, by definition, something unpredictable, but unpredictable in a precise way,” Grier wrote in the abstract of his presentation.

“Think of the molecules in a gas: we can't predict how any individual molecule will move and shake; but by accepting that randomness and describing it mathematically, we can use the laws of statistics to accurately predict the gas's overall behavior.”

The same principle can be applied to insider data theft. When large amounts of data are copied, the statistical patterns present on the filesystem are affected. Stochastic forensics is used to analyze these patterns, allowing experts to highlight data thefts.