Journal
DIGITAL INVESTIGATION
Volume 8, Issue -, Pages S71-S77Publisher
ELSEVIER SCI LTD
DOI: 10.1016/j.diin.2011.05.009
Keywords
Data theft; Stochastic forensics; Data breach; Data exfiltration; Filesystem forensics; MAC times; Forensics of emergent properties
Ask authors/readers for more resources
We present a method to examine a filesystem and determine if and when files were copied from it. We develop this method by stochastically modeling filesystem behavior under both routine activity and copying, and identifying emergent patterns in MAC timestamps unique to copying. These patterns are detectable even months afterwards. We have successfully used this method to investigate data exfiltration in the field. Our method presents a new approach to forensics: by looking for stochastically emergent patterns, we can detect silent activities that lack artifacts. (C) 2011 Grier. Published by Elsevier Ltd. All rights reserved.
Authors
I am an author on this paper
Click your name to claim this paper and add it to your profile.
Reviews
Recommended
No Data Available