Very often it is the “enemy within,” rogue insiders, who commit or facilitate cyber crimes. Because such rogue employees have legitimate access to the network, it is very difficult for forensic investigators to identify the culprit.
Forensic investigations depend at their core on the artifacts, the trail of evidence, that criminals leave at the scene of the crime. For instance, a thief plugging in a USB drive to steal information would leave the USB drive’s serial number as an artifact. But when the thief is an insider authorized to insert USB drives and copy data, detection becomes next to impossible.
A new patent-pending methodology for insider forensics, called “Stochastic Forensics,” however makes it easy to detect such rogue insiders as well.
A normal user accesses files on a network or machine in a random and chaotic manner. File usage normally follows a heavy-tailed distribution: a few files are used very frequently, and the majority are used very rarely, if at all. The new methodology identifies organized, systematic access to, or transfer of, large volumes of data, which stands out from the individual’s normal usage pattern.
Stochastic Forensics, put simply, builds a histogram of timestamped access activity so that large spikes in data usage become apparent. Needless to say, such histograms give only an indication: a large spike may after all be legitimate usage. But it does reveal, with a great degree of certainty, exactly which data was accessed within a small window of time. A follow-up using traditional, old-school manual verification would then make the crime apparent.
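The following Python script is an added illustration of the idea in the two paragraphs above, not code from the article or from the patented method. It assumes a simple constructed access log of the form "timestamp user path", a heavy-tailed popularity of files for normal use, and a median/MAD spike threshold that is my own choice; the sweep event, the user name and the file paths are all synthetic. It builds an hourly histogram of one user’s file accesses, flags hours whose volume stands far outside the user’s own baseline, and lists the distinct files touched in the flagged window, which is exactly the material a manual follow-up would start from.

```python
"""Hourly access histogram with spike detection (added example, not the
article's or the patent holder's code). Assumes a constructed log format:
    <ISO timestamp> <user> <path>
The median/MAD threshold k=8 is an assumption chosen for this demo."""
import random
from collections import defaultdict
from datetime import datetime
from statistics import median


def build_sample_log(seed=7):
    """Constructed sample log: five days of chaotic, heavy-tailed access by
    'alice', plus one organised sweep over every file on day 5 at 16:00."""
    rng = random.Random(seed)
    files = [f"/share/docs/file{i:03d}.docx" for i in range(200)]
    # Heavy tail: file000 is hit most often, file199 almost never.
    weights = [1.0 / (i + 1) for i in range(len(files))]
    lines = []
    for day in range(1, 6):
        for hour in range(9, 18):  # working hours, 20-40 opens per hour
            for _ in range(rng.randint(20, 40)):
                path = rng.choices(files, weights)[0]
                minute = rng.randint(0, 59)
                lines.append(f"2024-03-{day:02d}T{hour:02d}:{minute:02d}:00 alice {path}")
    # The systematic event: every file touched once inside a single hour.
    for i, path in enumerate(files):
        lines.append(f"2024-03-05T16:{i % 60:02d}:00 alice {path}")
    return lines


def parse_log(lines):
    """Turn 'timestamp user path' lines into (datetime, user, path) tuples."""
    events = []
    for line in lines:
        ts, user, path = line.strip().split(" ", 2)
        events.append((datetime.fromisoformat(ts), user, path))
    return events


def hourly_histogram(events, user):
    """Map each hour bucket to the list of paths the user accessed in it."""
    hist = defaultdict(list)
    for ts, u, path in events:
        if u == user:
            hist[ts.replace(minute=0, second=0, microsecond=0)].append(path)
    return hist


def find_spikes(hist, k=8.0):
    """Flag hours whose access count lies more than k MADs above the user's
    own median hourly count. Returns one record per flagged hour with the
    distinct files touched, ready for manual verification."""
    counts = {hour: len(paths) for hour, paths in hist.items()}
    med = median(counts.values())
    mad = median(abs(c - med) for c in counts.values()) or 1.0  # guard zero spread
    spikes = []
    for hour in sorted(counts):
        score = (counts[hour] - med) / mad
        if score > k:
            touched = sorted(set(hist[hour]))
            spikes.append({
                "hour": hour,
                "count": counts[hour],
                "distinct": len(touched),
                "score": round(score, 1),
                "files": touched,
            })
    return spikes


def run_demo():
    """Build the constructed log, histogram it for 'alice', return spikes."""
    events = parse_log(build_sample_log())
    return find_spikes(hourly_histogram(events, "alice"))


if __name__ == "__main__":
    for spike in run_demo():
        print(f"{spike['hour'].isoformat()}  accesses={spike['count']}  "
              f"distinct files={spike['distinct']}  score={spike['score']}")
        print("  first files touched:", ", ".join(spike["files"][:5]), "...")
```

The baseline is computed from the same user’s own history, so the threshold adapts to how busy that person normally is; the distinct-file count in the flagged hour is the second tell, since a chaotic user re-opens a few popular files while a sweep touches each file about once.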