dfm covers

Investigating Data Theft with Stochastic Forensics

Written by DFM Team

Investigating Data Theft with Stochastic Forensics

A new approach to forensics lets you reconstruct activity, even if it leaves no artifacts.

You must find out if Roger walked off with our data.” This mandate, handed to me by my (very nervous) client, was all I had to work with as I walked into my office Monday morning. My client, a large company headquartered in Manhattan, was very concerned about Roger (not his real name), a high level employee who had recently been forced to leave the company. Days after Roger’s ousting, rumors began to circulate that, before leaving, he walked off with data which was potentially very, very damaging to them; damaging enough to put them into a fit of panic. My task was to find out of if these rumors were true.

Insider data theft is much harder to forensically investigate than external penetrations. External penetrations leave the digital equivalent of broken windows, which all good forensics experts know how to identify. Insider data theft, however, often leaves no traces: the insider is authorized to use the data, routinely using it every day. Whether they’re stealing it or just using it to do their job, their access is, from the computer’s perspective, technically indistinguishable. Copying a file is a routine operation, forensically similar to simply reading it. Indeed, as I did my background research for this case, I saw that all experts had agreed: copying files on a standard Windows system leaves no artifacts. I was faced with one question: Is forensics possible when no artifacts are left behind?

Find out more - subscribe to DFM today and read the full article. Or if you're a subscriber, login and read the article online.

Please make cache directory writable.

Submit an Article

Call for Articles

We are keen to publish new articles from all aspects of digital forensics. Click to contact us with your completed article or article ideas.

Featured Book

Hacking the Human

Full of ideas and angles that turn day-to-day security management on its head. Hacking the Human by Ian Mann.

Meet the Authors

Andrew Hoog

Andrew Hoog is the Chief Investigative Officer at viaForensics'


Coming up in the Next issue of Digital Forensics Magazine

Coming up in Issue 25 on sale from November 2015:

Anti-Virus Evasion
In this series of articles about penetration testing, Andy Swift sheds some light on some of the more interesting techniques, with a focus on techniques that can be combined with basic tools to take an ordinary attack that few steps further. Read More »

DDoS Protection Using Corero
In this article Dan Protich, Senior Network Engineer at Hivelocity, describes Corero’s threat defence system as an “enterprise-grade DDoS mitigation tool”. Read More »

Subscribe today

A Marriage of Bioinformatics & Data Sequencing
In this article we learn all about how the new technology that marries bioinformatics to next-generation sequencing data, is unlocking the clues provided by DNA, using biomarkers to greatly reduce the pool of suspects. Read More »

Every Issue
Plus the usual Competition, Book Reviews, 360, IRQ, Legal

Click here to read more about the next issue