| Article ID | Journal | Published Year | Pages | File Type |
|---|---|---|---|---|
| 456453 | Digital Investigation | 2011 | 7 Pages |
Abstract
We present a method to examine a filesystem and determine if and when files were copied from it. We develop this method by stochastically modeling filesystem behavior under both routine activity and copying, and identifying emergent patterns in MAC timestamps unique to copying. These patterns are detectable even months afterwards. We have successfully used this method to investigate data exfiltration in the field. Our method presents a new approach to forensics: by looking for stochastically emergent patterns, we can detect silent activities that lack artifacts.
Related Topics
Physical Sciences and Engineering
Computer Science
Computer Networks and Communications
Authors
Jonathan Grier,