
Stochastic Forensics

Chiswick Chap, CC BY-SA 3.0 https://creativecommons.org/licenses/by-sa/3.0, via Wikimedia Commons; cropped to fit

The Potoo bird has natural camouflage and employs a fascinating defense: when a potential predator is nearby, it remains motionless, a tactic called freezing (even the baby potoo does this). With the camouflage and stillness (often imitating a branch), predators that detect motion can’t see them. Those predators would need another way to find it; they’d need to rely on something they knew wasn’t quite right, to detect some form of out-of-the-usual pattern.

Let’s say this Predator (P) travels that way every day and the potoo bird (B) is in a different spot every time. If P could take a photo of the scene each day, it wouldn’t notice B, but would potentially notice a change in each photo – an extra tree limb, a longer branch, etc. A branch could have grown, B might not be in the photo, a limb could have broken – so no photo is conclusive. But over time when all the photos are put together, P could potentially be able to a) know when B was there and b) know B’s pattern of movement. P could even potentially create a flipbook from all the photos to actually recreate the movement.

This collation of seemingly random data points to see what information emerges is called “stochastic analysis” or a “stochastic process,” and is a long-standing and time-honored mathematical model for making predictions (e.g., financial opportunities, bacterial growth patterns) based on random occurrences.

You may be familiar with the Monte Carlo simulation, which is a form of stochastic analysis. The Monte Carlo simulation is an estimation method where random variables are applied to potential situations to generate potential outcomes, often for long-term forecasting (e.g., finance, quality control) where there would be ample potential situations and variables to account for over time. These predictions help industries to assess risk and make more accurate long-term forecasts.

In forensic science we have what’s called Locard’s principle. This principle states that a criminal will a) bring something to the crime scene and b) leave with something from it; both of these can be used as forensic evidence. It was formulated by Dr. Edmond Locard (1877–1966), a pioneer in forensic science who became known as the “Sherlock Holmes” of Lyon, France.

When someone breaks into a house, there are obvious signs: glass on the floor inside the door, locks that show tampering or even destruction, drawers emptied, and furniture overturned. The criminals were looking for your valuables. There’s plenty of evidence of give and take.

But what if the culprit is someone who lives there? Because the person lives there and knows where everything is, there’s no need to break in or turn out all the things. This is called an insider threat, and, whether in physical or cyber security, it can be a rather more difficult criminal to catch than an external threat.

How in the world does an investigator know how to determine who did it? Enter “Stochastic Forensics.”

In traditional forensics, the forensic process relies on artifacts. The laptop of the missing person, the crushed cell phone on the floor, the emails of the suspect: there are often many clues available. It can be very difficult to retrace the steps and analyze the clues, but the clues are often there and readily available.

With insider cybertheft, there are often no obvious clues – the person showed up and departed on time, there are no real clues left in email, no special accounts were created, no low-and-slow attacks from strange IP addresses, all files and folders are in place.

It gets even stranger – you know something was stolen, but you don’t know what. Among all the people still there and the people who have come and gone in the ordinary course of business, whodunnit? And how?

Analyze numerous scenarios and see what patterns emerge, aka Stochastic forensics.

Stochastic forensics is a method used in digital forensics to detect and investigate insider data theft without relying on digital artifacts. Instead of looking for the traditional traces a cybercriminal might leave behind, it analyzes and reconstructs digital activity to uncover unauthorized actions. This makes it particularly useful in insider-threat cases, where the individual may leave no typical digital footprint. By focusing on emergent patterns in digital behavior rather than specific artifacts, stochastic forensics offers a distinct approach to identifying data breaches and unauthorized activity within digital systems.

Here’s an example:

A large-scale copying of files occurs, thereby disturbing the statistical distribution of filesystem metadata. By examining this disruption in the pattern of file access, stochastic forensics can identify and investigate data theft that would otherwise go unnoticed. This method has been successfully used to detect insider data theft where traditional forensic techniques may fail, showcasing its effectiveness in uncovering unauthorized activities within digital systems.
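As an added illustration of the disturbance just described (example code written for this post, not Grier’s published method or any tool’s), the script below scores each directory by how many of its files were accessed inside one short time window. It assumes the metadata in question is file access timestamps, and it assumes those timestamps are still being recorded (on a filesystem mounted with noatime they would not be); the sample records and the 10-minute window are constructed.

```python
from collections import defaultdict
from datetime import datetime, timedelta
import os

# Constructed sample metadata: (path, last access time). Under ordinary use a
# folder's access times spread out over days; a bulk copy reads every file
# within minutes, flattening that distribution into one spike.
SAMPLE = [
    ("/share/hr/policy.docx", "2024-03-01 09:12"),
    ("/share/hr/handbook.pdf", "2024-03-04 14:30"),
    ("/share/hr/org-chart.xlsx", "2024-03-06 11:05"),
    ("/share/hr/onboarding.docx", "2024-03-11 16:20"),
    ("/share/hr/benefits.pdf", "2024-03-13 08:45"),
    ("/share/finance/q1-forecast.xlsx", "2024-03-15 22:41"),
    ("/share/finance/payroll.csv", "2024-03-15 22:42"),
    ("/share/finance/vendors.xlsx", "2024-03-15 22:43"),
    ("/share/finance/budget-2024.pptx", "2024-03-15 22:44"),
    ("/share/finance/audit-notes.docx", "2024-03-15 22:46"),
    ("/share/finance/bank-export.csv", "2024-03-15 22:47"),
    ("/share/eng/readme.md", "2024-03-15 22:45"),      # too few files to score
    ("/share/eng/design.md", "2024-03-15 22:45"),
]

def cluster_score(atimes, window):
    """Largest fraction of a directory's files accessed inside one time window."""
    times = sorted(atimes)
    best, j = 0, 0
    for i, t in enumerate(times):
        while t - times[j] > window:   # slide the left edge of the window forward
            j += 1
        best = max(best, i - j + 1)
    return best / len(times)

def dir_scores(records, window=timedelta(minutes=10), min_files=4):
    """Score every directory that has at least min_files entries."""
    by_dir = defaultdict(list)
    for path, ts in records:
        by_dir[os.path.dirname(path)].append(datetime.strptime(ts, "%Y-%m-%d %H:%M"))
    return {d: round(cluster_score(t, window), 2)
            for d, t in by_dir.items() if len(t) >= min_files}

def flag_bulk_access(records, threshold=0.8, **kw):
    """Directories whose access pattern looks like a bulk copy; a lead, not proof."""
    return {d: s for d, s in dir_scores(records, **kw).items() if s >= threshold}

if __name__ == "__main__":
    for d, s in flag_bulk_access(SAMPLE).items():
        print(f"{d}: {s:.0%} of files accessed within one 10-minute window")
```

A high score only says the directory is worth a closer look; legitimate backups and indexers produce the same spike, so the result guides the investigation rather than concluding it.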

Stochastic Forensics was created in 2010 by Jonathan Grier when confronted by a months-old potentially cold case of insider threat. (You can find more information and a collection of links about Jonathan Grier, Stochastic Forensics, and related publications here: https://en.wikipedia.org/wiki/Stochastic_forensics#cite_note-7)

While stochastic forensics may not provide concrete proof of data theft, it offers evidence and indications that can guide further investigation, or even crack the case. While it has been criticized as being insufficient to provide credible evidence, it has proved its utility.

This is where the phrase “think like Sherlock, not Aristotle” comes into play. Aristotle used logic to prove existence; Sherlock used observation to infer a likely cause. Lacking evidence, one must infer (aka, abductive reasoning). In stochastic forensics, think like Sherlock.

Stochastic forensics is only one part of an investigation, not the entirety. And it’s a specialty. But that doesn’t mean it’s to be disregarded. Law enforcement doesn’t seek to make their job harder by focusing initially and solely on niche or specialized knowledge – they begin with the quickest and easiest ways to attain their goal. But if those ways are unfruitful, or made downright impossible due to the lack of artifacts, then stochastic forensics is one of those tools to which they can turn.

Criminals never cease to find ways to commit crimes, and Protectors never cease to find ways to uncover those commissions. Creativity is a renewable resource.


Preserving the Chain of Custody

The Chain of Custody is the paperwork or paper trail (virtual and physical) that documents the order in which physical or electronic evidence is possessed, controlled, transferred, analyzed, and disposed of. It is crucial in fields such as law enforcement, legal proceedings, and forensic science, and here are several reasons to ensure a proper chain of custody:

Maintaining an unbroken chain of custody ensures that the integrity of the evidence is preserved. It proves that there hasn’t been any tampering, alteration, or contamination of the evidence during its handling and transfer from one person or location to another.

A properly documented chain of custody is necessary for evidence to be admissible in court. It provides assurance to the court that the evidence presented is reliable and has not been compromised, which strengthens the credibility of the evidence and ensures a fair trial.

Each individual or entity that comes into contact with the evidence is documented in the chain of custody. This helps track who had possession of the evidence at any given time and ensures transparency and accountability in the evidence handling.

The chain of custody documents the movement and location of evidence from the time of collection until its presentation in court or disposition. Investigators, attorneys, and other stakeholders must be able to track the progress of the case and ensure that all necessary procedures are followed to the letter.

Properly documenting the chain of custody helps prevent contamination or loss of evidence. By recording each transfer and handling the evidence, any discrepancies or irregularities can be identified and addressed promptly, minimizing the risk of compromising the evidence.

Many jurisdictions have specific legal requirements regarding the documentation and maintenance of the chain of custody for different types of evidence. Adhering to these requirements is essential to ensure that the evidence is legally admissible and that all necessary procedures are followed.

One cannot overstate the importance of using proper techniques and tools to avoid contaminating or damaging the evidence when collecting it from the crime scene or other relevant locations.

Immediately after collection, the person collecting the evidence must document details such as the date, time, location, description of the evidence, and the names of those involved in the evidence collection. The CSI Linux investigation platform includes templates to help maintain the chain of custody.

The evidence must be properly packaged and sealed in containers or evidence bags to prevent tampering, contamination, or loss during transportation and storage. Each package should be labeled with unique identifiers and sealed with evidence tape or similar security measures.

Each package or container should be labeled with identifying information, including the case number, item number, description of the evidence, and the initials or signature of the person who collected it.

Whenever the evidence is transferred from one person or location to another, whether it’s from the crime scene to the laboratory or between different stakeholders in the investigation, the transfer must be documented. This includes recording the date, time, location, and the names of the individuals involved in the transfer.

The recipient of the evidence must acknowledge receipt by signing a chain of custody form or evidence log. This serves as confirmation that the evidence was received intact and/or in the condition described.

The evidence must be stored securely in designated storage facilities that are accessible only to authorized personnel, and physical security measures (e.g., locks, cameras, and alarms) should be in place to prevent unauthorized access.

Any analysis or testing should be performed by qualified forensic experts following established procedures and protocols. The chain of custody documentation must accompany the evidence throughout the analysis process.

The results of analysis and testing conducted on the evidence must be documented along with the chain of custody information. This includes changes in the condition of the evidence or additional handling that occurred during analysis.

If the evidence is presented in court, provide the chain of custody documentation to establish authenticity, integrity, and reliability. This could involve individual testimony from those involved in the chain of custody.
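To make the hand-off steps above concrete, here is an added example (written for this post; it is not a CSI Linux template) of a minimal custody log that records the fields listed above for each transfer and checks, before the item goes to court, that every transfer was released by the last documented holder, is dated in order, and was acknowledged as received intact. The case, item and initials in it are constructed.

```python
from dataclasses import dataclass, field
from datetime import datetime

REQUIRED = ("date_time", "location", "released_by", "received_by", "purpose")

@dataclass
class EvidenceItem:
    case_number: str
    item_number: str
    description: str
    collected_by: str                       # initials/signature of the collector
    transfers: list = field(default_factory=list)

    def transfer(self, **entry):
        """Record one hand-off; received_intact is the recipient's acknowledgement."""
        self.transfers.append({"received_intact": True, **entry})

def custody_problems(item):
    """Reasons the chain cannot be shown to be unbroken; an empty list means it holds."""
    problems, holder, last_seen = [], item.collected_by, None
    for n, t in enumerate(item.transfers, 1):
        missing = [k for k in REQUIRED if not t.get(k)]
        if missing:
            problems.append(f"transfer {n}: missing {', '.join(missing)}")
            continue
        if t["released_by"] != holder:      # a gap: the releaser never signed for it
            problems.append(f"transfer {n}: released by {t['released_by']} but "
                            f"last documented holder is {holder}")
        when = datetime.fromisoformat(t["date_time"])
        if last_seen and when < last_seen:
            problems.append(f"transfer {n}: dated before the previous transfer")
        if not t["received_intact"]:
            problems.append(f"transfer {n}: recipient did not confirm item intact")
        holder, last_seen = t["received_by"], when
    return problems

def sample_item(skip_lab_signature=False):
    """Constructed case: laptop seized, moved to the lab, then to an analyst."""
    item = EvidenceItem("2024-0117", "3", "Dell laptop, asset tag A-4471", "J.D.")
    item.transfer(date_time="2024-03-16T09:40", location="Scene to lab intake",
                  released_by="J.D.", received_by="K.L.", purpose="secure storage")
    if not skip_lab_signature:              # omitting this hand-off breaks the chain
        item.transfer(date_time="2024-03-18T13:05", location="Lab intake to bench",
                      released_by="K.L.", received_by="M.N.", purpose="imaging")
    item.transfer(date_time="2024-03-20T17:30", location="Bench to evidence vault",
                  released_by="M.N.", received_by="K.L.", purpose="storage for hearing")
    return item
```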

You can learn more about the proper chain of custody in the course “CSI Linux Certified Computer Forensic Investigator.” All CSI Linux courses are located here: https://shop.csilinux.com/academy/

Here are some other publicly available resources about the importance of maintaining rigor in the chain of custody:

· CISA Insights: Chain of Custody and Critical Infrastructure Systems

This resource defines chain of custody and highlights the possible consequences and risks that can arise from a broken chain of custody.

· NCBI Bookshelf – Chain of Custody

This resource explains that the chain of custody is essential for evidence to be admissible in court and must document every transfer and handling to prevent tampering.

· InfoSec Resources – Computer Forensics: Chain of Custody

This source discusses the process, considerations, and steps involved in establishing and preserving the chain of custody for digital evidence.

· LHH – How to Document Your Chain of Custody and Why It’s Important

LHH’s resource emphasizes the importance of documentation and key details that should be included in a chain of custody document, such as date/time of collection, location, names involved, and method of capture.

Best wishes in your chain of custody journey!