We present a method to examine a filesystem and determine if and when files were copied from it. We develop this method by stochastically modeling filesystem behavior under both routine activity and copying, and identifying emergent patterns in MAC timestamps unique to copying. These patterns are detectable even months afterwards. We have successfully used this method to investigate data exfiltration in the field. Our method presents a new approach to forensics: by looking for stochastically emergent patterns, we can detect silent activities that lack artifacts.