Insider Threat Detection Using Time-Series-Based Raw Disk Forensic Analysis

Abstract: This research tests the theory that volitional, malicious computer use arising from insider threat activity can be detected through a time-series analysis of the data and file-type forensic artifacts that reside on a raw disk. In other words, statistical profiling of allocated and unallocated space, with respect to the types of files accessed and the data browsed, acquired and processed incident to espionage, intellectual property theft, fraud or organizational computer abuse, can help detect insider threats. The t-test is used to compare the means of two time windows using the split-window and sliding-window methods, alongside first-order autoregressive modeling. Empirical testing against the nineteen daily snapshots of the M57-Patents case provides support for all three methods, but the results suggest that first-order autoregressive modeling is the most robust. Additionally, the autoregressive modeling approach is likely to generate more intuitive results for an analyst. Ground truth analysis confirms nearly all of the outliers that were detected. While the majority of the outliers were due to benign and easily explainable situations and system contexts, and only a minority were due to malicious activity, the approach does not yield an inordinate number of search hits to examine and validate. This research thus provides a new computational approach for locating digital forensic evidence.
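The three detection methods named in the abstract, written out as an added example (not code from the paper): a Welch t-test over split and sliding windows, and a least-squares AR(1) fit whose one-step-ahead residuals are screened for outliers. The per-snapshot counts, the window width and the thresholds are constructed for illustration, not values from the M57-Patents evaluation.

```python
"""Sliding-window t-test and AR(1) residual screening over a per-snapshot
artifact-count series, in the spirit of the abstract above (added example)."""
import math
from statistics import mean, variance

# Constructed sample: number of fragments of one file type recovered from
# unallocated space in each of nineteen daily disk snapshots. Days 10 and 11
# carry a burst that a benign or malicious event might explain.
DAILY_COUNTS = [12, 14, 13, 15, 12, 16, 14, 13, 15, 14,
                58, 61, 15, 13, 14, 12, 15, 13, 14]


def welch_t(before, after):
    """Welch's t statistic for the difference of means (after minus before)."""
    se = math.sqrt(variance(before) / len(before) + variance(after) / len(after))
    return (mean(after) - mean(before)) / se if se > 0 else 0.0


def split_window_t(series, split):
    """Split-window method: one window before the split day, one from it on."""
    return welch_t(series[:split], series[split:])


def sliding_window_t(series, width, threshold):
    """Sliding-window method: slide two adjacent windows of `width` days along
    the series and return the first day of the trailing window whenever the
    absolute t statistic exceeds `threshold`."""
    hits = []
    for i in range(len(series) - 2 * width + 1):
        t = welch_t(series[i:i + width], series[i + width:i + 2 * width])
        if abs(t) > threshold:
            hits.append(i + width)
    return hits


def ar1_outliers(series, z):
    """First-order autoregressive method: fit x[t] = c + phi * x[t-1] by least
    squares and flag days whose one-step-ahead residual exceeds z residual
    standard deviations (the residual sd is estimated from the whole series)."""
    x, y = series[:-1], series[1:]
    mx, my = mean(x), mean(y)
    phi = sum((a - mx) * (b - my) for a, b in zip(x, y)) / sum((a - mx) ** 2 for a in x)
    c = my - phi * mx
    resid = [b - (c + phi * a) for a, b in zip(x, y)]
    sd = math.sqrt(variance(resid))
    return [t + 1 for t, r in enumerate(resid) if abs(r) > z * sd]


if __name__ == "__main__":
    print("sliding-window hits:", sliding_window_t(DAILY_COUNTS, 3, 1.5))
    print("AR(1) outliers:", ar1_outliers(DAILY_COUNTS, 1.5))
```

On these constructed counts the sliding window flags the transition days on both sides of the burst, because the burst inflates the variance of whichever window contains it, while the AR(1) residuals single out the burst days themselves and the return to baseline.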
Document type :
Conference papers
Contributor: Hal Ifip
Submitted on: Friday, February 23, 2018 - 3:50:27 PM
Last modification on: Friday, February 23, 2018 - 3:51:59 PM
Long-term archiving on: Friday, May 25, 2018 - 1:10:42 AM




Distributed under a Creative Commons Attribution 4.0 International License



Nicole Beebe, Lishu Liu, Zi Ye. Insider Threat Detection Using Time-Series-Based Raw Disk Forensic Analysis. 13th IFIP International Conference on Digital Forensics (DigitalForensics), Jan 2017, Orlando, FL, United States. pp.149-167, ⟨10.1007/978-3-319-67208-3_9⟩. ⟨hal-01716401⟩


