Insider attacks are a critical issue for companies and governments in scenarios involving trade secrets, sensitive information, intellectual property, personally identifiable information, classified documents, and more. Too many existing approaches for responding to these attacks rely on mechanisms that assume the recovery of locally stored, unencrypted data. These techniques fail on the growing number of devices that employ file system encryption and cloud storage. This project advances novel methods of offering to an attacker's system covert evidence of their attack that may remain after primary data and documents are encrypted or securely wiped. The data has precise meaning to investigators that is demonstrable in court and to other third parties. The data is obfuscated from interpretation by third parties without investigator assistance, and thus is privacy preserving. The long-range outcome of this project will be the enabling of research including: generalized methods of attack response when the computers involved are outside or partially outside the administrator's control, automated methods of discovering channels for offering evidence, and defenses against these techniques. Our research is an important stepping stone towards the broader topic of privacy-preserving, proactive investigation of attacks committed using networked computer systems.

Agency: National Science Foundation (NSF)
Institute: Division of Computer and Network Systems (CNS)
Type: Standard Grant (Standard)
Application #: 1442069
Program Officer: Deborah Shands
Project Start:
Project End:
Budget Start: 2014-06-01
Budget End: 2016-05-31
Support Year:
Fiscal Year: 2014
Total Cost: $99,894
Indirect Cost:
Name: University of Massachusetts Amherst
Department:
Type:
DUNS #:
City: Hadley
State: MA
Country: United States
Zip Code: 01035