An Evaluation of Side-Information Assisted Forensic Hash Matching
2014 (English) In: Computer Software and Applications Conference Workshops (COMPSACW), 2014 IEEE 38th International / [ed] Chang, CK; Gao, Y; Hurson, A; Matskin, M; McMillin, B; Okabe, Y; Seceleanu, C; Yoshida, K, IEEE Press, 2014, 331-336 p. Conference paper (Refereed)
Investigations involving digital forensics typically include file hash matching procedures at one or more steps in the examination. File hash matching is typically done by computing a complete file hash value for each file on a storage device and comparing that to a pre-computed hash list. This work examines how various improvements to the basic technique impact the time required to perform hash matching. Specifically, side-information assisted approaches are evaluated in this work. By utilizing side-information such as file sizes and pre-hashes in addition to the traditional hash values, we find that it is possible to considerably decrease the amount of time required to perform file hash matching. A simulation model is used to evaluate the potential time saving over a range of storage devices and using five different empirically derived file size distribution datasets totaling 36 million file sizes. The results indicate that side-information assisted hashing provides a considerable reduction of the time required, ranging between 5% and 99%, with the majority of cases providing reductions of more than 50%.
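The staged matching the abstract describes, as an added sketch that is not code from the paper: a file is fully hashed only if its size and then its pre-hash both appear in the known-file list. The pre-hash definition (SHA-256 over the first 4096 bytes), the function names and the in-memory sample files are assumptions made for illustration.

```python
import hashlib
import io

PRE_LEN = 4096  # assumed pre-hash span; the abstract does not specify one

def digest(data):
    return hashlib.sha256(data).hexdigest()

def build_index(known_blobs):
    """Hash list extended with side-information: size -> pre-hash -> {full hashes}."""
    index = {}
    for blob in known_blobs:
        by_pre = index.setdefault(len(blob), {})
        by_pre.setdefault(digest(blob[:PRE_LEN]), set()).add(digest(blob))
    return index

def match(files, index):
    """files: {name: (size, stream)}. Returns (matching names, bytes actually read)."""
    hits, bytes_read = [], 0
    for name, (size, stream) in files.items():
        by_pre = index.get(size)
        if by_pre is None:            # size comes from metadata: no data read
            continue
        head = stream.read(PRE_LEN)
        bytes_read += len(head)
        full_hashes = by_pre.get(digest(head))
        if full_hashes is None:       # pre-hash mismatch: stop after first block
            continue
        h = hashlib.sha256(head)      # continue hashing from the block already read
        while chunk := stream.read(65536):
            bytes_read += len(chunk)
            h.update(chunk)
        if h.hexdigest() in full_hashes:
            hits.append(name)
    return hits, bytes_read

def demo():
    """Constructed sample data: two known files and five files on the 'device'."""
    known = [b"A" * 10000, b"B" * 300]
    disk = {
        "match.bin": b"A" * 10000,
        "same_size_diff_head.bin": b"C" * 10000,
        "same_head_diff_tail.bin": b"A" * 9999 + b"Z",
        "other_size.bin": b"D" * 50000,
        "small.bin": b"B" * 300,
    }
    files = {n: (len(d), io.BytesIO(d)) for n, d in disk.items()}
    hits, read = match(files, build_index(known))
    return hits, read, sum(len(d) for d in disk.values())
```

On this constructed input the staged procedure reads 24396 of 80300 bytes; the file that shares both size and first block with a known file is still rejected by the full hash.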
Place, publisher, year, edition, pages
IEEE Press, 2014. 331-336 p.
Computer Science, Software Engineering; Computer Science, Theory & Methods; Engineering, Electrical & Electronic
Research subject: Computer Science
Identifiers: URN: urn:nbn:se:kau:diva-40975; DOI: 10.1109/COMPSACW.2014.58; ISI: 000352787700056; OAI: oai:DiVA.org:kau-40975; DiVA: diva2:909300
COMPSACW 2014 IEEE 38th International Computer Software and Applications Conference Workshops, Västerås, Sweden, Jul 21-25, 2014