Using Distinct Sectors in Media Sampling and Full Media Analysis to Detect Presence of Documents from a Corpus
Author
Foster, Kristina
Date
2012-09
Advisor
Garfinkel, Simson
Second Reader
Ziring, Neal
Abstract
Forensics examiners frequently search for known content by comparing each file from a target media to a known file hash database. We propose using sector hashing to rapidly identify content of interest. Using this method, we hash 512 B or 4 KiB disk sectors of the target media and compare those to a hash database of known file blocks, fixed-sized file fragments of the same size. Sector-level analysis is fast because it can be parallelized and we can sample a sufficient number of sectors to determine with high probability if a known file exists on the target. Sector hashing is also file system agnostic and allows us to identify evidence that a file once existed even if it is not fully recoverable. In this thesis we analyze the occurrence of distinct file blocks (blocks that only occur as a copy of the original file) in three multi-million file corpora and show that most files, including documents, legitimate and malicious software, consist of distinct blocks. We also determine the relative performance of several conventional SQL and NoSQL databases with a set of one billion file block hashes.
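The sector-hashing workflow the abstract describes, as an added Python sketch that is not code from the thesis: it builds a database of distinct 4 KiB blocks, scans an image sector by sector, and computes the chance that a random sample misses a file entirely. SHA-256, block-aligned storage, all function names and the sample data are assumptions constructed for illustration.

```python
import hashlib
import random

BLOCK = 4096  # 4 KiB, one of the two sector sizes named in the abstract

def sha(b):
    return hashlib.sha256(b).digest()  # hash choice is an assumption

def build_db(files, block=BLOCK):
    """Map hash -> file name for distinct blocks (seen in exactly one file)."""
    seen = {}
    for name, data in files.items():
        for off in range(0, len(data) - block + 1, block):
            seen.setdefault(sha(data[off:off + block]), set()).add(name)
    return {h: next(iter(n)) for h, n in seen.items() if len(n) == 1}

def scan(image, db, offsets, block=BLOCK):
    """Hash the sector at each offset; return {file name: matching sectors}."""
    hits = {}
    for off in offsets:
        name = db.get(sha(bytes(image[off:off + block])))
        if name is not None:
            hits[name] = hits.get(name, 0) + 1
    return hits

def miss_probability(total, present, sampled):
    """P(all `sampled` sectors, drawn without replacement, miss the file)."""
    if sampled > total - present:
        return 0.0
    p = 1.0
    for i in range(sampled):
        p *= (total - present - i) / (total - i)
    return p

# Constructed sample data (seeded, so runs are reproducible).
rng = random.Random(1)
def filler(n):
    return bytes(rng.getrandbits(8) for _ in range(n))
zero = bytes(BLOCK)                       # block shared by both files
doc_a = filler(3 * BLOCK) + zero
doc_b = filler(2 * BLOCK) + zero
DB = build_db({"doc_a": doc_a, "doc_b": doc_b})

# 16-sector image: two blocks of doc_a survive, the rest is unrelated data.
image = bytearray(filler(16 * BLOCK))
image[5 * BLOCK:6 * BLOCK] = doc_a[:BLOCK]
image[9 * BLOCK:10 * BLOCK] = doc_a[2 * BLOCK:3 * BLOCK]
image[12 * BLOCK:13 * BLOCK] = zero       # common block, not evidence

print(scan(image, DB, range(0, len(image), BLOCK)))
print(miss_probability(16, 2, 4))
```

The all-zero block appears in both constructed files, so it is excluded from the database and its presence in the image produces no hit; only the two surviving distinct blocks of `doc_a` are reported, even though the file itself is not recoverable.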
Rights
This publication is a work of the U.S. Government as defined in Title 17, United States Code, Section 101. As such, it is in the public domain, and under the provisions of Title 17, United States Code, Section 105, is not copyrighted in the U.S.