Exploration and validation of the sdhash parameter space
Loading...
Authors
McCarrin, Michael R.
Subjects
Digital Forensics
Digital Fingerprinting
Approximate Matching
Fuzzy Hashing
Similarity Digests
sdhash
FRASH
Digital Fingerprinting
Approximate Matching
Fuzzy Hashing
Similarity Digests
sdhash
FRASH
Advisors
Young, Joel D.
Garfinkel, Simson L.
Date of Issue
2013-06
Date
Jun-13
Publisher
Monterey, California: Naval Postgraduate School
Language
Abstract
Cryptographic hashes are commonly used to aid in the examination of digital evidence by providing a method of rapidly identifying targeted content (e.g., incriminating materials) in large quantities of data. Because only exact matches can be detected, this method is easily defeated by even the smallest modification to the data. Approximate matching techniques maintain nearly the speed and space efficiency advantages of cryptographic hashes, while offering a more robust scheme for detecting similar objects. We seek to validate design choices in sdhash, the current state-of-the-art approximate matching algorithm, and suggest alternatives where appropriate. In addition, we clarify various nuances regarding the interpretation of its output so that it can be more effectively applied to forensic analysis. To this end, we provide a detailed analysis of sdhash’s behavior across a variety of relevant scenarios using the FRASH testing framework, and propose strategies for extracting more relevant and granular feedback.
Type
Description
Series/Report No
Department
Computer Science
Organization
Identifiers
NPS Report Number
Sponsors
Funder
Format
Citation
Distribution Statement
Approved for public release; distribution is unlimited.
Rights
This publication is a work of the U.S. Government as defined in Title 17, United States Code, Section 101. Copyright protection is not available for this work in the United States.