Practical Applications of Bloom filters to the NIST RDS and hard drive triage

Authors
Farrell, Paul
Garfinkel, Simson L.
White, Douglas
Date of Issue
2008-12
Abstract
Much effort has been expended in recent years to create large sets of hash codes from known files. Distributing these sets has become more difficult as these sets grow larger. Meanwhile the value of these sets for eliminating the need to analyze "known goods" has decreased as hard drives have dramatically increased in storage capacity. This paper evaluates the use of Bloom filters (BFs) to distribute the National Software Reference Library's (NSRL) Reference Data Set (RDS) version 2.19, with 13 million SHA-1 hashes. We present an open source reference BF implementation and validate it against a large collection of disk images. We discuss the tuning of the filters, discuss how they can be used to enable new forensic functionality, and present a novel attack against Bloom filters.
Type
Conference Paper
Description
Annual Computer Security Applications Conference 2008, Anaheim, California, December 2008.
Refereed Conference Paper
Sponsors
This research was supported in part by the Naval Postgraduate School's Research Initiation Program.
Citation
Farrell, P., Garfinkel, S., White, D. Practical Applications of Bloom filters to the NIST RDS and hard drive triage, Annual Computer Security Applications Conference 2008, Anaheim, California, December 2008. (Acceptance rate: 24%, 42/173)
Rights
This publication is a work of the U.S. Government as defined in Title 17, United States Code, Section 101. Copyright protection is not available for this work in the United States.