Using Distinct Sectors in Media Sampling and Full Media Analysis to Detect Presence of Documents from a Corpus
Forensics examiners frequently search for known content by comparing each file from a target media to a known file hash database. We propose using sector hashing to rapidly identify content of interest. Using this method, we hash 512 B or 4 KiB disk sectors of the target media and compare those to a hash database of known file blocks, fixed-sized file fragments of the same size. Sector-level analysis is fast because it can be parallelized and we can sample a sufficient number of sectors to determine with high probability if a known file exists on the target. Sector hashing is also file system agnostic and allows us to identify evidence that a file once existed even if it is not fully recoverable. In this thesis we analyze the occurrence of distinct file blocks (blocks that only occur as a copy of the original file) in three multi-million file corpora and show that most files, including documents, legitimate and malicious software, consist of distinct blocks. We also determine the relative performance of several conventional SQL and NoSQL databases with a set of one billion file block hashes.
Approved for public release; distribution is unlimited
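
The method described in the abstract, sketched as an added example that is not code from the thesis: a block-hash database restricted to distinct blocks, a full and a sampled sector scan of a raw image, and the chance that a sample misses a file that is present. SHA-256, the 4 KiB block size, all function names and the sample data are assumptions made for this illustration.

```python
import hashlib, math, random

SECTOR = 4096  # the abstract names 512 B or 4 KiB; 4 KiB is used here

def fill(tag, nbytes):
    """Deterministic pseudo-random bytes used for the constructed sample data."""
    return b"".join(hashlib.sha256(tag + i.to_bytes(4, "big")).digest()
                    for i in range(nbytes // 32))

def block_hashes(data):
    """SHA-256 (assumed) of every full SECTOR-sized block; a short tail is skipped."""
    return [hashlib.sha256(data[i:i + SECTOR]).digest()
            for i in range(0, len(data) - SECTOR + 1, SECTOR)]

def build_db(corpus):
    """Keep only distinct blocks: hashes that occur in exactly one corpus file."""
    owners = {}
    for name, data in corpus.items():
        for h in set(block_hashes(data)):
            owners.setdefault(h, set()).add(name)
    return {h: min(names) for h, names in owners.items() if len(names) == 1}

def scan(image, db, sample=None, rng=random):
    """Count matching sectors per known file; sample=None reads every sector."""
    total = len(image) // SECTOR
    picks = range(total) if sample is None else rng.sample(range(total), sample)
    hits = {}
    for i in picks:
        name = db.get(hashlib.sha256(image[i * SECTOR:(i + 1) * SECTOR]).digest())
        if name is not None:
            hits[name] = hits.get(name, 0) + 1
    return hits

def miss_probability(total, present, sampled):
    """Chance that `sampled` sectors drawn without replacement hit none of `present`."""
    return math.comb(total - present, sampled) / math.comb(total, sampled)

# Constructed data: two known files share a zero-filled block, so it is not distinct.
ZERO = bytes(SECTOR)
CORPUS = {"doc_a": fill(b"a", 8 * SECTOR) + ZERO, "doc_b": fill(b"b", 4 * SECTOR) + ZERO}
DB = build_db(CORPUS)
# 64-sector image holding only the first 5 blocks of doc_a, as after a partial overwrite.
IMAGE = ZERO * 10 + CORPUS["doc_a"][:5 * SECTOR] + fill(b"x", 49 * SECTOR)

if __name__ == "__main__":
    print("full scan:", scan(IMAGE, DB))
    print("50% sample:", scan(IMAGE, DB, sample=32, rng=random.Random(1)))
    print("P(miss) at 32 of 64 sectors:", round(miss_probability(64, 5, 32), 4))
```

The scan never consults a file system, so the five surviving blocks of doc_a are still attributed to it, while the zero-filled sectors match nothing because that block is not distinct.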