Using purpose-built functions and block hashes to enable small block and sub-file forensics
MetadataShow full item record
This paper explores the use of purpose-built functions and cryptographic hashes of small data blocks for identifying data in sectors, file fragments, and entire files. It introduces and defines the concept of a "distinct" disk sectorda sector that is unlikely to exist elsewhere except as a copy of the original. Techniques are presented for improved detection of JPEG, MPEG and compressed data; for rapidly classifying the forensic contents of a drive using random sampling: and for carving data based on sector hashes.
DFRWS 2010, Portland, ORThe article of record as published may be found at http://dx.doi.org/10.1016/j.diin.2010.05.003Refereed Conference Paper