Improving sector hash carving with rule-based and entropy-based non-probative block filters
Gutierrez-Villarreal, Francisco Javier
McCarrin, Michael R.
Young Joel D.
MetadataShow full item record
Digital forensic investigators have traditionally used file hashes to identify known content on searched media. Recently, sector hashing has been proposed as an alternative identification method, in which files are broken up into blocks, which are then compared to sectors on searched media. Since sectors are read sequentially without accessing the file system, sector hashing can be parallelized easily and is faster than traditional methods. In addition, sector hashing can identify partial files, and does not require an exact file match. In some cases, the presence of even a single block is sufficient to demonstrate with high probability that a file resides on a drive. However, non-probative blocks, common across many files, generate false positive matches; a problem that must be addressed before sector hashing can be adopted. We conduct 7 experiments in two phases to filter non-probative blocks. Our first phase uses rule-based and entropy-based non-probative block filters to improve matching against all file types. In the second phase, we restrict the problem to JPEG files. We find that for general hash-based carving, a rule-based approach outperforms a simple entropy threshold. When searching for JPEGs, we find that an entropy threshold of 10.9 gives a precision of 80% and an accuracy of 99%.
Approved for public release; distribution is unlimited
Showing items related by title, author, creator and subject.
Morozov, Andrey K.; Colosi, John A. (Acoustical Society of America, 2015-09-08);The reduction of information capacity of the ocean sound channel due to scattering by internal waves is a potential problem for acoustic communication, navigation, and remote sensing over long ranges. In spite of recent ...
Paul, Calvin B. (Monterey, California: Naval Postgraduate School, 2017-06);The need for file identification and partitioning in the digital forensic, reverse engineering, and security analyst fields cannot be overstated. In this research, we investigate the use of the Shannon entropy profile ...
Justamante, David (Monterey, California: Naval Postgraduate School, 2017-03);Randomness is at the heart of today's computing. There are two categorical methods to generate random numbers: pseudorandom number generation (PRNG) methods and true random number generation (TRNG) methods. While PRNGs ...