Loading [MathJax]/extensions/MathMenu.js
An Evaluation of Side-Information Assisted Forensic Hash Matching | IEEE Conference Publication | IEEE Xplore

An Evaluation of Side-Information Assisted Forensic Hash Matching


Abstract:

Investigations involving digital forensics typically include file hash matching procedures at one or more steps in the examination. File hash matching is typically done b...Show More

Abstract:

Investigations involving digital forensics typically include file hash matching procedures at one or more steps in the examination. File hash matching is typically done by computing a complete file hash value for each file on a storage device and comparing that to a pre-computed hash list. This work examines how various improvements to the basic technique impact the time required to perform hash matching. Specifically, side-information assisted approaches are evaluated in this work. By utilizing side-information such as file sizes and pre-hashes in addition to the traditional hash values, we find that it is possible to considerably decrease the amount of time required to perform file hash matching. A simulation model is used to evaluate the potential time saving over a range of storage devices and using five different empirically derived file size distribution datasets totaling 36 million file sizes. The results indicate that side-information assisted hashing provides a considerable reduction of the time required, ranging between 5% and 99%, with the majority of cases providing reductions with more than 50%.
Date of Conference: 21-25 July 2014
Date Added to IEEE Xplore: 22 September 2014
Electronic ISBN:978-1-4799-3578-9
Conference Location: Vasteras, Sweden

Contact IEEE to Subscribe

References

References is not available for this document.