TY - GEN
T1 - Detecting similar files based on hash and statistical analysis for digital forensic investigation
AU - Seo, Kimin
AU - Lim, Kyungsoo
AU - Choi, Jaemin
AU - Chang, Kisik
AU - Lee, Sangjin
PY - 2009
Y1 - 2009
N2 - The rapid increase in the use of mass storage devices makes it hard for forensic examiners to find important evidence within the limited time available. Examiners spend much time searching for files related to a case across a variety of storage devices. Recently, NIST (National Institute of Standards and Technology) developed a new database, called the NSRL (National Software Reference Library), which contains hash values of trusted operating systems and programs [1]. By making this database publicly available, NIST has helped reduce the time spent searching files and detecting forgery on such devices. On the other hand, hash-value-based detection cannot perfectly distinguish the similarity of one file to other files. In this paper, therefore, we present novel methods for detecting similar files based on known fuzzy hashing and statistical analysis, and we developed a prototype tool, called SimFD.
KW - Block-based hash
KW - CTPH algorithm
KW - Digital forensics
KW - Hash
KW - Similar files
UR - http://www.scopus.com/inward/record.url?scp=80655148030&partnerID=8YFLogxK
U2 - 10.1109/CSA.2009.5404198
DO - 10.1109/CSA.2009.5404198
M3 - Conference contribution
AN - SCOPUS:80655148030
SN - 9781424449460
T3 - Proceedings of the 2009 2nd International Conference on Computer Science and Its Applications, CSA 2009
BT - Proceedings of the 2009 2nd International Conference on Computer Science and Its Applications, CSA 2009
T2 - 2009 2nd International Conference on Computer Science and Its Applications, CSA 2009
Y2 - 10 December 2009 through 12 December 2009
ER -