Using purpose-built functions and block hashes to enable small block and sub-file forensics |
| |
| Institution: | 1. Naval Postgraduate School, Graduate School of Operational and Informational Science, Department of Computer Science, Monterey CA 93943, USA;2. Department of Computer Science, University of New Orleans, New Orleans, LA 70148, USA |
| |
| Abstract: | This paper explores the use of purpose-built functions and cryptographic hashes of small data blocks for identifying data in sectors, file fragments, and entire files. It introduces and defines the concept of a “distinct” disk sector—a sector that is unlikely to exist elsewhere except as a copy of the original. Techniques are presented for improved detection of JPEG, MPEG and compressed data; for rapidly classifying the forensic contents of a drive using random sampling; and for carving data based on sector hashes. |
| |
| Keywords: | |
| 本文献已被 ScienceDirect 等数据库收录! |
|
