Hash Based Block Matching for Digital Evidence Image Files from Forensic Software Tools
Commenced in January 2007
Frequency: Monthly
Edition: International
Paper Count: 32771
Hash Based Block Matching for Digital Evidence Image Files from Forensic Software Tools

Authors: M. Kaya, M. Eris

Abstract:

Internet use, intelligent communication tools, and social media have all become an integral part of our daily life as a result of rapid developments in information technology. However, this widespread use increases crimes committed in the digital environment. Therefore, digital forensics, dealing with various crimes committed in digital environment, has become an important research topic. It is in the research scope of digital forensics to investigate digital evidences such as computer, cell phone, hard disk, DVD, etc. and to report whether it contains any crime related elements. There are many software and hardware tools developed for use in the digital evidence acquisition process. Today, the most widely used digital evidence investigation tools are based on the principle of finding all the data taken place in digital evidence that is matched with specified criteria and presenting it to the investigator (e.g. text files, files starting with letter A, etc.). Then, digital forensics experts carry out data analysis to figure out whether these data are related to a potential crime. Examination of a 1 TB hard disk may take hours or even days, depending on the expertise and experience of the examiner. In addition, it depends on examiner’s experience, and may change overall result involving in different cases overlooked. In this study, a hash-based matching and digital evidence evaluation method is proposed, and it is aimed to automatically classify the evidence containing criminal elements, thereby shortening the time of the digital evidence examination process and preventing human errors.

Keywords: Block matching, digital evidence, hash list.

Digital Object Identifier (DOI): doi.org/10.5281/zenodo.1132357

Procedia APA BibTeX Chicago EndNote Harvard JSON MLA RIS XML ISO 690 PDF Downloads 1293

References:


[1] United Nations Human Rights Office of The High Commissioners “Basic Human Rights Reference Guide”, CTITF Publication Series, Published by the United Nations, New York 13-11484—March 2014. Last accessed on 15.08.2017. https://www.un.org/counterterrorism/ctitf/sites/www.un.org.counterterrorism.ctitf/files/FairTrial.pdf.
[2] Garfinkel, S., Nelson, A., White, D., & Roussev, V. (2010). Using purpose-built functions and block hashes to enable small block and sub-file forensics. digital investigation, 7, S13-S23.
[3] Garfinkel, S. L., & McCarrin, M. Hash-Based Carving: Searching media for complete files and fragments with sector hashing and hashdb, Digital Investigation, Elsevier, Volume 14, Supplement 1, August 2015, Pages S95-S105.
[4] Chen, L., & Wang, G. (2008, January). An efficient piecewise hashing method for computer forensics. In Knowledge Discovery and Data Mining, 2008. WKDD 2008. First International Workshop on (pp. 635-638). IEEE.
[5] Young, J., Foster, K., Garfinkel, S., & Fairbanks, K. (2012). Distinct sector hashes for target file detection. Computer, 45(12), 28-35.
[6] Taguchi, J. K. (2013). Optimal sector sampling for drive triage.
[7] White, D. (2008, February). Hashing of file blocks: When exact matches are not useful. In Presentation notes, American Academy of Forensic Sciences 60th Anniversary Meeting. http://www.nsrl.nist.gov/Presentations.html, Accessed on 15.08.2017.
[8] S. L. Garfinkel. Digital forensics research: The next 10 years. digital investigation, 7:S64–S73, 2010.
[9] IFAC Proceedings Volumes, 42(1), 45-50.
[10] Pamula, D., & Ziebinski, A. (2009). Hardware implementation of the MD5 algorithm.
[11] Salgado, R. P. (2005). Fourth Amendment Search and the Power of the Hash. Harv. L. Rev. F., 119, 38.
[12] Forensic Explorer User Manual,2015, Link: http://www.forensicexplorer.com/forensic-explorer-user-guide.en.pdf, Accessed on 15.08.2017.
[13] EnCase Forensic Version 6.11 User's Guide, 2008, Link: http://www.thecybercrimeinvestigator.com/crj455/EnCase%20Forensic%20Version%206.11%20User%27s%20Guide.pdf, Accessed on 15.08.2017.
[14] Link: http://www.imageprocessingplace.com/root_files_V3/image_databases.htm , Accessed on 28.07.2017.
[15] Kim, Y., & Ross, S. (2012). Digital forensics formats: seeking a digital preservation storage container format for web archiving. International Journal of Digital Curation, 7(2), 21-39.