Hash-based carving: Searching media for complete files and file fragments with sector hashing and hashdb

Garfinkel, Simson L.; McCarrin, Michael

doi:10.1016/j.diin.2015.05.001

Cited by 41 publications

(30 citation statements)

References 5 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…In addition to random sampling, rather exploiting the hash values of the entire file, the block‐based hashing approach has been effectively used in literature for identifying the existence of known contents on digital media or forensic images. The hash‐based carving technique presented in Garfinkel and McCarrin detects the presence of blacklisted files by evaluating and matching the hash values of overlapping blocks from disk images. For illustration, the features of hash‐based carving method were made compatible with the bulk_extractor forensic tool and hashdb database using an integrator python script.…”

Section: Background and Related Workmentioning

confidence: 99%

“…For detection the comparison between the sector and block hashes can be accomplished by utilizing any of the available cryptographic hash algorithms (verification methods), for example, Message Digest (MD5) and Secure Hash Algorithm (SHA1). Here, we followed computation of MD5 hash values because of its computational efficiency and vast adaptability in the forensics community . Since the sector is the smallest unit to represent data in the disk drive, the evaluation of small‐sized sector or block is advised because file blocks should efficiently map with drive sectors .…”

Section: Background and Related Workmentioning

confidence: 99%

See 1 more Smart Citation

An intelligent approach for examining and detecting target data fragments in suspected large storage drives

Bharadwaj

Singh

2019

Security and Privacy

View full text Add to dashboard Cite

The ever increasing capacity of storage devices is becoming a formidable obstruction to the digital forensic community due to its substantial investigation time and preservation space requirements. However, the investigation process becomes more complicated, whenever the fragmented or partially overwritten drives need forensic consideration. It is becoming extremely necessary to unfold novel methods the examination of storage drives involving a bulk volume of data. In this paper, the differential evolution (DE) technique is utilized with an unsupervised mean-shift clustering approach in the field of digital forensics for intelligently locating the traces of target file in suspected storage drives or raw images. The proposed methodology leverages the drives' geometrical information in DE for obtaining random sector samples followed by fitness value and sector hash computation. The clustering algorithm evaluates the obtained intelligence and assists in estimating the regions of forensic significance in the drive, instead of considering the entire drive contents. As an outcome, a proof-of-concept Python based command line tool has been developed and released to support the study and further enhancement. The experiments and case studies demonstrated using the drives of different capacities demonstrates the efficacy of the proposed method. K E Y W O R D Sdifferential evolution, digital forensics, huge data volumes, mean shift clustering, storage drive, target file 1 Security Privacy. 2019;2:e71.wileyonlinelibrary.com/journal/spy2

show abstract

Section: Background and Related Workmentioning

confidence: 99%

Section: Background and Related Workmentioning

confidence: 99%

An intelligent approach for examining and detecting target data fragments in suspected large storage drives

Bharadwaj

Singh

2019

Security and Privacy

View full text Add to dashboard Cite

show abstract

“…One method to tackle the problem is the combination of parallel processing without file system information and conventional standalone forensic tools based on the file system information. In this paper, we employ sector hashing with random sampling [24][25][26][27]42] to search for an evidence file in a large amount of write logs by using a MapReduce cluster. Moreover, we propose the restoration function of a previous virtual block device at an arbitrary point in the past so that investigators will be able to perform detailed analysis of the restored disk using conventional forensic tools based on the file system information.…”

Section: Problems Of Increasing Volume Of Datamentioning

confidence: 99%

LogDrive: a proactive data collection and analysis framework for time-traveling forensic investigation in IaaS cloud environments

et al. 2018

View full text Add to dashboard Cite

This paper presents the LogDrive framework for mitigating the following problems of storage forensics in Infrastructure-as-a-Service (IaaS) cloud environments: volatility, increasing volume of forensic data, and anti-forensic attacks that hide traces of incidents in virtual machines. The proposed proactive data collection function of virtual block devices mitigates the problem of volatility within the cloud environments and enables a time-traveling investigation to reveal overwritten or deleted evidence files. We employ a sector-hash-based file detection method with random sampling to search for an evidence file in the record of the write logs of the virtual storage. The problem formulation, the investigation context, and the design with five algorithms are presented. We explore the performance of LogDrive through a detailed evaluation. Finally, security analysis of LogDrive is presented based on the STRIDE (Spoofing, Tampering, Repudiation, Information disclosure, Denial of service, and Elevation of privilege) threats model and related work. We posted the source code of LogDrive on GitHub.

show abstract

“…Since entropy can be similar for two different data items, researchers have used hash values because of their reduced collision probabilities to match known files from large datasets. For example, authors in Reference have used MD5 message digests for hash‐based file carving approach. Nevertheless, in this work, entropy is used to estimate the amount of information contained in each randomly selected sector.…”

Section: Introductionmentioning

confidence: 99%

Significant data region identification and analysis using k‐means in large storage drive forensics

Bharadwaj

Singh

2018

Security and Privacy

View full text Add to dashboard Cite

The recent technological advancement with less implementation cost has completely changed the scenario of information being generated, stored, or manipulated digitally by using the storage devices. Today the criminal activities are directly or indirectly associated with the storage devices, thus it is now recognized as an essential evidence in court-of-law throughout the world. However, the massive capacities of modern storage devices significantly increase the time and effort required to preserve and analyze the evidence. This paper proposes a methodology based on the random sector sampling and k-means clustering approaches to efficiently identify and evaluate the significant data regions instead of the entire storage drive. The random sampling and clustering methods efficiently reveal the unseen resident data pattern and intelligence about the regions of the drive which may be of investigator's interest. Experiments involving storage drives of various capacities demonstrate the efficacy of the methodology. Moreover, we generalize our discussion to represent that the extracted hidden patterns of storage drive data can assist an investigator in achieving the desired performance requirements. KEYWORDS k-means clustering, large storage drives, random sector sampling, selective examination, significant regions identification, storage drive forensics, stored data pattern 1 Security Privacy. 2018;1:e40.wileyonlinelibrary.com/journal/spy2

show abstract

Hash-based carving: Searching media for complete files and file fragments with sector hashing and hashdb

Cited by 41 publications

References 5 publications

An intelligent approach for examining and detecting target data fragments in suspected large storage drives

An intelligent approach for examining and detecting target data fragments in suspected large storage drives

LogDrive: a proactive data collection and analysis framework for time-traveling forensic investigation in IaaS cloud environments

Significant data region identification and analysis using k‐means in large storage drive forensics

Contact Info

Product

Resources

About