Identifying forensically uninteresting files in a large corpus

Rowe, Neil C.

doi:10.4108/eai.8-12-2016.151725

Cited by 3 publications

(1 citation statement)

References 14 publications

(22 reference statements)

Supporting

Mentioning

Contrasting

Order By: Relevance

“…For each file in the NSRL collection, the RDS includes 1) cryptographic hash values of the file's content, 2) information about the software package(s) containing the file, 3) the manufacturer of the package, 4) the original name, and 5) the size of the file. Many studies have used the hash list of RDS to identify and filter known benign files [3], [11], [30], and [31].…”

Section: A Index Searching and Filteringmentioning

confidence: 99%

Developing Software Signature Search Engines Using Paragraph Vector Model: A Triage Approach for Digital Forensics

2021

View full text Add to dashboard Cite

Today, with the growth of information and communication technology, digital crimes have also spread. Advanced storage technologies and their low cost have led to a significant increase in their use. Therefore, the high volume of digital data to be analyzed is a challenge facing digital forensic investigators. Digital forensic triage solutions aim to alleviate the forensic backlog. A promising triage technique is to quickly find the software packages run on the target system to narrow down the search space. In this paper, we propose a software signature search engine (S3E) to identify software on the system under investigation. The document collection of this search engine consists of software signatures, and the query is the features extracted from the system's hard disk. We propose a forensic differential analysis model to build software signatures. Besides, we use the paragraph vector model to construct the corresponding vectors of each software signature and find similarities between the query vector and the signature vectors. Different design parameters are involved in making software signature search engines, and distinct values of these parameters lead to different models. We have measured the performance of these S3E models against several controlled systems and some pseudo-real systems. The experimental results on both datasets show that some S3E models achieve perfect recall, and many of them have a recall of more than 90%. Besides, we find that the recall rate of the S3E models in both datasets is higher than the averaged word2vec model and the TF-IDF model.

show abstract