Using Purpose-Built Functions and Block Hashes to Enable Small Block and Sub-file Forensics

Abstract

This paper explores the use of purpose-built functions and cryptographic hashes of small data blocks for identifying data in sectors, file fragments, and entire files. It introduces and defines the concept of a 'distinct' disk sector--a sector that is unlikely to exist elsewhere except as a copy of the original. Techniques are presented for improved detection of JPEG, MPEG and compressed data; for rapidly classifying the forensic contents of a drive using random sampling; and for carving data based on sector hashes.

Document Details

Document Type
Technical Report
Publication Date
Jan 01, 2010
Accession Number
ADA549441

Entities

People

  • Alex Nelson
  • Douglas White
  • Simson Garfinkel
  • Vassil Roussev

Organizations

  • Naval Postgraduate School

Tags

Communities of Interest

  • Energy and Power Technologies

DTIC Thesaurus Topics

  • Algorithms
  • Computational Forensics
  • Computer Networks
  • Computer Programming
  • Computer Science
  • Computers
  • Databases
  • Identification
  • Information Science
  • Network Science
  • Operating Systems
  • Recognition
  • Sampling
  • Standards
  • Statistical Analysis
  • Statistical Sampling
  • Word Processors

Fields of Study

  • Computer science

Readers

  • Computer Vision
  • Cybersecurity
  • Database Systems and Applications