File Type Identification of Data Fragments by Their Binary Structure

Karresand, Martin; Shahmehri, Nahid

doi:10.1109/iaw.2006.1652088

Cited by 60 publications

(37 citation statements)

References 7 publications

Supporting

Mentioning

Contrasting

Unclassified

Order By: Relevance

“…[11,12] introduced the idea of using the data of the file itself for classifying file fragments. In doing so they focused exclusively on developing the Oscar method for identifying jpg file fragments (that used special information about the structure of jpg files).…”

Section: Related Workmentioning

confidence: 99%

The Normalised Compression Distance as a file fragment classifier

Axelsson

2010

Digital Investigation

View full text Add to dashboard Cite

We have applied the generalised and universal distance measure NCD-Normalised Compression Distance-to the problem of determining the type of file fragments. To enable later comparison of the results, the algorithm was applied to fragments of a publicly available corpus of files. The NCD algorithm in conjunction with the k-nearest-neighbour (k ranging from one to ten) as the classification algorithm was applied to a random selection of circa 3000 512-byte file fragments from 28 different file types. This procedure was then repeated ten times. While the overall accuracy of the n-valued classification only improved the prior probability from approximately 3.5% to circa 32%-36%, the classifier reached accuracies of circa 70% for the most successful file types.A prototype of a file fragment classifier was then developed and evaluated on new set of data (from the same corpus). Some circa 3000 fragments were selected at random and the experiment repeated five times. This prototype classifier remained successful at classifying individual file types with accuracies ranging from only slightly lower than 70% for the best class, down to similar accuracies as in the prior experiment.

show abstract

Section: Related Workmentioning

confidence: 99%

The Normalised Compression Distance as a file fragment classifier

Axelsson

2010

Digital Investigation

View full text Add to dashboard Cite

show abstract

“…Unfortunately, RoC does nothing to improve the rather modest classification success of other file formats considered. For Windows executables, the false positive rate actually exceeded the detection rate for most points shown ( [5] Fig 3), although the peak detection rate of 70% is equal to a false positive rate of 70%. For zip files, things look a little better with false positive rate of 70% when the detection rate reaches 100% ( [5] Fig 4).…”

Section: Byte Frequency Distribution (Bfd) Approachesmentioning

confidence: 99%

“…This was shortly extended [5] with the introduction of a new metric called rate-ofchange (RoC), which was defined as the difference of the ASCII values of consecutive bytes. This was done squarely to improve the accuracy of jpeg recognition, which becomes near perfect.…”

Section: Byte Frequency Distribution (Bfd) Approachesmentioning

confidence: 99%

File Fragment Classification-The Case for Specialized Approaches

Roussev

Garfinkel

2009

2009 Fourth International IEEE Workshop on Systematic Approaches to Digital Forensic Engineering

View full text Add to dashboard Cite

“…When these measures are put together, they form a model which is used to identify unknown data fragments. In [5], the same authors extended this approach by calculating the rate of change (RoC) (i.e., the absolute value of the difference between two consecutive byte values in a data fragment). RoC allows incorporating the ordering of the bytes into the identification process.…”

Section: Previous Workmentioning

confidence: 99%

GP-Fileprints: File Types Detection Using Genetic Programming

Kattan

Galván

Poli

et al. 2010

Lecture Notes in Computer Science

View full text Add to dashboard Cite

Abstract. We propose a novel application of Genetic Programming (GP): the identification of file types via the analysis of raw binary streams (i.e., without the use of meta data). GP evolves programs with multiple components. One component analyses statistical features extracted from the raw byte-series to divide the data into blocks. These blocks are then analysed via another component to obtain a signature for each file in a training set. These signatures are then projected onto a two-dimensional Euclidean space via two further (evolved) program components. K-means clustering is applied to group similar signatures. Each cluster is then labelled according to the dominant label for its members. Once a program that achieves good classification is evolved it can be used on unseen data without requiring any further evolution. Experimental results show that GP compares very well with established file classification algorithms (i.e., Neural Networks, Bayes Networks and J48 Decision Trees).

show abstract

File Type Identification of Data Fragments by Their Binary Structure

Cited by 60 publications

References 7 publications

The Normalised Compression Distance as a file fragment classifier

The Normalised Compression Distance as a file fragment classifier

File Fragment Classification-The Case for Specialized Approaches

GP-Fileprints: File Types Detection Using Genetic Programming

Contact Info

Product

Resources

About