Practical use of Approximate Hash Based Matching in digital investigations

Bjelland, Petter Christian; Franke, Katrin; Årnes, André

doi:10.1016/j.diin.2014.03.003

Cited by 14 publications

(10 citation statements)

References 11 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…As discussed by Bjelland et al (2014), there are scenarios where headers share relevant information: "similar conversation" (i.e., caused by the 'from', 'to' and 'cc' fields in the header). Therefore, we changed our preprocessing so that now only header information is considered.…”

Section: Assessment For E-mail (Metadata)mentioning

confidence: 99%

“…X-Headers are additional personalized information in the header that can be added. An example is given in the following: As indicated by Bjelland et al (2014), "the majority of the resulting matches fell into one of these three manually defined categories:…”

Section: E-mail Structure and Their Similaritymentioning

confidence: 99%

“…Therefore, the categorization process is based on two steps. First, we adopt the idea from Bjelland et al (2014) and second, do a manual comparison. More precisely, we did the following:…”

Section: Assessment For E-mail (Content)mentioning

confidence: 99%

See 2 more Smart Citations

Towards Syntactic Approximate Matching - A Pre-Processing Experiment

Jeong¹,

Breitinger

Kang³

et al. 2016

JDFSL

View full text Add to dashboard Cite

Over the past few years, the popularity of approximate matching algorithms (a.k.a. fuzzy hashing) has increased. Especially within the area of bytewise approximate matching, several algorithms were published, tested, and improved. It has been shown that these algorithms are powerful, however they are sometimes too precise for real world investigations. That is, even very small commonalities (e.g., in the header of a file) can cause a match. While this is a desired property, it may also lead to unwanted results. In this paper, we show that by using simple pre-processing, we significantly can influence the outcome. Although our test set is based on text-based file types (cause of an easy processing), this technique can be used for other, well-documented types as well. Our results show that it can be beneficial to focus on the content of files only (depending on the use-case). While for this experiment we utilized text files, Additionally, we present a small, self-created dataset that can be used in the future for approximate matching algorithms since it is labeled (we know which files are similar and how).

show abstract

Section: Assessment For E-mail (Metadata)mentioning

confidence: 99%

Section: E-mail Structure and Their Similaritymentioning

confidence: 99%

See 1 more Smart Citation

Towards Syntactic Approximate Matching - A Pre-Processing Experiment

Jeong¹,

Breitinger

Kang³

et al. 2016

JDFSL

View full text Add to dashboard Cite

show abstract

“…One can use them in identifying new versions of documents and software, embedded objects (e.g., jpg file inside a word document), objects in network packets (without reconstructing the packet flow), locating variants of malware families, clustering, code reuse (intellectual property protection and/or bug detection), detection of deleted objects (fragments remaining on disk), deduplication on storage systems (e.g., cloud computing: save storage and bandwidth), and cross-device deduplication, among others [10][11][12]. Also, Bjelland et al [13] present other common scenarios in which approximate matching can be used, showing practical experiments in which forensics can benefit from this technology. In one experiment, they look for emails using a small set given as leads to figure out other similar ones.…”

Section: Applicationsmentioning

confidence: 99%

“…13) , in this case, is the load factor (0 ≤ ≤ 1) used to express the percentage of the filter currently used.…”

Section: A7 Mrsh-cfmentioning

confidence: 99%

Similarity Digest Search: A Survey and Comparative Analysis of Strategies to Perform Known File Filtering Using Approximate Matching

Moia

Henriques

2017

Security and Communication Networks

View full text Add to dashboard Cite

Digital forensics is a branch of Computer Science aiming at investigating and analyzing electronic devices in the search for crime evidence. There are several ways to perform this search. Known File Filter (KFF) is one of them, where a list of interest objects is used to reduce/separate data for analysis. Holding a database of hashes of such objects, the examiner performs lookups for matches against the target device. However, due to limitations over hash functions (inability to detect similar objects), new methods have been designed, called approximate matching. This sort of function has interesting characteristics for KFF investigations but suffers mainly from high costs when dealing with huge data sets, as the search is usually done by brute force. To mitigate this problem, strategies have been developed to better perform lookups. In this paper, we present the state of the art of similarity digest search strategies, along with a detailed comparison involving several aspects, as time complexity, memory requirement, and search precision. Our results show that none of the approaches address at least these main aspects. Finally, we discuss future directions and present requirements for a new strategy aiming to fulfill current limitations.

show abstract

References

2017

Digital Forensics

View full text Add to dashboard Cite

Practical use of Approximate Hash Based Matching in digital investigations

Cited by 14 publications

References 11 publications

Towards Syntactic Approximate Matching - A Pre-Processing Experiment

Towards Syntactic Approximate Matching - A Pre-Processing Experiment

Similarity Digest Search: A Survey and Comparative Analysis of Strategies to Perform Known File Filtering Using Approximate Matching

References

Contact Info

Product

Resources

About