
Using Approximate Matching to Reduce the Volume of Digital Data

Breitinger, Frank and Winter, Christian and Yannikos, York and Fink, Tobias and Seefried, Michael
Peterson, Gilbert and Shenoi, Sujeet (eds.) (2014):
Using Approximate Matching to Reduce the Volume of Digital Data.
In: Advances in Digital Forensics X, 10th IFIP WG 11.9 International Conference on Digital Forensics, Vienna, Austria, January 8–10, 2014, Springer, Vienna, Austria. IFIP Advances in Information and Communication Technology, vol. 433. [Conference or Workshop Item]

Abstract

Forensic investigations are often comparable to finding a needle in a haystack – the agents are overwhelmed with information and need to identify relevant files. To solve this challenge, investigators apply cryptographic hash functions to identify known files automatically. However, cryptographic hashing was never designed for forensic investigations and, due to its security properties, can detect identical files only.

This paper shows the benefits of using approximate matching for this challenge. We set up three test images using Windows XP, Windows 7 and Ubuntu 12.04 and performed several fingerprint-based comparisons, e.g., operating system installations against the ssdeep reference dataset from the National Institute of Standards and Technology (NIST). All comparisons showed a much better identification rate using approximate matching, e.g., in one case the identification rate increased from 1.82% to 23.76%.

Item Type: Conference or Workshop Item
Published: 2014
Editors: Peterson, Gilbert and Shenoi, Sujeet
Creators: Breitinger, Frank and Winter, Christian and Yannikos, York and Fink, Tobias and Seefried, Michael
Title: Using Approximate Matching to Reduce the Volume of Digital Data
Title of Book: Advances in Digital Forensics X, 10th IFIP WG 11.9 International Conference on Digital Forensics, Vienna, Austria, January 8–10, 2014
Series Name: IFIP Advances in Information and Communication Technology
Volume: 433
Publisher: Springer
Uncontrolled Keywords: Secure Data; Approximate matching, ssdeep, reference dataset, RDS, file identification
Divisions: LOEWE > LOEWE-Zentren > CASED – Center for Advanced Security Research Darmstadt
LOEWE > LOEWE-Zentren
LOEWE
Event Location: Vienna, Austria
Date Deposited: 30 Dec 2016 20:23
Identification Number: TUD-CS-2014-0925