
Towards a Process Model for Hash Functions in Digital Forensics

Breitinger, Frank and Liu, Huajian and Winter, Christian and Baier, Harald and Rybalchenko, Alexey and Steinebach, Martin
Gladyshev, Pavel and Marrington, Andrew and Baggili, Ibrahim (eds.) (2014):
Towards a Process Model for Hash Functions in Digital Forensics.
In: Digital Forensics & Cyber Crime (ICDF2C 2013), 5th ICST International Conference, September 26–27, 2013, Moscow, Russia, Springer, Moscow, Russia, In: Lecture Notes of the Institute for Computer Sciences, Social Informatics and Telecommunications Engineering (LNICST), 132, ISBN 978-3-319-14288-3 (print) and 978-3-319-14289-0 (e-book),
DOI: 10.1007/978-3-319-14289-0_12,
[Conference or Workshop Item]

Abstract

Handling forensic investigations gets more and more difficult as the amount of data one has to analyze is increasing continuously. A common approach to automated file identification is the use of hash functions. The procedure is quite simple: a tool hashes all files of a seized device and compares them against a database. Depending on the database, this allows investigators to discard non-relevant files (whitelisting) or detect suspicious files (blacklisting).

One can distinguish three kinds of algorithms: (cryptographic) hash functions, bytewise approximate matching and semantic approximate matching (a.k.a. perceptual hashing), where the main difference is the operation level. The latter operates on the semantic level, while the other two approaches operate on the byte level. Hence, investigators have three different approaches at hand to analyze a device.

First, this paper gives a comprehensive overview of existing approaches for bytewise approximate matching in general and semantic approximate matching for images. Second, we compare implementations and summarize the strengths and weaknesses of all approaches. Third, we show how to integrate these functions based on a sample use case into one existing process model, the computer forensics field triage process model.

Item Type: Conference or Workshop Item
Published: 2014
Editors: Gladyshev, Pavel and Marrington, Andrew and Baggili, Ibrahim
Creators: Breitinger, Frank and Liu, Huajian and Winter, Christian and Baier, Harald and Rybalchenko, Alexey and Steinebach, Martin
Title: Towards a Process Model for Hash Functions in Digital Forensics
Title of Book: Digital Forensics & Cyber Crime (ICDF2C 2013), 5th ICST International Conference, September 26–27, 2013, Moscow, Russia
Series Name: Lecture Notes of the Institute for Computer Sciences, Social Informatics and Telecommunications Engineering (LNICST)
Volume: 132
Publisher: Springer
ISBN: 978-3-319-14288-3 (print) and 978-3-319-14289-0 (e-book)
Uncontrolled Keywords: Secure Data;Digital forensics, hashing, similarity hashing, robust hashing, perceptual hashing, approximate matching, process model
Divisions: LOEWE > LOEWE-Zentren > CASED – Center for Advanced Security Research Darmstadt
LOEWE > LOEWE-Zentren
LOEWE
Event Location: Moscow, Russia
Date Deposited: 30 Dec 2016 20:23
DOI: 10.1007/978-3-319-14289-0_12
Identification Number: TUD-CS-2013-0296