Breitinger, Frank ; Baier, Harald (2011)
Performance Issues about Context-Triggered Piecewise Hashing.
Dublin
Konferenzveröffentlichung, Bibliographie
Kurzbeschreibung (Abstract)
A hash function is a well-known method in computer science to map arbitrary large data to bit strings of a fixed short length. This property is used in computer forensics to identify known files on base of their hash value. As of today, in a pre-step process hash values of files are generated and stored in a database; typically a cryptographic hash func- tion like MD5 or SHA-1 is used. Later the investigator computes hash values of files, which he finds on a storage medium, and performs look ups in his database. Due to security properties of cryptographic hash functions, they can not be used to identify similar files. Therefore Jesse Kornblum proposed a similarity preserving hash function to identify sim- ilar files. This paper discusses the efficiency of Kornblum’s approach. We present some enhancements that increase the performance of his algo- rithm by 55% if applied to a real life scenario. Furthermore, we discuss some characteristics of a sample Windows XP system, which are relevant for the performance of Kornblum’s approach.
| Typ des Eintrags: | Konferenzveröffentlichung |
|---|---|
| Erschienen: | 2011 |
| Autor(en): | Breitinger, Frank ; Baier, Harald |
| Art des Eintrags: | Bibliographie |
| Titel: | Performance Issues about Context-Triggered Piecewise Hashing |
| Sprache: | Englisch |
| Publikationsjahr: | Oktober 2011 |
| Buchtitel: | 3rd International ICST Conference on Digital Forensics & Cyber Crime |
| Veranstaltungsort: | Dublin |
| Kurzbeschreibung (Abstract): | A hash function is a well-known method in computer science to map arbitrary large data to bit strings of a fixed short length. This property is used in computer forensics to identify known files on base of their hash value. As of today, in a pre-step process hash values of files are generated and stored in a database; typically a cryptographic hash func- tion like MD5 or SHA-1 is used. Later the investigator computes hash values of files, which he finds on a storage medium, and performs look ups in his database. Due to security properties of cryptographic hash functions, they can not be used to identify similar files. Therefore Jesse Kornblum proposed a similarity preserving hash function to identify sim- ilar files. This paper discusses the efficiency of Kornblum’s approach. We present some enhancements that increase the performance of his algo- rithm by 55% if applied to a real life scenario. Furthermore, we discuss some characteristics of a sample Windows XP system, which are relevant for the performance of Kornblum’s approach. |
| Freie Schlagworte: | Secure Data;Digital forensics techniques and tools, context-triggered piecewise hash functions, fuzzy-hashing, efficiency of ssdeep, subtleties of fuzzy-hashing. |
| ID-Nummer: | TUD-CS-2011-0256 |
| Fachbereich(e)/-gebiet(e): | LOEWE > LOEWE-Zentren > CASED – Center for Advanced Security Research Darmstadt LOEWE > LOEWE-Zentren LOEWE |
| Hinterlegungsdatum: | 30 Dez 2016 20:23 |
| Letzte Änderung: | 17 Mai 2018 13:02 |
| PPN: | |
| Export: | |
| Suche nach Titel in: | TUfind oder in Google |
 |
Frage zum Eintrag |
Optionen (nur für Redakteure)
 |
Redaktionelle Details anzeigen |
Drucken
Impressum