TU Darmstadt / ULB / TUbiblio

Performance Issues about Context-Triggered Piecewise Hashing

Breitinger, Frank and Baier, Harald (2011):
Performance Issues about Context-Triggered Piecewise Hashing.
In: 3rd International ICST Conference on Digital Forensics & Cyber Crime, Dublin, [Conference or Workshop Item]

Abstract

A hash function is a well-known method in computer science to map arbitrary large data to bit strings of a fixed short length. This property is used in computer forensics to identify known files on base of their hash value. As of today, in a pre-step process hash values of files are generated and stored in a database; typically a cryptographic hash func- tion like MD5 or SHA-1 is used. Later the investigator computes hash values of files, which he finds on a storage medium, and performs look ups in his database. Due to security properties of cryptographic hash functions, they can not be used to identify similar files. Therefore Jesse Kornblum proposed a similarity preserving hash function to identify sim- ilar files. This paper discusses the efficiency of Kornblum’s approach. We present some enhancements that increase the performance of his algo- rithm by 55% if applied to a real life scenario. Furthermore, we discuss some characteristics of a sample Windows XP system, which are relevant for the performance of Kornblum’s approach.

Item Type: Conference or Workshop Item
Erschienen: 2011
Creators: Breitinger, Frank and Baier, Harald
Title: Performance Issues about Context-Triggered Piecewise Hashing
Language: ["languages_typename_1" not defined]
Abstract:

A hash function is a well-known method in computer science to map arbitrary large data to bit strings of a fixed short length. This property is used in computer forensics to identify known files on base of their hash value. As of today, in a pre-step process hash values of files are generated and stored in a database; typically a cryptographic hash func- tion like MD5 or SHA-1 is used. Later the investigator computes hash values of files, which he finds on a storage medium, and performs look ups in his database. Due to security properties of cryptographic hash functions, they can not be used to identify similar files. Therefore Jesse Kornblum proposed a similarity preserving hash function to identify sim- ilar files. This paper discusses the efficiency of Kornblum’s approach. We present some enhancements that increase the performance of his algo- rithm by 55% if applied to a real life scenario. Furthermore, we discuss some characteristics of a sample Windows XP system, which are relevant for the performance of Kornblum’s approach.

Title of Book: 3rd International ICST Conference on Digital Forensics & Cyber Crime
Uncontrolled Keywords: Secure Data;Digital forensics techniques and tools, context-triggered piecewise hash functions, fuzzy-hashing, efficiency of ssdeep, subtleties of fuzzy-hashing.
Divisions: LOEWE > LOEWE-Zentren > CASED – Center for Advanced Security Research Darmstadt
LOEWE > LOEWE-Zentren
LOEWE
Event Location: Dublin
Date Deposited: 30 Dec 2016 20:23
Identification Number: TUD-CS-2011-0256
Export:
Suche nach Titel in: TUfind oder in Google

Optionen (nur für Redakteure)

View Item View Item