Using Approximate Matching to Reduce the Volume of Digital Data

Breitinger, Frank ; Winter, Christian ; Yannikos, York ; Fink, Tobias ; Seefried, Michael
eds.: Peterson, Gilbert ; Shenoi, Sujeet (2014)
Using Approximate Matching to Reduce the Volume of Digital Data.
Vienna, Austria
Conference or Workshop Item, Bibliography

Abstract

Forensic investigations are often comparable to finding the needle in the haystack – the agents are overwhelmed with information and need to identify relevant files. To solve this challenge, investigators apply cryptographic hash functions to identify known files automatically. However, cryptographic hashing was never designed for forensic investigations and, due to its security properties, allows only identical files to be detected.

This paper shows the benefits of using approximate matching for this challenge. We set up three test images using Windows XP, Windows 7 and Ubuntu 12.04 and performed several fingerprint-based comparisons, e.g., operating system installations against the ssdeep reference dataset from the National Institute of Standards and Technology (NIST). All comparisons showed a much better identification rate using approximate matching, e.g., in one case the identification rate increased from 1.82% to 23.76%.

Item Type: Conference or Workshop Item
Published: 2014
Editors: Peterson, Gilbert ; Shenoi, Sujeet
Creators: Breitinger, Frank ; Winter, Christian ; Yannikos, York ; Fink, Tobias ; Seefried, Michael
Type of entry: Bibliography
Title: Using Approximate Matching to Reduce the Volume of Digital Data
Language: English
Date: August 2014
Publisher: Springer
Book Title: Advances in Digital Forensics X, 10th IFIP WG 11.9 International Conference on Digital Forensics, Vienna, Austria, January 8–10, 2014
Series: IFIP Advances in Information and Communication Technology
Series Volume: 433
Event Location: Vienna, Austria
Uncontrolled Keywords: Secure Data; Approximate matching, ssdeep, reference dataset, RDS, file identification
Identification Number: TUD-CS-2014-0925
Divisions: LOEWE > LOEWE-Zentren > CASED – Center for Advanced Security Research Darmstadt
LOEWE > LOEWE-Zentren
LOEWE
Date Deposited: 30 Dec 2016 20:23
Last Modified: 17 May 2018 13:02