2014
Conference Paper
Title
Towards a process model for hash functions in digital forensics
Abstract
Handling forensic investigations is becoming more and more difficult as the amount of data that has to be analyzed increases continuously. A common approach to automated file identification is the use of hash functions. The procedure is quite simple: hash all files on a seized device and compare the hashes against a database. Depending on the database, this allows investigators to discard non-relevant files (whitelist) or to detect suspicious ones (blacklist). One can distinguish three kinds of algorithms: (cryptographic) hash functions, bytewise approximate matching and semantic approximate matching (a.k.a. perceptual hashing), where the main difference is the level at which they operate. The last of these operates on the semantic level, while the other two operate on the byte level. Hence, investigators have three different approaches at hand to analyze a device. First, this paper gives a comprehensive overview of existing approaches for bytewise approximate matching in general and for semantic approximate matching of images. Second, we compare implementations and summarize the strengths and weaknesses of all approaches. Third, we show, based on a sample use case, how to integrate these functions into an existing process model, the computer forensics field triage process model.
Author(s)