FORSIGS: Forensic Signature Analysis of the Hard Drive for Multimedia File Fingerprints
Computer forensics is emerging as an important tool in the fight against crime. Increasingly, computers are being used to facilitate new criminal activity, or used in the commission of existing crimes. The networked world has seen increases in both the kinds and the volume of information that may be shared amongst hosts. This has given rise to major concerns over paedophile activity, and in particular the spread of multimedia files amongst this community. This paper presents a novel scheme for the automated analysis of storage media for digital pictures or files of interest using forensic signatures. The scheme first identifies potential multimedia files of interest and then compares their data, block by block, to file signatures to ascertain whether a malicious file is resident on the computer. A case study of the forsigs application presented within this paper demonstrates the applicability of the approach for the identification and retrieval of malicious multimedia files.
Keywords: Hard Drive, Signature, Block Comparison, Block, Multimedia File, Signature Search
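To make the two-stage scheme sketched in the abstract concrete, the following is an added illustration, not the paper's forsigs code: a linear scan carves JPEG candidates from a raw disk image by their start/end markers, then compares each candidate to a signature set on two levels, a whole-file SHA-256 for exact identification and per-block SHA-256 hashes so that a file of interest whose tail has been overwritten is still flagged by the fraction of its blocks that survive. The JPEG markers, the 512-byte block size, the hash function and all sample data are assumptions made for the example; the "disk image" and "known file" are constructed byte strings, not real files.

```python
"""Toy FORSIGS-style scan: carve JPEG candidates from a raw image, then compare
whole-file and per-block SHA-256 hashes against a set of known signatures.
Added example; the block size, hash and sample data are assumptions."""
import hashlib
from typing import List, Set

JPEG_SOI = b"\xff\xd8\xff"   # start-of-image marker (magic bytes)
JPEG_EOI = b"\xff\xd9"       # end-of-image marker
BLOCK_SIZE = 512             # assumed comparison block size (one sector)


def carve_jpegs(image: bytes) -> List[tuple]:
    """Return (offset, data) for every SOI..EOI span found by a linear scan.
    Carving on the first EOI is deliberately simple: real JPEGs can embed a
    thumbnail with its own EOI, so a production carver would parse segments."""
    found, pos = [], 0
    while True:
        start = image.find(JPEG_SOI, pos)
        if start < 0:
            break
        end = image.find(JPEG_EOI, start + len(JPEG_SOI))
        if end < 0:
            break
        end += len(JPEG_EOI)
        found.append((start, image[start:end]))
        pos = end
    return found


def block_hashes(data: bytes) -> List[str]:
    """SHA-256 of each BLOCK_SIZE chunk, measured from the file's own start."""
    return [hashlib.sha256(data[i:i + BLOCK_SIZE]).hexdigest()
            for i in range(0, len(data), BLOCK_SIZE)]


def build_signature(label: str, data: bytes) -> dict:
    """Signature of a file of interest: whole-file hash plus its set of block hashes."""
    return {"label": label,
            "sha256": hashlib.sha256(data).hexdigest(),
            "blocks": set(block_hashes(data))}


def scan_image(image: bytes, signatures: List[dict]) -> List[dict]:
    """For each carved candidate report an exact whole-file match (label or None)
    and the fraction of its blocks present in any signature (partial evidence)."""
    by_hash = {s["sha256"]: s["label"] for s in signatures}
    all_blocks: Set[str] = set().union(*(s["blocks"] for s in signatures))
    report = []
    for offset, data in carve_jpegs(image):
        blocks = block_hashes(data)
        hits = sum(1 for h in blocks if h in all_blocks)
        report.append({
            "offset": offset,
            "length": len(data),
            "file_match": by_hash.get(hashlib.sha256(data).hexdigest()),
            "block_fraction": hits / len(blocks) if blocks else 0.0,
        })
    return report


# --- constructed sample data (not real files) ---
# Payload bytes stay below 0xFF so no spurious EOI marker appears inside them.
KNOWN_FILE = JPEG_SOI + bytes(i % 200 for i in range(1500)) + JPEG_EOI
UNKNOWN_FILE = JPEG_SOI + bytes((i * 7) % 200 for i in range(700)) + JPEG_EOI
# The known file with its tail overwritten by zeros and a stray EOI after it:
# only the two surviving leading blocks should match.
FRAGMENT = KNOWN_FILE[:1024] + b"\x00" * 200 + JPEG_EOI

DISK_IMAGE = (b"\x00" * 300 + KNOWN_FILE + b"\x00" * 77 + UNKNOWN_FILE
              + b"\x00" * 50 + FRAGMENT + b"\x00" * 10)
SIGNATURE_DB = [build_signature("known-file-A", KNOWN_FILE)]

if __name__ == "__main__":
    for hit in scan_image(DISK_IMAGE, SIGNATURE_DB):
        print(hit)
```

Running it reports three candidates: the intact known file (exact match, all blocks present), an unrelated image (no match at any level), and the overwritten fragment, which no whole-file hash would catch but whose leading blocks still match two thirds of the signature. On a real volume the block hashes would be taken at cluster boundaries rather than from the carved file's first byte, and the signature set would come from the examiner's reference corpus.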