FORSIGS: Forensic Signature Analysis of the Hard Drive for Multimedia File Fingerprints

  • John Haggerty
  • Mark Taylor
Part of the IFIP International Federation for Information Processing book series (IFIPAICT, volume 232)


Computer forensics is emerging as an important tool in the fight against crime. Increasingly, computers are being used to facilitate new criminal activity, or are used in the commission of existing crimes. The networked world has seen an increase in the volume of information that may be shared amongst hosts. This has given rise to major concerns over paedophile activity, and in particular the spread of multimedia files amongst this community. This paper presents a novel scheme for the automated analysis of storage media for digital pictures or files of interest using forensic signatures. The scheme first identifies potential multimedia files of interest and then compares the data to file signatures to ascertain whether a malicious file is resident on the computer. A case study of the forsigs application presented within this paper demonstrates the applicability of the approach for the identification and retrieval of malicious multimedia files.


Hard Drive · Signature Block · Comparison Block · Multimedia File · Signature Search
These keywords were added by machine and not by the authors. This process is experimental and the keywords may be updated as the learning algorithm improves.


Copyright information

© International Federation for Information Processing 2007

Authors and Affiliations

  • John Haggerty (1)
  • Mark Taylor (1)

  1. School of Computing & Mathematical Sciences, Liverpool John Moores University, Liverpool
