Towards a Process Model for Hash Functions in Digital Forensics

Authors

Frank Breitinger, University of New HavenFollow
Huajian Liu, Fraunhofer Institute for Systems and Innovation Research
Christian Winter, Fraunhofer Institute for Secure Information Technology
Harald Baier, Hochschule Darmstadt
Alexey Ryibalchenko, Hochschule Darmstadt
Martin Steinebach, Hochschule Darmstadt

Author URLs

Professor Breitinger's Faculty Profile

Professor Breitinger's web page

Professor Breitinger's full bibliography

Document Type

Book Chapter

Publication Date

2014

Subject: LCSH

Computer forensics, Cyber forensics, Hashing (Computer science)

Disciplines

Computer Engineering | Computer Sciences | Electrical and Computer Engineering | Forensic Science and Technology | Information Security

Abstract

Handling forensic investigations gets more and more difficult as the amount of data one has to analyze is increasing continuously. A common approach for automated file identification are hash functions. The proceeding is quite simple: a tool hashes all files of a seized device and compares them against a database. Depending on the database, this allows to discard non-relevant (whitelisting) or detect suspicious files (blacklisting).

One can distinguish three kinds of algorithms: (cryptographic) hash functions, bytewise approximate matching and semantic approximate matching (a.k.a perceptual hashing) where the main difference is the operation level. The latter one operates on the semantic level while both other approaches consider the byte-level. Hence, investigators have three different approaches at hand to analyze a device.

First, this paper gives a comprehensive overview of existing approaches for bytewise and semantic approximate matching (for semantic we focus on images functions). Second, we compare implementations and summarize the strengths and weaknesses of all approaches. Third, we show how to integrate these functions based on a sample use case into one existing process model, the computer forensics field triage process model.

Comments

Purchase book here.

Buy the chapter here.

Find the book in a library.

Find the book, Digital Forensics and Cyber Crime 2013, in the UNH library.

Series title: Lecture Notes of the Institute for Computer Sciences, Social Informatics and Telecommunications Engineering, No. 132.

DOI

10.1007/978-3-319-14289-0_12

Repository Citation

Breitinger, Frank; Liu, Huajian; Winter, Christian; Baier, Harald; Ryibalchenko, Alexey; and Steinebach, Martin, "Towards a Process Model for Hash Functions in Digital Forensics" (2014). Electrical & Computer Engineering and Computer Science Faculty Publications. 66.
https://digitalcommons.newhaven.edu/electricalcomputerengineering-facpubs/66

Publisher Citation

Rybalchenko, A., & Steinebach, M., et al (2014, December). Towards a Process Model for Hash Functions in Digital Forensics. In Gladyshev, P., Marrington, A., and Baggili, I. Digital Forensics and Cyber Crime: Fifth International Conference, ICDF2C 2013, Moscow, Russia, September 26-27, 2013, Revised Selected Papers (Vol. 132, p. 170-186). Springer.