Philip Penrose
Approaches to the classification of high entropy file fragments.
Penrose, Philip; Macfarlane, Richard; Buchanan, William J
Authors
Rich Macfarlane R.Macfarlane@napier.ac.uk
Associate Professor
Prof Bill Buchanan B.Buchanan@napier.ac.uk
Professor
Abstract
In this paper we propose novel approaches to the problem of classifying high entropy file fragments. We achieve 97% correct classification for encrypted fragments and 78% for compressed. Although classification of file fragments is central to the science of Digital Forensics, high entropy types have been regarded as a problem. Roussev and Garfinkel [1] argue that existing methods will not work on high entropy fragments because they have no discernible patterns to exploit. We propose two methods that do not rely on such patterns. The NIST statistical test suite is used to detect randomness in 4KB fragments. These test results were analysed using Support Vector Machines, k-Nearest-Neighbour analysis and Artificial Neural Networks (ANN). We compare the performance of each of these analysis methods. Optimum results were obtained using an ANN for analysis, giving 94% and 74% correct classification rates for encrypted and compressed fragments respectively. We also use the compressibility of a fragment as a measure of its randomness. Correct classification was 76% and 70% for encrypted and compressed fragments respectively. Although it gave poorer results for encrypted fragments, we believe that this method has more potential for future work. We have used subsets of the publicly available GovDocs1 Million File Corpus so that any future research may make valid comparisons with the results obtained here.
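The abstract describes two kinds of fragment feature: NIST SP 800-22 statistical test results and a compressibility measure. The block below is an added example written for this page, not the paper's own code or data. It implements two of the NIST tests (the frequency/monobit test and the runs test), a zlib-based compressibility ratio and byte entropy, and runs them over three constructed 4 KB fragments: word-salad plaintext, a slice cut from a deflate stream, and a SHA-256 counter-mode keystream used as a stand-in for ciphertext (the assumption being that real cipher output behaves the same under these tests). The classifier stage (SVM, kNN, ANN) is not reproduced; the block stops at the feature vector the paper feeds into it.

```python
"""Randomness features for 4 KB file fragments.

Added example for this page (not the paper's code). Implements the NIST
SP 800-22 monobit and runs tests, a zlib compressibility ratio and byte
entropy, then evaluates them on constructed plaintext, compressed and
ciphertext-like fragments. All sample data is constructed inline.
"""
import hashlib
import math
import random
import zlib

FRAGMENT_SIZE = 4096  # the 4 KB fragment size used in the paper


def bits_of(data: bytes) -> list:
    """Unpack bytes into a list of bits, most significant bit first."""
    return [(b >> i) & 1 for b in data for i in range(7, -1, -1)]


def monobit_test(bits) -> float:
    """NIST SP 800-22 frequency (monobit) test; returns the p-value."""
    n = len(bits)
    s = sum(1 if b else -1 for b in bits)      # +1 for each 1, -1 for each 0
    s_obs = abs(s) / math.sqrt(n)
    return math.erfc(s_obs / math.sqrt(2))


def runs_test(bits):
    """NIST SP 800-22 runs test; returns the p-value, or None when the
    monobit prerequisite |pi - 1/2| < 2/sqrt(n) fails (test not applicable)."""
    n = len(bits)
    pi = sum(bits) / n
    if abs(pi - 0.5) >= 2 / math.sqrt(n):
        return None
    v_obs = 1 + sum(1 for k in range(n - 1) if bits[k] != bits[k + 1])
    num = abs(v_obs - 2 * n * pi * (1 - pi))
    den = 2 * math.sqrt(2 * n) * pi * (1 - pi)
    return math.erfc(num / den)


def byte_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte (maximum 8.0)."""
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def compressibility(data: bytes) -> float:
    """Compressed size / original size with zlib level 9. A ratio at or
    above 1.0 means zlib found no redundancy to exploit."""
    return len(zlib.compress(data, 9)) / len(data)


def fragment_features(frag: bytes) -> dict:
    """Feature vector of the kind the paper hands to SVM/kNN/ANN."""
    bits = bits_of(frag)
    return {
        "entropy": byte_entropy(frag),
        "compress_ratio": compressibility(frag),
        "monobit_p": monobit_test(bits),
        "runs_p": runs_test(bits),
    }


# --- constructed sample fragments (not real corpus data) ------------------
def make_plaintext(n_bytes: int, seed: int = 1) -> bytes:
    """Word salad from a small vocabulary, seeded so the run is repeatable."""
    rng = random.Random(seed)
    words = ("forensic fragment entropy block cipher stream file type header "
             "random test suite compress archive image document the of and to").split()
    out, size = [], 0
    while size < n_bytes + 1:
        w = rng.choice(words)
        out.append(w)
        size += len(w) + 1
    return (" ".join(out) + " ").encode()[:n_bytes]


def make_keystream(n_bytes: int, key: bytes = b"example-key") -> bytes:
    """SHA-256 in counter mode: a stand-in for ciphertext (assumption)."""
    out, ctr = b"", 0
    while len(out) < n_bytes:
        out += hashlib.sha256(key + ctr.to_bytes(8, "big")).digest()
        ctr += 1
    return out[:n_bytes]


PLAIN = make_plaintext(FRAGMENT_SIZE)
# a 4 KB slice from the middle of a deflate stream, header excluded
COMPRESSED = zlib.compress(make_plaintext(200_000), 9)[1024:1024 + FRAGMENT_SIZE]
ENCRYPTED = make_keystream(FRAGMENT_SIZE)

if __name__ == "__main__":
    for name, frag in (("plaintext", PLAIN), ("compressed", COMPRESSED),
                       ("encrypted", ENCRYPTED)):
        print(name, fragment_features(frag))
```

Running the block prints the feature vector for each fragment. The plaintext fragment stands out on every feature; the compressed and keystream fragments both sit near 8 bits/byte of entropy and near a compressibility ratio of 1.0, which is the situation the abstract describes: a single randomness score does not separate the two types, and the paper's contribution is to combine many such test results and learn the boundary. The two small vectors used in the test below are the worked examples from the NIST SP 800-22 document, so the p-values can be checked against the published figures.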
Citation
Penrose, P., Macfarlane, R., & Buchanan, W. J. (2013). Approaches to the classification of high entropy file fragments. Digital Investigation, 10(4), 372-384. https://doi.org/10.1016/j.diin.2013.08.004
Journal Article Type | Article |
---|---|
Acceptance Date | Aug 24, 2013 |
Online Publication Date | Oct 3, 2013 |
Publication Date | 2013-12 |
Deposit Date | Nov 5, 2013 |
Publicly Available Date | May 16, 2017 |
Journal | Digital Investigation |
Print ISSN | 1742-2876 |
Electronic ISSN | 1873-202X |
Publisher | Elsevier |
Peer Reviewed | Peer Reviewed |
Volume | 10 |
Issue | 4 |
Pages | 372-384 |
DOI | https://doi.org/10.1016/j.diin.2013.08.004 |
Keywords | Digital forensics; File fragments; Encrypted files; File forensics; Encryption detection; |
Public URL | http://researchrepository.napier.ac.uk/id/eprint/6477 |
Publisher URL | http://dx.doi.org/10.1016/j.diin.2013.08.004 |
Files
Approaches to the classification of high entropy file fragments.
(413 Kb)
PDF