Prof Bill Buchanan B.Buchanan@napier.ac.uk
Professor
Experimental evaluation of disk sector hash comparison for forensic triage using a Bloom filter.
Buchanan, William J; Macfarlane, Richard; Clayton, John
Authors
Rich Macfarlane R.Macfarlane@napier.ac.uk
Associate Professor
John Clayton
Contributors
George Weir
Editor
Michael Daley
Editor
Abstract
There is a problem in the world of digital forensics. The demands on digital forensic investigators and resources will continue to increase as the use of computers and other electronic devices increases, and as the storage capacity of these devices increases. The digital forensic process requires that evidence be identified and examined, and resources to do this are constrained. This is creating a backlog of work as seized media and devices wait to be analysed, and some investigations or checks 'in the field' may be reduced or discarded as impractical. There is a technique which can be used to help quickly to collect and examine data to see if it is of interest. This technique combines statistical sampling and hashes as described by Garfinkel et al (2010). This tool can use a Bloom filter to match the hashes from disk sectors against the stored hashes for a file which is being searched for. The tool was successfully implemented and the Bloom filter false positive rate was as predicted by theory (Roussev, Chen, Bourg, & Richard, 2006) which confirmed that the Bloom filter had been correctly implemented. This tool was written in Python which proved a simple to use programming language. This prototype tool can provide the basis for further work on a practical tool for use in real world digital forensics investigation.
Citation
Buchanan, W. J., Macfarlane, R., & Clayton, J. (2013, June). Experimental evaluation of disk sector hash comparison for forensic triage using a Bloom filter. Presented at Cyberforensics 2013, Cardiff, UK
| Presentation Conference Type | Conference Paper (published) |
|---|---|
| Conference Name | Cyberforensics 2013 |
| Start Date | Jun 10, 2013 |
| End Date | Jun 11, 2013 |
| Publication Date | 2013 |
| Deposit Date | Nov 5, 2013 |
| Publicly Available Date | Dec 31, 2013 |
| Peer Reviewed | Peer Reviewed |
| Book Title | Cyberforensics Perspectives : Proceedings of the 3rd International Conference on Cybercrime, Security and Digital Forensics (Cyberforensics 2013) |
| ISBN | 9780947649975 |
| Keywords | Digital forensics; statistical sampling; hashes; Boom filter; |
| Public URL | http://researchrepository.napier.ac.uk/id/eprint/6466 |
| Publisher URL | https://pureportal.strath.ac.uk/en/publications/cyberforensics-perspectives-proceedings-of-the-3rd-international- |
| Contract Date | Nov 5, 2013 |
Files
Experimental evaluation of disk sector hash comparison for forensic triage using a Bloom filter.
(219 Kb)
PDF
Publisher Licence URL
http://creativecommons.org/licenses/by-nc/4.0/
You might also like
Securing IoT: Mitigating Sybil Flood Attacks with Bloom Filters and Hash Chains
(2024)
Journal Article
A DNA Based Colour Image Encryption Scheme Using A Convolutional Autoencoder
(2023)
Journal Article
Downloadable Citations
About Edinburgh Napier Research Repository
Administrator e-mail: repository@napier.ac.uk
This application uses the following open-source libraries:
SheetJS Community Edition
Apache License Version 2.0 (http://www.apache.org/licenses/)
PDF.js
Apache License Version 2.0 (http://www.apache.org/licenses/)
Font Awesome
SIL OFL 1.1 (http://scripts.sil.org/OFL)
MIT License (http://opensource.org/licenses/mit-license.html)
CC BY 3.0 ( http://creativecommons.org/licenses/by/3.0/)
Powered by Worktribe © 2025
Advanced Search