Towards a Process Model for Hash Functions in Digital Forensics

  • Frank Breitinger
  • Huajian Liu
  • Christian Winter
  • Harald Baier
  • Alexey Rybalchenko
  • Martin Steinebach
Conference paper

DOI: 10.1007/978-3-319-14289-0_12

Part of the Lecture Notes of the Institute for Computer Sciences, Social Informatics and Telecommunications Engineering book series (LNICST, volume 132)
Cite this paper as:
Breitinger F., Liu H., Winter C., Baier H., Rybalchenko A., Steinebach M. (2014) Towards a Process Model for Hash Functions in Digital Forensics. In: Gladyshev P., Marrington A., Baggili I. (eds) Digital Forensics and Cyber Crime. ICDF2C 2013. Lecture Notes of the Institute for Computer Sciences, Social Informatics and Telecommunications Engineering, vol 132. Springer, Cham

Abstract

Handling forensic investigations gets more and more difficult as the amount of data one has to analyze is increasing continuously. A common approach for automated file identification are hash functions. The proceeding is quite simple: a tool hashes all files of a seized device and compares them against a database. Depending on the database, this allows to discard non-relevant (whitelisting) or detect suspicious files (blacklisting).

One can distinguish three kinds of algorithms: (cryptographic) hash functions, bytewise approximate matching and semantic approximate matching (a.k.a perceptual hashing) where the main difference is the operation level. The latter one operates on the semantic level while both other approaches consider the byte-level. Hence, investigators have three different approaches at hand to analyze a device.

First, this paper gives a comprehensive overview of existing approaches for bytewise and semantic approximate matching (for semantic we focus on images functions). Second, we compare implementations and summarize the strengths and weaknesses of all approaches. Third, we show how to integrate these functions based on a sample use case into one existing process model, the computer forensics field triage process model.

Keywords

Digital forensics Hashing Similarity hashing Robust hashing Perceptual hashing Approximate matching Process model 

Copyright information

© Institute for Computer Sciences, Social Informatics and Telecommunications Engineering 2014

Authors and Affiliations

  • Frank Breitinger
    • 1
  • Huajian Liu
    • 2
  • Christian Winter
    • 2
  • Harald Baier
    • 1
  • Alexey Rybalchenko
    • 1
  • Martin Steinebach
    • 2
  1. 1.da/sec - Biometrics and Internet Security Research Group, Hochschule DarmstadtDarmstadtGermany
  2. 2.Fraunhofer Institute for Secure Information TechnologyDarmstadtGermany

Personalised recommendations