EFFICIENT N-BYTE SLACK SPACE HASHING IN RETRIEVING AND IDENTIFYING PARTIALLY RECOVERED DATA

Ireneusz Jozwiak, Michal Kedziora

2011

Abstract

This paper describes modification of slack space block hashing algorithm which improves performance in the handling with process of identification of recovered data. In our research we relied on hash block algorithm and present improvements which allow increase efficiency by analyzing time reduction. N-Byte Slack Space Hashing is especially useful in data recovery process where due to a file system limitations, it is possible to recover only fragments of data which was erased and partially overwritten. The Algorithm is faster than block hashing and allows to identify partially erased files using modified hash sets.

References

  1. Kornblum, J., 2006. Identifying almost identical files using context triggered piecewise hashing, DFRWS Digital Investigation, Elsevier, 91 -97.
  2. Stein, B., 2005. Fuzzy-Fingerprints for Text-Based Information Retrieval, Bauhaus University Weimar, Germany, Journal of Universal Computer Science, 572-579, ISSN 0948-695.
  3. Bunting, S., 2008. The Official EnCase Certified Examiner Study Guide, Wiley Publishing, ISBN: 978- 0-470-18145-4.
  4. Gladyshev P., 2005. Finite State Machine Analysis of a Blackmail Investigation, International Journal of Digital Evidence, 4(1).
  5. White, D., 2005. NIST National Software Reference Library. National Institute of Standards and Technology.
  6. Menezes, A., 1996. Handbook of Applied Cryptography, CRC Press.
  7. Henson, V., 2003. An Analysis of Compare-by-hash, Ninth Workshop on Hot Topics in Operating Systems HotOS-IX, Lihue, Hawaii, USA.
  8. Microsoft, 2004. Description of the FAT32, ID310524, Microsoft.
  9. Breeuwsma, M., 2007. Forensic Data Recovery from Flash Memory, Small Scale Digital Device Forensics Journal, 1(1).
  10. Berghel, H,. 2007. Hiding data, forensics, and antiforensics, Communications of the ACM.
  11. Microsoft, 2000. FAT: General Overview of On-Disk Format. FAT32 File System Specification, Version 1.03.
  12. Casey, E., 2004. Tool Review-WinHex. Journal of Digital Investigation, 1(2).
Download


Paper Citation


in Harvard Style

Jozwiak I. and Kedziora M. (2011). EFFICIENT N-BYTE SLACK SPACE HASHING IN RETRIEVING AND IDENTIFYING PARTIALLY RECOVERED DATA . In Proceedings of the 6th International Conference on Software and Database Technologies - Volume 1: ICSOFT, ISBN 978-989-8425-76-8, pages 309-312. DOI: 10.5220/0003605703090312


in Bibtex Style

@conference{icsoft11,
author={Ireneusz Jozwiak and Michal Kedziora},
title={EFFICIENT N-BYTE SLACK SPACE HASHING IN RETRIEVING AND IDENTIFYING PARTIALLY RECOVERED DATA},
booktitle={Proceedings of the 6th International Conference on Software and Database Technologies - Volume 1: ICSOFT,},
year={2011},
pages={309-312},
publisher={SciTePress},
organization={INSTICC},
doi={10.5220/0003605703090312},
isbn={978-989-8425-76-8},
}


in EndNote Style

TY - CONF
JO - Proceedings of the 6th International Conference on Software and Database Technologies - Volume 1: ICSOFT,
TI - EFFICIENT N-BYTE SLACK SPACE HASHING IN RETRIEVING AND IDENTIFYING PARTIALLY RECOVERED DATA
SN - 978-989-8425-76-8
AU - Jozwiak I.
AU - Kedziora M.
PY - 2011
SP - 309
EP - 312
DO - 10.5220/0003605703090312