Blockhashing as a forensic method

Hansen, Kurt-Helge

Hansen, Kurt-Helge

Master thesis

View/Open

master_kh_hansen.pdf (2.238Mb)

URI

http://hdl.handle.net/11250/2424177

Date

2016

Metadata

Show full item record

Collections

Master – Ansatte ved PHS (masterstudier ved andre universitet og høgskoler) [24]

Abstract

In computer forensics investigation, there has always been a battle in which the offenders

find new methods to hide their illegal activity and the investigator find countermeasures

to these methods.

The most common method to use to hide illegal activity is to hide data connected

to the illegal activity by making the material unavailable. There are several methods

to make data less available. These could be techniques to encrypt the content, to hide

the content by using steganography or just erase the compromising files. Erasing data

content is probably the most common method to get rid of compromised data. There

are several techniques to erase data files, but the most common is to use a file explorer

in the operating system to erase the file. Such erasure does not have any impact on the

actual data content, only the file meta-data. More sophisticated tools both erase the file

meta-data and overwrite the file content with other more or less random content.

The most common method, using the file explorer to remove the file from the file

listing is a prerequisite for this project. We call this ordinary file erasure. Files erased

this way will have the content unchanged in an unpredictable time of period, but as the

time goes, more of the erased content and will be overwritten by new files.

There are already methods to reveal file content erased by ordinary file erasure. These

methods include file carving that searches for patterns to make it possible to reveal the

content. File carving is a method if the erased file content is not overwritten, but as the

file content is increasingly overwritten, the file carving method is less relevant. When

files are partially overwritten, there are still possibilities to identify the original content

from the existing fragments.

Technically, it is possible to identify pieces of information compared to other reference

files and research papers have proved this by comparing small pieces of data from

a file system with pieces of data from reference material. The technique is known, but

the problem of implementing this as a forensic method in an investigation has not yet

been solved so far.

In previous work, the technique is demonstrated in relatively small amount of data

and there is no research to implement this as a valid method that ensure the findings

can be used as admissible evidence in court.

The contribution of this work is to conduct a research by using larger datasets and

evaluate block hashing as a forensic valid method. The goal of the proposed project is

to describe a robust methodology to use block-hashing as a forensic method to discover

fragments of previously stored objects.

Publisher

University College Dublin