Blockhashing as a forensic method
In computer forensic investigation there has always been a battle in which offenders find new methods to hide their illegal activity and investigators find countermeasures to those methods. The most common way to hide illegal activity is to make the data connected to it unavailable. There are several ways to make data less available: encrypting the content, hiding it with steganography, or simply erasing the compromising files. Erasing data is probably the most common way to get rid of compromising material. There are several techniques for erasing files, but the most common is to use the operating system's file explorer to delete the file. Such deletion has no impact on the actual data content, only on the file metadata. More sophisticated tools erase the file metadata and also overwrite the file content with other, more or less random, content. The most common method, using the file explorer to remove the file from the file listing, is the prerequisite for this project; we call this ordinary file erasure. Files erased this way keep their content unchanged for an unpredictable period of time, but as time passes, more and more of the erased content is overwritten by new files. Methods already exist to reveal file content erased by ordinary file erasure. These include file carving, which searches for patterns in order to reveal the content. File carving works when the erased file content has not been overwritten, but as more of the content is overwritten, file carving becomes less relevant. When files are only partially overwritten, it is still possible to identify the original content from the remaining fragments.
Technically, it is possible to identify pieces of information by comparing them with reference files, and research papers have demonstrated this by comparing small pieces of data from a file system with pieces of data from reference material. The technique is known, but the problem of implementing it as a forensic method in an investigation has not yet been solved. In previous work the technique has been demonstrated on relatively small amounts of data, and there is no research on implementing it as a valid method that ensures the findings can be used as admissible evidence in court. The contribution of this work is to conduct research using larger datasets and to evaluate block hashing as a forensically valid method. The goal of the proposed project is to describe a robust methodology for using block hashing as a forensic method to discover fragments of previously stored objects.
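To make the block-hashing idea behind this abstract concrete, the following is an added example (not code from the thesis or its author): it builds a hash index over sector-sized blocks of constructed reference files, scans a constructed disk image in which one reference file was written and then partially overwritten, and reports how many reference blocks survive and where they sit. The block size, the sector-aligned scan, and the heuristic that discards blocks consisting of a single repeated byte (zero padding, for instance, which would match across unrelated files) are all assumptions of this example, not parameters taken from the page.

```python
import hashlib
import random
from collections import defaultdict

BLOCK_SIZE = 512  # assumption: sector-sized blocks, scanned on sector boundaries


def block_hash(block):
    """SHA-256 of one block; the digest is the lookup key in the reference index."""
    return hashlib.sha256(block).hexdigest()


def is_low_value(block):
    """Heuristic (assumed here): a block made of one repeated byte recurs in many
    unrelated files, so a match on it is not evidence of a specific object."""
    return len(set(block)) <= 1


def build_reference_index(reference_files):
    """Map block hash -> list of (reference name, block index).
    Returns the index and, per reference, how many blocks were indexed."""
    index = defaultdict(list)
    totals = {}
    for name, data in reference_files.items():
        n_blocks = len(data) // BLOCK_SIZE  # trailing partial block is not indexed
        totals[name] = 0
        for i in range(n_blocks):
            block = data[i * BLOCK_SIZE:(i + 1) * BLOCK_SIZE]
            if is_low_value(block):
                continue
            index[block_hash(block)].append((name, i))
            totals[name] += 1
    return index, totals


def scan_image(image, index, totals):
    """Hash every sector-aligned block of the image and look it up in the index.
    Returns, per reference object, the number of distinct reference blocks found,
    the fraction of its indexed blocks that survived, and the first matching offset."""
    hits = defaultdict(set)      # name -> set of reference block indices seen
    offsets = defaultdict(list)  # name -> image offsets where a block matched
    for off in range(0, len(image) - BLOCK_SIZE + 1, BLOCK_SIZE):
        h = block_hash(image[off:off + BLOCK_SIZE])
        for name, i in index.get(h, ()):
            hits[name].add(i)
            offsets[name].append(off)
    report = {}
    for name, total in totals.items():
        found = len(hits[name])
        report[name] = {
            "blocks_total": total,
            "blocks_found": found,
            "fraction": found / total if total else 0.0,
            "first_offset": min(offsets[name]) if offsets[name] else None,
        }
    return report


def make_demo():
    """Constructed sample data: two reference files and a 64-sector image in which
    suspect.bin was written at sector 10 and its last three sectors later overwritten."""
    rng = random.Random(1)

    def rand_bytes(n):
        return bytes(rng.getrandbits(8) for _ in range(n))

    reference = {
        # 7 random blocks followed by one all-zero padding block (excluded from the index)
        "suspect.bin": rand_bytes(7 * BLOCK_SIZE) + bytes(BLOCK_SIZE),
        "unrelated.bin": rand_bytes(4 * BLOCK_SIZE),
    }
    image = bytearray(rand_bytes(64 * BLOCK_SIZE))
    image[10 * BLOCK_SIZE:18 * BLOCK_SIZE] = reference["suspect.bin"]
    image[15 * BLOCK_SIZE:18 * BLOCK_SIZE] = rand_bytes(3 * BLOCK_SIZE)  # new data overwrites the tail
    image[40 * BLOCK_SIZE:43 * BLOCK_SIZE] = bytes(3 * BLOCK_SIZE)       # unrelated zero-filled sectors
    return reference, bytes(image)


def run_demo():
    reference, image = make_demo()
    index, totals = build_reference_index(reference)
    return scan_image(image, index, totals)


if __name__ == "__main__":
    for name, stats in run_demo().items():
        print(name, stats)
```

In the constructed image five of the seven indexed blocks of suspect.bin are still present at sector 10, the three overwritten blocks are reported as missing, the zero-filled sectors produce no match because the padding block was never indexed, and unrelated.bin scores zero. The sector-aligned scan is what keeps the method tractable on large images; if an object could have been stored at an arbitrary byte offset, the scan would have to slide one byte at a time, which is the kind of cost and accuracy trade-off a methodology for larger datasets has to settle.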