Blockhashing as a forensic method
Abstract
In computer forensics investigation, there has always been a battle in which offenders
find new methods to hide their illegal activity and investigators find countermeasures
to these methods.
The most common way to hide illegal activity is to make the data connected to that
activity unavailable. There are several methods to make data less available: encrypting
the content, hiding it with steganography, or simply erasing the compromising files.
Erasing data content is probably the most common way to get rid of compromising data.
There are several techniques to erase files, but the most common is to use the operating
system's file explorer to delete the file. Such erasure does not change the actual data
content, only the file metadata. More sophisticated tools both erase the file metadata
and overwrite the file content with other, more or less random, content.
This most common method, using the file explorer to remove the file from the file
listing, is the prerequisite for this project. We call this ordinary file erasure. Files
erased this way keep their content unchanged for an unpredictable period of time, but as
time goes by, more and more of the erased content is overwritten by new files.
There are already methods to reveal file content erased by ordinary file erasure. These
include file carving, which searches for patterns that make it possible to reconstruct
the content. File carving works when the erased file content has not been overwritten,
but as the file content is increasingly overwritten, file carving becomes less useful.
When files are partially overwritten, it is still possible to identify the original
content from the remaining fragments.
Technically, it is possible to identify pieces of information by comparing them with
reference files, and research papers have demonstrated this by comparing small pieces
of data from a file system with pieces of data from reference material. The technique
is known, but the problem of implementing it as a forensic method in an investigation
has not yet been solved.
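The comparison described above, in which fixed-size blocks of a file system are hashed and looked up in a hash set built from reference material so that fragments of a partially overwritten file can still be recognised, is illustrated here by an added example. It is not code from the thesis; the 512-byte block size, the SHA-256 hash, the sector-aligned placement of the file in the image, and the constructed reference file and disk image are all assumptions made for the demonstration. Blocks consisting of a single repeated byte value (such as zeroed sectors) are excluded, because they match almost any image and carry no evidential weight.

```python
import hashlib
import random

BLOCK_SIZE = 512  # sector-sized blocks; an assumption for this example


def is_low_entropy(block: bytes) -> bool:
    """A block made of one repeated byte (e.g. an all-zero sector) matches
    everywhere and proves nothing, so it is excluded on both sides."""
    return len(set(block)) <= 1


def block_hashes(data: bytes, block_size: int = BLOCK_SIZE) -> list[tuple[int, str]]:
    """Hash every full, aligned block of data. The trailing partial block is
    skipped: a block hash set is built from complete blocks only."""
    out = []
    for idx, off in enumerate(range(0, len(data) - block_size + 1, block_size)):
        block = data[off:off + block_size]
        if not is_low_entropy(block):
            out.append((idx, hashlib.sha256(block).hexdigest()))
    return out


def build_reference_index(reference_files: dict[str, bytes],
                          block_size: int = BLOCK_SIZE) -> dict[str, list[tuple[str, int]]]:
    """Map block hash -> list of (reference file name, block index)."""
    index: dict[str, list[tuple[str, int]]] = {}
    for name, data in reference_files.items():
        for idx, h in block_hashes(data, block_size):
            index.setdefault(h, []).append((name, idx))
    return index


def scan_image(image: bytes, index: dict[str, list[tuple[str, int]]],
               block_size: int = BLOCK_SIZE) -> list[tuple[int, str, int]]:
    """Hash each aligned block of the image and look it up in the reference
    index. Returns (image_offset, reference_name, reference_block_index)
    for every hit, in image order."""
    hits = []
    for offset in range(0, len(image) - block_size + 1, block_size):
        block = image[offset:offset + block_size]
        if is_low_entropy(block):
            continue
        h = hashlib.sha256(block).hexdigest()
        for name, idx in index.get(h, []):
            hits.append((offset, name, idx))
    return hits


def coverage(hits: list[tuple[int, str, int]], reference_files: dict[str, bytes],
             block_size: int = BLOCK_SIZE) -> dict[str, float]:
    """Fraction of each reference file's blocks recovered from the image."""
    found: dict[str, set[int]] = {}
    for _, name, idx in hits:
        found.setdefault(name, set()).add(idx)
    return {name: len(found.get(name, set())) / max(1, len(data) // block_size)
            for name, data in reference_files.items()}


def build_demo() -> tuple[dict[str, bytes], bytes]:
    """Constructed test data (not real evidence): an 8-block reference file
    written to a small image at block 4, followed by two zeroed sectors,
    after which blocks 2 and 3 of the file are overwritten by newer content,
    modelling ordinary file erasure followed by partial reuse of the space."""
    rng = random.Random(1)
    reference = {"suspect.bin": rng.randbytes(8 * BLOCK_SIZE)}
    image = bytearray(rng.randbytes(4 * BLOCK_SIZE))  # unrelated data first
    image += reference["suspect.bin"]                 # file lands at block 4
    image += bytes(2 * BLOCK_SIZE)                    # zeroed sectors
    start = (4 + 2) * BLOCK_SIZE                      # file blocks 2 and 3
    image[start:start + 2 * BLOCK_SIZE] = rng.randbytes(2 * BLOCK_SIZE)
    return reference, bytes(image)


if __name__ == "__main__":
    refs, img = build_demo()
    hits = scan_image(img, build_reference_index(refs))
    for offset, name, idx in hits:
        print(f"image offset {offset:6d}: block {idx} of {name}")
    print("coverage:", coverage(hits, refs))
```

On the constructed image the scan reports six of the eight reference blocks (indices 0, 1, 4, 5, 6 and 7) at consecutive offsets starting at block 4, so the file is identified at 75 % coverage even though file carving would no longer find it intact. For a real investigation the reference index would be built once from the reference corpus and stored on disk, and the block size would be chosen to match the file system's sector or cluster size so that the aligned-block assumption holds.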
In previous work, the technique has been demonstrated on relatively small amounts of
data, and there is no research on implementing it as a valid method that ensures the
findings can be used as admissible evidence in court.
The contribution of this work is to conduct research using larger datasets and to
evaluate block hashing as a forensically valid method. The goal of the proposed project
is to describe a robust methodology for using block hashing as a forensic method to
discover fragments of previously stored objects.