Theses and Dissertations
Issuing Body
Mississippi State University
Advisor
Dandass, Yoginder
Committee Member
Dampier, David
Committee Member
Vaughn, Rayford
Date of Degree
5-5-2007
Document Type
Graduate Thesis - Open Access
Major
Computer Science
Degree Name
Master of Science
College
James Worth Bagley College of Engineering
Department
Department of Computer Science and Engineering
Abstract
Forensic analysis on a media with fragmented and deleted files is a difficult task. There is a lack of tools and techniques that can accurately and quickly detect fragmented suspect files. Fragmented file data that resides in slack space is often overlooked by digital forensic tools. This thesis proposes to use a prefix signature of 4, 8, 16, or 32 bytes instead of either a complete sector comparison or a hash of the complete sector. The experiments show that the 32 byte has as much discrimination as an MD5 or SHA hash in uniquely identifying a sector. It is shown that the false positive rate does not exceed 10% for prefix signature sizes of 32, 16, and 8 bytes. Also the difference in false positive rates for the 32 and 16 byte prefixes does not exceed 25% as compared to MD5 and SHA hashes.
URI
https://hdl.handle.net/11668/15015
Recommended Citation
Necaise, Nathan Joseph, "Empirical analysis of disk sector prefixes for digital forensics" (2007). Theses and Dissertations. 1864.
https://scholarsjunction.msstate.edu/td/1864