Empirical analysis of disk sector prefixes for digital forensics

Author

Nathan Joseph Necaise

Issuing Body

Mississippi State University

Advisor

Dandass, Yoginder

Committee Member

Dampier, David

Committee Member

Vaughn, Rayford

Date of Degree

5-5-2007

Document Type

Graduate Thesis - Open Access

Major

Computer Science

Degree Name

Master of Science

College

James Worth Bagley College of Engineering

Department

Department of Computer Science and Engineering

Abstract

Forensic analysis on a media with fragmented and deleted files is a difficult task. There is a lack of tools and techniques that can accurately and quickly detect fragmented suspect files. Fragmented file data that resides in slack space is often overlooked by digital forensic tools. This thesis proposes to use a prefix signature of 4, 8, 16, or 32 bytes instead of either a complete sector comparison or a hash of the complete sector. The experiments show that the 32 byte has as much discrimination as an MD5 or SHA hash in uniquely identifying a sector. It is shown that the false positive rate does not exceed 10% for prefix signature sizes of 32, 16, and 8 bytes. Also the difference in false positive rates for the 32 and 16 byte prefixes does not exceed 25% as compared to MD5 and SHA hashes.

URI

https://hdl.handle.net/11668/15015

Recommended Citation

Necaise, Nathan Joseph, "Empirical analysis of disk sector prefixes for digital forensics" (2007). Theses and Dissertations. 1864.
https://scholarsjunction.msstate.edu/td/1864