Advisor

Dandass, Yoginder

Committee Member

Dampier, David

Committee Member

Vaughn, Rayford

Date of Degree

5-1-2007

Document Type

Graduate Thesis - Open Access

Abstract

Forensic analysis of media containing fragmented and deleted files is a difficult task. There is a lack of tools and techniques that can accurately and quickly detect fragmented suspect files. Fragmented file data that resides in slack space is often overlooked by digital forensic tools. This thesis proposes using a prefix signature of 4, 8, 16, or 32 bytes instead of either a complete sector comparison or a hash of the complete sector. The experiments show that the 32-byte prefix has as much discrimination as an MD5 or SHA hash in uniquely identifying a sector. It is shown that the false positive rate does not exceed 10% for prefix signature sizes of 32, 16, and 8 bytes. Also, the difference in false positive rates for the 32- and 16-byte prefixes does not exceed 25% as compared to MD5 and SHA hashes.

URI

https://hdl.handle.net/11668/15015
