Theses and Dissertations

Issuing Body

Mississippi State University


Dandass, Yoginder

Committee Member

Dampier, David

Committee Member

Vaughn, Rayford

Date of Degree


Document Type

Graduate Thesis - Open Access


Computer Science

Degree Name

Master of Science


James Worth Bagley College of Engineering


Department of Computer Science and Engineering


Forensic analysis on a media with fragmented and deleted files is a difficult task. There is a lack of tools and techniques that can accurately and quickly detect fragmented suspect files. Fragmented file data that resides in slack space is often overlooked by digital forensic tools. This thesis proposes to use a prefix signature of 4, 8, 16, or 32 bytes instead of either a complete sector comparison or a hash of the complete sector. The experiments show that the 32 byte has as much discrimination as an MD5 or SHA hash in uniquely identifying a sector. It is shown that the false positive rate does not exceed 10% for prefix signature sizes of 32, 16, and 8 bytes. Also the difference in false positive rates for the 32 and 16 byte prefixes does not exceed 25% as compared to MD5 and SHA hashes.