Tjoa, "Forensics Investigations of Multimedia Data: A Review of the State-of-the-Art"
- International Conference on IT Security Incident Management and IT Forensics
Cited by 7 (1 self)
Digital forensics is one of the cornerstones to investigate criminal activities such as fraud, computer security breaches or the distribution of illegal content. The importance and relevance of this research field attracted various research institutes, leading to substantial progress in the area of digital investigations. One essential piece of evidence is multimedia data. For this reason this paper provides an overview of the state-of-the-art in the forensic investigation of multimedia data, the relationship between the various research fields and further potential research activities.
A Visual Study of Primitive Binary Fragment Types
, 2010
Cited by 2 (0 self)
We argue that visual analysis of binary data objects such as data files, process memory, and file systems presented as grayscale graphical depictions helps distinguish structurally different regions of data and thus facilitates a wide range of analytic tasks such as fragment classification, file type identification, location of regions of interest, and other tasks that require an understanding of the “primitive” data types the objects contain. We believe that, due to the high visual value of this data presentation, such visual analysis is an invaluable help in low-level study of binary data objects and in understanding their structure, and that tools for such visual analysis belong in the toolkit of every researcher studying binary data. In an effort to facilitate development of such tools, this paper presents a visual study of binary fragments created by common kinds of software, and offers a descriptive taxonomy of primitive binary fragments and their graphical depictions. Although significant research has gone into the study of binary fragments, the depth and breadth of this study to date has been limited. Thus the primary contribution of this paper is an extensible and visual taxonomy to assist and inform researchers conducting low-level analysis of binary objects.
A Novel Support Vector Machine Approach to High Entropy Data Fragment Classification
Cited by 2 (0 self)
A major challenge in digital forensics is the efficient and accurate file type classification of a fragment of evidence data, in the absence of header and file system information. A typical approach to this problem is to classify the fragment based on simple statistics, such as the entropy and the statistical distance of byte histograms. This approach is ineffective when dealing with high entropy data, such as multimedia and compressed files, all of which often appear to be random. We propose a method incorporating a support vector machine (SVM). In particular, we extract feature vectors from the byte frequencies of a given fragment, and use an SVM to predict the type of the fragment under supervised learning. Our method is efficient and achieves high accuracy for high entropy data fragments.
On Improving the Accuracy and Performance of Content-based File Type Identification
- In Proceedings of the 14th Australasian Conference on Information Security and Privacy (ACISP)
Cited by 2 (0 self)
Types of files (text, executables, Jpeg images, etc.) can be identified through file extension, magic number, or other header information in the file. However, these are easy to tamper with or corrupt, so they cannot be trusted as secure ways to identify file types. In the presence of adversaries, analyzing the file content may be a more reliable way to identify file types, but existing approaches of file type analysis still need to be improved in terms of accuracy and speed. Most of them use byte-frequency distribution as a feature in building a representative model of a file type, and apply a distance metric to compare the model with the byte-frequency distribution of the file in question. Mahalanobis distance is the most popular distance metric. In this paper, we propose 1) the cosine similarity as a better metric than Mahalanobis distance in terms of classification accuracy, smaller model size, and faster detection rate, and 2) a new type-identification scheme that applies recursive steps to identify types of files. We compare the cosine similarity to Mahalanobis distance using Wei-Hen Li et al.’s single and multi-centroid modeling techniques, which showed 4.8% and 13.10% improvement in classification accuracy (single and multi-centroid respectively). The cosine similarity showed reduction of the model size by about 90% and improvement in the detection speed by 11%. Our proposed type identification scheme showed 37.78% and 31.47% improvement over Wei-Hen Li’s single and multi-centroid modeling techniques respectively.
FILE CARVING AND MALWARE IDENTIFICATION ALGORITHMS APPLIED TO FIRMWARE REVERSE ENGINEERING
, 2013
"... AFIT-ENG-13-M-46 ..."
Making Sense of Unstructured Memory Dumps from Cell Phones
- CRAG, Haute Ecole de Gestion de Genève
This paper presents an alternative to traditional file carving, targeted to cell phone forensics. The proposed algorithm processes the cell phone memory dump thanks to a previous partial knowledge of the content of the regular files present in the memory dump. The memory dump is decomposed into elementary parts, each part classified according to the file type it is supposed to belong to, and finally ordered in a sequence representing the recovered file. The sequence is then transformed into a real file. This paper presents the first part of the algorithm (model and implementation) and does not cover the reordering of clusters nor the export of the recovered file. A reference to a basic open source software using this technology is provided.
Fast content-based file-type identification
Content-based file-type identification schemes often use byte-frequency distribution as a feature and use statistical and data mining techniques to classify file types. Since those schemes use the entire file content to obtain byte-frequency distribution and use all possible byte patterns in file classification, they are inefficient and time-consuming. This paper proposes two techniques to reduce the classification time. The first method is a feature selection technique, which uses a subset of highly-occurring byte patterns in building the representative model of a file type and classifying files. To evaluate its effectiveness, we applied it to the six most popular classification algorithms (i.e. neural network, linear discriminant analysis, K-means, K-nearest neighbor, decision tree, and support vector machine). On average, the K-nearest neighbor method achieved the optimum accuracy of 90% using only 40% of byte patterns; this reduces 55% of computation time. The second method is the content sampling technique, which uses a small portion of a file to obtain its byte-frequency distribution. It is effective for large size files where a relatively small sample can generate the representative byte frequency distribution. For instance, it reduces the sampling size of MP3 files from 5MB to 400KB (without compromising the accuracy). This is a 15 fold size reduction.
Classification of packet contents for malware detection
Many existing schemes for malware detection are signature-based. Although they can effectively detect known malware, they cannot detect variants of known malware or new ones. Most network servers do not expect executable code in their in-bound network traffic, such as on-line shopping malls, Picasa, Youtube, Blogger, etc. Therefore, such network applications can be protected from malware infection by monitoring their ports to see if incoming packets contain any executable contents. This paper proposes a content-classification scheme that identifies executable content in incoming packets. The proposed scheme analyzes the packet payload in two steps. It first analyzes the packet payload to see if it contains multimedia-type data (such as avi, wmv, jpg). If not, then it classifies the payload either as text-type (such as txt, jsp, asp) or executable. Although in our experiments the proposed scheme shows a low rate of false negatives and positives (4.69% and 2.53%, respectively), the presence of inaccuracies still requires further inspection to efficiently detect the occurrence of malware. In this paper, we also propose simple statistical and combinatorial analysis to deal with false positives and negatives.
Chapter 1 CONTEXT-BASED FILE BLOCK CLASSIFICATION
In computer forensics, carving is an important trick in the digital investigator’s sleeve. Since files are typically stored as sequences of data blocks, the retrieval process basically consists of locating and appropriately collating together the original blocks of each file. Traditional file carving solutions, generally based on signatures of file headers and footers, could be improved by performing a classification of each data block in the storage media as belonging to a given file type. Unfortunately file block classification techniques tend to be far from perfect in terms of accuracy. For an improvement of the classification results the presence of compound files, i.e. files containing sub-portions that are encoded similarly to a different data type, must be taken into account during the classifier preparation. In this work, we demonstrate that this impacts heavily on the performance of file block classifiers. In addition, to generally improve the accuracy of classification, we propose a context-based classification architecture to improve block-by-block classification schemes, by exploiting the contiguity of file blocks belonging to the same file on storage media. The approach is completely general and can be easily applied to any content-based file block classification algorithm.
Taxonomy of Data Fragment Classification Techniques
Several fields of digital forensics (i.e. file carving, memory forensics, network forensics) require the reliable data type classification of digital fragments. Up to now, a multitude of research papers proposing new classification approaches have been published. Within this paper we comprehensively review existing classification approaches and classify