A comparative analysis about similarity search strategies for digital forensics investigations
Vitor Hugo Galhardo Moia, Marco Aurelio A. Henriques

DOI: 10.14209/sbrt.2017.115
Event: XXXV Simpósio Brasileiro de Telecomunicações e Processamento de Sinais (SBrT2017)
Keywords: Digital forensics, Approximate matching, similarity hash, similarity search, sdhash, ssdeep
Abstract
The Known File Filtering method separates relevant from non-relevant information in forensic investigations using white or black lists of file hashes. Because conventional hash functions cannot detect similar data (a single changed byte yields a completely different hash), approximate matching tools have gained attention recently. However, comparing two sets of approximate matching digests by brute force, i.e. every digest against every other, can be too time-consuming. Strategies to perform lookups in digest databases efficiently have been proposed as a form of similarity search. In this paper, we compare some strategies based on the ssdeep and sdhash tools with respect to precision, memory requirements, and lookup complexity. We show that none of these strategies addresses all of these requirements satisfactorily.
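The following is an added illustration of the two observations in the abstract; it is not code from the paper and the digest it uses is a deliberately simplified content-sampled feature set standing in for ssdeep/sdhash, not either tool's real algorithm or any strategy the paper evaluates. It shows that an exact hash, as used by Known File Filtering, misses a lightly edited copy of a known file while a similarity digest still scores it high, and it counts how many digest comparisons a brute-force lookup costs against a simple inverted index over digest features. The window size, sampling rate, file sizes, seeds and function names are all assumptions made for the example, and the corpus is constructed inline.

```python
"""Added illustration: exact hashes (KFF) vs a toy similarity digest, and
brute-force vs indexed similarity search.  The digest is a simplified
content-sampled feature set, NOT the real ssdeep or sdhash algorithm and
not one of the strategies compared in the paper."""
import hashlib
from collections import defaultdict

WINDOW = 8       # assumption: bytes per feature window
SAMPLE_MOD = 4   # assumption: keep roughly 1 in 4 windows (content-defined sampling)


def pseudo_random_bytes(seed: str, n: int) -> bytes:
    """Deterministic filler so the example runs offline on constructed data."""
    out, counter = b"", 0
    while len(out) < n:
        out += hashlib.sha256(f"{seed}:{counter}".encode()).digest()
        counter += 1
    return out[:n]


def exact_hash(data: bytes) -> str:
    """KFF-style digest: any change to the input changes the whole value."""
    return hashlib.sha256(data).hexdigest()


def similarity_digest(data: bytes) -> frozenset:
    """Set of 64-bit hashes of sampled WINDOW-byte slices.  Whether a slice is
    kept depends only on its own bytes, so an insertion elsewhere in the file
    shifts offsets without discarding the features around it."""
    feats = set()
    for i in range(len(data) - WINDOW + 1):
        h = int.from_bytes(hashlib.blake2b(data[i:i + WINDOW], digest_size=8).digest(), "big")
        if h % SAMPLE_MOD == 0:
            feats.add(h)
    return frozenset(feats)


def similarity_score(a: frozenset, b: frozenset) -> int:
    """Jaccard similarity of two digests scaled to 0..100, like ssdeep/sdhash scores."""
    union = a | b
    return 100 * len(a & b) // len(union) if union else 100


def brute_force_search(query, db, threshold):
    """Compare the query against every stored digest: len(db) comparisons per lookup."""
    hits, comparisons = [], 0
    for name, digest in db:
        comparisons += 1
        score = similarity_score(query, digest)
        if score >= threshold:
            hits.append((name, score))
    return hits, comparisons


def build_index(db):
    """Inverted index: feature -> positions of the digests that contain it."""
    index = defaultdict(set)
    for pos, (_, digest) in enumerate(db):
        for f in digest:
            index[f].add(pos)
    return index


def indexed_search(query, db, index, threshold):
    """Only digests sharing at least one feature with the query are compared."""
    candidates = set()
    for f in query:
        candidates |= index.get(f, set())
    hits, comparisons = [], 0
    for pos in sorted(candidates):
        name, digest = db[pos]
        comparisons += 1
        score = similarity_score(query, digest)
        if score >= threshold:
            hits.append((name, score))
    return hits, comparisons


def demo(threshold: int = 50) -> dict:
    """Constructed corpus: eight unrelated 'known' files plus a query that is
    known file 3 with 10 bytes inserted and a 100-byte region overwritten."""
    known = [(f"known{i}.bin", pseudo_random_bytes(f"file{i}", 2000)) for i in range(8)]
    original = known[3][1]
    query_bytes = (original[:500] + b"INSERTED!!" + original[500:1200]
                   + pseudo_random_bytes("patch", 100) + original[1300:])

    kff_set = {exact_hash(data) for _, data in known}
    db = [(name, similarity_digest(data)) for name, data in known]
    query = similarity_digest(query_bytes)
    index = build_index(db)

    bf_hits, bf_cmp = brute_force_search(query, db, threshold)
    idx_hits, idx_cmp = indexed_search(query, db, index, threshold)
    return {
        "kff_match": exact_hash(query_bytes) in kff_set,  # exact hashing misses the edit
        "brute_hits": bf_hits, "brute_comparisons": bf_cmp,
        "index_hits": idx_hits, "index_comparisons": idx_cmp,
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Running `demo()` shows `kff_match` as False while both searches report `known3.bin` with a high score; brute force performs one comparison per stored digest, whereas the index only touches digests that share a feature with the query. The index trades memory for lookup speed, which is exactly the precision/memory/lookup-complexity trade-off the paper sets out to measure for real ssdeep- and sdhash-based strategies.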
