File Fragment Analysis Using Normalized Compression Distance - Advances in Digital Forensics IX
Conference Papers Year : 2013

File Fragment Analysis Using Normalized Compression Distance

Abstract

The first step when recovering deleted files using file carving is to identify the file type of a block, also called file fragment analysis. Several researchers have demonstrated the applicability of Kolmogorov complexity methods such as the normalized compression distance (NCD) to this problem. NCD methods compare the results of compressing a pair of data blocks with the compressed concatenation of the pair. One parameter that is required is the compression algorithm to be used. Prior research has identified the NCD compressor properties that yield good performance. However, no studies have focused on its applicability to file fragment analysis. This paper describes the results of experiments on a large corpus of files and file types with different block lengths. The experimental results demonstrate that, in the case of file fragment analysis, compressors with the desired properties do not perform statistically better than compressors with less computational complexity.
Fichier principal
Vignette du fichier
978-3-642-41148-9_12_Chapter.pdf (1.45 Mo) Télécharger le fichier
Origin Files produced by the author(s)
Loading...

Dates and versions

hal-01460604 , version 1 (07-02-2017)

Licence

Identifiers

Cite

Stefan Axelsson, Kamran Ali Bajwa, Mandhapati Venkata Srikanth. File Fragment Analysis Using Normalized Compression Distance. 9th International Conference on Digital Forensics (DF), Jan 2013, Orlando, FL, United States. pp.171-182, ⟨10.1007/978-3-642-41148-9_12⟩. ⟨hal-01460604⟩
60 View
161 Download

Altmetric

Share

More