Guest Research Lecture: Small Block Forensics and Disk Triage

16/11/2011 F.27, 11am

Abstract: As disk sizes increase, typically to many hundreds of gigabytes or even terabytes, the time taken to analyse disks has increased to almost unmanageable levels. There is thus a need for disk triage that samples within disk blocks. In this way a disk can be analysed for its likely content simply by performing a randomized scan of the disk.

This presentation will provide an outline of how file content can be detected either by analysing the file metadata/headers, or by analysing common data signatures contained within small data blocks. Using the methods defined in [1], the presentation shows how data can be sampled from within small data blocks, and how this can be used to reveal the actual contents of data within a disk infrastructure.

In areas such as border control, the fast detection of certain types of content or specific media content is important, especially with encrypted files on disks. The presentation will show how Bloom filters can be used to perform disk triage using tables of hash signatures for byte blocks.

[1] Simson Garfinkel, Alex Nelson, Douglas White, Vassil Roussev, Using purpose-built functions and block hashes to enable small block and sub-file forensics, Digital Investigation, Volume 7, Supplement, August 2010, Pages S13-S23, ISSN 1742-2876, 10.1016/j.diin.2010.05.003.
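
The Bloom-filter triage outlined in the abstract, as an added sketch that is not taken from the lecture or from [1]: a filter is built from hashes of the blocks of known files, then randomly chosen sectors of a disk image are hashed and tested against it. The 512-byte block size, SHA-256, the filter parameters, all function names and the sample data are assumptions made for this illustration, and the known file is assumed to sit on a sector boundary.

```python
import hashlib
import random

BLOCK = 512  # assumed block size (one disk sector)

class BloomFilter:
    def __init__(self, m_bits=1 << 16, k=4):
        self.m, self.k = m_bits, k
        self.bits = bytearray(m_bits // 8)

    def _positions(self, block):
        # Derive k bit positions from 4-byte slices of one SHA-256 digest.
        d = hashlib.sha256(block).digest()
        return [int.from_bytes(d[4 * i:4 * i + 4], "big") % self.m for i in range(self.k)]

    def add(self, block):
        for p in self._positions(block):
            self.bits[p // 8] |= 1 << (p % 8)

    def __contains__(self, block):
        # True means "probably known" (false positives possible, no false negatives).
        return all(self.bits[p // 8] >> (p % 8) & 1 for p in self._positions(block))

def blocks(data):
    return [data[i:i + BLOCK] for i in range(0, len(data) - BLOCK + 1, BLOCK)]

def build_filter(known_files):
    bf = BloomFilter()
    for f in known_files:
        for b in blocks(f):
            bf.add(b)
    return bf

def triage(image, bf, n_samples, seed=0):
    """Test n_samples randomly chosen sectors; return sorted indices that hit the filter."""
    total = len(image) // BLOCK
    picks = random.Random(seed).sample(range(total), min(n_samples, total))
    return sorted(i for i in picks if image[i * BLOCK:(i + 1) * BLOCK] in bf)

def make_bytes(seed, n):
    r = random.Random(seed)
    return bytes(r.getrandbits(8) for _ in range(n))

# Constructed sample data: an 8-sector "known file" placed at sector 20 of a 64-sector image.
KNOWN = make_bytes(1, 8 * BLOCK)
IMAGE = make_bytes(2, 20 * BLOCK) + KNOWN + make_bytes(3, 36 * BLOCK)
FILTER = build_filter([KNOWN])

if __name__ == "__main__":
    print("hits when sampling 16 of 64 sectors:", triage(IMAGE, FILTER, 16))
```

A hit only says the sampled sector probably matches a known block; confirming it against the full hash table is a separate step.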

Associated people

William Buchanan
Director of CDCS
+44 131 455 2759
Electronic information now plays a vital role in almost every aspect of our daily lives. So the need for a secure and trustworthy online infrastructure is more important than ever. Without it, not only the growth of the internet but our personal interactions and the economy itself could be at risk.