High-Speed Searhing Targer Data Traces Based on Statistical Sampling for Digital Forensics

Abstract

As technology of manufacturing storage medium advances, data storage capacity has been increasing exponentially. This pervasiveness has made a forensic examination time-consuming and difficult. If a file system of data storage remains intact, an examiner can find files that would be important evidence by analyzing hierarchy, name, time information, etc. of files and folders. However, as anti-forensic techniques such as metadata destruction and disk format are widely known, the data search based on the file system becomes more impractical. Besides, significant evidences could be stored in the unallocated area; investigating the entire area of data storage is still important. The famous methods of exploring the existence of evidence are hash comparison and random sampling. The hash comparison that calculates hash for all sectors and compares them can detect all fragments of the evidence. However, it requires an enormous amount of time and computing resources. Whereas the random sampling takes much less time as it exploits a portion of data storage, but it involves the risk of false-negative; this fact is critical to forensic examiners. In this paper, we blend the merits of both methods to make false-negative zero and to reduce the processing time extremely at the same time. We use 16-byte values in a sector instead of traditional hash to filter out the unmatched sector. The values are statistically selected based on the frequency of occurrence according to offset. The effectiveness of our methodology is evaluated through several experiments.