DocumentCode
2315552
Title
Effective whitelisting for filesystem forensics
Author
Chawathe, Sudarshan S.
Author_Institution
Dept. of Comput. Sci., Univ. of Maine, Orono, ME
fYear
2009
fDate
8-11 June 2009
Firstpage
131
Lastpage
136
Abstract
Forensic analysis of the large filesystems commonly found on current computers requires an effective method for categorizing and prioritizing files so that the investigator is not overwhelmed. A key technique for this purpose is whitelisting files, i.e., skipping the detailed analysis of any file that matches an entry in a well-known reference collection. Effective use of this technique requires an efficient method for matching files that detects not only exact matches but also near or approximate matches. This paper outlines the requirements for such matching, formalizes them as the bounded best-match and approximate bounded near-match problems, and describes methods for solving them. In particular, the approximate bounded near-match problem is mapped to the problem of finding near neighbors in a high-dimensional metric space and solved using locality-sensitive hashing.
Keywords
digital signatures; file organisation; pattern matching; approximate bounded near-match problem; categorization; file matching; filesystem forensic analysis; high-dimensional metric space; locality-sensitive hashing; signature-based methods; whitelist matching; Application software; Extraterrestrial measurements; Flash memory; Forensics; Hard disks; Inspection; Nonvolatile memory; Operating systems; Software systems; Solid state circuits;
fLanguage
English
Publisher
ieee
Conference_Titel
2009 IEEE International Conference on Intelligence and Security Informatics (ISI '09)
Conference_Location
Dallas, TX
Print_ISBN
978-1-4244-4171-6
Electronic_ISBN
978-1-4244-4173-0
Type
conf
DOI
10.1109/ISI.2009.5137284
Filename
5137284
Link To Document
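The two-stage matching the abstract describes (an exact whitelist lookup, then a bounded near-match search answered with locality-sensitive hashing) can be illustrated with the following added example. It is not code from the paper: the feature vector (a feature-hashed byte-bigram histogram), the hash family (random-hyperplane cosine LSH with banding), the parameters N_BUCKETS, N_BITS, BAND_BITS and SEED, the similarity bound, and the sample files are all assumptions made here to show the mechanics, not the paper's own choices. The "bound" is the minimum similarity a candidate must reach before a file is treated as a near match and skipped.

```python
"""Added example: exact whitelisting plus approximate bounded near-match via LSH."""
import hashlib
import math
import random
from collections import Counter, defaultdict

# Parameters assumed for this example (not values from the paper).
N_BUCKETS = 1024   # feature-hashed byte-bigram histogram dimensionality
N_BITS = 64        # random-hyperplane signature length
BAND_BITS = 8      # bits per LSH band, so 64 / 8 = 8 bands
SEED = 2009        # fixed seed so the hyperplanes are reproducible


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def bigram_histogram(data: bytes) -> list:
    """Normalised histogram of byte bigrams, feature-hashed into N_BUCKETS bins."""
    vec = [0.0] * N_BUCKETS
    n = len(data) - 1
    if n <= 0:
        return vec
    counts = Counter()
    for i in range(n):
        bigram = (data[i] << 8) | data[i + 1]
        # Fibonacci hashing folds the 16-bit bigram into a 10-bit bucket index.
        counts[((bigram * 0x9E3779B1) & 0xFFFFFFFF) >> 22] += 1
    for bucket, c in counts.items():
        vec[bucket] = c / n
    return vec


def cosine(a, b) -> float:
    dot = sum(x * y for x, y in zip(a, b))
    na = math.sqrt(sum(x * x for x in a))
    nb = math.sqrt(sum(y * y for y in b))
    return dot / (na * nb) if na and nb else 0.0


class NearMatchIndex:
    """Exact whitelist (SHA-256 set) plus a cosine-LSH index for near matches."""

    def __init__(self, min_similarity: float):
        self.min_similarity = min_similarity    # the bound in "bounded near-match"
        rng = random.Random(SEED)
        self.planes = [[rng.gauss(0.0, 1.0) for _ in range(N_BUCKETS)]
                       for _ in range(N_BITS)]
        self.exact = {}                         # sha256 -> reference name
        self.vectors = {}                       # reference name -> histogram
        self.buckets = defaultdict(set)         # (band, bits) -> reference names

    def _signature(self, vec):
        # One bit per hyperplane: which side of the plane the vector lies on.
        return tuple(int(sum(p * v for p, v in zip(plane, vec)) >= 0.0)
                     for plane in self.planes)

    def _band_keys(self, sig):
        for band in range(N_BITS // BAND_BITS):
            yield (band, sig[band * BAND_BITS:(band + 1) * BAND_BITS])

    def add(self, name: str, data: bytes) -> None:
        self.exact[sha256_hex(data)] = name
        vec = bigram_histogram(data)
        self.vectors[name] = vec
        for key in self._band_keys(self._signature(vec)):
            self.buckets[key].add(name)

    def classify(self, data: bytes):
        """Return ('exact', name, 1.0), ('near', name, sim) or ('unknown', None, best)."""
        digest = sha256_hex(data)
        if digest in self.exact:                # stage 1: exact whitelist hit
            return ("exact", self.exact[digest], 1.0)
        vec = bigram_histogram(data)
        candidates = set()                      # stage 2: LSH candidate retrieval
        for key in self._band_keys(self._signature(vec)):
            candidates |= self.buckets.get(key, set())
        best_name, best_sim = None, 0.0
        for name in candidates:                 # verify candidates against the bound
            sim = cosine(vec, self.vectors[name])
            if sim > best_sim:
                best_name, best_sim = name, sim
        if best_name is not None and best_sim >= self.min_similarity:
            return ("near", best_name, best_sim)
        return ("unknown", None, best_sim)


def _constructed_samples():
    """Constructed sample files: a reference, a lightly patched copy, an unrelated blob."""
    rng = random.Random(42)
    words = [b"mount", b"/dev/sda1", b"ext4", b"rw", b"noatime", b"#", b"fstab", b"\n"]
    reference = b" ".join(rng.choice(words) for _ in range(1500))   # roughly 9 KB
    patched = bytearray(reference)
    for pos in rng.sample(range(len(patched)), 20):   # 20 single-byte edits
        patched[pos] = ord("X")
    unrelated = bytes(range(32)) * 300                # shares no raw bigrams
    return reference, bytes(patched), unrelated


def demo() -> dict:
    reference, patched, unrelated = _constructed_samples()
    index = NearMatchIndex(min_similarity=0.95)
    index.add("known-good fstab", reference)
    return {
        "identical": index.classify(reference)[0],
        "patched": index.classify(patched)[0],
        "unrelated": index.classify(unrelated)[0],
    }


if __name__ == "__main__":
    print(demo())
```

The verification step after candidate retrieval matters: LSH only narrows the search, and banding can surface a false candidate, so the final decision to skip a file must rest on the real similarity against the bound, never on a bucket collision alone. Tighten `min_similarity` or increase `BAND_BITS` when a false near-match (skipping a tampered file) is costlier than an extra detailed analysis.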