• DocumentCode
    2820816
  • Title
    An Automatic Identification of a Damaged Malicious File Using HMM against Anti-Forensics
  • Author
    Ryu, Dongju ; Minsoo Kim ; Kim, Yong-Min
  • Author_Institution
    Mokpo Univ., UNETsystem Corp., Chonnam
  • Volume
    1
  • fYear
    2008
  • fDate
    2-4 Sept. 2008
  • Firstpage
    177
  • Lastpage
    184
  • Abstract
    These days, the increasing use of the Internet has brought many attempts to steal personal information. These unlawful users usually hide or destroy the evidence of their crimes to avoid arrest, which hampers investigation. To cope with this, investigators use various methods to find evidence, and forensic investigation techniques are also developing. Forensic tools can recover a deleted file even when the disk has been formatted. However, it is hard to determine the original attributes when the header of a file is damaged. Data carving partly supports restoration, but it cannot find the attributes of clusters at a small unit size. In this paper, we study a way to find the attributes of the original file even from small clusters. We also present a method to decide whether a damaged file is malicious by analyzing the properties of the executable file. We use HMM (hidden Markov model) modeling techniques for the automatic detection method, and propose an estimation method to identify malicious file information. Finally, we test the whole process of analyzing clusters after formatting a real system with an attack code designed to disturb its recovery.
  • Keywords
    Internet; hidden Markov models; security of data; HMM; Internet; anti-forensics; automatic file identification; damaged malicious file; forensics investigation; hidden Markov model; personal information; Accidents; Computer networks; Forensics; Hidden Markov models; IP networks; Information management; Information technology; Internet; Layout; System testing; Anti-Forensics; Damaged Malicious File; File Recovery; Forensics; Identification File Type;
  • fLanguage
    English
  • Publisher
    ieee
  • Conference_Titel
    Networked Computing and Advanced Information Management, 2008. NCM '08. Fourth International Conference on
  • Conference_Location
    Gyeongju
  • Print_ISBN
    978-0-7695-3322-3
  • Type
    conf
  • DOI
    10.1109/NCM.2008.255
  • Filename
    4624000