Isabel Maria Sebastian, Noushida A, SafaSaifudeen and Surekha Mariam Varghese
Mar Athanasius College of Engineering, India
File carving is a popular method used for digital investigations for detecting the presence of specific target files on digital media. Hash based sector hashing helps to identify the presence of a target file. The hashes of physical sectors of the media iscompared to the database of hashes created by hashing every block of the target files. To enable this, instead of evaluatingthe hashes of entire files, the hashes of individual data blocks is used for evaluation. Hash-based carving helps to identify fragmented files, files that are incomplete or that have been partially modified. To address the problem of High false identification rate and non-probative blocks, a HASH-SETS algorithm that can help in identification of files and the HASH-RUNS algorithm thathelps in reassemblingthe files is used. This technique is demonstrated using the forensic tool: bulk_extractor along with a hash database: the hashdb and an algorithm implementation written in Python.
Forensics investigation, hash-based carving, HASH-SETS, HASH-RUNS algorithms, Sector hashing