Authors: Thomas Göbel (Universität der Bundeswehr München), Frieder Uhlig (Technical University Darmstadt), Harald Baier (Universität der Bundeswehr München) and Frank Breitinger (University of Lausanne)
DFRWS USA 2022
Abstract
An important challenge in a contemporary digital forensic investigation is dealing with the huge amount of data that needs to be processed. Similarity hashing, also referred to as approximate matching, plays a pivotal role in digital forensics in solving this challenge. For instance approximate matching algorithms are used for similarity assessment, clustering of different digital artifacts, finding fragments and embedded object detection, respectively. Since the presentation of ssdeep and hence the introduction of approximate matching to the digital forensic community, a variety of different algorithms have been proposed such as sdhash, mrsh-v2, or TLSH. In order to review strengths and weaknesses of an approximate matching algorithm (e.g., in terms of different aspects like run time efficiency, fragment detection, resistance against obfuscation attacks), a reproducible and easy-to-use assessment is indispensable. Back in 2013 a first framework called FRASH was presented to contribute to solve this issue. In this paper, we provide an up-to-date view on the problem of evaluating approximate matching algorithms with respect to both the conceptual and the practical aspects. With respect to the practical view we present the open-source approximate matching test framework FRASHER for a comprehensive evaluation of modern similarity hashing algorithms. We extend FRASH and adapt it to a modern environment, e.g., with respect to the implementation, the automation of the evaluation process, the usability and its modular architecture. The modular design enables an easy and usable integration of new approximate matching algorithms into the framework. As we provide an updated and extended release of FRASH we call our framework FRASHER. With respect to the conceptual aspect, we present and discuss meaningful test cases. As a proof of concept, we assess the most relevant similarity digest algorithms in terms of sample important test cases.