Authors: Simson Garfinkel, Ph.D. (Naval Postgraduate School), Alex Nelson, Ph.D. (Naval Postgraduate School), Douglas White (NIST), and Vassil Roussev, Ph.D. (University of New Orleans)

DFRWS USA 2010

Abstract

This paper explores the use of purpose-built functions and cryptographic hashes of small data blocks for identifying data in sectors, file fragments, and entire files. It introduces and defines the concept of a “distinct” disk sectorda sector that is unlikely to exist elsewhere except as a copy of the original. Techniques are presented for improved detection of JPEG, MPEG and compressed data; for rapidly classifying the forensic contents of a drive using random sampling; and for carving data based on sector hashes.

Downloads