Sub-file Hashing Strategies for Fast Contraband Detection and Reducing the Impact of Network Bottlenecks on Remote Contraband Detection - School of Computing Seminar Series

Sub-file Hashing Strategies for Fast Contraband Detection

Petra Leimich

Traditional digital forensics processes do not scale well with the huge quantities of data present in a modern investigation, resulting in large investigative backlogs for many law enforcement agencies. Data reduction techniques are required for fast and effective digital forensics triage, and to reduce the time taken to conduct an investigation. This work explores the potential of sub-file cryptographic hashing strategies, where small fragments of files are hashed in lieu of processing the file in its entirety, for contraband detection. Results show that sub-file hashing techniques perform well, particularly on solid state media, while also retaining a high degree of discriminating power. Such strategies may offer an opportunity to take advantage of the performance characteristics of non-mechanical media, streamlining future investigations and greatly reducing investigation times.

Reducing the Impact of Network Bottlenecks on Remote Contraband Detection

Sean McKeown

Cloud-based storage is increasing in popularity, with large volumes of data being stored remotely. Digital forensics investigators examining such systems remotely are limited by bandwidth constraints when accessing this kind of data using traditional tools.
This work explores the potential for sub-file hashing strategies to decrease the time taken to detect contraband on networked storage devices, while maintaining a high degree of accuracy. Results show that sub-file hashing is faster than full file hashing for both LAN and Internet server configurations, with reduced bandwidth heavily favouring sub-file strategies.
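The sketch below is an added example, not code from either talk: it illustrates sub-file hashing as a triage filter for both abstracts above, counting bytes read as a stand-in for disk or network cost. The fragment choice (file size plus the first and last 4 KiB), SHA-256, the full-hash confirmation step, and all file names are assumptions made for the illustration.

```python
import hashlib, os, random, tempfile
from pathlib import Path

FRAG = 4096  # assumed fragment size; the page does not specify one

def subfile_hash(path, frag=FRAG):
    """SHA-256 over size + first and last fragment. Returns (hexdigest, bytes_read)."""
    size = os.path.getsize(path)
    with open(path, "rb") as f:
        data = f.read(frag)
        if size > frag:                      # small files: do not read the overlap twice
            f.seek(max(frag, size - frag))
            data += f.read(frag)
    return hashlib.sha256(size.to_bytes(8, "big") + data).hexdigest(), len(data)

def full_hash(path):
    """Whole-file SHA-256 (read in one go for brevity). Returns (hexdigest, bytes_read)."""
    data = Path(path).read_bytes()
    return hashlib.sha256(data).hexdigest(), len(data)

def triage(paths, known_sub, known_full):
    """Sub-file hash as a cheap filter; full hash only to confirm candidates."""
    hits, candidates, read = [], [], 0
    for p in paths:
        digest, n = subfile_hash(p)
        read += n
        if digest in known_sub:
            candidates.append(p.name)
            digest, n = full_hash(p)
            read += n
            if digest in known_full:
                hits.append(p.name)
    return hits, candidates, read

def demo():
    """Constructed data: reference, renamed copy, look-alike (same size/head/tail), benign."""
    rng, size = random.Random(1), 256 * 1024
    blob = lambda: rng.getrandbits(8 * size).to_bytes(size, "big")
    known = blob()
    files = {"renamed.bin": known, "a.bin": blob(), "b.bin": blob(), "c.bin": blob(),
             "lookalike.bin": known[:FRAG] + bytes(size - 2 * FRAG) + known[-FRAG:]}
    with tempfile.TemporaryDirectory() as d:
        for name, data in {**files, "reference.bin": known}.items():
            Path(d, name).write_bytes(data)
        ref, paths = Path(d, "reference.bin"), [Path(d, n) for n in files]
        result = triage(paths, {subfile_hash(ref)[0]}, {full_hash(ref)[0]})
    return result + (size * len(files),)

if __name__ == "__main__":
    print(demo())
```

The look-alike file passes the sub-file filter but is rejected by the full hash, which is why the sketch confirms candidates before reporting a hit.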