基于磁盘碎片熵值特征的文件雕刻算法研究

doi:10.3969/j.issn.1000-3428.2012.16.010

计算机工程 ›› 2012, Vol. 38 ›› Issue (16): 40-43. doi: 10.3969/j.issn.1000-3428.2012.16.010

基于磁盘碎片熵值特征的文件雕刻算法研究

李炳龙 ¹，暴占彪 ²，王鲁 ¹，王清贤 ¹

(1. 解放军信息工程大学电子技术学院，郑州 450004；2. 河南财经政法大学现代教育技术中心，郑州 450002)

收稿日期:2011-12-12 修回日期:2012-03-02 出版日期:2012-08-20 发布日期:2012-08-17
作者简介:李炳龙(1974－)，男，副教授、博士，主研方向：数字取证，信息系统容灾理论与技术；暴占彪，讲师；王鲁，副教授；王清贤，教授、博士生导师
基金资助:
国家自然科学基金资助项目(60903220)；郑州市科技攻关计划基金资助项目“基于内存及存储介质的网络取证调查系统”；解放军信息工程大学校博士启动基金资助项目(42413621V)

Research on File Carving Algorithm Based on Disk Fragment Entropy Value Feature

LI Bing-long ¹, BAO Zhan-biao ², WANG Lu¹, WANG Qing-xian ¹

(1. Institute of Electronic Technology, PLA Information Engineering University, Zhengzhou 450004, China; 2. Modern Education Technology Center, Henan University of Economics and Law, Zhengzhou 450002, China)

Received:2011-12-12 Revised:2012-03-02 Online:2012-08-20 Published:2012-08-17

摘要/Abstract

摘要：

为获取受损存储介质或者有意隐藏在存储介质中的数字证据，设计一种文档碎片熵值特征提取算法，以区分不同文件类型文档碎片的熵值范围。在该算法的基础上，结合文件在存储介质中的存储位置特性，设计碎片文件雕刻框架，提出基于碎片熵值特征的文件雕刻算法。实验结果表明，与现有雕刻算法相比，该算法能够更有效地雕刻存储介质中的碎片文件。

关键词: 数字取证调查, 数字证据, 文档碎片, 碎片熵值特征, 文件雕刻

Abstract:

File carving is the important techniques about digital crime forensic investigation. In order to acquire digital evidence from the destroyed disk media, a feature extracting algorithm about document fragment is proposed which can identify various document fragments about its entropy value. Based on this algorithm, fragment file carving algorithm is designed by combining the logic property of disk cluster. Results show that compared with other file carving algorithms, the algorithms can carve out more files.

Key words: digital forensic investigation, digital evidence, document fragment, fragment entropy value feature, file carving

中图分类号:

TP309

李炳龙, 暴占彪, 王鲁, 王清贤. 基于磁盘碎片熵值特征的文件雕刻算法研究[J]. 计算机工程, 2012, 38(16): 40-43.

LI Bing-Long, BAO Tie-Biao, WANG Lu, WANG Qing-Xian. Research on File Carving Algorithm Based on Disk Fragment Entropy Value Feature[J]. Computer Engineering, 2012, 38(16): 40-43.

http://www.ecice06.com/CN/Y2012/V38/I16/40

参考文献

[1] Beverly R, Grafinkel S, Cardwell G. Forensic Carving of Network Packets and Associated Data Structures[J]. Digital Investigation, 2011, 8(11): 78-89.
[2] Carrier B, Casey E, Venema W. 2006 Digital Forensics Research Workshop File Carving Challenge[EB/OL]. (2011-08-05). http:// www.dfrws.org/2006/challenge/.
[3] Carrier B, Casey E, Venema W. 2007 Digital Forensics Research Workshop File Carving Challenge[EB/OL]. (2011-01-08). http:// www.dfrws.org/2007/challenge/.
[4] Memon N, Pal A. Automated Reassembly of File Fragmented Images Using Greedy Algorithms[J]. IEEE Transactions on Image Processing, 2006, 15(2): 385-392.
[5] Pal A, Shunmugasundurum K, Memon N. Automated Reassembly
of Fragmented Images[C]//Proc. of IEEE International Conference on Acoustics, Speech, and Signal Processing. San Francisco, USA: [s. n.], 2003: 121-126.
[6] Geoff H. The Joys of Complexity and the Deleted File[J]. Digital Investigation, 2005, 2(2): 89-93.
[7] Douceur J, Bolosky W. A Large-scale Study of File System Contents[C]//Proc. of ACM SIGMETRICS International Con- ference on Measurement and Modeling of Computer Systems. New York, USA: [s. n.], 1999.
[8] Claude E. A Mathematical Theory of Communication[J]. Bell System Technical Journal, 1948, 27(3): 379-423.
[9] Wagner A, Plattner B. Entropy Based Worm and Anomaly Detec- tion in Fast IP Networks[C]//Proc. of the 14th IEEE Workshop on Enabling Technologies: Infrastructure for Collaborative Enter- prises. Likoping, Sweden: [s. n.], 2005: 172-177.
[10] Shannon M. Forensic Relative Strength Scoring: ASCII and Entropy Scoring[J]. International Journal of Digital Evidence, 2004, 2(4): 151-169.
[11] Karresand M, Shahmehri N. File Type Identification of Data Fragments by Their Binary Structure[C]//Proc. of IEEE Workshop on Information Assurance United States Military Academy. New York, USA: [s. n.], 2006: 200-208.
[12] Shunmugasundurum K, Memon N. Automatic Reassembly of Document Fragments via Context Based Statistical Models[C]//Proc. of the 19th Annual Computer Security Applications Conference. Las Vegas, USA: [s. n.], 2003: 211-218.

选择文件类型/文献管理软件名称

选择包含的内容

基于磁盘碎片熵值特征的文件雕刻算法研究

Research on File Carving Algorithm Based on Disk Fragment Entropy Value Feature

PDF

可视化

被引次数

摘要/Abstract

引用本文

使用本文

参考文献

相关文章 1

编辑推荐

Metrics

本文评价

模态框（Modal）标题

选择文件类型/文献管理软件名称

选择包含的内容

基于磁盘碎片熵值特征的文件雕刻算法研究

Research on File Carving Algorithm Based on Disk Fragment Entropy Value Feature

PDF

可视化

被引次数

摘要/Abstract

引用本文

使用本文

参考文献

相关文章 1

编辑推荐

Metrics

本文评价