Oscar - File Type and Camera Identification Using the Structure of Binary Data Fragments
2006 (English). In: First Conference on Advances in Computer Security and Forensics, ACSF 2006 / [ed] John Haggerty, Madjid Merabti, Liverpool, UK: School of Computing and Mathematical Sciences, John Moores University, 2006, 11- p. Conference paper (Refereed)
Mapping out the contents of fragmented storage media is hard if the file system has been corrupted, especially as the current forensic tools rely on meta information to do their job. If it were possible to find all fragments belonging to a certain file type, it might also be possible to recover a lost file. The Oscar method identifies the file type of data fragments based on their structure. This paper presents an improvement of the Oscar method. The new version is built on using 2-grams to create a model of different file types. The method is evaluated for JPEG, Windows executables, and zip files, reaching a 100% detection rate with 0.12% false positives for JPEG. We also use the method to identify the camera make used to capture a JPEG picture from a fragment of the picture.
Place, publisher, year, edition, pages
Liverpool, UK: School of Computing and Mathematical Sciences, John Moores University, 2006. 11- p.
Identifiers: URN: urn:nbn:se:liu:diva-34516; Local ID: 21579; ISBN: 1902560159; ISBN: 9781902560151; OAI: oai:DiVA.org:liu-34516; DiVA: diva2:255364
1st Conference on Advances in Computer Security and Forensics (ACSF 2006) 13-14 July 2006, Liverpool, UK