Oscar — Using Byte Pairs to Find File Type and Camera Make of Data Fragments
Linköping University, The Institute of Technology. Linköping University, Department of Computer and Information Science, Database and information techniques.
Linköping University, Department of Computer and Information Science, Database and information techniques. Linköping University, The Institute of Technology.
2007 (English). In: EC2ND 2006: Proceedings of the Second European Conference on Computer Network Defence, in conjunction with the First Workshop on Digital Forensics and Incident Analysis, Faculty of Advanced Technology, University of Glamorgan, Wales, UK / [ed] Andrew Blyth, Iain Sutherland, Springer London, 2007, 85-94 p. Chapter in book (Refereed)
Abstract [en]

Mapping out the contents of fragmented storage media is hard if the file system has been corrupted, especially as the current forensic tools rely on meta information to do their job. If it was possible to find all fragments belonging to a certain file type, it would also be possible to recover a lost file. Such a tool could for example be used in the hunt for child pornography. The Oscar method identifies the file type of data fragments based solely on statistics calculated from their structure. The method does not need any meta data to work. We have previously used the byte frequency distribution and the rate of change between consecutive bytes as basis for the statistics, as well as calculating the 2-gram frequency distribution to create a model of different file types. This paper presents a variant of the 2-gram method, in that it uses a dynamic smoothing factor. In this way we take the amount of data used to create the centroid into consideration. A previous experiment on file type identification is extended with .mp3 files reaching a detection rate of 76% with a false positives rate of 0.4%. We also use the method to identify the camera make used to capture a .jpg picture from a fragment of the picture. The result shows that we can clearly separate a picture fragment coming from a Fuji or Olympus camera from a fragment of a picture of the other camera makes used in our test.

Place, publisher, year, edition, pages
Springer London, 2007. 85-94 p.
Keyword [en]
Camera recognition, computer forensics, data recovery, file type identification, 2-gram frequency distribution
National Category
Computer Science
URN: urn:nbn:se:liu:diva-35609
DOI: 10.1007/978-1-84628-750-3_9
Local ID: 27946
ISBN: 978-1-84628-749-7
ISBN: e-978-1-84628-750-3
OAI: diva2:256457
Available from: 2009-10-10 Created: 2009-10-10 Last updated: 2014-06-24 Bibliographically approved

By author/editor: Karresand, Martin; Shahmehri, Nahid