2013 Seventh International Conference on IT Security Incident Management and IT Forensics (2013)
Nuremberg, Germany Germany
Mar. 12, 2013 to Mar. 14, 2013
DOI Bookmark: http://doi.ieeecomputersociety.org/10.1109/IMF.2013.18
The handling of hundreds of thousands of files is a major challenge in today's IT forensic investigations. In order to cope with this information overload, investigators use fingerprints (hash values) to identify known files automatically using blacklists or white lists. Besides detecting exact duplicates it is helpful to locate similar files by using similarity preserving hashing (SPH), too. We present a new algorithm for similarity preserving hashing. It is based on the idea of majority voting in conjunction with run length encoding to compress the input data and uses Bloom filters to represent the fingerprint. It is therefore called mvHash-B. Our assessment shows that mvHash-B is superior to other SPHs with respect to run time efficiency: It is almost as fast as SHA-1 and thus faster than any other SPH algorithm. Additionally the hash value length is approximately 0.5% of the input length and hence outperforms most existing algorithms. Finally, we show that the robustness of mvHash-B against active manipulation is sufficient for practical purposes.
Bloom filter, Digital forensics, fuzzy hashing, similarity preserving hashing, run-length encoding
Frank Breitinger, Knut Petter Astebol, Harald Baier, Christoph Busch, "mvHash-B - A New Approach for Similarity Preserving Hashing", 2013 Seventh International Conference on IT Security Incident Management and IT Forensics, vol. 00, no. , pp. 33-44, 2013, doi:10.1109/IMF.2013.18