Forensically Classifying Files Using HSOM Algorithms

G. Pierris, S. Vidalis
DOI: 10.1109/EIDWT.2012.46 (https://doi.org/10.1109/EIDWT.2012.46)
Published in: 2012 Third International Conference on Emerging Intelligent Data and Web Technologies
Publication date: 2012-09-19
Citations: 3

Abstract

It has been accepted by Cloud Computing vendors that retrieving data from a cloud environment once it has been deleted is next to impossible. This constitutes a major hurdle for the digital forensics examiner, as it greatly limits the pool of potential evidence that could be collected during an investigation. In this concept paper we discuss a different approach to the above problem that spans two different worlds: the world of digital forensics and the world of artificial intelligence. Block-based hash analysis works by calculating a hash value for each block of the target file that would be allocated a sector or cluster to store its data. The block hashes are then stored in a "map" file. The examiner then searches secondary memory areas to see if they contain blocks matching those contained in the "map" files, and is then able to rebuild any file whose blocks have been located. The process of hash-map calculation and analysis in the case of graphic images is accomplished using a single, dual-purpose EnScript in EnCase. Where a suspect file has been partially but not completely located, the script produces a PNG graphic showing exactly which blocks of the graphic have been located. This technique is extremely time- and processor-intensive, and does not work for unknown broken files. We hypothesize that we can use Hierarchical Self-Organizing Map algorithms to classify broken chains of previously unknown files, and in the future reconstruct them so that they can be examined by the digital forensic examiner using the block-based hash analysis technique.
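The block-based hash analysis the abstract describes (hash every block of a known file into a "map", scan sector-aligned secondary storage for matching blocks, then rebuild what was found and report the gaps) is shown below as an added example. It is not code from the paper or from EnCase; the EnScript mentioned above is not reproduced here. The block size, the SHA-256 choice, the zero-padding of the final block, and the suspect file and disk image are all assumptions constructed for the example.

```python
import hashlib
from typing import Dict, List, Tuple

# Sector-sized blocks. A real examiner aligns to the target file system's cluster size (assumption).
BLOCK_SIZE = 512


def build_hash_map(data: bytes, block_size: int = BLOCK_SIZE) -> List[str]:
    """Build the "map" for a known file: one SHA-256 per block, in file order.
    The last block is zero-padded to block_size, as it would be when written to a fresh sector.
    Real slack space may hold residue instead of zeros, in which case the tail block will not match."""
    hashes = []
    for off in range(0, len(data), block_size):
        block = data[off:off + block_size].ljust(block_size, b"\x00")
        hashes.append(hashlib.sha256(block).hexdigest())
    return hashes


def locate_blocks(image: bytes, hash_map: List[str],
                  block_size: int = BLOCK_SIZE) -> Dict[int, List[int]]:
    """Scan a sector-aligned image (unallocated space, a raw dump) for sectors whose hash
    appears in the map. Returns {block_index: [image offsets where it was found]}.
    One hash may belong to several block indices (e.g. repeated all-zero blocks), so every
    matching index is recorded; multi-hit blocks are ambiguous and need examiner review."""
    wanted: Dict[str, List[int]] = {}
    for idx, h in enumerate(hash_map):
        wanted.setdefault(h, []).append(idx)
    found: Dict[int, List[int]] = {}
    for off in range(0, len(image), block_size):
        sector = image[off:off + block_size].ljust(block_size, b"\x00")
        h = hashlib.sha256(sector).hexdigest()
        for idx in wanted.get(h, []):
            found.setdefault(idx, []).append(off)
    return found


def reconstruct(image: bytes, hash_map: List[str], found: Dict[int, List[int]],
                original_len: int, block_size: int = BLOCK_SIZE) -> Tuple[bytes, List[int]]:
    """Reassemble the file from located blocks; unlocated blocks are left as zero-filled gaps.
    Returns (bytes truncated to the original length, list of missing block indices)."""
    out = bytearray()
    missing: List[int] = []
    for idx in range(len(hash_map)):
        if idx in found:
            off = found[idx][0]  # first hit; ambiguous blocks would need manual disambiguation
            out += image[off:off + block_size]
        else:
            out += b"\x00" * block_size
            missing.append(idx)
    return bytes(out[:original_len]), missing


def coverage(hash_map: List[str], found: Dict[int, List[int]]) -> float:
    """Fraction of the file's blocks located (what the per-block PNG in the paper visualises)."""
    return len(found) / len(hash_map)


# --- constructed sample data (not from the paper) -------------------------------------------
def _noise(tag: bytes, n: int) -> bytes:
    """Deterministic filler derived from SHA-256 so the run is reproducible."""
    out = b""
    counter = 0
    while len(out) < n:
        out += hashlib.sha256(tag + counter.to_bytes(4, "big")).digest()
        counter += 1
    return out[:n]


TARGET = _noise(b"suspect-file", 2300)  # constructed suspect file: 4 full blocks + one 252-byte tail


def _disk_block(idx: int) -> bytes:
    """The file's block idx as it would sit on disk, zero-padded to a full sector."""
    return TARGET[idx * BLOCK_SIZE:(idx + 1) * BLOCK_SIZE].ljust(BLOCK_SIZE, b"\x00")


# Constructed image: blocks 0 and 1 contiguous, block 2 overwritten, blocks 3 and 4 elsewhere.
IMAGE = (
    _noise(b"unrelated-a", 3 * BLOCK_SIZE)
    + _disk_block(0) + _disk_block(1)
    + _noise(b"overwritten", BLOCK_SIZE)
    + _noise(b"unrelated-b", 2 * BLOCK_SIZE)
    + _disk_block(3) + _disk_block(4)
    + _noise(b"unrelated-c", BLOCK_SIZE)
)


def run_example() -> Tuple[Dict[int, List[int]], List[int], float]:
    """Map the suspect file, locate its blocks in the image, and report gaps and coverage."""
    hash_map = build_hash_map(TARGET)
    found = locate_blocks(IMAGE, hash_map)
    _rebuilt, missing = reconstruct(IMAGE, hash_map, found, len(TARGET))
    return found, missing, coverage(hash_map, found)


if __name__ == "__main__":
    found, missing, cov = run_example()
    for idx, offs in sorted(found.items()):
        print(f"block {idx}: found at image offsets {offs}")
    print(f"missing blocks: {missing}, coverage {cov:.0%}")
```

Running it locates blocks 0, 1, 3 and 4, reports block 2 as missing (80% coverage), and the rebuilt file matches the original everywhere except the zero-filled gap. The scan is the expensive part the abstract points to: every sector of the image is hashed once per map, which is why the authors look to HSOM classification for files whose map is not known in advance.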