Detecting Disk Sectors Data Types Using Hidden Markov Model

2020 17th International ISC Conference on Information Security and Cryptology (ISCISC) Pub Date : 2020-09-09 DOI:10.1109/ISCISC51277.2020.9261906

S. Sadegh Mousavi

{"title":"Detecting Disk Sectors Data Types Using Hidden Markov Model","authors":"S. Sadegh Mousavi","doi":"10.1109/ISCISC51277.2020.9261906","DOIUrl":null,"url":null,"abstract":"file carving is process of recovering data without knowledge of file system like recovering files from a formatted disk. Sometime the file systems do not write a file to disk in continues sectors and may split it to more than one chunks. Recovering of such a fragmented file can be difficult because if we found the first chunk of the file, the second chunk can be anywhere on disk. If the disk is large, the search process for finding the second chunk of file will be a time-consuming process. Data type classification help to classify disk sectors based on the type stored on them. Understanding the type of stored data on disk sectors, help to search for a specified file only on area of disk that more likely have the file type we want. In this article we propose an approach to create a hidden markov model that can help classifying disk sector based on their type and detect the point of disk that a fragmentation probably happened. The created hidden markov model classify sectors based on their entropy. The results show 52% of correct data type detection on disks with 512Bytes sector size.","PeriodicalId":206256,"journal":{"name":"2020 17th International ISC Conference on Information Security and Cryptology (ISCISC)","volume":"15 1","pages":"0"},"PeriodicalIF":0.0000,"publicationDate":"2020-09-09","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":"2","resultStr":null,"platform":"Semanticscholar","paperid":null,"PeriodicalName":"2020 17th International ISC Conference on Information Security and Cryptology (ISCISC)","FirstCategoryId":"1085","ListUrlMain":"https://doi.org/10.1109/ISCISC51277.2020.9261906","RegionNum":0,"RegionCategory":null,"ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":null,"EPubDate":"","PubModel":"","JCR":"","JCRName":"","Score":null,"Total":0}

引用次数: 2

Abstract

file carving is process of recovering data without knowledge of file system like recovering files from a formatted disk. Sometime the file systems do not write a file to disk in continues sectors and may split it to more than one chunks. Recovering of such a fragmented file can be difficult because if we found the first chunk of the file, the second chunk can be anywhere on disk. If the disk is large, the search process for finding the second chunk of file will be a time-consuming process. Data type classification help to classify disk sectors based on the type stored on them. Understanding the type of stored data on disk sectors, help to search for a specified file only on area of disk that more likely have the file type we want. In this article we propose an approach to create a hidden markov model that can help classifying disk sector based on their type and detect the point of disk that a fragmentation probably happened. The created hidden markov model classify sectors based on their entropy. The results show 52% of correct data type detection on disks with 512Bytes sector size.

查看原文本刊更多论文

利用隐马尔可夫模型检测磁盘扇区数据类型

文件雕刻是在不了解文件系统的情况下恢复数据的过程，就像从格式化的磁盘中恢复文件一样。有时，文件系统不将文件写入连续扇区的磁盘，并可能将其分割为多个块。恢复这样一个碎片文件可能很困难，因为如果我们找到了文件的第一个块，第二个块可能在磁盘上的任何地方。如果磁盘很大，查找第二个文件块的搜索过程将是一个耗时的过程。数据类型分类有助于根据存储在磁盘扇区上的类型对磁盘扇区进行分类。了解磁盘扇区上存储数据的类型，有助于只在更有可能具有我们想要的文件类型的磁盘区域中搜索指定文件。在本文中，我们提出了一种方法来创建一个隐马尔可夫模型，可以帮助分类磁盘扇区的类型，并检测磁盘可能发生碎片的点。所建立的隐马尔可夫模型根据扇区的熵对扇区进行分类。结果显示，在扇区大小为512Bytes的磁盘上，正确的数据类型检测率为52%。

本文章由计算机程序翻译，如有差异，请以英文原文为准。

求助全文

约1分钟内获得全文求助全文

来源期刊

2020 17th International ISC Conference on Information Security and Cryptology (ISCISC)

自引率

0.00%

发文量