ACM SIGMOBILE Mobile Computing and Communications Review
Security analysts, reverse engineers, and forensic analysts are regularly faced with large binary objects, such as executable and data files, process memory dumps, disk images and hibernation files, often gigabytes or larger in size and frequently of unknown, suspect, or poorly documented structure. Binary objects of this magnitude far exceed the capabilities of traditional hex editors and textual command line tools, frustrating analysis. This paper studies automated means to map these large binary objects by classifying regions using a multi-dimensional, information-theoretic approach. We make several contributions, including the introduction of the binary mapping metaphor and its associated applications, as well as techniques for type classification of low-level binary fragments. We validate the efficacy of our approach through a series of classification experiments and an analytic case study. Our results indicate that automated mapping can help speed manual and automated analysis activities and can be generalized to incorporate many low-level fragment classification techniques.
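The following Python script is an added illustration of the "binary mapping" idea described in the abstract; it is not code from the paper or its authors. It splits a binary object into fixed-size fragments, computes a few information-theoretic and statistical features per fragment (Shannon entropy, fraction of zero bytes, fraction of printable ASCII), assigns each fragment a coarse primitive type, and merges runs of equally labelled fragments into a region map. The fragment size, the feature set, the class names and every threshold are assumptions chosen for the demo, not values taken from the paper; the sample blob is constructed inline so the script runs offline.

```python
import hashlib
import math
import struct
from collections import Counter

# Fragment size in bytes. Assumption for this demo, not a value from the paper.
WINDOW = 512


def shannon_entropy(chunk: bytes) -> float:
    """Plug-in Shannon entropy of a byte string, in bits per byte (0.0 .. 8.0)."""
    if not chunk:
        return 0.0
    n = len(chunk)
    counts = Counter(chunk)
    return -sum((c / n) * math.log2(c / n) for c in counts.values())


def fragment_features(chunk: bytes) -> dict:
    """Per-fragment feature vector: the 'multi-dimensional' part of the classifier."""
    n = len(chunk)
    printable = sum(1 for b in chunk if 32 <= b < 127 or b in (9, 10, 13))
    return {
        "entropy": shannon_entropy(chunk),
        "zero_frac": chunk.count(0) / n,
        "ascii_frac": printable / n,
    }


def classify_fragment(feat: dict) -> str:
    """Coarse primitive type from the feature vector. Thresholds are illustrative assumptions."""
    if feat["zero_frac"] > 0.9:
        return "zero-padded"
    if feat["ascii_frac"] > 0.95:
        return "ascii-text"
    if feat["entropy"] > 7.0:          # compressed or encrypted data sits near 8 bits/byte
        return "high-entropy"
    return "binary-other"              # structured binary, code, tables, etc.


def map_binary(data: bytes, window: int = WINDOW) -> list:
    """Return a region map: list of (start, end, label) with adjacent equal labels merged."""
    regions = []
    for off in range(0, len(data), window):
        chunk = data[off:off + window]
        label = classify_fragment(fragment_features(chunk))
        if regions and regions[-1][2] == label:
            regions[-1][1] = off + len(chunk)   # extend the current region
        else:
            regions.append([off, off + len(chunk), label])
    return [tuple(r) for r in regions]


def _deterministic_noise(n: int) -> bytes:
    """Pseudo-random filler from a SHA-256 chain, so the sample is stable across runs."""
    out, seed = bytearray(), b"constructed-sample-seed"
    while len(out) < n:
        seed = hashlib.sha256(seed).digest()
        out += seed
    return bytes(out[:n])


def build_sample_blob() -> bytes:
    """Constructed 8 KiB test object: zero padding, text, a record table, then high-entropy data."""
    zeros = bytes(2048)
    text = (b"This is a constructed plain-text region for the demo.\n" * 40)[:2048]
    # 256 little-endian records of (uint32 id, uint16 id mod 7, uint16 0xFFFF) = 2048 bytes
    table = b"".join(struct.pack("<IHH", i, i % 7, 0xFFFF) for i in range(256))
    noise = _deterministic_noise(2048)
    return zeros + text + table + noise


if __name__ == "__main__":
    for start, end, label in map_binary(build_sample_blob()):
        print(f"{start:#08x}-{end:#08x}  {label}")
```

Run as a script it prints four regions, one per constructed section; on a real disk image or memory dump the same loop yields a coarse map that tells an analyst where to point a hex editor first. The per-fragment feature vector is the extension point: the abstract's claim that mapping "can be generalized to incorporate many low-level fragment classification techniques" corresponds here to adding features (n-gram statistics, magic-number hits, opcode frequency) to `fragment_features` and rules or a trained model to `classify_fragment`.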