An adaptive method to identify disk cluster size based on block content

Authors:
Ming Xu;Hong-Rong Yang;Jian Xu;Ye Xu;Ning Zheng
Affiliations:
Institute of Computer Application Technology, Hangzhou Dianzi University, Hangzhou, PR China;Institute of Computer Application Technology, Hangzhou Dianzi University, Hangzhou, PR China;Institute of Computer Application Technology, Hangzhou Dianzi University, Hangzhou, PR China;Institute of Computer Application Technology, Hangzhou Dianzi University, Hangzhou, PR China;Institute of Computer Application Technology, Hangzhou Dianzi University, Hangzhou, PR China
Venue:
Digital Investigation: The International Journal of Digital Forensics & Incident Response
Year:
2010

Citing 3
Cited 0

Attacks on Steganographic Systems

IH '99 Proceedings of the Third International Workshop on Information Hiding
Digital Evidence and Computer Crime

Digital Evidence and Computer Crime
Statistical Disk Cluster Classification for File Carving

IAS '07 Proceedings of the Third International Symposium on Information Assurance and Security

Quantified Score

Hi-index	0.00

Visualization

Abstract

Indentifying the cluster size based on data content, rather than relying on the meta-data of file system, is an important issue in the field of the disk forensics and file caving. When the file system on an evidence disk has been intentionally or accidentally damaged, it is necessary to indentify the cluster size. This paper presents a method to identify the disk cluster size based on data content for various file systems. The main idea is using the difference between the entropy difference distributions of the non-cluster boundaries and the cluster boundaries to identify the cluster size. The @g^2 statistic is adopted to reveal this difference. Experimental results demonstrate that the proposed approach is effective in identifying the cluster size.