Abstract
One of the biggest challenges in file fragment classification is the low classification rate for compound files, known as high-entropy files, which contain different types of data such as images and compressed text. It has been observed that current methods for file fragment classification may not work for these compound files. In this paper we propose a novel approach: detect deflate-encoded data in compound file fragments and decompress that data before applying a machine learning technique for classification. We apply the proposed method to classify the Adobe Portable Document Format (PDF) file type. Experiments showed a high classification rate for the proposed method.
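As an added illustration of the detect-then-decompress step described in the abstract (example code written for this page, not the paper's own implementation), the following scans a PDF fragment for Flate-compressed streams, inflates as much as a possibly truncated fragment allows, and compares byte entropy before and after, which is what motivates decompressing before classification. The constructed sample fragment, the `/FlateDecode ... stream` keyword search, the zlib-header fallback scan and the 64-byte minimum-output threshold are assumptions of this example.

```python
import math
import re
import zlib
from collections import Counter

STREAM_RE = re.compile(rb"/FlateDecode\b.*?stream\r?\n", re.DOTALL)
MIN_OUTPUT = 64  # assumed heuristic: ignore candidates that inflate to almost nothing


def shannon_entropy(data: bytes) -> float:
    """Bits per byte; 8.0 is the maximum for a byte stream."""
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values()) if n else 0.0


def inflate_prefix(buf: bytes, chunk: int = 64) -> bytes:
    """Inflate as far as buf parses as a zlib stream. Feeding small chunks keeps
    the output produced before a truncated or corrupt tail raises zlib.error."""
    d, out = zlib.decompressobj(), bytearray()
    for i in range(0, len(buf), chunk):
        try:
            out += d.decompress(buf[i:i + chunk])
        except zlib.error:
            break
        if d.eof:  # stream ended cleanly; what follows is 'endstream' etc.
            break
    return bytes(out)


def find_deflate(fragment: bytes) -> list:
    """Return (offset, inflated bytes) for each deflate stream in the fragment.
    First use the PDF /FlateDecode ... stream keyword; if the stream dictionary is
    not in this fragment, fall back to every offset carrying a zlib header
    (RFC 1950: CM == 8 and (CMF*256+FLG) % 31 == 0). A fragment that starts in
    the middle of a stream has no header and is not recovered by this example."""
    hits = [(m.end(), inflate_prefix(fragment[m.end():])) for m in STREAM_RE.finditer(fragment)]
    hits = [(o, b) for o, b in hits if len(b) >= MIN_OUTPUT]
    if hits:
        return hits
    for off in range(len(fragment) - 1):
        cmf, flg = fragment[off], fragment[off + 1]
        if cmf & 0x0F == 8 and (cmf * 256 + flg) % 31 == 0:
            out = inflate_prefix(fragment[off:])
            if len(out) >= MIN_OUTPUT:
                hits.append((off, out))
    return hits


def analyse(fragment: bytes) -> dict:
    """Entropy of the raw fragment versus the recovered content the classifier would see."""
    hits = find_deflate(fragment)
    inflated = b"".join(b for _, b in hits)
    return {"streams": len(hits), "entropy_raw": shannon_entropy(fragment),
            "entropy_inflated": shannon_entropy(inflated)}


# Constructed sample: one PDF object whose page-content stream is Flate-compressed.
TEXT = b"".join(b"BT /F1 12 Tf 72 %d Td (Line %d of the page) Tj ET\n" % (720 - 14 * i, i) for i in range(40))
COMPRESSED = zlib.compress(TEXT)
FRAGMENT = b"4 0 obj\n<< /Length 999 /Filter /FlateDecode >>\nstream\n" + COMPRESSED + b"\nendstream\nendobj\n"
```

The fallback header scan can produce false positives on random-looking data, so the threshold only filters obvious misses; the classifier applied afterwards is what decides.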
© 2014 Springer International Publishing Switzerland
Nguyen, K., Tran, D., Ma, W., Sharma, D. (2014). A Proposed Approach to Compound File Fragment Identification. In: Au, M.H., Carminati, B., Kuo, CC.J. (eds) Network and System Security. NSS 2015. Lecture Notes in Computer Science, vol 8792. Springer, Cham. https://doi.org/10.1007/978-3-319-11698-3_38
DOI: https://doi.org/10.1007/978-3-319-11698-3_38
Publisher Name: Springer, Cham
Print ISBN: 978-3-319-11697-6
Online ISBN: 978-3-319-11698-3