An Evaluation of Side-Information Assisted Forensic Hash Matching

Investigations involving digital forensics typically include file hash matching procedures at one or more steps in the examination. File hash matching is typically done by computing a complete file hash value for each file on a storage device and comparing that to a pre-computed hash list. This work examines how various improvements to the basic technique impact the time required to perform hash matching. Specifically, side-information assisted approaches are evaluated in this work. By utilizing side-information such as file sizes and pre-hashes in addition to the traditional hash values, we find that it is possible to considerably decrease the amount of time required to perform file hash matching. A simulation model is used to evaluate the potential time saving over a range of storage devices and using five different empirically derived file size distribution datasets totaling 36 million file sizes. The results indicate that side-information assisted hashing provides a considerable reduction of the time required, ranging between 5% and 99%, with the majority of cases providing reductions with more than 50%.