Detection techniques for ELF executable file using assembly instruction searching


Abstract

As the frequency of computer crime increases, computer forensics has become a center of interest in information security. One area of computer forensics is restoring deleted information, detecting hidden information, and determining the meaning of that information. However, the results of present research on restoring binary data and analyzing the meaning of the information are not covered by forensic investigation. For this reason, we suggest some techniques for recovering original data and determining whether it is a fragment of an executable file. The suggested detection method is based on the structure of an ELF file, which consists of a header and a large number of assembly operation codes. If the ratio of detected assembly instructions to the size of a file fragment exceeds a fixed value (threshold), we decide that the fragment is one section of an executable file. © Springer-Verlag 2004.

Park, J. H., Kim, M. S., & Noh, B. N. (2004). Detection techniques for ELF executable file using assembly instruction searching. Lecture Notes in Computer Science (Including Subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics), 3043, 230–237. https://doi.org/10.1007/978-3-540-24707-4_29
