Statistical Approaches to File Fragment Analysis

Abstract

Metadata is a blanket term that encompasses the information describing a file’s myriad properties. A file’s metadata might capture its extension, headers, footers, signatures, length, and file type, among other details. This information, along with other markers, can be exploited by a forensic examiner to identify and categorize files, often with relative ease. However, the challenge that arises in digital forensics is that examiners could potentially be tasked with identifying file types using only a few remnant fragments on a storage device. These remnants left behind on a device could be a product of routine operating system activities or a misguided attempt to destroy evidence by a suspect. In addition, files are routinely transmitted over a network as fragments, sometimes with errors, and network forensic examiners might be called upon for file fragment identification in this scenario. It is also commonplace to find perpetrators maliciously and deliberately falsifying metadata, including headers and footers, in an effort to mislead and misdirect forensic examiners. To this end, in this research, we propose statistical techniques for file type identification and classification using file fragments. We demonstrate that byte frequency analysis and related techniques are quite potent in their ability to tackle these aforementioned challenges. In our work, we analyze fragments garnered from fourteen different files. We choose these file types in our analysis as they are commonly used for various purposes and with different structures. We evaluate the performance of our proposed framework using evaluation metrics such as accuracy, precision, recall, and F1-score. Our results show that our proposed framework can accurately identify and classify file types from file fragments. Our work is novel in that we have pushed the boundaries of what was considered feasible using fundamental statistical tools, as suggested by the body of work in the literature. 
Our objective is to develop the foundations of a framework for file-fragment analysis under the fabric of statistical analysis. We show that the auspice of our research is applicable in domains as disparate as file integrity analysis, malware detection, steganography, intrusion detection systems, security policy implementation, and of course, a big thrust in digital and cyber forensic analysis.

Cite

Jinad, R., Islam, A. B. M. R., & Shashidhar, N. (2023). Statistical Approaches to File Fragment Analysis. In Lecture Notes in Networks and Systems (Vol. 700 LNNS, pp. 316–328). Springer Science and Business Media Deutschland GmbH. https://doi.org/10.1007/978-3-031-33743-7_26
