Identifying almost identical files using context triggered piecewise hashing

  • Kornblum J
  • 170


    Mendeley users who have this article in their library.
  • 116


    Citations of this article.


Homologous files share identical sets of bits in the same order. Because such files are not completely identical, traditional techniques such as cryptographic hashing cannot be used to identify them. This paper introduces a new technique for constructing hash signatures by combining a number of traditional hashes whose boundaries are determined by the context of the input. These signatures can be used to identify modified versions of known files even if data has been inserted, modified, or deleted in the new files. The description of this method is followed by a brief analysis of its performance and some sample applications to computer forensics. © 2006 DFRWS.

Author-supplied keywords

  • Forensics
  • Memory analysis
  • Microsoft
  • Reverse engineering
  • Windows

Get free article suggestions today

Mendeley saves you time finding and organizing research

Sign up here
Already have an account ?Sign in

Find this document


  • Jesse Kornblum

Cite this document

Choose a citation style from the tabs below

Save time finding and organizing research with Mendeley

Sign up for free