Bytewise Approximate Matching: The Good, the Bad, and The Unknown

back to overview

Reference

Harichandran, V. S., Breitinger, F., & Baggili, I. (2016). Bytewise Approximate Matching: The Good, the Bad, and The Unknown. Journal of Digital Forensics, Security and Law, 11(2), 59 - 78.

Publication type

Article in Scientific Journal

Abstract

Hash functions are established and well-known in digital forensics, where they are commonly used for proving integrity and file identification (i.e., hash all files on a seized device and compare the fingerprints against a reference database). However, with respect to the latter operation, an active adversary can easily overcome this approach because traditional hashes are designed to be sensitive to altering an input; output will significantly change if a single bit is flipped. Therefore, researchers developed approximate matching, which is a rather new, less prominent area but was conceived as a more robust counterpart to traditional hashing. Since the conception of approximate matching, the community has constructed numerous algorithms, extensions, and additional applications for this technology, and are still working on novel concepts to improve the status quo. In this survey article, we conduct a high-level review of the existing literature from a non-technical perspective and summarize the existing body of knowledge in approximate matching, with special focus on bytewise algorithms. Our contribution allows researchers and practitioners to receive an overview of the state of the art of approximate matching so that they may understand the capabilities and challenges of the field. Simply, we present the terminology, use cases, classification, requirements, testing methods, algorithms, applications, and a list of primary and secondary literature.

Persons

Organizational Units

  • Institute of Information Systems
  • Hilti Chair for Data and Application Security

DOI

http://dx.doi.org/10.15394/jdfsl.2016.1379