dc.description.abstract |
In this work, a new approach to automated cross-drive correlation in computer forensics is presented. The approach uses the concept of Normalized Information Distance (NID) to derive a drive similarity correlation between a pair of disk images. The algorithm uses the Normalized Compression Distance (NCD), which is the approximation of NID used in implementation. The proposed method is a parameter-free correlation, unlike previous work, which is based on generating common features as parameters of comparison and correlation. The ever-increasing capacities of digital storage devices and their rapid proliferation make parameter-based systems more time-consuming, as generating the features or parameters takes a considerable amount of time. A parameter-free algorithm, however, would provide quick and more complete leads and clues to the investigator, who can then focus only on the highlighted subset of the input datasets for further detailed investigation. The main advantages of NCD-based cross-drive correlation are: examination of the data to generate forensic features as parameters is not required; the time and resources that would otherwise be needed for forensic feature extraction are saved; deep knowledge of the underlying data is not required; it detects all similarities simultaneously; it automatically selects the dominant shared features in all pairwise comparisons; and it can be used effectively for heterogeneous data. The algorithm works in three main stages: conversion of the acquired image to a reduced signature, NCD correlation, and finally calculation of a pairwise correlation score with graphical representation. Experiments were conducted on disk images of 200 MB, and the programs developed can, without many modifications, be easily scaled to inputs of gigabyte size. |
en_US |