Difference between revisions of "Data Reduction"

From ForensicsWiki
Jump to: navigation, search
m
m (Reverted edit of Porker, changed back to last version by Uwe Hermann)
 
(One intermediate revision by one other user not shown)
(No difference)

Latest revision as of 11:57, 16 April 2006

Data reduction is the science of eliminating information from consideration. Although that may sound counter to the goal of computer forensics, today's computers contain too much information for a single investigator to completely evaluate. Thus, those data that can be eliminated from consideration should be removed, freeing an investigator to concentrate on the truly meaningful pieces.

Hash Analysis

A hash is a mathmatical transform that reduces an input of arbitrary size to a fixed value. It has the property that any two inputs that have the same hash are almost certainly the same. In this vein, an investigator can compute hashes of known good and known bad inputs (e.g. files) and use those hashes to search for those known files in a set of unknown files. For example, the NIST National Software Reference Library provides several million hashes of known good operating system files. If an invesigator can match those known hashes into an unknown set of files, the matching files can be eliminated from consideration.