Data Reduction

From Forensics Wiki
Revision as of 10:26, 29 October 2005 by Jessek (Talk | contribs)


Data reduction is the science of eliminating information from consideration. Although that may sound contrary to the goal of computer forensics, today's computers contain far too much information for a single investigator to evaluate completely. Thus, data that can be eliminated from consideration should be removed, freeing the investigator to concentrate on the truly meaningful pieces.


Hash Analysis

A hash is a mathematical transform that reduces an input of arbitrary size to a fixed-size value. It has the property that any two inputs with the same hash are almost certainly the same file. In this vein, an investigator can compute hashes of known good and known bad files and use those hashes to search for those known files in a set of unknown files. For example, the NIST National Software Reference Library provides several million hashes of known good operating system files. If an investigator can match those known hashes against an unknown set of files, the matching files can be eliminated from consideration.
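The following is an added example of the hash-analysis workflow described above; it is not code from the Forensics Wiki or from NIST. It streams every regular file under an evidence directory through a digest, drops files whose digest appears in a known-good set, flags files whose digest appears in a known-bad set, and leaves the remainder for manual review. The list format (`hash,label`, one entry per line) and the sample files are constructed for the example and are not the NSRL's own format; a real hash set would be loaded from the reference library instead. Note that only byte-for-byte identical files match: a known file that has been modified by even one byte falls into the "unknown" bucket, which is why the example includes such a file.

```python
"""Hash-based data reduction: drop files whose digest matches a known-good set,
flag files that match a known-bad set, and leave the rest for manual review.
Added example; the list format and sample files are constructed, not NSRL data."""
import hashlib
import os
import tempfile
from typing import Dict, Iterable, List, Set


def file_digest(path: str, algorithm: str = "sha1", chunk_size: int = 1 << 20) -> str:
    """Stream the file through the chosen digest so large files need not fit in memory."""
    h = hashlib.new(algorithm)
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


def load_hash_set(lines: Iterable[str]) -> Set[str]:
    """Parse a constructed 'hash,label' list; blank lines and '#' comments are skipped.
    Digests are lower-cased so case differences between tools do not cause missed matches."""
    hashes: Set[str] = set()
    for line in lines:
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        digest = line.split(",", 1)[0].strip().lower()
        if digest:
            hashes.add(digest)
    return hashes


def reduce_tree(root: str, known_good: Set[str], known_bad: Set[str],
                algorithm: str = "sha1") -> Dict[str, List[str]]:
    """Classify every regular file under root by its digest.
    Returns relative paths in three buckets: eliminated, flagged, unknown."""
    result: Dict[str, List[str]] = {"eliminated": [], "flagged": [], "unknown": []}
    for dirpath, _dirs, files in os.walk(root):
        for name in sorted(files):
            path = os.path.join(dirpath, name)
            if os.path.islink(path) or not os.path.isfile(path):
                continue  # symlinks and special files are not hashed
            digest = file_digest(path, algorithm)
            rel = os.path.relpath(path, root)
            # Check the bad set first: a digest present in both lists must never be silently dropped.
            if digest in known_bad:
                result["flagged"].append(rel)
            elif digest in known_good:
                result["eliminated"].append(rel)
            else:
                result["unknown"].append(rel)
    return result


def demo() -> Dict[str, List[str]]:
    """Build a small constructed evidence tree, reduce it, and return the classification."""
    good_content = b"stock operating system file\n"
    bad_content = b"known malicious tool\n"
    user_content = b"user-authored document\n"
    # Constructed hash lists; the upper-case entry shows that case is normalised.
    good_list = ["# constructed known-good list",
                 f"{hashlib.sha1(good_content).hexdigest().upper()},stock.dll"]
    bad_list = [f"{hashlib.sha1(bad_content).hexdigest()},tool.exe"]
    known_good = load_hash_set(good_list)
    known_bad = load_hash_set(bad_list)
    with tempfile.TemporaryDirectory() as root:
        os.makedirs(os.path.join(root, "system"))
        samples = [
            ("system/stock.dll", good_content),          # exact known-good match
            ("system/stock_copy.dll", good_content),     # identical copy: also eliminated
            ("system/stock_patched.dll", good_content + b"x"),  # one byte changed: no match
            ("tool.exe", bad_content),                   # known-bad match
            ("notes.txt", user_content),                 # user data: stays for review
        ]
        for rel, content in samples:
            with open(os.path.join(root, *rel.split("/")), "wb") as fh:
                fh.write(content)
        return reduce_tree(root, known_good, known_bad)


if __name__ == "__main__":
    for bucket, paths in demo().items():
        print(f"{bucket}: {paths}")
```

The bucket order matters: a digest on the known-bad list is checked before the known-good list, so a file that somehow appears in both can never be eliminated by mistake. Files are streamed in chunks rather than read whole, which is what lets the same routine run over multi-gigabyte evidence images without exhausting memory.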