File fragment recognition based on content and statistical features

TL;DR

This paper proposes a method for recognizing file fragments by extracting content and statistical features, reducing feature sets, and classifying with multiple algorithms to improve accuracy in cybercrime investigations.

Contribution

It introduces a new approach combining feature reduction and multiple classifiers for improved file fragment recognition accuracy.

Findings

Achieved higher accuracy than previous methods

Effectively distinguished 6 file types

Reduced feature set improved classification speed

Abstract

Nowadays, the speed up development and use of digital devices such as smartphones have put people at risk of internet crimes. The evidence of present crimes in a computer file can be easily unreachable by changing the prefix of a file or other algorithms. In more complex cases, either file divided into different parts or the parts of a file that has information about the file type are deleted, where the file fragment recognition issue is discussed. The known files are divided into different fragments, and different classification algorithms are used to solve the problems of file fragment recognition. The issue of identifying the type of file fragment due to its importance in cybercrime issues as well as antivirus has been highly emphasized and has been addressed in many articles. Increasing the accuracy in this field on the types of widely used files due to the sensitivity of the subject of recognizing the type of file under study is the main goal of researchers in this field. Failure to identify the correct type of file will lead to deviations of the results and evidence from the main issue or failure to conclude. In this paper, first, the file is divided into different fragments. Then, the file fragment features, which are obtained from Binary Frequency Distribution, are reduced by 2 feature reduction algorithms; Sequential Forward Selection algorithm as well as Sequential Floating Forward Selection algorithm to delete sparse features that result in increased accuracy and speed. Finally, the reduced features are given to 3 Multiclass classifier algorithms, Multilayer Perceptron, Support Vector Machines, and K-Nearest Neighbor for classification and comparison of the results. The proposed recognition algorithm can recognize 6 types of useful files and may distinguish a type of file fragments with higher accuracy than the similar works done.