Beyond Fuzzy Hashing
SANS What Works in Computer Forensics and Incident Response DC, 2010

Slides (pdf)    

Computers are fantastic at finding identical pieces of data, but terrible at finding similar data. Part of the problem is first defining the term "similar" in any given context. This talk will explore what similar means for different contexts in computer forensics. We will then discuss fuzzy hashing, a method for identifying similar files using signatures similar to MD5 or SHA-256. Finally, we'll discuss more specific methods for finding similar images and executables.

