Bulgarian Academy of Sciences
During a forensic investigation, an investigator might be required to analyze the content of a personal computer. Because of the huge amount of data, it becomes necessary to recognize suspect files and automatically filter out non-relevant files. To achieve this goal, an investigator can resort to hashing algorithms in order to classify files into known-to-be-good, known-to-be-bad and unknown files. The working steps are quite simple: hash the file, compare the resulting hash against a database and place the file in one of the categories. Personal computers nowadays typically store several hundred thousand files on their hard disk, and thus this operation becomes time-consuming. The paper at hand demonstrates a framework that speeds up this procedure by using multiple threads for different tasks.
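The hash-and-classify workflow described above, as an added Python example that is not the paper's framework. It assumes SHA-256 as the hash function, in-memory digest sets in place of the reference database, and a thread pool for the hashing task; all function names are hypothetical.

```python
import hashlib
import tempfile
from concurrent.futures import ThreadPoolExecutor
from pathlib import Path

CHUNK = 1 << 20  # stream in 1 MiB blocks so large files are never loaded whole

def sha256_file(path):
    """Return the SHA-256 hex digest of a file, read in chunks."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(CHUNK), b""):
            h.update(block)
    return h.hexdigest()

def _hash_or_none(path):
    """Worker task: unreadable files yield None instead of aborting the run."""
    try:
        return path, sha256_file(path)
    except OSError:
        return path, None

def classify(root, known_good, known_bad, workers=4):
    """Hash all regular files under root in a thread pool and bin each one.
    known_good / known_bad: sets of hex digests standing in for the database."""
    files = [p for p in Path(root).rglob("*") if p.is_file() and not p.is_symlink()]
    result = {"known_good": [], "known_bad": [], "unknown": [], "error": []}
    with ThreadPoolExecutor(max_workers=workers) as pool:
        for path, digest in pool.map(_hash_or_none, files):
            if digest is None:
                result["error"].append(path)   # keep gaps visible to the examiner
            elif digest in known_bad:          # bad wins if a digest is in both sets
                result["known_bad"].append(path)
            elif digest in known_good:
                result["known_good"].append(path)
            else:
                result["unknown"].append(path)
    return result

def demo():
    """Constructed sample data: three small files in a temporary directory."""
    samples = {"lib.dll": b"vendor library", "tool.exe": b"flagged sample", "notes.txt": b"user data"}
    with tempfile.TemporaryDirectory() as d:
        for name, data in samples.items():
            Path(d, name).write_bytes(data)
        good = {hashlib.sha256(samples["lib.dll"]).hexdigest()}
        bad = {hashlib.sha256(samples["tool.exe"]).hexdigest()}
        res = classify(d, good, bad)
        return {k: sorted(p.name for p in v) for k, v in res.items()}
```

Files that cannot be read are reported under `error` rather than dropped, so the examiner can see which parts of the disk were not covered by the hash comparison.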