
Research On The Identification Technique Of Cracked File Type Information In Windows

Posted on: 2008-07-29
Degree: Master
Type: Thesis
Country: China
Candidate: J Zheng
Full Text: PDF
GTID: 2178360242972370
Subject: Computer software and theory
Abstract/Summary:
Maliciously tampering with file-type information to disguise a file's real type, in order to entice users to open it, evade detection, or hide data, is one of the most common means of computer crime. To help combat computer crime, techniques for identifying maliciously tampered file-type information have become an active and difficult topic in computer forensics. This thesis studies the identification of maliciously tampered file-type information in depth and covers three aspects.

First, file-type identification based on a spherical space toroidal model is proposed. The statistical characteristics of files are extracted, and the zone in which a file type's statistical characteristics are distributed is described using the spherical space toroidal model. Because each file type's statistical characteristics describe a different zone, the method checks whether a file with maliciously tampered type information falls into the zone of its original file type. Experiments and analysis indicate that the time complexity of this algorithm is low and that it identifies file types well.

Second, file-type identification based on a k-spheroid space toroidal model is proposed. The distribution zone is described using K small spheres, so that the description can approach the real zone in which the file statistical characteristics are distributed; the method then detects whether the file with tampered type information falls into one of the small spheres. This algorithm can effectively identify differing file statistical characteristics within the same file type, and experiments and analysis indicate that it identifies file types with high efficiency.

Third, a novel file-type identification method based on NMF (non-negative matrix factorization) is proposed. A fingerprint is first calculated for every file type from the file statistical characteristics. The statistical characteristics of the file with tampered type information are then extracted, and a matrix is built from the file-type fingerprints and the tampered file's statistical characteristics. NMF is used to reduce the dimension of that matrix, and data is taken from the resulting low-dimensional matrix. Finally, the data of the file under examination is compared with the file-type fingerprints, which gives the true file type marked by the fingerprint.

The thesis closes with conclusions and directions for further research on techniques for identifying tampered file-type information.
Keywords/Search Tags:computer forensics, file statistic characteristic, spherical space toroidal model, k-spheroid space toroidal model, NMF algorithm
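The zone test described in the abstract can be illustrated with a short added example; it is not code from the thesis. It assumes a 256-bin byte-frequency histogram as the file statistic and plain Euclidean spheres (centre plus radius), and it takes pre-grouped training samples in place of whatever procedure the thesis uses to choose its K small spheres. All function names and sample data are constructed for the illustration.

```python
import hashlib
import math

def byte_hist(data):
    """Normalized 256-bin byte-frequency vector: the assumed file statistic."""
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    return [c / max(len(data), 1) for c in counts]

def dist(u, v):
    return math.sqrt(sum((a - b) ** 2 for a, b in zip(u, v)))

def fit_sphere(samples, margin=1.2):
    """Centre = mean histogram; radius = farthest training sample times margin."""
    hists = [byte_hist(s) for s in samples]
    centre = [sum(col) / len(hists) for col in zip(*hists)]
    return centre, margin * max(dist(h, centre) for h in hists)

def fit_models(training):
    """{type: [sample_group, ...]} -> {type: [(centre, radius), ...]}, one sphere per group."""
    return {t: [fit_sphere(g) for g in groups] for t, groups in training.items()}

def candidates(data, models):
    """Types for which the file's histogram falls inside at least one sphere."""
    h = byte_hist(data)
    return sorted(t for t, spheres in models.items()
                  if any(dist(h, c) <= r for c, r in spheres))

def extension_is_consistent(claimed, data, models):
    """False when the content lies outside every sphere of the claimed type."""
    return claimed in candidates(data, models)

def noise(seed, blocks=128):
    """Constructed high-entropy sample standing in for compressed or encrypted content."""
    return b"".join(hashlib.sha256(bytes([seed, i])).digest() for i in range(blocks))

# Constructed training data; "txt" has two statistically different groups,
# which is the situation the K-sphere description is meant to cover.
ENGLISH = [b"the quick brown fox jumps over the lazy dog " * 40,
           b"lorem ipsum dolor sit amet consectetur adipiscing elit " * 40,
           b"pack my box with five dozen liquor jugs " * 40]
CSV = [b"0123456789,9876543210\n" * 40, b"1024,2048,4096,8192\n" * 40,
       b"17,23,42,99,58\n" * 40]
MODELS = fit_models({"txt": [ENGLISH, CSV], "bin": [[noise(1), noise(2), noise(3)]]})

if __name__ == "__main__":
    for claimed, blob in [("txt", CSV[0]), ("txt", noise(2)), ("bin", ENGLISH[1])]:
        print(claimed, candidates(blob, MODELS), extension_is_consistent(claimed, blob, MODELS))
```

With only three samples per group the spheres are tight, so real use would need far more training files per type and a validated margin before treating a miss as evidence of tampering.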