Graduate Theses and Dissertations (2019 - present)

Date of Award

5-2026

Document Type

Thesis

Degree Name

M.S.

Department

Computer and Information Science

Committee Chair

Michael Black, Ph.D.

Abstract

As technology has become far more ubiquitous over the years, so too has the amount of digital evidence that can and must be collected and processed. Forensic tools are developed in response to this growing need, but they are limited to what they are programmed to do. One such tool is Autopsy, one of the most widely used open-source forensic tools. Autopsy uses known file-type signatures (e.g., headers, trailers) to identify and recover files from forensic images. Polyglot files pose a unique problem to signature-based forensic tools and investigators alike. In the context of this research, polyglot files are the specific case in which two files are intentionally concatenated (e.g., PNG+JAR). The file system registers the polyglot as a single file, yet it is valid in both formats. Polyglot files inherently evade detection by signature-based forensic tools because those tools search for basic file signatures without additional validation. Because of this limitation, the self-obfuscated payload within a polyglot file could go undetected, and the file itself would not be identified as a polyglot from the image without additional inspection by investigators. To help investigators, an algorithm was developed and evaluated that uses a signature-based approach to perform block-level analysis of a raw disk image to detect PNG and JAR concatenated polyglot files.
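The following is an added illustration of the detection idea the abstract describes, not the thesis's own algorithm: the raw image is read in fixed-size blocks, a PNG signature is located, the PNG chunk structure is walked to its IEND trailer, and a ZIP local-file header (the container format a JAR uses) beginning immediately after the trailer marks a concatenated PNG+JAR candidate. The block size, the sample image and the minimal PNG/JAR stubs are constructed here for the example.

```python
import io
import struct
import zipfile
import zlib

PNG_MAGIC = b"\x89PNG\r\n\x1a\n"
ZIP_LOCAL_HEADER = b"PK\x03\x04"   # start of a ZIP/JAR entry
ZIP_EOCD = b"PK\x05\x06"           # ZIP end-of-central-directory record
BLOCK = 512                         # assumed sector size for the scan

def png_end_offset(data, start):
    """Walk PNG chunks from the signature at `start`; return the offset just past IEND, or None."""
    pos = start + len(PNG_MAGIC)
    while pos + 8 <= len(data):
        length = struct.unpack(">I", data[pos:pos + 4])[0]
        ctype = data[pos + 4:pos + 8]
        pos += 8 + length + 4                    # length + type + payload + CRC
        if ctype == b"IEND":
            return pos
    return None                                  # truncated or not a well-formed PNG

def find_png_jar_polyglots(image):
    """Return (png_start, png_end, zip_start) for each PNG whose IEND is directly followed by a ZIP entry."""
    hits = []
    for off in range(0, len(image), BLOCK):
        idx = image[off:off + BLOCK].find(PNG_MAGIC)
        if idx == -1:
            continue
        start = off + idx
        end = png_end_offset(image, start)
        # A plain PNG ends at IEND; bytes after it that start a ZIP entry and are
        # followed by an EOCD record indicate an appended archive, i.e. a polyglot.
        if end is not None and image[end:end + 4] == ZIP_LOCAL_HEADER and image.find(ZIP_EOCD, end) != -1:
            hits.append((start, end, end))
    return hits

def png_chunk(ctype, payload=b""):
    return struct.pack(">I", len(payload)) + ctype + payload + struct.pack(">I", zlib.crc32(ctype + payload) & 0xFFFFFFFF)

def minimal_png():
    # Constructed structural stub: signature, a 1x1 IHDR and IEND (no IDAT), enough for the chunk walk.
    return PNG_MAGIC + png_chunk(b"IHDR", struct.pack(">IIBBBBB", 1, 1, 8, 0, 0, 0, 0)) + png_chunk(b"IEND")

def minimal_jar():
    # Constructed JAR stub: a real ZIP containing only a manifest.
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("META-INF/MANIFEST.MF", "Manifest-Version: 1.0\n")
    return buf.getvalue()

def build_sample_image():
    """Constructed raw image: a plain PNG, an empty block, then a PNG+JAR polyglot, then slack."""
    pad = lambda b: b + b"\x00" * (-len(b) % BLOCK)
    return pad(minimal_png()) + b"\x00" * BLOCK + pad(minimal_png() + minimal_jar()) + b"\x00" * BLOCK
```

Running `find_png_jar_polyglots(build_sample_image())` flags only the concatenated file at block offset 1024; the plain PNG in block 0 is not reported.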
