Information entropy is a mathematical measure of the complexity, that is the unpredictability, of the information contained in a data set. Entropy is now commonly used to classify files and to detect and analyse malicious code. An information entropy graph uses information entropy to show how the probability of occurrence of each item of information varies across a data set. Each well-known file type has a characteristic entropy value, and files can be sorted by it; with binary files, however, different files can have the same entropy value, so entropy alone leaves room for error. Identification with the fewest errors is therefore possible when entropy values and graph patterns are used together. In the forensic analysis process, hidden and tampered files must be detected, and with existing forensic methods the extensions of tampered files cannot be detected automatically from their headers and footers. Adding functions such as graph calculation and graph comparison increases the accuracy of the forensic process. In this study we showed that different files with the same entropy value can be distinguished by their information entropy graphs. The information entropy graphs of well-known files showed patterns that are meaningful for analysis and detection, and files with a damaged header, footer, or even body retained the same graph pattern even though their entropy values changed.
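The following is an added example, not code from the paper or its authors, illustrating the two claims above: two files with an identical overall entropy value can have clearly different entropy graphs, and tampering with a file's header and footer signatures changes its entropy value while leaving the graph pattern essentially intact. It assumes the "information entropy graph" is the sequence of Shannon entropies of consecutive fixed-size blocks (256 bytes here); the block size, the tolerance used to compare graphs, the sample "files" A, B and C, and the `tamper_signatures` helper are all constructed for this example and are not real file formats or the paper's method.

```python
import math
import random
from collections import Counter


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy of a byte string in bits per byte: 0.0 for a
    constant run, 8.0 for a perfectly uniform byte distribution."""
    if not data:
        return 0.0
    n = len(data)
    h = 0.0
    for count in Counter(data).values():
        p = count / n
        h -= p * math.log2(p)
    return h


def entropy_graph(data: bytes, block_size: int = 256) -> list:
    """The 'information entropy graph' as assumed here: entropy of each
    consecutive block_size-byte block, in file order."""
    return [shannon_entropy(data[i:i + block_size])
            for i in range(0, len(data), block_size)]


def graph_similarity(g1: list, g2: list, tol: float = 0.5) -> float:
    """Fraction of block positions whose entropies agree within tol bits.
    Extra blocks in the longer graph count as mismatches, so 1.0 means
    the two graphs have the same shape block for block."""
    longest = max(len(g1), len(g2))
    if longest == 0:
        return 1.0
    matches = sum(1 for a, b in zip(g1, g2) if abs(a - b) <= tol)
    return matches / longest


def identify(graph: list, known: dict, threshold: float = 0.9):
    """Name of the known graph closest to `graph`, or None when no known
    graph matches at least `threshold` of the block positions."""
    best_name, best_score = None, 0.0
    for name, ref in known.items():
        score = graph_similarity(graph, ref)
        if score > best_score:
            best_name, best_score = name, score
    return best_name if best_score >= threshold else None


# --- Constructed sample "files" (not real file formats) --------------------

# A and B have exactly the same overall entropy (1 bit/byte) but different
# layouts: A is 512 x 0x00 then 512 x 0xFF, B alternates 0x00/0xFF throughout.
FILE_A = bytes([0x00]) * 512 + bytes([0xFF]) * 512
FILE_B = bytes([0x00, 0xFF]) * 512

# C mimics a typical container: a short text-like header padded with zeros,
# a high-entropy (compressed-looking) body, and a short marker footer.
_rng = random.Random(1234)  # seeded so the constructed body is reproducible
HEADER = b"MAGIC\x00\x01\x00width=640;height=480;depth=24;".ljust(256, b"\x00")
BODY = bytes(_rng.getrandbits(8) for _ in range(2048))
FOOTER = b"END-OF-FILE".ljust(256, b"\x00")
FILE_C = HEADER + BODY + FOOTER


def tamper_signatures(data: bytes) -> bytes:
    """Simulated anti-forensic tampering (hypothetical): blank the 8-byte
    magic at the start and the 11-byte footer marker, leaving the body."""
    buf = bytearray(data)
    buf[0:8] = b"\x00" * 8
    buf[-256:-256 + 11] = b"\x00" * 11
    return bytes(buf)


FILE_C_TAMPERED = tamper_signatures(FILE_C)


def demo() -> dict:
    """Run the comparisons the abstract describes and return the results."""
    known = {"A": entropy_graph(FILE_A),
             "B": entropy_graph(FILE_B),
             "C": entropy_graph(FILE_C)}
    tampered_graph = entropy_graph(FILE_C_TAMPERED)
    return {
        "entropy_A": shannon_entropy(FILE_A),
        "entropy_B": shannon_entropy(FILE_B),
        "graph_A": known["A"],
        "graph_B": known["B"],
        "sim_AB": graph_similarity(known["A"], known["B"]),
        "graph_C": known["C"],
        "entropy_C": shannon_entropy(FILE_C),
        "entropy_C_tampered": shannon_entropy(FILE_C_TAMPERED),
        "sim_C_tampered": graph_similarity(known["C"], tampered_graph),
        "id_tampered": identify(tampered_graph, known),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Running it shows A and B both at exactly 1.0 bit/byte overall while their graphs are a flat line at 0 and a flat line at 1 respectively, so a whole-file entropy value cannot tell them apart but the graphs can. For C, blanking the magic and footer marker shifts the overall entropy value, yet only the first and last blocks move, and by far less than the comparison tolerance, so the graph still matches the known pattern for C and `identify` still labels the tampered file correctly even though a header/footer signature check would fail.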