FiFTy: Large-Scale File Fragment Type Identification Using Convolutional Neural Networks

We present FiFTy, a modern file-type identification tool for memory forensics and data carving. In contrast to previous approaches based on hand-crafted features, we design a compact neural network architecture, which uses a trainable embedding space. Our approach dispenses with the explicit feature extraction which has been a bottleneck in legacy systems. We evaluate the proposed method on a novel dataset with 75 file-types - the most diverse and balanced dataset reported to date. FiFTy consistently outperforms all baselines in terms of speed, accuracy and individual misclassification rates. We achieved an average accuracy of 77.5% with processing speed of approximate to 38 sec/GB, which is better and more than an order of magnitude faster than the previous state-of-the-art tool - Sceadan (69% at 9 min/GB). Our tool and the corresponding dataset is open-source.

Automated summary

FiFTy is a modern file-type identification tool for memory forensics and data carving, which uses a compact neural network architecture with a trainable embedding space. It outperforms legacy systems on a diverse dataset with 75 file-types in terms of speed, accuracy, and individual misclassification rates. The tool is open-source and achieves an average accuracy of 77.5% with a processing speed of approximately 38 sec/GB.