ディレクトリの変更履歴およびハッシュ値に基づいた残留ファイルの検出手法

抄録

There are a lot of information leakages because the files are copied from the removable storage medium and are left in the storage unit of personal computer without deleting. In order to prevent human mistakes, this paper proposes a method for detecting the remaining files copied from the removable storage medium. The proposed method records logs regarding changed information registering in a directory that is management list of files in storage unit and the hash values of file contents. The remaining files are detected when the removable storage medium removes from the personal computer, and they are displayed on the monitor. The detection processing works in five steps. First, copy operation toward file is detected by tracing the sequence of logs. Secondly, files copied from the removable storage medium are distinguished based on hash values. Thirdly, file operation and folder operation to copied files are distinguished. Fourthly, the deletion operation against the copied file is detected by using file name and path matching. Finally, file name and path using for tracing are changed according to folder operation. In case of the deletion operation is not found, it is judged that copied files are remaining. Our experimental result suggests that the proposed method can accurately detect remaining files left on the storage unit.