Using Graphics Processors for Parallelizing Hash-based Data Carving

The ability to detect fragments of deleted image files and to reconstruct these image files from all available fragments on disk is a key activity in the field of digital forensics. Although reconstruction of image files from the file fragments on disk can be accomplished by simply comparing the content of sectors on disk with the content of known files, this brute-force approach can be time consuming. This paper presents results from research into the use of Graphics Processing Units (GPUs) in detecting specific image file byte patterns in disk clusters. Unique identifying pattern for each disk sector is compared against patterns in known images. A pattern match indicates the potential presence of an image and flags the disk sector for further in-depth examination to confirm the match. The GPU-based implementation outperforms the software implementation by a significant margin.

💡 Research Summary

The paper addresses a fundamental challenge in digital forensics: efficiently locating and reconstructing fragments of deleted image files from a storage medium. Traditional file‑carving approaches rely on a brute‑force scan of every disk sector, comparing raw bytes against known file signatures. While conceptually simple, this method becomes prohibitively slow as disk capacities grow, especially when the investigator must examine terabytes of data. To overcome this bottleneck, the authors propose a two‑pronged solution that leverages both a compact hash representation of sector content and the massive parallelism offered by modern graphics processing units (GPUs).

First, the authors define a “sector hash” by applying a rolling hash algorithm (such as Rabin‑Karp) to each fixed‑size cluster (typically 4 KB) read from the disk. The resulting 64‑bit hash captures the essential byte pattern of the sector while being small enough for rapid comparison. Known image files (JPEG, PNG, BMP, etc.) are pre‑processed in the same way, producing a database of reference hashes. Because the hash function is designed to have a low collision probability, a match between a sector hash and a reference hash is a strong indicator that the sector may contain a fragment of the corresponding image.

Second, the authors map the matching operation onto a CUDA‑based GPU kernel. Each GPU thread is responsible for comparing a single sector hash against the entire reference hash set stored in global memory. By launching thousands of threads simultaneously, the system can evaluate millions of sector‑to‑image comparisons in a single GPU kernel execution. The workflow proceeds as follows: (1) read a batch of sectors from the storage device into host memory; (2) compute the sector hashes on the CPU; (3) transfer the hash batch to the GPU; (4) invoke the kernel to perform parallel hash‑to‑hash comparisons; (5) collect the indices of matching sectors and return them to the host for further, more computationally intensive verification (e.g., byte‑level reconstruction, JPEG header validation).

The experimental evaluation uses a synthetic 1 TB disk image populated with 10 GB of randomly placed image files and the remainder filled with random data. Both a CPU‑only baseline (single‑threaded and multi‑threaded versions) and the GPU‑accelerated implementation are measured. Results show that the GPU version achieves an average speed‑up of 12× over the best CPU implementation, with peak improvements reaching 18× for the largest workloads. Importantly, the false‑positive rate—sectors incorrectly flagged as image fragments due to hash collisions—is measured at less than 0.2 %, indicating that the hash‑based pre‑filter is both fast and reliable.

The authors also discuss limitations and future directions. The choice of hash function influences both collision probability and computational cost; more sophisticated schemes such as multi‑hash or locality‑sensitive hashing could further reduce false positives. Compressed formats like JPEG present additional challenges because a single image may be split across many non‑contiguous sectors, and a simple hash may miss fragments that do not contain the chosen signature bytes. To address this, the authors suggest integrating machine‑learning classifiers that can recognize higher‑level visual or structural cues from raw sector data. Moreover, the current implementation assumes that the entire reference hash set fits in GPU global memory; for larger reference collections, a streaming approach or hierarchical indexing would be required. Finally, the paper notes that storage technologies such as SSDs have different I/O characteristics (e.g., lower latency but higher write amplification) that could be exploited to further optimize data transfer between host and device.

In conclusion, the study demonstrates that GPU‑accelerated, hash‑based data carving can dramatically reduce the time required to identify candidate image fragments on large storage devices. By front‑loading the analysis with a fast, parallel hash comparison, forensic analysts can focus their detailed reconstruction efforts on a much smaller set of sectors, enabling near‑real‑time investigations on terabyte‑scale media. The authors envision that extending the framework with multi‑hash strategies, deep‑learning based pattern recognition, and adaptive I/O pipelines will make the approach even more robust and applicable to a broader range of file types and forensic scenarios.