The method of elf-files identification based on the metric classification algorithms


Bibliographic Details
Main Authors: Igor Zikratov, Igor Pantiukhin, Irina Krivtsova, Nikita Druzhinin
Format: Article
Language: English
Published: FRUCT 2016-04-01
Series: Proceedings of the XXth Conference of Open Innovations Association FRUCT
Subjects: information security; audit of medium; identification files; elf-files; metric algorithms
Online Access: https://fruct.org/publications/fruct18/files/Zik.pdf
collection DOAJ
description When performing an internal audit of computer equipment, an important problem is to identify the ELF (Executable and Linkable Format) files stored on the hard drive under investigation. To solve this problem, we propose a method of identifying unknown elf-files based on metric classification algorithms. The method consists of three stages. In the first stage, the training sample is prepared by disassembling each file and representing it as an ordered set of 118 elements. Each element is the frequency of occurrence of one of the 118 most commonly used instructions in the assembler code. Each program in the sample is represented by several such sets, corresponding to the different versions or operating systems on which the software is installed. In the second stage, the Minkowski distance between each sample file and the file to be identified is calculated; for the potential-function method, the reference elements of each set are selected. In the third stage, metric classification algorithms are used to decide which program from the sample the file to be identified belongs to. To validate the proposed method, an experiment was conducted; the resulting identification accuracy for elf-files was 89.60%. The results indicate that the method is applicable to the identification of elf-files during an internal audit of computer equipment. The advantages of the method are accurate program identification regardless of the elf-file version across Linux operating systems, ease of implementation, and identification speed, which make it useful not only for internal audit but also for other computer forensics tasks.
first_indexed 2024-04-12T11:00:41Z
format Article
id doaj.art-ddf97ad6288446048d2768b106e16ae6
institution Directory Open Access Journal
issn 2305-7254
2343-0737
language English
last_indexed 2024-04-12T11:00:41Z
publishDate 2016-04-01
publisher FRUCT
record_format Article
series Proceedings of the XXth Conference of Open Innovations Association FRUCT
doi 10.1109/FRUCT-ISPIT.2016.7561556
affiliation ITMO University, Saint Petersburg, Russia (all four authors)
topic information security
audit of medium
identification files
elf-files
metric algorithms
url https://fruct.org/publications/fruct18/files/Zik.pdf