Hierarchical Deep Learning for File Fragment Classification

Abstract

File fragment classification is crucial in digital forensics, aiding in the recovery and reconstruction of fragmented files, which serve as key evidence; while deep learning techniques have advanced in this area, challenges remain, particularly regarding the consideration of inter-file-type relationships and the granularity of classification. To overcome these challenges, we introduce a hierarchical classification approach that leverages an agglomerative hierarchical clustering algorithm combined with a dynamic adjustment mechanism, optimizing category distribution among leaf nodes. This structure is further enhanced by developing specific classifiers for each leaf node, tailored to its unique characteristics. Experimental results on the FFT-75 dataset show that our method achieves 76.3% accuracy in a 75-class scenario (512-byte blocks), surpassing the accuracy achieved with existing approaches. This method improves classification accuracy, addressing misclassification issues caused by excessive classification types.

1. Introduction

Digital forensics is a method used to investigate and analyze digital devices or data, playing a crucial role in fields such as criminal investigations, legal proceedings, and cyber security. It aids investigators in collecting, analyzing, and preserving digital evidence, thereby uncovering criminal activities, establishing case facts, and safeguarding data security and privacy.

In digital forensics, file fragment classification is critical. With the diversification of file storage and transmission methods, files are often divided into multiple fragments and stored in different locations, posing challenges for digital forensics. Particularly noteworthy is that files are frequently damaged or deliberately deleted by human intervention, leading to partial overwriting of file content. Consequently, investigative clues and evidence that forensic examiners attempt to acquire from storage media (including raw flash media) or memory images often do not exist as intact files but reside as fragments on the media. File fragment classification analyzes the content and characteristics of file fragments, helping to restore and reconstruct divided files, thereby recovering complete digital evidence. It can identify different types of file fragments, including text, images, and videos, providing valuable information and clues for digital forensics. By leveraging file fragment classification, investigators can analyze case details more accurately, locate key evidence, expedite case resolution, and improve the efficiency and accuracy of forensic investigations.

Digital forensics, a critical tool for investigating cyber crimes and network attacks, faces the challenge of recovering and identifying file types when metadata is absent. Traditional recovery methods based on file system metadata become ineffective in such scenarios, prompting forensic analysts to rely on file carving techniques to reconstruct files based on their content rather than metadata. However, classifying the file fragments generated during the file carving process has emerged as a research hot spot. Existing methods can be categorized into two types: magic-number-based and content-based approaches. Magic-number-based methods have limitations when dealing with files lacking distinct magic numbers or highly fragmented files, making content-based methods the focus of increasing attention.

Traditional file fragment classification methods, such as those relying on file extensions and magic numbers, perform poorly due to loss of metadata or file fragmentation. As a result, researchers have turned to machine learning techniques. They utilize feature extraction methods like n-grams [1,2], Shannon entropy [3,4,5], or Kolmogorov complexity [3], combined with machine learning algorithms such as support vector machines [1,4,5,6,7], decision trees [8,9], sparse coding [2], and neural networks [8,10,11,12,13], to classify the type of a given file fragment. However, these methods, although performing well in certain cases, are still affected by file fragmentation, especially in severely fragmented scenarios. Additionally, methods relying on manually extracted features have several drawbacks. They are time-consuming, labor-intensive, highly subjective, limited in generalization ability, and lack interpretability. These issues constrain model performance.

In recent years, deep learning has made significant progress in file fragment classification. By utilizing deep learning models such as convolutional neural networks (CNNs), tools like Gray-scale [14] and FiFTy [15] have demonstrated effectiveness in file fragment classification. However, despite CNNs being one of the most commonly used deep learning models for classification tasks, existing solutions still have room for improvement in terms of performance and accuracy. For instance, they fail to consider the relationships between different file types and overlook the granularity of classification.

Therefore, to avoid explicit feature computation, we explore deep learning methods. Unlike previous works, we fully consider file type relationships and design a hierarchical classification structure based on agglomerative hierarchical clustering. Additionally, we introduce a dynamic adjustment mechanism to optimize category distribution among leaf nodes, enhancing the rationality and stability of the hierarchical structure. Building on this foundation, we develop dedicated classifiers for each leaf node and select appropriate classifiers for training based on leaf node characteristics. This design ensures optimized classifiers for specific leaf nodes categories, significantly improving accuracy and efficiency of file fragment classification. It alleviates misclassification problems caused by an excessive number of classification types, and the hierarchical structure model is simple and easy to expand. Our contributions are as follows:

• A hierarchical classification structure with a dynamic adjustment mechanism is designed based on the relationships between file types.
• Dedicated classifiers are built for each leaf node, fully considering the unique data characteristics of each node, and selecting appropriate classification models for targeted training.
• Extensive experimental validation on the FFT-75 dataset demonstrates that our method exhibits outstanding performance, achieving state-of-the-art results.

The organization of the paper is as follows:

In Section 2, we provide a systematic review and overview of related work in file fragment classification. Section 3 details our proposed hierarchical clustering algorithm and the design of dedicated classifiers. In Section 4, we report the results of the experimental evaluation, validating the effectiveness and superiority of the proposed model through data analysis and comparisons. Finally, in Section 5, we summarize the main findings and contributions of the study and highlight potential directions for future research. The code implementation of this framework is publicly available on GitHub (version 1.0.0) for reproducibility and further research, and can be accessed at: https://github.com/zbl-test/Hierarchical_FFC/releases/tag/V1.0.0 (accessed on 29 March 2026).

2. Related Work

The algorithm proposed by Karresand et al. [16] classifies data fragments by measuring the rate of change in the byte content of digital media and extends the Oscar method based on byte frequency distribution presented in previous papers. Evaluation of the new method showed a detection rate of 99.2% when scanning JPEG data, with no false positives. Even the slowest implementation could scan a 72.2MB file in approximately 2.5 s and demonstrated linear scalability. Calhoun et al. [17] proposed two algorithms: one based on Fisher Linear Discriminant Analysis and the other on the Longest Common Sub-Sequence, to improve accuracy and efficiency of file type prediction. Experimental results show these methods have potential in predicting file types, especially when handling file fragments without header information. Masoumi et al. [18] divided files into different fragments and then extracted features of file fragments using Binary Frequency Distribution (BFD). They performed dimensionality reduction using the SFS and SFFS algorithms and utilized MLP, SVM, and KNN classifiers for type identification. Results showed this method could effectively identify six common file types. Bhatt et al. [19] proposed a hierarchical machine-learning-based file fragment classification method, using optimized support vector machines (SVMs) as the base classifier and defining a raw classification system for file types. Evaluation on a dataset containing 14 file types showed the method achieved an average accuracy of 67.78% and F1-measure of 65% under 10-fold cross-validation. Hanis et al. [9] used machine learning methods to classify five common text file formats: PDF, DOC, DOCX, RTF, and TXT. They also examined the impact of contextual language on file fragment classification. When training and testing in the same language environment, the classification accuracies for Persian, English, and Chinese reached 85.6%, 76.4%, and 86.1%, respectively. In different language environments, the average accuracies dropped to 60.0%, 58.5%, and 71.4%. Karampidis et al. [13] proposed a file type recognition method based on computational intelligence techniques, achieving accurate detection of common image file types (jpg, png, gif) and uncompressed tiff images through a three-stage process involving feature extraction, genetic algorithm-based feature selection, and neural network classification. Experimental results showed this method had very high recognition accuracy for tampered image file types. Wang et al. [2] proposed an automated feature extraction method based on sparse coding, which, by learning sparse dictionaries of n-grams of different sizes, could estimate the n-gram frequency of a given file fragment without being affected by combinatorial explosion. The statistical and machine-learning-based methods above generally have several issues, such as the need for manual feature extraction, reliance on experience, time consumption, and limited focus on file types.

Recent deep learning advances have driven file fragment classification toward end-to-end feature learning and performance breakthroughs. Wang et al. [20] proposed JSANet, a joint self-attention network integrating byte, channel and sector self-attention modules, which fuses intra-sector local features and inter-sector contextual information and improves accuracy by over 16.3% on the self-built variable-length fragment dataset VFF-16. Aiming at the class imbalance problem in forensic datasets, Alam et al. [21] designed a hybrid resampling framework combining SMOTE oversampling and ENN/Tomek undersampling, cooperating with TF-IDF feature selection and random forest classifier, which increased the weighted average true positive rate to 81.6%. Different from traditional CNNs, Park et al. [22] constructed XMP, the first Transformer encoder-based model for file fragment classification, which adopted multi-scale self-attention and cross-attention with Performer complexity optimization and achieved state-of-the-art results on FFT-75. On this basis, Liu et al. [23] introduced Gaussian Bit-Flip (GBFlip) binary data augmentation and parameter-efficient fine-tuning strategies for XMP, which alleviated the inductive bias of CNNs and enhanced the cross-domain generalization ability of the model.

Mittal et al. [15] designed a modern file-type-identification tool for memory forensics and data recovery, called FiFTy. It uses a compact neural network architecture in a trainable embedding space, eliminating the need for explicit feature extraction. Evaluated on their proposed new dataset of 75 file types, FFT-75, FiFTy outperforms all baseline methods in speed, accuracy, and individual misclassification rates. Specifically, FiFTy is an order of magnitude faster than the previous tool, Sceadan [1], with an average accuracy of 77.5% and a processing speed of about 38 s per GB. Saaim et al. [24] proposed a new lightweight file fragment classification method that uses depth-separable convolutional neural networks to improve classification accuracy and speed while reducing computational resource requirements, achieving an accuracy of 78.45% on the FFT-75 dataset. Zhu et al. [25] proposed a file fragment type identification method based on convolutional neural networks (CNN) and long short-term memory networks (LSTM), achieving an average accuracy of 66.5% (512 bytes) and 78.6% (4096 bytes) on the FFT-75 dataset. Wang et al. [26] proposed a method combining image representation and a deep Inception-Attention mechanism for file type and malware classification. By converting the data sequences in memory blocks into two-dimensional binary images and using the deep Inception-Attention network to extract features and predict file types, this method showed superiority in large-scale benchmark tests. Furthermore, it can be extended to malware classification tasks and achieved significant performance. Liu et al. [27] introduced a new data augmentation technique called Byte2Image for file fragment classification. This technique views file fragments in small memory blocks as two-dimensional gray-scale images and incorporates previously ignored byte-level bit information to capture inter-byte relationships. Experimental results show that this method achieves higher accuracy than existing methods on the FFT-75 dataset. Although some researchers have explored deep learning methods in recent years, there are still some issues, such as insufficient accuracy and failure to consider inter-file-type relationships.

3. Methodology

The file fragment classification problem aims to identify a function f, which can accurately map input data $\mathbf{x}$, the raw data of memory blocks or file fragments, to the correct file type label y:

$$f:\mathbf{x}\in {\mathbb{Z}}_{255}^{N_s}\to y\in \{\mathrm{JPG},\mathrm{PNG},\dots ,\mathrm{DOCX}\}$$

(1)

where ${\mathbb{Z}}_{255}=\{0,1,\dots ,255\}$ and $N_s$ denotes the length of the byte sequence (512 or 4096). To address this problem, we consider file type relationships and propose a multi-level classification method combining hierarchical clustering with deep learning classifiers. By constructing a hierarchical category tree structure, we incorporate category relationships into the classification model, improving accuracy and robustness for complex file fragment classification tasks.

3.1. Hierarchical Clustering Strategy

Given a training dataset $\mathcal{D}={\left\{({\mathbf{x}}_i,y_i)\right\}}_{i=1}^N$ with C classes, where each sample ${\mathbf{x}}_i$ is a 512-byte file fragment and forms the feature space for hierarchical clustering—a 512-dimensional raw byte feature space. In this space, each dimension corresponds to the original byte value of the file fragment at a specific position, with the byte value ranging from 0 to 255 (i.e., ${\mathbf{x}}_i\in {\mathbb{Z}}_{255}^{512}$). We first compute the category-wise mean feature vector for each class c:   

$${\mathit{\mu }}_c={\displaystyle \frac{1}{N_c}}\sum _{i:y_i=c}{\mathbf{x}}_i$$

(2)

where $N_c$ is the number of samples in class c. These mean vectors represent class prototypes in the feature space.

We perform agglomerative hierarchical clustering on the set of prototypes $\mathcal{M}=\{{\mathit{\mu }}_1,\dots ,{\mathit{\mu }}_C\}$ in three levels. At each level, we apply Ward’s linkage criterion to minimize the within-cluster variance. The clustering yields a tree structure where the root node contains all classes, internal nodes represent intermediate groupings, and leaf nodes contain subsets of classes for final classification.

Let $\mathcal{T}$ denote the resulting tree structure. Each leaf node $S\in \mathcal{T}$ represents a subset of classes that will be handled by a dedicated classifier. The hierarchical decomposition allows classifiers to focus on discriminating between visually or semantically similar classes grouped together in the same branch.

3.2. Leaf Node Optimization

To ensure effective training, we enforce constraints on the cardinality of leaf nodes. Empirically, we found that nodes with too few classes (<4) lead to overfitting, while nodes with too many classes (>15) make the classification task overly difficult.

For any leaf node S with $\left|S\right|<{\tau }_{min}$ (where ${\tau }_{min}=4$), we merge it with its sibling node $S^{\prime }$ subject to the constraint that the merged node does not exceed the maximum size ${\tau }_{max}=15$:

$$S^{\prime }\leftarrow S^{\prime }\cup S,\mathrm{if}\left|S\right|<{\tau }_{min}\mathrm{and}|S^{\prime }\cup S|\le {\tau }_{max}$$

(3)

Conversely, for nodes with $\left|S\right|>{\tau }_{max}$, we split the node into two balanced subsets by bipartitioning the class set into two halves of approximately equal size. This optimization ensures that all leaf nodes contain between 4 and 15 classes, striking a balance between specialization and sufficient training data per class. If no suitable sibling node is available for merging (i.e., all siblings would exceed the maximum size limit after merging), a new leaf node is created to accommodate the categories that would otherwise be left without a valid assignment. The threshold settings were primarily determined empirically based on the distribution of the 75 file types in the FFT-75 dataset.

The resulting hierarchical category tree structure with dynamic adjustment is illustrated in Figure 1, which fully describes the hierarchical relationships among categories while maintaining a balanced distribution of categories at the leaf nodes.

The overall hierarchical clustering procedure with dynamic adjustment is summarized in Algorithm 1.

Algorithm 1 Hierarchical clustering with dynamic adjustment.

Require:  Category mean vectors $\mathcal{M}={\left\{{\mathit{\mu }}_c\right\}}_{c=1}^C$; number of clusters at each level Ensure:  Hierarchical tree structure $\mathcal{T}$   1: Perform Level 1 clustering with Ward’s linkage to obtain $K_1$ clusters   2: for each Level 1 cluster i do   3:   Perform Level 2 clustering to obtain $K_2^{\left(i\right)}$ sub-clusters   4:   for each Level 2 sub-cluster j do   5:     Perform Level 3 clustering to obtain $K_3^{(i,j)}$ leaf candidates   6:     for each Level 3 candidate k with label set S do   7:       if $\left|S\right|<{\tau }_{min}$ then   8:         Merge S into sibling node using Equation (3)   9:       else if $\left|S\right|>{\tau }_{max}$ then 10:         Split S into two balanced sub-nodes 11:       else 12:         Assign S as final leaf node 13:       end if 14:     end for 15:   end for 16: end for 17: return Optimized tree structure $\mathcal{T}$

This clear organizational framework enhances the training and optimization of classifiers, improving classification performance.

3.3. Neural Network Classifiers

For each leaf node S containing M classes, we train a convolutional neural network classifier $f_S:{\mathbb{R}}^{N_s}\to {\mathbb{R}}^M$ that maps an input byte sequence to class probabilities.

Embedding layer: The discrete input sequence (byte values ranging from 0 to 255) is first transformed into dense vector representations through an embedding lookup operation. The embedding layer maps 256 possible byte values (vocabulary size) to $d_e=64$-dimensional vectors, producing a matrix $\mathbf{E}\in {\mathbb{R}}^{N_s\times d_e}$.

Convolutional feature extraction: The network employs multiple one-dimensional convolutional layers to extract hierarchical features. Each convolutional layer applies a set of learnable filters to the input feature maps, followed by a non-linear activation function. We employ the Leaky Rectified Linear Unit (LeakyReLU) as the activation function:

$$\varphi \left(z\right)=max(z,\alpha z)=\left\{\begin{array}{cc}z,\hfill & z>0\hfill \\ \alpha z,\hfill & z\le 0\hfill \end{array}\right.$$

(4)

where $\alpha =0.3$ is a hyperparameter controlling the negative slope. This activation mitigates the dying ReLU problem by allowing small negative gradients to flow through.

Following each convolutional layer (except the last), we apply max-pooling with pooling size 2 to reduce the spatial dimensions and increase the receptive field. The pooling operation computes the maximum value within each local neighborhood.

Global aggregation: After the final convolutional block, we apply global average pooling to aggregate spatial information across the entire sequence, producing a fixed-dimensional feature vector $\mathbf{g}\in {\mathbb{R}}^F$ regardless of the input length.

Classification head: The pooled features pass through a fully-connected layer with dropout regularization (dropout rate $p\in \{0.1,0.2\}$), followed by the final linear transformation and softmax activation to obtain class probabilities:

$$\widehat{\mathbf{y}}=\mathrm{softmax}(\mathbf{W}·\mathrm{dropout}\left(\mathbf{g}\right)+\mathbf{b})$$

(5)

where $\mathbf{W}\in {\mathbb{R}}^{M\times F}$ and $\mathbf{b}\in {\mathbb{R}}^M$ are learnable parameters.

The network is trained by minimizing the categorical cross-entropy loss between the predicted probabilities and the ground truth one-hot encoded labels.

3.4. Architecture Variants

We employ two architecture variants tailored to the complexity of different leaf nodes:

• P1 (deep architecture): This is used for complex leaf nodes requiring fine-grained discrimination (e.g., leaf nodes containing diverse multimedia formats). This variant comprises 4 convolutional layers with filter sizes $(32,64,128,128)$, the first followed by max-pooling, and the second directly connected to global average pooling. The deeper architecture captures more complex patterns at the cost of increased computational requirements. The dropout rate is set to 0.2. The architecture is depicted in Figure 2.

• P2 (shallow architecture): This is used for simpler leaf nodes. This variant uses 2 convolutional layers with 32 filters each. The first convolutional layer is followed by max-pooling, while the second layer directly connects to the global average pooling layer, reducing computational complexity for simpler classification tasks. Dropout rate is set to 0.1. The architecture is depicted in Figure 3.

The selection of network architectures is determined by an empirical evaluation of the classification task complexity for each leaf node, which is systematically conducted based on two core criteria. First is the feature complexity of the categories within each leaf node: P1 is adopted if a leaf node contains high-entropy file types (e.g., compressed files, multimedia files, installation packages) and files with complex binary structures (e.g., compound document formats, embedded multi-stream media files); in contrast, P2 is used for leaf nodes consisting of low-entropy file types with regular binary structures (e.g., plain text files, raw image files, log files). Second is the baseline classification accuracy: a shallow P2-like baseline model is first trained for preliminary classification on each leaf node; P1 is then employed to enhance the model’s feature extraction capability if the average baseline classification accuracy of the leaf node is below 60%, while P2 is sufficient to achieve accurate classification when the baseline accuracy exceeds 60%. Specifically, the leaf nodes Level_3_1_0_1 and Level_3_1_0_2 contain a variety of multimedia formats characterized by high entropy and complex binary structures, and their classification accuracy on the shallow P2-like baseline model is below 60%, thus satisfying both criteria for P1 adoption and being configured with the P1 classifier. All other leaf nodes comprise low-entropy categories with regular binary structures and yield a classification accuracy above 60% on the P2-like baseline model, which meets the requirements for P2 application, and are therefore uniformly equipped with the P2 classifier. This heuristic selection strategy not only ensures that complex classification tasks are supported by adequate model capacity but also preserves the computational efficiency of simple classification tasks.

The classifier system, designed based on the characteristics of each leaf node, ensures that the classifier for each node can efficiently handle its corresponding category, thereby improving the overall classification accuracy of the hierarchical structure.

4. Experimental Evaluation

4.1. Experimental Setup

4.1.1. Dataset

We evaluated our method on the large-scale dataset FFT-75 [28], the largest corpus to date for file fragment type classification. It comprises six scenarios, considering both 512-byte and 4096-byte file system clusters. Scenario 1 contains 75 file types, such as JPEG, PDF, and ZIP, with a total of 7.5 million samples. For our experiments, we utilized the 512-byte clusters from Scenario 1.

4.1.2. Implementation Details

The hierarchical clustering algorithm initializes the number of clusters as follows: the first layer (Level 1) consists of 2 clusters, the second layer (Level 2) divides each cluster from the first layer into 2 or 3 sub-clusters, and the third layer (Level 3) further subdivides the sub-clusters from the second layer based on the structure $\left[\right[2,1],[4,1,2\left]\right]$. The thresholds for merging and splitting leaf nodes are set to ${\tau }_{min}=4$ and ${\tau }_{max}=15$, respectively.

Both the P1 and P2 classifiers use an embedding size of 64, with dropout rates of 0.2 and 0.1, respectively. The optimizer is Adam, and the loss function is categorical cross-entropy. Each model is trained for 30 epochs.

We evaluate our model using per-class accuracy and average accuracy, calculated as follows:

$${\mathrm{Accuracy}}_i={\displaystyle \frac{a_i}{b_i}},\hspace{1em}\mathrm{Avg\_Accuracy}={\displaystyle \frac{1}{n}}\sum _{i=1}^n{\displaystyle \frac{a_i}{b_i}}$$

(6)

where $a_i$ denotes the number of correctly predicted samples for class i, $b_i$ is the total number of samples for class i, and n is the total number of classes.

Our experimental environment is as follows: CPU: Intel(R) Xeon(R) Silver 4114 CPU @ 2.20 GHz; GPU: Tesla P40 24 GB; RAM: 106 GB; OS: Ubuntu 16.04.

4.2. Experimental Results

The clustering results shown in Figure 1 accurately reflect feature similarities and potential associations between file types, demonstrating the effectiveness of the clustering algorithm for file classification. Key observations include:

• Level_3_0_0_0 (ARW, RW2, 3FR, DLL, WMA, PCAP, DWG): Groups raw image files with dynamic link libraries, audio files, and network packet files, possibly due to consistency in binary structure or data header features.
• Level_3_0_0_1 (EPS, MACH-O, ELF, DOC, MD, RTF, TXT, TEX, JSON, HTML, XML, LOG, CSV, SQLITE): Accurately groups text files, executable files, and code files, demonstrating shared storage structures and text markup features.
• Level_3_0_1_0 (NRW, RAF, XLS, TTF): Groups raw image formats with spreadsheet and font files, possibly due to similarities in file metadata or format markers.
• Level_3_1_0_0 (CR2, ORF, MOV, 3GP, WEBM, JAR, MOBI, PDF, AIFF, FLAC, M4A, WAV, BMP, KEY, PPTX): Successfully clusters multimedia files sharing specific encoding and packaging formats.
• Level_3_1_0_1 (JPG, DNG, TIFF, HEIC, PNG, MP4, AVI, MKV, OGV, APK, MSI, DMG, 7Z, MP3): Includes mainstream multimedia files, installation packages, and compressed files.
• Level_3_1_0_2 (BZ2, DEB, GZ, PKG, RAR, RPM, XZ, ZIP, EXE, DOCX, XLSX, DJVU, EPUB): Groups compressed files and advanced document formats.
• Level_3_1_0_3 (NEF, GIF, AI, PSD, PPT, OGG): Groups design files, image files, and audio files.
• Merged_Leaf (GPR, PEF): Groups raw image formats with unique storage characteristics.

The clustering results are highly consistent with the inherent properties of the file types, clearly displaying the associations and feature similarities among categories. This also verifies the rationality of the proposed hierarchical clustering process: the three-level agglomerative clustering based on the 512-dimensional raw byte feature space and Ward’s linkage criterion can accurately capture the feature similarity between different file types, and the dynamic adjustment mechanism of leaf nodes (merge/split) further optimizes the category distribution of each leaf node. The resulting hierarchical structure not only reflects the intrinsic relationships between file types but also provides a reasonable grouping basis for the subsequent dedicated classifiers, which is the key to reducing the complexity of the classification task and improving the overall classification accuracy.

Table 1. Evaluation results on FFT-75 dataset (scenario #1, 512 bytes).

No.	Classes	Acc. (%)	No.	Classes	Acc. (%)	No.	Classes	Acc. (%)
1	arw	100	26	nef	98	51	pptx	69
2	gpr	100	27	mkv	98	52	apk	68
3	nrw	100	28	doc	98	53	key	68
4	pef	100	29	m4a	98	54	pdf	65
5	raf	100	30	mobi	97	55	jar	63
6	3fr	100	31	txt	97	56	djvu	58
7	eps	100	32	jpg	96	57	flac	58
8	xls	100	33	tiff	96	58	rpm	48
9	json	100	34	psd	96	59	avi	46
10	xml	100	35	mach-o	96	60	dmg	44
11	log	100	36	ogg	96	61	zip	40
12	csv	100	37	elf	94	62	gz	36
13	aiff	100	38	pcap	94	63	mov	34
14	wav	100	39	xlsx	93	64	msi	34
15	wma	100	40	orf	92	65	epub	29
16	ttf	100	41	cr2	91	66	deb	26
17	dwg	100	42	gif	90	67	pkg	25
18	rw2	99	43	3gp	90	68	rar	23
19	dll	99	44	bmp	85	69	mp4	21
20	md	99	45	ppt	84	70	7z	21
21	rtf	99	46	ogv	82	71	docx	21
22	tex	99	47	dng	81	72	heic	20
23	html	99	48	ai	78	73	bz2	19
24	mp3	99	49	webm	71	74	exe	18
25	sqlite	99	50	png	70	75	xz	16

presents evaluation results of our model on the FFT-75 dataset. Overall, some file types achieved very high classification accuracy, such as ARW, GPR, XLS, JSON, and XML, with 100% accuracy. Moreover, categories like JPG, TIFF, MKV, ELF, and DLL also exhibited accuracy rates exceeding 90%, demonstrating excellent performance.

However, significant classification challenges persist in specific file types:

• HEIC (20%): As a high-efficiency image container, its high entropy characteristics (from advanced compression) and fragmented data distribution lead to misclassification, mainly as 7z (27.7%), followed by mp4 (19.1%) and avi (11.3%).
• MP4 (21%): Combines compound structure (embedded video/audio/metadata) with high entropy (e.g., H.265 encoding), causing misclassification, mainly as 7z (28.4%), followed by avi (17.2%) and dmg (3.8%).
• DOCX (21%): Compound document format with embedded multimedia elements (images, formatting tags), resulting in cross-type misclassification, mainly as epub (16.2%), followed by bz2 (10.9%) and gz (10.6%).
• 7Z (21%)/BZ2 (19%)/XZ (16%): Exhibit extreme high entropy (redundancy elimination via deep compression), resulting in severe misclassification; specifically, XZ is mainly misclassified as bz2 (23.1%), followed by djvu (10.0%) and docx (8.5%), while BZ2 is mainly misclassified as xz (24.9%), followed by docx (9.1%) and deb (5.7%).
• EXE (18%): Windows executables’ complex structure (code/resources/strings) and high entropy drive misclassification, mainly as xz (27.2%), followed by bz2 (18.4%) and djvu (9.2%).

These categories showed poor classification performance, which may require further optimization of the model or feature extraction methods.

Table 2. Comparison with other methods on FFT-75 dataset (scenario #1, 512 bytes).

Method	Feature	Accuracy (%)
FiFTy [15]	Raw data	65.6
DS-CNN [24]	Raw data	65.9
Byte2Image [27]	Intra-byte n-grams	71.0
Ours	Raw data	76.3

compares our model with other methods on the FFT-75 dataset. We evaluated our method against state-of-the-art approaches (e.g., FiFTy [15], DS-CNN [24], and Byte2Image [27]) on FFT-75 Scenario #1 (512 bytes). All baseline methods in Table 2 were tested under the exactly identical experimental settings as adopted in our study. The baseline results cited are the officially reported values from their original studies, and we have reproduced all these baseline methods in the same experimental environment, with the difference between the reproduced accuracy and the originally reported values being less than 1%. Our model achieved an average accuracy of 76.3%, which is 10.7% higher than FiFTy, 10.4% higher than DS-CNN, and 5.3% higher than Byte2Image.

5. Conclusions

In this paper, we proposed a hierarchical classification structure based on the agglomerative hierarchical clustering algorithm, combined with deep learning methods, significantly improving the performance of file fragment classification. By introducing a dynamic adjustment mechanism, we ensured a reasonable category distribution at the leaf nodes, optimizing the stability and scalability of the hierarchical classification structure. Additionally, we built specialized classifiers for each leaf node and selected appropriate classification models for training based on node characteristics, achieving targeted classification optimization. Experimental results show that our method achieved state-of-the-art performance on the FFT-75 dataset and effectively alleviated misclassification issues caused by the large number of classification types. In addition, the experimental results on the FFT-75 dataset reveal obvious performance differences among different file type categories, and the root causes of such differences are closely related to the intrinsic characteristics of file types and their feature expressions in the 512-dimensional raw byte feature space, which also further reflects the practical adaptability of the proposed hierarchical classification method. For file types with highly structured binary characteristics (e.g., ARW, GPR, JSON, XML), their fixed header/footer features and regular byte distribution make their feature vectors in the clustering feature space have obvious distinguishability, so the classification accuracy reaches 100%. For file types with semi-structured binary characteristics (e.g., DLL, MP3, GIF), although there is partial feature overlap with similar types, the hierarchical clustering groups them with other similar types into the same leaf node with a reasonable category scale, and the dedicated classifier can effectively learn the fine-grained feature differences; therefore, the classification accuracy is maintained at 90% or above. For file types with high entropy and complex composite structure (e.g., XZ, EXE, MP4, HEIC), the random byte distribution caused by deep compression, the large intra-class feature difference caused by embedded multi-component content, and the serious feature overlap with similar formats make their feature distinguishability in the raw byte feature space extremely low; even though the P1 deep classifier is adopted for their affiliated leaf nodes, the fine-grained classification is still a challenging task, leading to relatively low classification accuracy.

Despite these achievements, our work still has certain limitations that need to be addressed:

1.

The dynamic adjustment mechanism has limited adaptability, currently only meeting the needs of conventional classification scenarios, and its performance in complex and dynamic classification scenarios needs improvement.

2.

There is room for optimization in the targeted nature and architectural efficiency of leaf node classifiers. Existing models do not fully adapt to the unique characteristics of data from various categories, and the exploration of efficient training strategies is insufficient.

In future work, we will further optimize the dynamic adjustment mechanism in the clustering process to better adapt to complex and dynamic classification scenarios and needs. For each leaf node, we will design more targeted classifiers and explore more efficient classifier architectures and training strategies, such as introducing more advanced deep learning models or combining multimodal features, to further improve classification performance. We also plan to validate our method on more diverse datasets to evaluate its generalizability and robustness and study how to intelligently handle class distribution imbalance. These improvements will contribute to advancing file fragment classification technology and provide stronger support for the digital forensics field.