Lempel-Ziv Jaccard Distance, an effective alternative to ssdeep and sdhash

Recent work has proposed the Lempel-Ziv Jaccard Distance (LZJD) as a method to measure the similarity between binary byte sequences for malware classification. We propose and test LZJD's effectiveness as a similarity digest hash for digital forensics. To do so we develop a high performance Java implementation with the same command-line arguments as sdhash, making it easy to integrate into existing work-flows. Our testing shows that LZJD is effective for this task, and significantly outperforms sdhash and ssdeep in its ability to match related file fragments and files corrupted with random noise. In addition, LZJD is up to 60× faster than sdhash at comparison time.