Foundations for Visual Forensic Analysis

Computer forensics is the preservation, analysis, and interpretation of computer data. It is a crucial tool in the arsenal of law enforcement investigators, national security analysts, and corporate computer emergency response teams. There is a need for software that aids investigators in locating data on hard drives left by persons committing illegal activities. Analysts use forensic techniques to analyze insider attacks on organizations and recover data hidden or deleted by disgruntled employees or attackers. Advanced software tools are needed to reduce the tedious efforts of forensic examiners, especially when searching large hard drives. This paper discusses the background, algorithms, fundamentals, and techniques intrinsic to the visual analysis of typical computer forensic data. In terms of the visualization technique itself we discuss a visualization techniques to represent file statistics such as file size, last access date, creation date, last modification date, owner, number of i-nodes for fragmentation, and file type. The user interface to this software allows file searching, pattern matching, and the display of file contents