FishEYE: A Forensic Tool for the visualization of change-over-time in Windows VSS

Author

Jin-Ning Tioh ; Yong Guan

Author_Institution

Dept. of Electr. & Comput. Eng., Iowa State Univ., Ames, IA, USA

fYear

2013

fDate

21-22 Nov. 2013

Firstpage

1

Lastpage

7

Abstract

For the digital forensic examiner, being able to perceive change-over-time supports the goal of being able to explain “what happened.” In this paper, we focus on the improvements brought to digital forensic analysis by the visualization of forensic data and its application to digital forensic data that records change-over-time, specifically for a directory-tree structure and its content. By perceiving digital evidence visually, investigators are able to speed up the forensic analysis process, and at the same time better comprehend new unique relationships between data as well as more easily comprehend it in terms of its global context. In addition, we propose applying the fisheye focus+context visualization approach to the directory tree structure, with a series of segmented boxes for each to represent change-over-time for each directory/file.

Keywords

data analysis; data visualisation; digital forensics; operating systems (computers); tree data structures; FishEYE tool; Windows VSS; Windows Volume Shadow Copy Service; change-over-time visualization; digital forensic analysis; digital forensic examiner; directory-tree structure; fisheye focus plus context visualization approach; forensic analysis process; forensic data visualization; forensic tool; Computers; Context; Data visualization; Digital forensics; Lenses; Prototypes; Change-Over-Time; Fisheye; Forensics; Segmented Change-Over-Time-Box; Visualization;

fLanguage

English

Publisher

ieee

Conference_Titel

Systematic Approaches to Digital Forensic Engineering (SADFE), 2013 Eighth International Workshop on

Conference_Location

Hong Kong

Type

conf

DOI

10.1109/SADFE.2013.6911544

Filename

6911544