Essay: The Use of Visualization in Forensic Studies

Table of Contents
  Forensic Design Evaluations
  Analysis
    Temporal Analysis
    Relational Analysis
    Functional Analysis
  Proposed Solution
  Conclusion

Forensic Design Evaluations

The goal of every digital forensic (DF) investigation is the rapid reconstruction of a sequence of events and user actions from the (often large) volumes of evidence available. While the tools, techniques and methodological supports for the first stages of an investigation (acquisition, preservation, recovery) are maturing, the analysis and reconstruction stages lag behind. The resulting lack of tools leaves the execution of these activities largely dependent on the experience and intuition of the investigator.

The particular problem facing DF investigators is the need to explore large volumes of low-level recovered data and to analyze and synthesize it into high-level information and a hypothesis about an offender's behavior. The authors seek to exploit the synergies between this problem domain and the strengths of interactive 3D computer graphics (CG) and information visualization, to provide a means of exploring, analyzing and structuring the large volumes of complex data associated with DF. The knowledge gained is to be incorporated into a prototype visualization tool called Insight.

In the first stage of this work, a review was undertaken of existing uses of data visualization in security and of existing techniques supporting digital forensic analysis and reconstruction. This article presents the results of that review, analyzes the strengths and weaknesses of existing tools and techniques, and suggests potential avenues for further exploitation of visualization techniques in digital forensics. The techniques used during the analysis stage are not defined at the methodological level.
The literature suggests that the activities that make up an equivocal analysis (i.e., one resulting in hypotheses that may be incriminating or exculpatory) can be classified into temporal analysis, relational analysis and functional analysis. Temporal analysis involves ordering recovered evidence in time to provide a narrative sequence of events; much digital forensic data lends itself naturally to this (file MAC times, event log entries with timestamps, email timestamps, and so on). Relational analysis attempts to show the connections between the entities in a case: for example, the presence of a telephone number in a mobile phone's contacts database shows a link between the phone's owner and the owner of that number. Functional analysis consists of determining which entities could have carried out a given event related to the case.

Various attempts have been made to formalize the analysis process; systems based on state machines are typical. It is unclear from the literature to what extent such formal approaches have been adopted, but Pollitt and Whitledge suggest that the central act of analysis, the reconstruction of a testable, high-level description of what was done and by whom, is in many cases left to the experience of individual analysts and investigators.

Currently, data retrieved during the initial stages of a digital forensic investigation is analyzed manually, which is time-consuming. Some existing products attempt to make the investigation process more efficient through filtering and by providing an overview of the data; however, most of these tools still require investigators to work through large amounts of qualitative information. Some tools attempt to alleviate this problem by presenting data in a form intended to be more easily understood by the analyst than the "raw" format.
For example, Zeitline allows the investigator to group information extracted from the target computer, such as MAC timestamps and event log entries, into a hierarchical structure of atomic and complex events. This structure is then displayed to the user as a tree interface of the kind they will be familiar with from tools such as Microsoft Explorer. This increases efficiency by giving the investigator a way to structure the data they find and keep it in chronological order, while presenting it in an easily understood form that can be used as evidence.

Analysis

In this section we try to draw some conclusions from the preceding review about the extent to which the key activities of analysis are supported by tools, and how this situation could be improved by the use of data visualization techniques.

Temporal Analysis

If our working definition of "analysis" is accepted, then the key activities are those that organize and structure low-level evidence into a testable hypothesis. Of the three types of analysis (temporal, relational and functional), the only one in which this kind of organization receives tool support is temporal analysis, through tools such as Zeitline, fls, CyberForensic TimeLab and Webscavator. It seems reasonable to assume that temporal analysis has been favored by toolmakers because of the simplicity of its underlying formalism, namely sorting by timestamp. In terms of structuring and organization, Zeitline alone recognizes the "layers of abstraction" approach by allowing events to be grouped into higher-level events. fls and its associated tools, although essential for obtaining and converting low-level data, offer little facility for "analysis". The presentation of results in Zeitline and fls is, however, tabular, and therefore still requires significant interpretive effort from the investigator.
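The two ideas above, sorting by timestamp and Zeitline's grouping of atomic events into complex events, are small enough to show end to end. The following is an added example written for this page; it is not code from Zeitline, fls, mactime or any other tool named here. It reads constructed sample input in three shapes a real timeline typically mixes: body-file lines in the format produced by `fls -m` and consumed by mactime, event-log lines in local time with an explicit offset, and RFC 5322 Date headers from recovered mail. The practitioner's caveat that "sorting by timestamp" hides is time-zone normalization: every source is converted to UTC before sorting, and a timestamp with no zone information is rejected rather than guessed. Grouping here is automatic by session gap, a simplification of the manual grouping Zeitline offers; the paths, user names, numbers and times are all invented.

```python
"""Added example: temporal analysis pipeline (normalize -> sort -> group -> tree).
Not code from the page or from Zeitline/fls; all sample evidence is constructed."""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from email.utils import parsedate_to_datetime
from typing import List, Tuple


@dataclass(frozen=True)
class AtomicEvent:
    when: datetime        # always timezone-aware UTC
    source: str           # "fs", "evtlog" or "email"
    actor: str
    description: str


@dataclass
class ComplexEvent:
    label: str
    children: List[AtomicEvent]   # kept in timestamp order

    @property
    def start(self) -> datetime:
        return self.children[0].when

    @property
    def end(self) -> datetime:
        return self.children[-1].when


# Constructed sample evidence (not from any real case).
# 1. Body-file lines as written by `fls -m` and read by mactime:
#    MD5|name|inode|mode|UID|GID|size|atime|mtime|ctime|crtime  (epoch seconds, UTC)
BODY_LINES = [
    "0|/home/alice/Documents/plan.docx|1201|r/rrw-r--r--|1000|1000|40960"
    "|1700000400|1700000300|1700000300|1700000100",
    "0|/home/alice/.bash_history|1320|r/rrw-------|1000|1000|512"
    "|1700000900|1700000890|1700000890|1699990000",
]
# 2. Event-log style lines recorded in local time (UTC+1) with an explicit offset.
EVTLOG_LINES = [
    "2023-11-14T23:14:00+01:00 user=alice event=LOGON",
    "2023-11-14T23:30:10+01:00 user=alice event=LOGOFF",
]
# 3. RFC 5322 Date headers of recovered messages: (sender, Date header, summary).
EMAIL_HEADERS = [
    ("alice", "Tue, 14 Nov 2023 17:18:30 -0500", "mail to bob@example.org"),
]

# mactime's 'macb' flag order: modified, accessed, changed, born (created).
MACB: Tuple[Tuple[str, str], ...] = (("mtime", "m"), ("atime", "a"), ("ctime", "c"), ("crtime", "b"))


def parse_body_line(line: str) -> List[AtomicEvent]:
    """One body-file line -> one atomic event per distinct timestamp; equal
    timestamps are merged and shown with combined flags, e.g. 'm.c.'."""
    fields = line.split("|")
    if len(fields) != 11:
        raise ValueError(f"malformed body line: {line!r}")
    name, uid = fields[1], fields[4]
    times = dict(zip(("atime", "mtime", "ctime", "crtime"), map(int, fields[7:11])))
    events = []
    for epoch in sorted(set(times.values())):
        flags = "".join(flag if times[key] == epoch else "." for key, flag in MACB)
        events.append(AtomicEvent(datetime.fromtimestamp(epoch, tz=timezone.utc),
                                  "fs", f"uid {uid}", f"{flags} {name}"))
    return events


def parse_evtlog_line(line: str) -> AtomicEvent:
    """Parses 'ISO-8601-with-offset key=value ...'. A timestamp without zone
    information is refused instead of being silently treated as UTC."""
    stamp, rest = line.split(" ", 1)
    when = datetime.fromisoformat(stamp)
    if when.tzinfo is None:
        raise ValueError(f"timestamp without zone, refusing to guess: {stamp}")
    kv = dict(part.split("=", 1) for part in rest.split())
    return AtomicEvent(when.astimezone(timezone.utc), "evtlog", kv["user"], kv["event"])


def build_timeline(body_lines, evtlog_lines, email_headers) -> List[AtomicEvent]:
    """Merge all sources into one list ordered by UTC timestamp (stable sort,
    so equal timestamps keep source order)."""
    events: List[AtomicEvent] = []
    for line in body_lines:
        events.extend(parse_body_line(line))
    events.extend(parse_evtlog_line(line) for line in evtlog_lines)
    for sender, date_hdr, summary in email_headers:
        when = parsedate_to_datetime(date_hdr).astimezone(timezone.utc)
        events.append(AtomicEvent(when, "email", sender, summary))
    return sorted(events, key=lambda e: e.when)


def group_by_gap(timeline: List[AtomicEvent],
                 max_gap: timedelta = timedelta(minutes=5)) -> List[ComplexEvent]:
    """Zeitline-style complex events, formed automatically here: consecutive
    atomic events closer together than max_gap are treated as one session."""
    groups: List[ComplexEvent] = []
    for ev in timeline:
        if groups and ev.when - groups[-1].end <= max_gap:
            groups[-1].children.append(ev)
        else:
            groups.append(ComplexEvent(f"session {len(groups) + 1}", [ev]))
    return groups


def render_tree(groups: List[ComplexEvent]) -> str:
    """Two-level tree: complex event, then its atomic events, as a timeline tool shows it."""
    lines = []
    for g in groups:
        lines.append(f"[+] {g.label}: {g.start:%Y-%m-%d %H:%M:%S}Z .. {g.end:%H:%M:%S}Z "
                     f"({len(g.children)} atomic events)")
        for ev in g.children:
            lines.append(f"      {ev.when:%H:%M:%S}Z  {ev.source:<6} {ev.actor:<9} {ev.description}")
    return "\n".join(lines)


if __name__ == "__main__":
    print(render_tree(group_by_gap(build_timeline(BODY_LINES, EVTLOG_LINES, EMAIL_HEADERS))))
```

On the constructed input the nine atomic events fall into three sessions: a lone creation of `.bash_history` hours earlier, a five-event session around the logon in which `plan.docx` is created, modified and mailed, and a three-event session ending with the logoff. The session gap is a heuristic; in practice the investigator adjusts the grouping by hand, which is exactly the facility the text credits to Zeitline.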
Webscavator and CyberForensic TimeLab emphasize graphical display of low-level data and as such represent a step towards easier understanding of it, but they lack Zeitline's concept of grouping. No tool therefore provides, together, functionality for low-level manipulation, high-level structuring and the use of data visualization techniques to improve understandability.

Relational Analysis

There are many tools designed for social network analysis (perhaps because computer scientists like to play with graph theory and layout algorithms), but few are designed to work specifically in a digital investigation context. Meng's VAIE system demonstrates that well-known graph rendering techniques from data visualization can be applied to social networks recovered from forensic data; however, it is not clear how this can be integrated into an overall investigation. Relational analysis can also be used in a broader sense, to identify meaningful correlations between low-level data elements. Self-organizing map (SOM) tools have been applied to this end, but are currently not well integrated into the digital forensics process.

Functional Analysis

Our investigation did not find any visualization software supporting.
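Relational analysis as defined earlier (a number in a contacts database links the phone's owner to the number's owner) and the graph rendering applied by Meng's VAIE system come down to the same structure: entities as nodes, recovered relations as edges. The following is an added example written for this page, not code from VAIE or any tool it names. It builds that graph from a constructed contacts table and a constructed call/SMS log, answers the two questions an investigator actually asks of it (how are two entities connected, and who is linked to both), and emits Graphviz DOT so the graph can be rendered with an ordinary layout engine. Every number, name and record is invented; the assumption is only that `dot` from Graphviz is available if the output is to be drawn.

```python
"""Added example: relational analysis over constructed handset evidence.
Not code from the page, VAIE or any other tool; all records are invented."""
from collections import defaultdict, deque
from typing import Dict, List, Optional, Set, Tuple

# Constructed evidence from a seized handset whose own number is OWNER.
OWNER = "+447700900000"
CONTACTS = [("Bob", "+447700900001"), ("Carol", "+447700900002")]   # contacts database
COMMS = [                                                            # call/SMS log: (from, to, kind)
    ("+447700900000", "+447700900001", "sms"),
    ("+447700900001", "+447700900000", "sms"),
    ("+447700900001", "+447700900003", "call"),
    ("+447700900002", "+447700900003", "call"),
]


class RelationGraph:
    """Undirected graph of entities; each unordered pair maps to the set of
    relation kinds (contact, sms, call, ...) that the evidence shows between them."""

    def __init__(self) -> None:
        self.labels: Dict[str, str] = {}
        self.kinds: Dict[Tuple[str, str], Set[str]] = defaultdict(set)
        self.adj: Dict[str, Set[str]] = defaultdict(set)

    def add_relation(self, a: str, b: str, kind: str) -> None:
        if a == b:
            return
        key = (a, b) if a < b else (b, a)
        self.kinds[key].add(kind)
        self.adj[a].add(b)
        self.adj[b].add(a)

    def label(self, node: str) -> str:
        return self.labels.get(node, "unknown")

    def shortest_path(self, src: str, dst: str) -> Optional[List[str]]:
        """BFS: the fewest-hop chain of relations linking src to dst, or None."""
        prev: Dict[str, Optional[str]] = {src: None}
        queue = deque([src])
        while queue:
            node = queue.popleft()
            if node == dst:
                path: List[str] = []
                cur: Optional[str] = node
                while cur is not None:
                    path.append(cur)
                    cur = prev[cur]
                return path[::-1]
            for nxt in sorted(self.adj.get(node, set())):
                if nxt not in prev:
                    prev[nxt] = node
                    queue.append(nxt)
        return None

    def common_neighbours(self, a: str, b: str) -> Set[str]:
        """Entities directly linked to both a and b, the usual way an unknown
        number is tied to a person of interest."""
        return self.adj.get(a, set()) & self.adj.get(b, set())

    def to_dot(self) -> str:
        """Graphviz DOT; render with `dot -Tpng` (assumes Graphviz is installed)."""
        out = ["graph relations {", "  node [shape=box];"]
        for node in sorted(self.adj):
            out.append(f'  "{node}" [label="{self.label(node)}\\n{node}"];')
        for (a, b), kinds in sorted(self.kinds.items()):
            edge_label = ",".join(sorted(kinds))
            out.append(f'  "{a}" -- "{b}" [label="{edge_label}"];')
        out.append("}")
        return "\n".join(out)


def build_graph(owner: str, contacts, comms) -> RelationGraph:
    g = RelationGraph()
    g.labels[owner] = "device owner"
    for name, number in contacts:
        g.labels[number] = name
        g.add_relation(owner, number, "contact")   # contacts DB entry links owner to number
    for src, dst, kind in comms:
        g.add_relation(src, dst, kind)             # each call/SMS links its two parties
    return g


if __name__ == "__main__":
    g = build_graph(OWNER, CONTACTS, COMMS)
    unknown = "+447700900003"
    path = g.shortest_path(OWNER, unknown) or []
    print("path:", " -> ".join(f"{g.label(n)} ({n})" for n in path))
    print("linked to both:", sorted(g.label(n) for n in g.common_neighbours(OWNER, unknown)))
    print(g.to_dot())
```

Here the unknown number is not in the contacts database at all, yet the graph ties it to the device owner through both Bob and Carol, which is the kind of link the page says tabular output makes hard to see and a rendered graph makes obvious. The DOT output is the hand-off to the visualization side that VAIE demonstrates; integrating that rendering with the rest of an investigation is the open problem the text identifies.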