Forensic project evaluations

The goal of every digital forensic (DF) investigation is the rapid reconstruction of a sequence of events and user actions from the (often large) volumes of evidence available. While tools, techniques and methodological support are maturing for the first phases of an investigation (acquisition, preservation, search), the analysis and reconstruction phases lag behind. The resulting scarcity of support tools leaves the execution of these tasks largely dependent on the experience and intuition of the investigator.

The particular problem facing DF investigators is the need to explore large volumes of low-level recovered data and synthesize them into high-level information and a hypothesis about an offender's behavior. The authors seek to exploit the synergies between this problem and the strengths of interactive 3D computer graphics (CG) and information visualization to provide a means to explore, analyze and structure the large, complex volumes of data associated with DF. The knowledge gained will be incorporated into a prototype visualization tool known as Insight. As a first phase of this work, a review was undertaken of existing uses of data visualization in the security field and of existing techniques supporting digital forensic analysis and reconstruction. This article presents the results of that review, analyzes the strengths and weaknesses of existing tools and techniques, and suggests potential avenues for further exploitation of visualization techniques in the field of digital forensics.

The techniques used in this phase are not defined at a methodological level; instead it is suggested that the activities that make up an equivocal analysis (i.e., one that gives rise to hypotheses that may be inculpatory or exculpatory) can be classified as temporal analysis, relational analysis and functional analysis. Temporal analysis orders the retrieved evidence by time to provide a narrative sequence of events. Many digital forensic data elements are naturally suited to this (e.g., MAC times of files, timestamped event logs, email timestamps). Relational analysis attempts to show links between entities in a case; for example, the presence of a phone number in a cell phone's contact database shows a link between the owner of the phone and the owner of that number. Functional analysis is the act of determining which entities could have performed each of the case-related events.

Various attempts have been made to formalize the analysis process, typically based on state machines. It is not clear from the literature how widespread the adoption of such formal approaches has been, but Pollitt and Whitledge suggest that the central act of analysis, the reconstruction of a high-level verifiable description of what was done and by whom, is in many cases left to the expertise of individual analysts and investigators. Currently, data recovered in the early stages of a digital forensic investigation is analyzed manually, which is time-consuming. Some existing products attempt to make the investigative process more efficient through filters and data overview capabilities; however, most of these tools still require investigators to work with large amounts of qualitative information. Some tools attempt to alleviate this problem by presenting the data in a way intended to be more easily understood by the analyst than a "raw" format. For example, Zeitline allows the investigator to group information taken from the target computer, such as MAC timestamps and event logs, into a hierarchical structure of atomic and complex events. This structure is then displayed to the user as a tree interface of the kind familiar from tools such as Microsoft Explorer. The tool increases efficiency by giving the investigator a way to structure the data they find, keep it in chronological order, and present it in an easy-to-understand format for use as evidence.

Analysis

In this section we attempt to draw some conclusions from the preceding review about the extent to which key analysis activities are supported by tools, and how this situation could be improved by the use of data visualization techniques.

Temporal Analysis

If our operational definition of "analysis" is accepted, then the key activities are to organize and structure low-level evidence into a testable hypothesis. Of the three types of analysis (temporal, relational and functional), the only one in which this organization receives tool support is temporal analysis, through tools such as Zeitline, fls, CyberForensic TimeLab and Webscavator. It seems reasonable to conjecture that temporal analysis has been favored by tool makers because of the simplicity of the underlying formalism, i.e., timestamp sorting. In terms of structuring and organization, only Zeitline adopts the "layers of abstraction" approach that allows events to be grouped into higher-level events. fls and its associated tools, while essential for obtaining and converting low-level data, offer few "analysis" possibilities. The output of Zeitline and fls is, however, tabular and therefore still requires significant interpretive effort. Webscavator and CyberForensic TimeLab emphasize graphical visualization of low-level data and as such represent a step towards easier understanding of that data, but lack Zeitline's concept of "clustering". No tool therefore combines facilities for low-level manipulation, high-level structuring and the use of data visualization techniques to improve understandability.
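The temporal analysis described above (timestamp sorting, then grouping atomic events into Zeitline-style complex events) is easier to judge with a concrete pipeline in front of you. The following is an added example, not code from Zeitline, fls or the Insight prototype: it takes three constructed low-level sources (a mactime-style table in POSIX seconds, syslog lines with ISO 8601 stamps, an RFC 5322 email Date header), normalises all of them to UTC, orders them deterministically, and groups runs of events separated by no more than an assumed 60-second window into higher-level events rendered as a small text tree. The input formats and the window size are assumptions of this example.

```python
"""Temporal analysis in the Zeitline style: normalise timestamped artefacts
from several low-level sources to UTC, sort them, and group runs of closely
spaced atomic events into higher-level complex events.
Added example; all input records below are constructed."""
from dataclasses import dataclass, field
from datetime import datetime, timezone
from email.utils import parsedate_to_datetime
from typing import List


@dataclass(frozen=True)
class AtomicEvent:
    when: datetime        # always timezone-aware, normalised to UTC
    source: str           # which artefact type the event came from
    description: str


@dataclass
class ComplexEvent:
    label: str
    members: List[AtomicEvent] = field(default_factory=list)

    @property
    def start(self) -> datetime:
        return self.members[0].when

    @property
    def end(self) -> datetime:
        return self.members[-1].when


# --- constructed sample inputs, each in its native low-level form ---
MACTIME_ROWS = [  # (path, mtime, atime, ctime) as POSIX seconds
    ("/home/alice/.bash_history", 1700000000, 1700000050, 1700000000),
    ("/tmp/payload.bin", 1700000010, 1700000012, 1700000010),
]
SYSLOG_LINES = [  # assumed format: ISO 8601 stamp with offset, then message
    "2023-11-14T22:13:25+00:00 host sshd[911]: Accepted password for alice from 10.0.0.5",
    "2023-11-14T22:13:33+00:00 host sudo: alice : COMMAND=/bin/cat /etc/shadow",
]
EMAIL_DATES = [  # RFC 5322 Date header value; offset deliberately not UTC
    ("Tue, 14 Nov 2023 23:40:00 +0100", "message sent: invoice.pdf"),
]


def events_from_mactime(rows) -> List[AtomicEvent]:
    """One atomic event per distinct timestamp of each file (M/A/C merged when equal)."""
    out = []
    for path, mtime, atime, ctime in rows:
        seen = {}
        for label, ts in (("modified", mtime), ("accessed", atime), ("changed", ctime)):
            when = datetime.fromtimestamp(ts, tz=timezone.utc)
            seen.setdefault(when, []).append(label)
        for when, labels in seen.items():
            out.append(AtomicEvent(when, "mactime", f"{path} {'/'.join(labels)}"))
    return out


def events_from_syslog(lines) -> List[AtomicEvent]:
    out = []
    for line in lines:
        stamp, rest = line.split(" ", 1)
        when = datetime.fromisoformat(stamp).astimezone(timezone.utc)
        out.append(AtomicEvent(when, "syslog", rest))
    return out


def events_from_email(dates) -> List[AtomicEvent]:
    out = []
    for header, description in dates:
        when = parsedate_to_datetime(header).astimezone(timezone.utc)
        out.append(AtomicEvent(when, "email", description))
    return out


def build_timeline(*groups) -> List[AtomicEvent]:
    """Merge and order; the secondary keys make tie ordering deterministic."""
    merged = [e for g in groups for e in g]
    return sorted(merged, key=lambda e: (e.when, e.source, e.description))


def cluster(timeline, window_seconds=60) -> List[ComplexEvent]:
    """Group consecutive events whose gap from the previous one is within the window."""
    clusters: List[ComplexEvent] = []
    for ev in timeline:
        if clusters and (ev.when - clusters[-1].end).total_seconds() <= window_seconds:
            clusters[-1].members.append(ev)
        else:
            clusters.append(ComplexEvent(f"session-{len(clusters) + 1}", [ev]))
    return clusters


def render(clusters) -> str:
    """Tree-style text view: complex events with their atomic members indented."""
    lines = []
    for c in clusters:
        lines.append(f"{c.label} [{c.start.isoformat()} .. {c.end.isoformat()}]")
        for m in c.members:
            lines.append(f"  {m.when.isoformat()} {m.source:8} {m.description}")
    return "\n".join(lines)


def analyse() -> List[ComplexEvent]:
    timeline = build_timeline(events_from_mactime(MACTIME_ROWS),
                              events_from_syslog(SYSLOG_LINES),
                              events_from_email(EMAIL_DATES))
    return cluster(timeline)


if __name__ == "__main__":
    print(render(analyse()))
```

With the constructed data the six artefacts around 22:13 UTC collapse into one complex event and the email sent half an hour later stands alone, which is exactly the kind of "layer of abstraction" the text credits Zeitline with; note that the grouping only works because every source was first normalised to a single time zone.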
Relational Analysis

There are many tools designed for social network analysis (perhaps because computer scientists love to play with graph theory and layout algorithms), but few are designed to work specifically in a digital forensics context. Meng's VAIE system demonstrates that well-known graph rendering techniques from data visualization can be applied to social networks recovered from forensic data; however, it is unclear how this could be integrated into an overall investigation. Relational analysis can also be used in a broader sense to identify significant correlations between low-level data. Self-organizing map (SOM) based tools have been applied to this broader task, but are currently not well integrated with the digital forensics process.

Functional Analysis

Our investigation was unable to find any visualization software that explicitly supports functional analysis. The use of debuggers in malware analysis certainly aids understanding of such problems, but does not fall under the usual definition of data visualization. It could perhaps be argued that the use of treemaps (as exemplified by the "Digital Forensics Visualization Tool") constitutes functional analysis, since it helps in understanding the use to which a system has been put.

Proposed Solution

Due to the multiple attributes of the data contained in a.
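Returning to the Relational Analysis section above, the phone-number example there (a number present in one phone's contact database links that phone's owner to the number's owner) generalises to a link graph over several seized devices. The following is an added example, not code from Meng's VAIE or any tool the page reviews: it builds an undirected graph whose nodes are devices and normalised phone numbers, then answers the two questions an investigator asks first, namely which devices are connected at all and through which shared number. The records and subscriber numbers are constructed (UK fictional-use 7700 900xxx numbers), and the normalisation assumes UK national formats default to +44.

```python
"""Relational analysis: build a link graph from contact-database records
recovered from several seized phones and find how devices are connected
through shared phone numbers. Added example; all records are constructed."""
from collections import deque
from typing import Dict, List, Optional, Set

# Constructed contact-database rows: (device, contact label, number as stored).
CONTACT_RECORDS = [
    ("phone:alice", "Bob",     "+44 7700 900123"),
    ("phone:alice", "Dentist", "020 7946 0000"),
    ("phone:bob",   "Al",      "+44 (0)7700-900456"),
    ("phone:carol", "B",       "07700 900123"),
    ("phone:carol", "Dave",    "+44 7700 900789"),
    ("phone:erin",  "Mum",     "+44 7700 900999"),
]
# Constructed: the subscriber number belonging to each seized device.
DEVICE_NUMBERS = {
    "phone:alice": "+44 7700 900456",
    "phone:bob":   "+44 7700 900123",
    "phone:carol": "+44 7700 900789",
    "phone:erin":  "+44 7700 900000",
}


def normalise_number(raw: str, default_cc: str = "+44") -> str:
    """Canonical +CC form so differently formatted copies of one number match.
    Assumption: numbers without a country code are UK national format."""
    s = raw.replace("(0)", "")                  # drop trunk prefix written as (0)
    digits = "".join(ch for ch in s if ch.isdigit())
    if s.strip().startswith("+"):
        return "+" + digits
    if digits.startswith("0"):
        return default_cc + digits[1:]
    return default_cc + digits


def build_link_graph(records, device_numbers) -> Dict[str, Set[str]]:
    """Undirected graph: device -- number for ownership and for contact entries."""
    graph: Dict[str, Set[str]] = {}

    def link(a: str, b: str) -> None:
        graph.setdefault(a, set()).add(b)
        graph.setdefault(b, set()).add(a)

    for device, number in device_numbers.items():
        link(device, normalise_number(number))   # the device's own number
    for device, _label, number in records:
        link(device, normalise_number(number))   # a number stored as a contact
    return graph


def shortest_link(graph, src: str, dst: str) -> Optional[List[str]]:
    """Breadth-first search; hops alternate between devices and numbers."""
    if src not in graph or dst not in graph:
        return None
    prev: Dict[str, Optional[str]] = {src: None}
    queue = deque([src])
    while queue:
        node = queue.popleft()
        if node == dst:
            path = []
            while node is not None:
                path.append(node)
                node = prev[node]
            return path[::-1]
        for nxt in sorted(graph[node]):          # sorted for deterministic paths
            if nxt not in prev:
                prev[nxt] = node
                queue.append(nxt)
    return None


def components(graph) -> List[Set[str]]:
    """Connected components: each is a cluster of entities linked by some chain."""
    seen: Set[str] = set()
    out: List[Set[str]] = []
    for start in sorted(graph):
        if start in seen:
            continue
        comp: Set[str] = set()
        stack = [start]
        while stack:
            n = stack.pop()
            if n in comp:
                continue
            comp.add(n)
            stack.extend(graph[n] - comp)
        seen |= comp
        out.append(comp)
    return out


def shared_numbers(graph) -> Dict[str, Set[str]]:
    """Numbers attached to more than one device: the strongest relational cues."""
    return {n: nbrs for n, nbrs in graph.items() if n.startswith("+") and len(nbrs) > 1}


if __name__ == "__main__":
    g = build_link_graph(CONTACT_RECORDS, DEVICE_NUMBERS)
    print(shortest_link(g, "phone:alice", "phone:carol"))
    for number, devices in shared_numbers(g).items():
        print(number, "->", sorted(devices))
```

Alice and Carol never exchanged numbers directly, yet both stored Bob's number, so the graph links them through it, while Erin's phone forms a separate component; the normalisation step matters because "07700 900123" and "+44 7700 900123" would otherwise be two unrelated nodes and the link would be missed.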