Enhancing Computer Forensics Investigation through Visualisation and Data Exploitation

G. Osborne, B. Turnbull
Published in: 2009 International Conference on Availability, Reliability and Security
Publication date: 2009-03-16
DOI: 10.1109/ARES.2009.120 (https://doi.org/10.1109/ARES.2009.120)
Citations: 13

Abstract

This paper focuses on establishing the need for new architectures on which to build visualisation systems that enhance computer forensic investigation of digital evidence. The issues surrounding the processing of large quantities of digital evidence are established. In addition, the current state of visualisation and data analysis techniques for computer forensics is highlighted. This paper suggests the need for new visualisation techniques that display data in familiar visual forms and so help an investigator gain insight into digital evidence efficiently. Visualisation techniques also require a source of processed data that contains context-relevant information to present to an investigator. To this end, this paper introduces the notion of data exploitation as a way to describe techniques that provide opportunistic data analysis across multiple sources of digital evidence. Data exploitation techniques allow normalisation, event correlation, relationship extraction and investigative domain knowledge processing to occur across a set of evidence. This enables a visual representation of digital evidence to highlight relationships and events across many data sources, support an investigator throughout the entire data analysis process and enable an investigator to focus on the context of the current crime.