FishEYE: A Forensic Tool for the visualization of change-over-time in Windows VSS

Abstract

For the digital forensic examiner, being able to perceive change-over-time supports the goal of being able to explain “what happened.” In this paper, we focus on the improvements brought to digital forensic analysis by the visualization of forensic data and its application to digital forensic data that records change-over-time, specifically for a directory-tree structure and its content. By perceiving digital evidence visually, investigators are able to speed up the forensic analysis process, and at the same time better comprehend new unique relationships between data as well as more easily comprehend it in terms of its global context. In addition, we propose applying the fisheye focus+context visualization approach to the directory tree structure, with a series of segmented boxes for each to represent change-over-time for each directory/file.