Ph.D. Dissertation Defense
Computer Science and Electrical Engineering
University of Maryland, Baltimore CountyApplying Data Visualization Techniques to Support the
Analysis of Digital Forensic Data
Timothy Leschke
10:00am-Noon Friday 22 November 2013, ITE 456
Analysis of Digital Forensic Data
The Modern Age of digital forensics is characterized by a proliferation of artifacts, increased data complexity, larger and cheaper data storage, and the emergence of the need for tools that support timeline analysis, anomaly detection, and triage. Traditional text-based digital forensic tools can no longer keep pace with the demands of the modern digital forensic examiner. A new approach for developing digital forensic tools is required if digital forensics is going to avoid becoming stagnant.
We apply the power of data visualization to support the needs of the modern digital forensic examiner. We design and develop a tool called Change-Link; a coordinated and multiple view tool which uses semantic zooming in the form of an overview, treeview, directory content view, and a metadata view to provide an understanding of digital forensic data that changes over time. By using this tool to examine a mock evidence hard drive containing shadow volume data provided by the Microsoft Volume Shadow Copy Service, we demonstrate a way to reduce data complexity and provide better forensic data analysis while supporting timeline analysis, anomaly detection, and a triage of the dataset.
We demonstrate a proof for our broader hypothesis which is data visualization techniques can be developed to support better analysis of digital forensic data.
Committee: Drs. Charles Nicholas (chair), Konstantinos Kalpakis, Dhananjay Phatak, Jian Chen, Clay Shields (Georgetown Univ.), Daniel Quist