We present a visual analytic framework for exploring the relationship of textual evidence for computer forensics. Based upon a task analysis study performed with practitioners, our tool addresses the inefficiency of searching for related text documents on a hard drive. Our framework searches both allocated and unallocated sectors for text and performs some pre-analysis processing; this information is then presented via a visualization that displays both the frequency of relevant terms and their location on the disk. We also present a case study that demonstrates our framework’s operation, and we report on an informal evaluation conducted with forensics analysts from the Mississippi State Attorney General’s Office and National Forensics Training Center
To submit an update or takedown request for this paper, please submit an Update/Correction/Removal Request.