    Forensic triage of email network narratives through visualisation

    Purpose – The purpose of this paper is to propose a novel approach that automates the visualisation of both quantitative data (the network) and qualitative data (the content) within emails to aid the triage of evidence during a forensics investigation. Email remains a key source of evidence during a digital investigation, and a forensics examiner may be required to triage and analyse large email data sets for evidence. Current practice utilises tools and techniques that require a manual trawl through such data, which is a time-consuming process.
    Design/methodology/approach – This paper applies the methodology to the Enron email corpus, and in particular to one key suspect, to demonstrate the applicability of the approach. The resulting visualisations of network narratives are discussed to show how network narratives may be used to triage large evidence data sets.
    Findings – Using the network narrative approach enables a forensics examiner to quickly identify relevant evidence within large email data sets. Within the case study presented in this paper, the results identify key witnesses, other actors of interest to the investigation and potential sources of further evidence.
    Practical implications – The implications are for digital forensics examiners or for security investigations that involve email data. The approach posited in this paper demonstrates the triage and visualisation of email network narratives to aid an investigation and identify potential sources of electronic evidence.
    Originality/value – There are a number of network visualisation applications in use. However, none of these enable the combined visualisation of quantitative and qualitative data to provide a view of what the actors are discussing and how this shapes the network in email data sets.

    FishEYE: A Forensic Tool for the Visualization of Change-Over-Time in Windows VSS

    For the digital forensic examiner, being able to perceive change-over-time supports the goal of being able to explain what happened. In our thesis, we focus on the improvements brought to digital forensic analysis by the visualization of forensic data and its application to digital forensic data that records change-over-time, specifically for a directory-tree structure and its content. By perceiving digital evidence visually, investigators are able to speed up the forensic analysis process, and at the same time better comprehend new unique relationships between data as well as more easily comprehend it in terms of its global context. To provide multiple snapshots of a directory-tree structure, we chose to utilize Shadow Copy (also known as Volume Snapshot Service or Volume Shadow Copy Service or VSS), a technology included in Microsoft Windows which allows for the taking of manual or automatic backup copies or snapshots of data (including whole volumes) over regular intervals. VSS was chosen since it is a potential gold mine of forensic information, having been included in every version of Microsoft Windows since Windows XP. In this thesis, we propose and develop a tool to take advantage of the information contained within VSS by applying the fisheye focus+context visualization approach to the directory-tree structure, with a series of segmented boxes representing change-over-time for each directory/file, accomplishing our goal of providing investigators a clear picture, at a glance, of how a directory-tree structure has changed over time.

    Business impact visualization for information security and compliance events

    Business leaders face significant challenges from IT incidents that interfere with or pose imminent risk to more than one workgroup. Communication, coordination and monitoring are hindered by factors such as the IT incidents' technical complexity and unfamiliarity, distributed ad-hoc response teams, competing demands for their time, nuanced business dependencies, the lack of reliable IT incident measures and a piecemeal toolset to overcome these challenges. This research proposes a dynamic visual system as a solution to overcome many of these challenges. Starting with a broad outline of improving the awareness and comprehension of security and compliance events for business leaders, this effort enlisted the assistance of seven experienced IT professionals in the Des Moines metropolitan area. A user-centered design methodology was developed that enabled these individuals to influence the selection of a problem space, explore related challenges, contribute to requirements definition and prioritization, review designs and, finally, test a prototype. The group consisted of leaders and senior technical staff working in various industries. At the end of the methodology, a group of unrelated IT professionals with no prior knowledge of the research was asked to perform an objective evaluation of the prototype. That evaluation is reported in this document and forms the basis of conclusions regarding the research hypothesis.