Applying Data Visualization Techniques to Support the Analysis of Digital Forensic Data

Lecture / Panel
For NYU Community

Speaker: Timothy Leschke,  Johns Hopkins University

The Modern Age of digital forensics is characterized by a proliferation of artifacts, increased data complexity, larger and cheaper data storage, and the emergence of the need for tools that support timeline analysis, anomaly detection, and triage. Traditional text-based digital forensic tools can no longer keep pace with the demands of the modern digital forensic examiner. A new approach for developing digital forensic tools is required if digital forensics is going to avoid becoming stagnant.

We apply the power of data visualization to support the needs of the modern digital forensic examiner. We design and develop a tool called Change-Link; a coordinated and multiple view tool which uses semantic zooming in the form of an overview, treeview, directory content view, and a metadata view to provide an understanding of digital forensic data that changes over time. By using this tool to examine a mock evidence hard drive containing shadow volume data provided by the Microsoft Volume Shadow Copy Service, we demonstrate a way to reduce data complexity and provide better forensic data analysis while supporting timeline analysis, anomaly detection, and a triage of the dataset.

We conduct a usability study with 21 graduate students with various levels of experience in cyber security and digital forensics. 90% of the test questions were answered correctly, which supports our claim that the visualizations can be used to support the intended analytical goals. 95-100% of the participants reported being satisfied with the Overview, Treeview, and Directory Content visualizations, which supports our claim that these visualization techniques provide adequate support.  Only 85% of the participants reported being satisfied with the Matadata visualization, which suggests this visualization needs to be improved on. Responses to open-ended questions have resulted in design modifications planned for the next version of this tool.

We conclude that we have demonstrated an approach to digital forensic tool development that addresses the needs of the modern digital forensic examiner. Furthermore, we have demonstrated a proof for our broader hypothesis which is data visualization techniques can be developed to support better analysis of digital forensic data.


Timothy Leschke is a U.S. Air Force Civilian employee at the Defense Cyber Crime Center (DC3) in Linthicum, Maryland, where he is a Senior Forensic Engineer, and the Technical Solutions Development Lead. He is also a part-time graduate instructor at the Johns Hopkins Information Security Institute where he teaches Computer Forensics and Advanced Computer Forensics.  He was formerly a Digital Forensic Examiner with the Federal Bureau of Investigation (FBI) Computer Analysis Response Team (CART).

Timothy Leschke holds a Master of Science (M.S.) degree in Computer Science from Loyola University Chicago, and Doctorate in Computer Science from the University of Maryland Baltimore County (UMBC). He is certified in digital forensics by both the Federal Bureau of Investigation (FBI) and the U.S. Department of Defense (DoD).  His research interests include the development of data visualization techniques to support digital forensics.

Timothy Leschke is a Member of the Digital and Multimedia Sciences section of the American Academy of Forensic Sciences (AAFS).  He is a member of the technical program committees associated with the Digital Forensic Research Workshop (DFRWS) and Visualization for Cyber Security (VizSec) conferences.