| The Modern Age of digital forensics is characterized by a proliferation of artifacts, increased data complexity, larger and cheaper data storage, and the emergence of the need for tools that support timeline analysis, anomaly detection, and triage. Traditional text-based digital forensic tools can no longer keep pace with the demands of the modern digital forensic examiner. A new approach for developing digital forensic tools is required if digital forensics is going to avoid becoming stagnant.;We apply the power of data visualization to support the needs of the modern digital forensic examiner. We design and develop a tool called Change-Link; a coordinated and multiple view tool which uses semantic zooming in the form of an overview, treeview, directory content view, and a metadata view to provide an understanding of digital forensic data that changes over time. By using this tool to examine a mock evidence hard drive containing shadow volume data provided by the Microsoft Volume Shadow Copy Service, we demonstrate a way to reduce data complexity and provide better forensic data analysis while supporting timeline analysis, anomaly detection, and a triage of the dataset.;We demonstrate a proof for our broader hypothesis which is data visualization techniques can be developed to support better analysis of digital forensic data. |
