In this chapter, we will cover the following recipes:
- Data visualisation with FTK
- Making a timeline in Autopsy
- Nuix's Web Review & Analytics
Being able to accurately view and analyze results is an important part of any investigation. Even before the final results stage, however, it can be useful to be able to look at and manipulate different factors within a case, so as to work out where it might be necessary to drill down further, and to uncover correlations that otherwise may be overlooked.
While the primary goal of digital forensics tools is not to look pretty but to uncover, analyze, and report back on data, the visualization process is nonetheless an important part of any software.
A well-put-together data visualization tool can demonstrate links between contacts, build a timeline and identify potential points of interest along it, bring to light geographical areas that may be relevant to an investigation, and give basic statistical outputs that can lead an investigator to understand which steps should...
This tool allows you to create and filter timelines, split data into categories, view emails and related metadata, analyze traffic and social connections, and observe geolocation data in a user-friendly environment. It also allows the user to specify a particular theme or color scheme, giving it a customizable feel.
Open FTK and load up a case (if you are not sure how to do this, see the section Drive acquisition in E01 format with FTK Imager in Chapter 3, Windows Drive acquisition.)
Choose a dataset within the case, then click the visualization icon in the top right-hand side of the screen. This will launch the visualization tool.
Autopsy is a popular piece of open source freeware with many advocates in the digital forensics community. The tool performs all the basic functions required for investigative work, and also makes it easy for technical users to extend it by creating compatible plugins.
The timeline feature is generally loaded within a case that is already running, and ideally needs to have several options enabled in order to be used efficiently, these being:
First, load up your case in Autopsy and then click Timeline at the top of the page. A new window will now open, which will give you access to the Timeline feature.
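To show what a timeline feature actually does underneath the GUI, here is an added Python example (it is not code from the book, from Autopsy or from The Sleuth Kit). It takes a handful of constructed file records with modified/accessed/changed/created timestamps, the same four fields a Sleuth Kit bodyfile carries, expands them into one event per timestamp, counts events per hour so that spikes stand out, and lets you filter a window down to one kind of event. The file paths and timestamps are made up for the illustration; the function names are the example's own.

```python
from collections import Counter
from datetime import datetime, timezone

# Constructed sample records (not real case data): one dict per file with
# POSIX timestamps for the four MACB fields found in a bodyfile.
SAMPLE_RECORDS = [
    {"path": "/Users/alice/Documents/report.docx",
     "m": 1700000000, "a": 1700003600, "c": 1700000000, "b": 1699990000},
    {"path": "/Users/alice/Downloads/setup.exe",
     "m": 1700003000, "a": 1700003000, "c": 1700003000, "b": 1700003000},
    {"path": "/Windows/System32/config/SYSTEM",
     "m": 1700007200, "a": 1700007200, "c": 1700007200, "b": 1690000000},
]

TIMESTAMP_KINDS = {"m": "modified", "a": "accessed", "c": "changed", "b": "created"}


def expand_events(records):
    """Turn one record per file into one event per timestamp (MACB),
    sorted chronologically; this flat event list is what a timeline view works from."""
    events = []
    for rec in records:
        for key, kind in TIMESTAMP_KINDS.items():
            events.append({"ts": rec[key], "kind": kind, "path": rec["path"]})
    events.sort(key=lambda e: (e["ts"], e["path"], e["kind"]))
    return events


def bucket_counts(events, bucket_seconds=3600):
    """Count events per fixed-width time bucket (default one hour).
    Spikes in this histogram are the points of interest an investigator drills into."""
    counts = Counter((e["ts"] // bucket_seconds) * bucket_seconds for e in events)
    return dict(sorted(counts.items()))


def events_in_window(events, start_ts, end_ts, kinds=None):
    """Restrict events to a window (start inclusive, end exclusive) and optionally
    to certain timestamp kinds, e.g. only 'created' to see what first appeared."""
    return [e for e in events
            if start_ts <= e["ts"] < end_ts and (kinds is None or e["kind"] in kinds)]


def fmt(ts):
    """Render a POSIX timestamp as UTC, the safe choice when drives come from mixed time zones."""
    return datetime.fromtimestamp(ts, tz=timezone.utc).strftime("%Y-%m-%d %H:%M:%S UTC")


if __name__ == "__main__":
    evs = expand_events(SAMPLE_RECORDS)
    counts = bucket_counts(evs)
    for bucket, n in counts.items():
        print(f"{fmt(bucket)}  {'#' * n}  ({n})")
    # Zoom into the busiest hour, the way you would drag a selection on the histogram.
    busiest = max(counts.items(), key=lambda kv: kv[1])[0]
    print("busiest hour starts:", fmt(busiest))
    for e in events_in_window(evs, busiest, busiest + 3600):
        print(f"  {fmt(e['ts'])}  {e['kind']:<9} {e['path']}")
```

In the sample data the busiest hour is the one in which setup.exe appears with all four timestamps identical, which is the pattern a filter on the "created" kind isolates immediately; timestamps are kept as UTC throughout, since mixing the source machine's local time with the analyst's is a common cause of misplaced events on a timeline.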
Although Autopsy's Timeline...
Sometimes a case is more complex than simply uncovering data from a single source and reporting back on it. Particularly in law enforcement investigations, there will often be many different people working on the same case, some of whom are non-technical investigators, and this makes it important for multiple individuals to be able to view, sort through, and report back on data regardless of their level of technical knowledge.
Nuix's solution to this is its Web Review & Analytics tool, which sits on top of its eDiscovery and Director suites and allows multiple users to collaborate.
Assuming you already have a Nuix license, you can get this as an add-on from Nuix's...