- This is my first article, its for my Final Year Project for Bachelor's of Computer Science (Systems and Networking) - It also will be uploaded into CyberSecurity Malaysia E-Bulletin for 2017

1. VISUALIZATION OF COMPUTER FORENSICS
ANALYSIS ON DIGITAL EVIDENCE
Muhd Mu’izuddin b. Hj.Muhsinon,
Nazri b. Ahmad Zamani
University Tenaga Nasional,
CyberSecurity Malaysia
muiz_din94@rocketmail.com
Abstract
The project is to explore the usage of data science methodology in further analyzing
computer forensics analysis results. In computer forensics the analysis in carried out via
forensics tools, for example EnCase, FTK, and XRY. These tools have powerful engine
to zooming in digital evidence and finding information pertinent to an investigation. What
lack in these tools are features for statistical, machine learning and visualization
function that may be crucial in looking into the evidence in its entirety. The project will
explore methods to profile and visualize these in computer forensics analysis findings
by using Python and Jupyter Notebook. The EnCase csv files of a real-life case analysis
will be loaded and will be analyzed by using Python’s SKLearn statistical and pattern
recognition engine. The result will be plotted by using Python’s visualization tools such
as Matplotlib, Seaborn, and Pandas.
I. Introduction
Computer technology is the major integral
part of everyday human life, and it is
growing rapidly, as are computer crimes
such as financial fraud, unauthorized
intrusion, identity theft and intellectual
theft. To counteract those computer-
related crimes, Computer Forensics plays
a very important role. Computer
Forensics involves obtaining and
analysing digital information for use as
evidence in civil, criminal or
administrative cases [1] .
A Computer Forensic Investigation
generally investigates the data which
could be taken from computer hard disks
or any other storage devices with
adherence to standard operating policies
and procedures to determine if those
devices have been compromised by
unauthorized access or not [2]. Computer
Forensics Investigators work as a team to
investigate the incident and conduct the
forensic analysis by using various
methodologies (e.g. Static and Dynamic)
and tools (e.g. EnCase csv files of a real-
life case).
To ensure the computer network system
is secure in an organization. A successful
Computer Forensic Investigator must be
familiar with various laws and regulations
related to computer crimes in their
country (e.g. Malaysian Computer Crimes
Act , CCA 1997) and various computer
operating systems (e.g. Windows, Linux)
and network operating systems (e.g. Win
NT). This report will be analyzed the
method and visualize these computer
forensics analysis results by using Python
and Jupyter Notebook. The result will be

2. plotted in visualization so that it more
easy to make reference or any
improvement [2].
Digital investigations are constantly
changing as new technologies are utilized
to create, store or transfer vital data [3].
Augmenting existing forensic platforms
with innovative methods of acquiring,
processing, reasoning about and
providing actionable evidence is vital.
Integrating open-source Python scripts
with leading-edge forensic platforms like
EnCase provides great versatility and can
speed new investigative methods and
processing algorithms to address these
emerging technologies.
In Malaysia, law enforcement agency is
now faced with the task of enforcing law
in cyberspace that transcends borders
and raises issues of jurisdiction.
Cybercrime has surpassed drug
trafficking as the most lucrative crime.
Almost anybody who is an active
computer/online user would have been a
cybercrime victim, and in most cases too
its perpetrators. Cybercriminals usually
use to cheat, harass, disseminate false
information for their own good. This
project basically want to improve the
results of the investigation have been
made to visualize these computer
forensics analysis results by using Python
and Jupyter Notebook. By not only have
raw data into something that is more
easily understood as a whole. So that,
people can also see the overview of the
results and it will be more accurate.
II. Problem Statement
In the analysis period of the computer
forensics crime scene investigation, the
analyst may confront numerous issues
on getting the exceptionally precise
result. They only get some kind of raw
information and less clear than regular
visualizations even more
understandable. One of the problems
is:
1. Computer forensics system lacks
statistical and visualization tools.
There are key points that need to be
considered in the investigation period
of the digital evidence:
1. Evidence profiling is crucial in
understanding relationships of
the digital evidence activities
timeline to the case investigation
timeline.
III. Workflow
Figure 3.: Flowchart

3. Figure 3.: Current Situation
Figure 3.: Overview
The security analysts are having
problems with lack of statistical and
visualizations tools in order to get
accurate results. They need to manually
compared all the raw information’s from
the digital evidence instead of visualize it.
The data from csv file may consist so
many data that came from various
sources. To avoid the situation where
analysts having issues with time
consuming and getting unclear
visualization of the csv data, the system
is needed. By using Jupyter Notebook
with Python, it may assist analyst to
gathering information and speed up prove
of evidence collection. Visualizaitons will
help to provide more understandable and
clear view of data from the csv file.
Due to the problems that have been
declared, the system provided the best
solution in order to get the visualizations.
The data .csv will be loaded into Jupyter
Notebook with Python 2.7, and then user
will choose type of analysis to be
included. In this part, it will decide on the
building blocks of the language such as
variables, datatypes, functions,
conditionals and loops. In addition,
question may be asked in this phase,
what type of analysis has been choosen.
In models & algorithms part, user may
choose what kind of models to be
produce based on the coding part. After
that, visualization will be visualized based
on request. In reporting part, user may
choose whether to export the data
science results and code base to PDF,
Microsoft Word and the web (html).
IV. Data Specimen
In computing, a comma-separated values
(CSV) document stores unthinkable
information (numbers and content) in
plain content. Every line of the document
is an information record. Every record
comprises of one or more fields, isolated
by commas. The utilization of the comma
as a field separator is the wellspring of
the name for this document group.
The CSV record organization is not
standardized. The essential thought of
isolating fields with a comma is clear, yet
that thought gets confused when the field
information may likewise contain commas
or even implanted line-breaks. CSV
usage may not handle such field
information, or they may utilize quotes to
encompass the field. CSV data contains
many datatypes and fields, it need to be

4. clean in order to get a better view of the
data. Jupyter Notebook with Python have
provided csvkit library in order to clean
the data. It can be set during the coding
part of the system.
Figure 1.: Data .csv
V. Methodology
Methodology that are used by this project
is Security Data Visualization Process.
Figure 5.1: Security Data Visualization
Process
1. Visualization Goals
On this step, it should get the overview of
current situation. Then, it follows with
gathering requirement from security
analyst where is the main user. The
requirement consists of determine the
visualization goals for the specific ease.
In fullfulling the requirement, the program
development of the system is produced in
order to achieve the visualization goals
that will be determined by the security
analyst. The visualization goals may
consists of what kind of information and
question required by the security analyst.
2. Data Preparation
It begins with seeking information and
setting up the information for analysis.
The following stride is to investigate the
information with the right inquiries, then
picture the information to create bits of
knowledge and follow up on it.
The most essential stride before
beginning representation is information
purifying or making the information
accessible in a usable configuration. For
example, encase data form csv file. It will
search for different learns of files found
inside an external hardrive and represent
it in visualization methods.
3. Explore
Asking the right question will prompt
further investigation and representation
utilizing factual/probabilistic
models/calculations and lead to helpful
bits of knowledge/choices. Statistical
methods that suitable to be used will be
decided in this step.
The investigate stage will take a gander
at some systematic exercises that will
empower security groups to ask the right
inquiries and take a gander at the

5. information to perceive how security
groups can accomplish their objectives.
4. Visualize
There are two angles to perception
hypothesis; one of it is the style. There is
writing around how to utilize shading,
tone, thickness and different perspectives
to make outwardly satisfying pictures to
target group. There is part of outline rules
in the book [4]. Graphics Press: There is
a committed section in the book [5].
These are sample of visualizations and
some explanation about it that could be
made.
5. Feedback
This step involves continuous
improvement with feedback from the
stakeholders and availability of new data.
In reporting part, data science results
could be represented in many ways.
VI. Results
For this visualization, the CyberSecurity
Malaysia has provided this data. It
provides metadata from Encase Result in
real forensic cases. The format for this
data is in .csv.
The metadata from the Encase Result
was a real data that given by Digital
Forensics Departments In CyberSecurity
Malaysia. The data was exhibit from
external hard drive. The first impression
by just looking the raw data, visualization
can make the data into something that is
more easily understood as a whole. So
that, people can also see the overview of
the results and it will be more accurate. In
this way, analysts are doing deduction of
material evidence so that they are easy to
identify the suspect
Figure 6.1: Overall Data Pie Chart
This pie chart shows the perentage of
each data type in the metadata file. From
the chart, .jpg data type is the highest
data that are produced/keeped by the
suspect. Followed by .xls, .pdf, .doc and
lastly .pptx.
Suspects showed a deep interest in data
type .jpg extent that more than 50% of the
data is based on data type .jpg. But, none
the less the number of data types .xls
where it represents 22% of the total data.
The suspect is likely an overpowering
interest in the collection, but the suspect
was also a diligent collecting data in the
calculation of whether skilled or analyze.
Figure .2: Data Compared by Month
From the graph, total number of metadata
shows that in April is the active period for
the suspect to produced/keeped the data.
So, it can be predict that April month for
each year are the most busy time for the
suspect to produced/keeped the data.

6. Followed by May, July and November
each of the above shows the number of
data rates are relatively high. The
probabilities that suspect are actively
doing the job in the middle of the year.
While in January for each year are the
lowest count that suspect frequently to
produced/keeped the data.
As seen in the graph, in January and
December rates meant their numbers are
very different compared to other months.
The assumption can be made that in two
months the suspect took time off and less
interested in generating any data.
Figure 6.3: Data Compared by Years
In this graph, it compare the data type of
the data for each year. It's proved that
.jpg file was the most file that being
produce/keep by the suspect. It can be
said that in 2006 & 2013 respectively was
the highest data being produce/keep
based on the visualization.
From that, we can aspect the suspect
behavior. .jpg format is for digital photos
and
other digital graphics. So, from that we
can concluded that suspect loves picture.
In beginning of years 1998 until 2011 it
keep going produce/keep those kind of
data.
Suspect likely to take great pictures. it
uses the advantages of and interest on
the image to get his wish. Conclusion that
can be made is the suspect is a
Photographer. In 2013, but no less
intense .xls format.It's a file extension for
a spreadsheet file format created by
Microsoft for use with Microsoft Excel.
Microsoft Excel is a well-organized
platform that give freedom to write data
on grids and worksheets, organized at
will, formatted as they prefer.It's also uses
in any quantity in business or finance.
Suspect maybe someone that loves to
write and doing doing something with its
own way.
Conclusion that can be made is the
suspect is an Analyst.
VII. Conclusion and Way
Forward
1. There are sugeestion that can be
making for the future works.
Visualization results improved with
the addition of information and the
right technique.
2. Numerical data can improve the
quality of the visualization. The
graphs are more attractive and easy
to understand.
3. If jupyter notebook can import more
data library, the more attractive form
of graphs can be

7. In conclusion, the phases that was
involved throughout the development of
this system starting from the idea,
requirement gathering, analysis, design,
coding, testing and finally presentation
was a very precious journey of learning,
failures, successes and persistence.
From this journey, this application has
opened my thoughts on how I used to
view on programming and it builds a
sense of interest in me towards
programming. Even though there are, still
much enhancement to be made in future,
the current developed system still
manages to fulfill the minimum
requirements and solves the problems
stated.
VIII. References
1. Nelson, B., et al., “Computer
Forensics Investigation”, 2008.
2. Case studies,
http://resources.infosecinstitute.com/,
2016.
3. Michael G. Noblett; Mark M. Pollitt;
Lawrence A. Presley, “Computer
Forensics”,
https://en.wikipedia.org/wiki/Compute
r_forensics October 2000.
4. Tufte, E., ”The visual display of
quantitative information, Cheshire,
Conn. (Box 430, Cheshire 06410)”,
1983.
5. Marty, R., “Applied security
visualization, Upper Saddle River, NJ:
Addison-Wesley", 2009.