Creating and understanding email communication networks to aid digital forensic investigations
Michael McCarrin, Janina Green, Ralucca Gera

TL;DR
This paper presents a novel automated method for constructing social communication networks from raw digital storage media to support forensic investigations, validated against real-world data.
Contribution
It introduces a new technique for extracting email-based social networks directly from hard drives, enhancing digital forensic analysis capabilities.
Findings
Classical centrality measures effectively identify key individuals.
Community detection algorithms reveal close associates within networks.
Method validated with real-world data and ground truth.
Abstract
Digital forensic analysts depend on the ability to understand the social networks of the individuals they investigate. We develop a novel method for automatically constructing these networks from collected hard drives. We accomplish this by scanning the raw storage media for email addresses, constructing co-reference networks based on the proximity of email addresses to each other, then selecting connected components that correspond to real communication networks. We validate our analysis against a tagged data-set of networks for which we determined ground truth through interviews with the drive owners. In the resulting social networks, we find that classical measures of centrality and community detection algorithms are effective for identifying important nodes and close associates.
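The pipeline the abstract describes (carve addresses from raw media, link addresses that occur close together, keep the connected components, rank members by centrality) as an added illustrative example; this is not the authors' code. The byte-proximity window, the degree-centrality ranking and the sample "disk image" are constructed assumptions, not values from the paper.

```python
import re
from collections import defaultdict
from itertools import combinations

# Constructed stand-in for a raw disk image: recovered header fragments and an
# unrelated contact address, separated by 4 KiB of zero filler (not real data).
GAP = b"\x00" * 4096
SAMPLE_IMAGE = (
    b"From: alice@example.org\r\nTo: bob@example.org, carol@example.org\r\n" + GAP
    + b"From: bob@example.org\r\nTo: alice@example.org\r\n" + GAP
    + b"From: frank@example.org\r\nTo: alice@example.org\r\n" + GAP
    + b"Contact: support@vendor.test\r\n" + GAP
    + b"From: dave@other.test\r\nTo: erin@other.test\r\n"
)
EMAIL_RE = re.compile(rb"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")

def scan_addresses(image):
    """Step 1: carve (offset, address) pairs from the raw bytes, ignoring file structure."""
    return [(m.start(), m.group().decode("ascii").lower())
            for m in EMAIL_RE.finditer(image)]

def build_coreference_graph(hits, window=1024):
    """Step 2: join two distinct addresses whose occurrences lie within `window` bytes (assumed rule)."""
    graph = {addr: set() for _, addr in hits}
    for (off_a, a), (off_b, b) in combinations(hits, 2):
        if a != b and abs(off_a - off_b) <= window:
            graph[a].add(b)
            graph[b].add(a)
    return graph

def connected_components(graph, min_size=2):
    """Step 3: keep components large enough to be candidate communication networks."""
    seen, comps = set(), []
    for start in graph:
        if start in seen:
            continue
        comp, stack = set(), [start]
        while stack:
            node = stack.pop()
            if node not in comp:
                comp.add(node)
                stack.extend(graph[node])
        seen |= comp
        if len(comp) >= min_size:
            comps.append(frozenset(comp))
    return comps

def degree_ranking(graph, comp):
    """Step 4: rank members by degree, the simplest centrality for spotting key individuals."""
    return sorted(comp, key=lambda n: (-len(graph[n]), n))

if __name__ == "__main__":
    g = build_coreference_graph(scan_addresses(SAMPLE_IMAGE))
    for comp in connected_components(g):
        print(sorted(comp), "-> most central:", degree_ranking(g, comp)[0])
```

The isolated vendor address falls out at step 3, which is the filtering the abstract refers to as selecting components that correspond to real communication networks.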
Taxonomy
Topics: Digital and Cyber Forensics · Digital Media Forensic Detection · Advanced Malware Detection Techniques
