CONSTRUCTING SOCIAL NETWORKS AND CLASSIFYING EMAIL ADDRESSES FROM RAW FORENSIC IMAGES

Abstract

The ability to find email addresses on digital storage media and deduce the relationships between them is critical for the success of many law enforcement and intelligence collection activities. Currently, building these social networks requires manually processing forensic images of acquired digital media. We conduct an experiment using readily available extraction and visualization tools along with a new algorithm that constructs networks based on the byte-offset proximity between digital artifacts. The main objective of this study is to test this new algorithm and refine techniques for classification with a goal of automating steps in the process of constructing social networks. To achieve this, we build an 11 terabyte dataset of drive images, construct networks from them, and assign these networks to the categories “useful” or “not useful” according to whether we believe them to contain information relevant to the actual social network of the device owner. We then interview device owners to determine ground truth, which we use to evaluate our analysis. We succeed in correctly categorizing networks with a recall of 0.9166, precision of 0.6316 and F-score of 0.7643. Our results show that our algorithm is successful in outputting data useful for the construction of the user's social networks.