{"status":"ok","message-type":"work","message-version":"1.0.0","message":{"indexed":{"date-parts":[[2025,11,14]],"date-time":"2025-11-14T21:29:26Z","timestamp":1763155766656,"version":"3.41.2"},"reference-count":25,"publisher":"Emerald","issue":"4","license":[{"start":{"date-parts":[[2014,10,7]],"date-time":"2014-10-07T00:00:00Z","timestamp":1412640000000},"content-version":"tdm","delay-in-days":0,"URL":"https:\/\/www.emerald.com\/insight\/site-policies"}],"content-domain":{"domain":[],"crossmark-restriction":false},"short-container-title":[],"published-print":{"date-parts":[[2014,10,7]]},"abstract":"\n Purpose<\/jats:title>\n \u2013 The purpose of this paper is to propose a novel approach that automates the visualisation of both quantitative data (the network) and qualitative data (the content) within emails to aid the triage of evidence during a forensics investigation. Email remains a key source of evidence during a digital investigation, and a forensics examiner may be required to triage and analyse large email data sets for evidence. Current practice utilises tools and techniques that require a manual trawl through such data, which is a time-consuming process. <\/jats:p>\n <\/jats:sec>\n \n Design\/methodology\/approach<\/jats:title>\n \u2013 This paper applies the methodology to the Enron email corpus, and in particular one key suspect, to demonstrate the applicability of the approach. Resulting visualisations of network narratives are discussed to show how network narratives may be used to triage large evidence data sets. <\/jats:p>\n <\/jats:sec>\n \n Findings<\/jats:title>\n \u2013 Using the network narrative approach enables a forensics examiner to quickly identify relevant evidence within large email data sets. Within the case study presented in this paper, the results identify key witnesses, other actors of interest to the investigation and potential sources of further evidence. <\/jats:p>\n <\/jats:sec>\n \n Practical implications<\/jats:title>\n \u2013 The implications are for digital forensics examiners or for security investigations that involve email data. The approach posited in this paper demonstrates the triage and visualisation of email network narratives to aid an investigation and identify potential sources of electronic evidence. <\/jats:p>\n <\/jats:sec>\n \n Originality\/value<\/jats:title>\n \u2013 There are a number of network visualisation applications in use. However, none of these enable the combined visualisation of quantitative and qualitative data to provide a view of what the actors are discussing and how this shapes the network in email data sets.<\/jats:p>\n <\/jats:sec>","DOI":"10.1108\/imcs-11-2013-0080","type":"journal-article","created":{"date-parts":[[2014,10,29]],"date-time":"2014-10-29T06:51:52Z","timestamp":1414565512000},"page":"358-370","source":"Crossref","is-referenced-by-count":11,"title":["Forensic triage of email network narratives through visualisation"],"prefix":"10.1108","volume":"22","author":[{"given":"John","family":"Haggerty","sequence":"first","affiliation":[],"role":[{"role":"author","vocabulary":"crossref"}]},{"given":"Sheryllynne","family":"Haggerty","sequence":"first","affiliation":[],"role":[{"role":"author","vocabulary":"crossref"}]},{"given":"Mark","family":"Taylor","sequence":"first","affiliation":[],"role":[{"role":"author","vocabulary":"crossref"}]}],"member":"140","reference":[{"key":"key2020122802171299300_b1","unstructured":"Access Data\n (2013), \u201cAccess Data\u201d, available at: www.accessdata.com (accessed 30 October 2013)."},{"key":"key2020122802171299300_b2","unstructured":"BBC\n (2012), \u201cPaedophile ring members jailed indefinitely\u201d, available at: www.bbc.co.uk\/news\/uk-england-19947914 (accessed 30 October 2013)."},{"key":"key2020122802171299300_b10","doi-asserted-by":"crossref","unstructured":"Chu, H.C.\n , \n Deng, D.J.\n and \n Park, J.H.\n (2011), \u201cLive data mining concerning social networking forensics based on a facebook session through aggregation of social data\u201d, IEEE Journal on Selected Areas in Communications, Vol. 29 No. 7, pp. 1368-1376.","DOI":"10.1109\/JSAC.2011.110804"},{"key":"key2020122802171299300_b3","doi-asserted-by":"crossref","unstructured":"DeBarr, D.\n , \n Ramanathan, V.\n and \n Harry Wechsler, H.\n (2013), \u201cPhishing detection using traffic behavior, spectral clustering and random forests\u201d, Proceedings of Intelligence and Security Informatics (ISI 2013) in Seattle, IEEE, Washington, DC, pp. 67-72.","DOI":"10.1109\/ISI.2013.6578788"},{"key":"key2020122802171299300_b4","doi-asserted-by":"crossref","unstructured":"Dou, W.\n , \n Wang, X.\n , \n Skau, D.\n , \n Ribarsky, W.\n and \n Zhou, M.X.\n (2012), \u201cLeadLine: interactive visual analysis of text data through event identification and exploration\u201d, Proceedings of the IEEE Symposium on Visual Analytics Science and Technology in Seattle, IEEE, Washington, DC, pp. 93-102.","DOI":"10.1109\/VAST.2012.6400485"},{"key":"key2020122802171299300_b5","unstructured":"EnronData.org\n (2014), \u201cEnronData.org the enron data reconstruction project\u201d, available at: http:\/\/enrondata.org\/content\/data\/ (accessed 30 October 2013)."},{"key":"key2020122802171299300_b6","unstructured":"Esichaikul, V.\n , \n Guha, S.\n and \n Juntapoln, C.\n (2011), \u201cMonitoring email transaction logs by text-mining email contents\u201d, Proceedings of the 3rd International Conference on Data Mining and Intelligent Information Technology Applications (ICMiA), IEEE, Macao, pp. 255-258."},{"key":"key2020122802171299300_b7","doi-asserted-by":"crossref","unstructured":"Fisher, D.\n , \n Hoff, A.\n , \n Robertson, G.\n and \n Hurst, M.\n (2008), \u201cNarratives: a visualization to track narrative events as they develop\u201d, Proceedings of the IEEE Symposium on Visual Analytics Science and Technology, IEEE, Columbus, pp. 115-122.","DOI":"10.1109\/VAST.2008.4677364"},{"key":"key2020122802171299300_b8","unstructured":"Haggerty, J.\n and \n Haggerty, S.\n (2011), \u201cTemporal social network analysis for historians: a case study\u201d, Proceedings of the International Conference on Visualization Theory and Applications (IVAPP 2011), Institute for Systems and Technologies of Information, Control and Communication, Algarve, pp. 207-217."},{"key":"key2020122802171299300_b9","doi-asserted-by":"crossref","unstructured":"Haggerty, J.\n , \n Karran, A.J.\n , \n Lamb, D.J.\n and \n Taylor, M.J.\n (2011), \u201cA framework for the forensic investigation of unstructured email relationship data\u201d, International Journal of Digital Crime and Forensics, Vol. 3 No. 3, pp. 1-18.","DOI":"10.4018\/jdcf.2011070101"},{"key":"key2020122802171299300_b11","doi-asserted-by":"crossref","unstructured":"Hamid, I.R.A.\n and \n Abawajy, J.\n (2011), \u201cPhishing email feature selection approach\u201d, Proceedings of the International Joint Conference of IEEE TrustCom-11, IEEE, Changsha, pp. 916-921.","DOI":"10.1109\/TrustCom.2011.126"},{"key":"key2020122802171299300_b12","doi-asserted-by":"crossref","unstructured":"Henseler, H.\n (2010), \u201cNetwork-based filtering for large email collections in E-Discovery\u201d, Artificial Intelligence and Law, Vol. 18 No. 4, pp. 413-430.","DOI":"10.1007\/s10506-010-9099-3"},{"key":"key2020122802171299300_b13","doi-asserted-by":"crossref","unstructured":"Hullman, J.\n and \n Diakopoulos, N.\n (2011), \u201cVisualization rhetoric: framing effects in narrative visualization\u201d, IEEE Transactions on Visualization and Computer Graphics, Vol. 17 No. 12, pp. 2231-2240.","DOI":"10.1109\/TVCG.2011.255"},{"key":"key2020122802171299300_b14","doi-asserted-by":"crossref","unstructured":"Jankun-Kelly, T.J.\n , \n Wilson, D.\n , \n Stamps, A.S.\n , \n Franck, J.\n , \n Carver, J.\n and \n Swan, J.E. II\n (2009), \u201cA visual analytic framework for exploring relationships in textual contents of digital forensics evidence\u201d, Proceedings of the 6th International Workshop on Visualization for Cyber Security, IEEE, Atlantic City, NJ, pp. 39-44.","DOI":"10.1109\/VIZSEC.2009.5375541"},{"key":"key2020122802171299300_b15","doi-asserted-by":"crossref","unstructured":"Nair, V.\n , \n Kaduskar, M.\n , \n Bhaskaran, P.\n , \n Bhaumik, S.\n and \n Lee, H.\n (2011), \u201cPreserving narratives in electronic health records\u201d, Proceedings of the International Conference on Bioinformatics and Biomedicine, IEEE, Atlanta, pp. 418-421.","DOI":"10.1109\/BIBM.2011.101"},{"key":"key2020122802171299300_b16","doi-asserted-by":"crossref","unstructured":"Osborne, G.\n , \n Turnbull, B.\n and \n Slay, J.\n (2012), \u201cDevelopment of infovis software for digital forensics\u201d, Proceedings of the 36th International Conference on Software and Applications Workshop, IEEE, Izmir, pp. 213-217.","DOI":"10.1109\/COMPSACW.2012.47"},{"key":"key2020122802171299300_b17","unstructured":"Palomo, E.J.\n , \n North, J.\n , \n Elizondo, D.\n , \n Luque, R.M.\n and \n Watson, T.\n (2011), \u201cVisualization of network forensics traffic data with self-organizing map for qualitative features\u201d, Proceedings of the International Joint Conference on Neural Networks, IEEE, San Jose, pp. 1740-1747."},{"key":"key2020122802171299300_b18","doi-asserted-by":"crossref","unstructured":"Schrenk, G.\n and \n Poisel, R.\n (2011), \u201cA discussion of visualization techniques for the analysis of digital evidence\u201d, Proceedings of the 6th International Conference on Availability, Reliability and Security, IEEE, Vienna, pp. 758-763.","DOI":"10.1109\/ARES.2011.119"},{"key":"key2020122802171299300_b19","doi-asserted-by":"crossref","unstructured":"Segel, E.\n and \n Heer, J.\n (2010), \u201cNarrative visualization: telling stories with data\u201d, IEEE Transactions on Visualization and Computer Graphics, Vol. 16 No. 6, pp. 1139-1148.","DOI":"10.1109\/TVCG.2010.179"},{"key":"key2020122802171299300_b20","unstructured":"Thomas, M.\n (2014), \u201cWhat is the average reading speed and the best rate of reading?\u201d, available at: www.healthguidance.org\/entry\/13263\/1\/What-Is-the-Average-Reading-Speed-and-the-Best-Rate-of-Reading.html (accessed 30 October 2013)."},{"key":"key2020122802171299300_b21","unstructured":"Ungar, L.\n , \n Leibholz, S.\n and \n Chaski, C.\n (2011), \u201cIntentFinder: a system for discovering significant information implicit in large, heterogeneous document collections\u201d, Proceedings of the International Conference on Technologies for Homeland Security, IEEE, Waltham, pp. 219-223."},{"key":"key2020122802171299300_b22","doi-asserted-by":"crossref","unstructured":"Wang, D.\n , \n Liu, W.\n , \n Xu, W.\n and \n Zhang, X.\n (2011), \u201cTopic tracking based on event network\u201d, Proceedings of the International Conferences on Internet of Things, and Cyber, Physical and Social Computing, IEEE, Dalian, pp. 488-493.","DOI":"10.1109\/iThings\/CPSCom.2011.59"},{"key":"key2020122802171299300_b23","doi-asserted-by":"crossref","unstructured":"Wiil, U.K.\n , \n Gniadek, J.\n and \n Memon, N.\n (2010), \u201cMeasuring link importance in terrorist networks\u201d, Proceedings of the International Conference on Social Networks Analysis and Mining, Odense, pp. 225-232.","DOI":"10.1109\/ASONAM.2010.29"},{"key":"key2020122802171299300_b24","doi-asserted-by":"crossref","unstructured":"Yoshinaga, N.\n , \n Itaya, S.\n , \n Tanaka, R.\n , \n Konishi, T.\n , \n Doi, S.\n , \n Yamada, K.\n and \n Davis, P.\n (2010), \u201cContent propagation analysis of email communications\u201d, Proceedings of the 2010 IEEE\/WIC\/ACM International Conference on Web Intelligence and Intelligent Agent Technology, IEEE, WIC, ACM, Toronto, pp. 79-82.","DOI":"10.1109\/WI-IAT.2010.202"},{"key":"key2020122802171299300_b25","unstructured":"Zilberman, P.\n , \n Dolev, S.\n , \n Katz, G.\n , \n Elovici, Y.\n and \n Shabtai, A.\n (2013), \u201cAnalyzing group communication for preventing data leakage via email\u201d, Proceedings of Intelligence and Security Informatics 2013 in Seattle, IEEE, Washington, DC, pp. 37-41."}],"container-title":["Information Management & Computer Security"],"original-title":[],"language":"en","link":[{"URL":"http:\/\/www.emeraldinsight.com\/doi\/full-xml\/10.1108\/IMCS-11-2013-0080","content-type":"unspecified","content-version":"vor","intended-application":"text-mining"},{"URL":"https:\/\/www.emerald.com\/insight\/content\/doi\/10.1108\/IMCS-11-2013-0080\/full\/xml","content-type":"application\/xml","content-version":"vor","intended-application":"text-mining"},{"URL":"https:\/\/www.emerald.com\/insight\/content\/doi\/10.1108\/IMCS-11-2013-0080\/full\/html","content-type":"unspecified","content-version":"vor","intended-application":"similarity-checking"}],"deposited":{"date-parts":[[2025,7,24]],"date-time":"2025-07-24T21:50:50Z","timestamp":1753393850000},"score":1,"resource":{"primary":{"URL":"http:\/\/www.emerald.com\/ics\/article\/22\/4\/358-370\/176023"}},"subtitle":[],"short-title":[],"issued":{"date-parts":[[2014,10,7]]},"references-count":25,"journal-issue":{"issue":"4","published-print":{"date-parts":[[2014,10,7]]}},"alternative-id":["10.1108\/IMCS-11-2013-0080"],"URL":"https:\/\/doi.org\/10.1108\/imcs-11-2013-0080","relation":{},"ISSN":["0968-5227"],"issn-type":[{"type":"print","value":"0968-5227"}],"subject":[],"published":{"date-parts":[[2014,10,7]]}}}