{"status":"ok","message-type":"work","message-version":"1.0.0","message":{"indexed":{"date-parts":[[2024,9,14]],"date-time":"2024-09-14T15:14:31Z","timestamp":1726326871119},"reference-count":36,"publisher":"IGI Global","issue":"3","content-domain":{"domain":[],"crossmark-restriction":false},"short-container-title":[],"published-print":{"date-parts":[[2011,7,1]]},"abstract":"<p>The continued reliance on email communications ensures that it remains a major source of evidence during a digital investigation. Emails comprise both structured and unstructured data. Structured data provides qualitative information to the forensics examiner and is typically viewed through existing tools. Unstructured data is more complex as it comprises information associated with social networks, such as relationships within the network, identification of key actors and power relations, and there are currently no standardised tools for its forensic analysis. This paper posits a framework for the forensic investigation of email data. In particular, it focuses on the triage and analysis of unstructured data to identify key actors and relationships within an email network. This paper demonstrates the applicability of the approach by applying relevant stages of the framework to the Enron email corpus. The paper illustrates the advantage of triaging this data to identify (and discount) actors and potential sources of further evidence. It then applies social network analysis techniques to key actors within the data set. This paper posits that visualisation of unstructured data can greatly aid the examiner in their analysis of evidence discovered during an investigation.<\/p>","DOI":"10.4018\/jdcf.2011070101","type":"journal-article","created":{"date-parts":[[2011,10,20]],"date-time":"2011-10-20T14:38:19Z","timestamp":1319121499000},"page":"1-18","source":"Crossref","is-referenced-by-count":16,"title":["A Framework for the Forensic Investigation of Unstructured Email Relationship Data"],"prefix":"10.4018","volume":"3","author":[{"given":"John","family":"Haggerty","sequence":"first","affiliation":[{"name":"University of Salford, UK"}]},{"given":"Alexander J.","family":"Karran","sequence":"additional","affiliation":[{"name":"Liverpool John Moores University, UK"}]},{"given":"David J.","family":"Lamb","sequence":"additional","affiliation":[{"name":"Liverpool John Moores University, UK"}]},{"given":"Mark","family":"Taylor","sequence":"additional","affiliation":[{"name":"Liverpool John Moores University, UK"}]}],"member":"2432","reference":[{"key":"jdcf.2011070101-0","unstructured":"Access Data. (2011). FTK forensic tool kit. Retrieved from http:\/\/www.accessdata.com"},{"key":"jdcf.2011070101-1","doi-asserted-by":"crossref","unstructured":"Bird, C., Gourley, A., Devanbu, P., Gertz, M., & Swaminathan, A. (2006). Mining e-mail social networks. In Proceedings of the International Workshop on Mining Software Repositories (pp. 137-143).","DOI":"10.1145\/1137983.1138016"},{"key":"jdcf.2011070101-2","doi-asserted-by":"crossref","unstructured":"Carenini, G., Ng, R., Zhou, X., & Zwart, E. (2005). Discovery and regeneration of hidden emails. In Proceedings of the ACM Symposium on Applied Computing (pp. 503-510).","DOI":"10.1145\/1066677.1066792"},{"key":"jdcf.2011070101-3","unstructured":"Cohen, W. W. (2009). Enron email dataset. Retrieved from http:\/\/www.cs.cmu.edu\/~enron\/"},{"key":"jdcf.2011070101-4","doi-asserted-by":"crossref","unstructured":"Collingsworth, B., Menezes, R., & Martins, P. (2009). Assessing organizational stability via network analysis. In Proceedings of the IEEE Symposium on Computational Intelligence for Financial Engineering (pp. 43-50).","DOI":"10.1109\/CIFER.2009.4937501"},{"key":"jdcf.2011070101-5","doi-asserted-by":"crossref","DOI":"10.1017\/CBO9780511806452","author":"W.de Nooy","year":"2005","journal-title":"Exploratory social network analysis with Pajek"},{"key":"jdcf.2011070101-6","doi-asserted-by":"crossref","unstructured":"Dellutri, F., Laura, L., Ottaviani, V., & Italiano, G. F. (2009). Extracting social networks from seized smartphones and web data. In Proceedings of the 1st International Workshop on Information Forensics and Security (pp. 101-105).","DOI":"10.1109\/WIFS.2009.5386473"},{"key":"jdcf.2011070101-7","doi-asserted-by":"crossref","unstructured":"Falkowski, T., Bartelheimer, J., & Spiliopoulou, M. (2006). Mining and visualizing the evolution of subgroups in social networks. In Proceedings of the International Conference on Web Intelligence (pp. 52-58).","DOI":"10.1109\/WI.2006.118"},{"key":"jdcf.2011070101-8","doi-asserted-by":"publisher","DOI":"10.1016\/0378-8733(78)90021-7"},{"key":"jdcf.2011070101-9","doi-asserted-by":"publisher","DOI":"10.1086\/225469"},{"key":"jdcf.2011070101-10","unstructured":"Guidance Software. (2011). Encase. Retrieved from http:\/\/www.guidancesoftware.com"},{"key":"jdcf.2011070101-11","doi-asserted-by":"publisher","DOI":"10.1016\/j.diin.2009.01.004"},{"key":"jdcf.2011070101-12","unstructured":"Haggerty, J., Lamb, D., & Taylor, M. (2009). Social network visualization for forensic investigation of e-mail. In Proceedings of the 4th Annual Workshop on Digital Forensics and Incident Analysis (pp. 81-92)."},{"key":"jdcf.2011070101-13","doi-asserted-by":"crossref","unstructured":"Haggerty, J., Taylor, M., & Gresty, D. (2008). Determining culpability in investigations of malicious email dissemination within the organisation. In Proceedings of the 3rd Annual Workshop on Digital Forensics and Incident Analysis (pp. 12-20).","DOI":"10.1109\/WDFIA.2008.8"},{"key":"jdcf.2011070101-14","doi-asserted-by":"publisher","DOI":"10.1007\/s10506-010-9099-3"},{"key":"jdcf.2011070101-15","doi-asserted-by":"crossref","unstructured":"Hu, B., & Gong, J. (2010). Modeling individual-based social network with spatial-temporal information. In Proceedings of the International Conference on Management and Service Science (pp. 1-4).","DOI":"10.1109\/ICMSS.2010.5577184"},{"key":"jdcf.2011070101-16","unstructured":"Kalamaras, D. B. (2011). SocNetV. Retrieved from http:\/\/socnetv.sourceforge.net"},{"issue":"4","key":"jdcf.2011070101-17","first-page":"185","article-title":"Analysis of personal email networks using spectral decomposition.","volume":"7","author":"U.Kim","year":"2007","journal-title":"International Journal of Computer Science and Network Security"},{"key":"jdcf.2011070101-18","doi-asserted-by":"crossref","unstructured":"Klensin, J. (2008a). RFC 5321: Simple mail transfer protocol. Retrieved from http:\/\/tools.ietf.org\/html\/rfc5321","DOI":"10.17487\/rfc5321"},{"key":"jdcf.2011070101-19","unstructured":"Klensin, J. (2008b). RFC 5322: Internet message format. Retrieved from http:\/\/tools.ietf.org\/html\/rfc5322"},{"key":"jdcf.2011070101-20","doi-asserted-by":"publisher","DOI":"10.2307\/2096408"},{"key":"jdcf.2011070101-21","doi-asserted-by":"publisher","DOI":"10.1109\/TVCG.2006.106"},{"key":"jdcf.2011070101-22","unstructured":"Lin, H. (2010). Predicting sensitive relationships from email corpus. In Proceedings of the 4th International Conference on Genetic and Evolutionary Computing (pp. 264-267)."},{"key":"jdcf.2011070101-23","unstructured":"Orloff, J. (2011). 35 interesting statistics about email. Retrieved from http:\/\/www.theemailadmin.com\/2011\/05\/35-interesting-statistics-about-email\/"},{"key":"jdcf.2011070101-24","doi-asserted-by":"publisher","DOI":"10.1109\/MCG.2009.44"},{"key":"jdcf.2011070101-25","unstructured":"Powers, W. C., Jr., Troubh, R. S., & Winokur, H. S., Jr. (2002). Report of investigation by the special investigative committee of the Board of Directors of Enron Corp. Retrieved from http:\/\/news.findlaw.com\/wsj\/docs\/enron\/sicreport\/index.html"},{"key":"jdcf.2011070101-26","doi-asserted-by":"publisher","DOI":"10.1145\/1113034.1113074"},{"key":"jdcf.2011070101-27","doi-asserted-by":"crossref","unstructured":"Snasel, V., Horak, Z., Kocibova, J., & Abraham, A. (2009). Reducing social network dimensions using matrix factorization methods. In Proceedings of the Conference on Advances in Social Network Analysis and Mining (pp. 348-351).","DOI":"10.1109\/ASONAM.2009.48"},{"key":"jdcf.2011070101-28","unstructured":"United States Department of Justice (UDOJ). (2006). Kenneth L. Lay and Jeffrey K. Skilling Jury trial \u2013 Government exhibits. Retrieved from http:\/\/www.justice.gov\/enron\/exhibit\/04-18\/index.htm"},{"key":"jdcf.2011070101-29","doi-asserted-by":"crossref","unstructured":"Viegas, F. B., Boyd, D., Nguyen, D. H., Potter, J., & Donath, J. (2004). Digital artifacts for remembering and storytelling: PostHistory and social network fragments. In Proceedings of the 37th Hawaii International Conference on System Sciences (pp. 1-10).","DOI":"10.1109\/HICSS.2004.1265287"},{"key":"jdcf.2011070101-30","unstructured":"Vlado, A. (2011). Pajek. Retrieved from http:\/\/vlado.fmf.uni-lj.si\/pub\/networks\/pajek\/default.htm"},{"key":"jdcf.2011070101-31","doi-asserted-by":"publisher","DOI":"10.1145\/1410234.1410238"},{"key":"jdcf.2011070101-32","doi-asserted-by":"crossref","DOI":"10.1017\/CBO9780511815478","author":"S.Wasserman","year":"1994","journal-title":"Social network analysis: Methods and applications"},{"key":"jdcf.2011070101-33","doi-asserted-by":"crossref","unstructured":"Wei, C., Sprague, A., Warner, G., & Skjellum, A. (2008). Mining spam e-mail to identify common origins for forensic application. In Proceedings of the ACM Symposium on Applied Computing (pp. 1433-1437).","DOI":"10.1145\/1363686.1364019"},{"key":"jdcf.2011070101-34","doi-asserted-by":"crossref","unstructured":"Wiil, U. K., Gniadek, J., & Memon, N. (2010). Measuring link importance in terrorist networks. In Proceedings of the International Conference on Social Networks Analysis and Mining (pp. 225-232).","DOI":"10.1109\/ASONAM.2010.29"},{"key":"jdcf.2011070101-35","doi-asserted-by":"crossref","unstructured":"Zhou, Y., Fleischmann, K. R., & Wallace, W. A. (2010). Automatic text analysis of values in the Enron email dataset: Clustering a social network using the value patterns of actors. In Proceedings of the 43rd Hawaii International Conference of System Sciences (pp. 1-10).","DOI":"10.1109\/HICSS.2010.77"}],"container-title":["International Journal of Digital Crime and Forensics"],"original-title":[],"language":"ng","link":[{"URL":"https:\/\/www.igi-global.com\/viewtitle.aspx?TitleId=58405","content-type":"unspecified","content-version":"vor","intended-application":"similarity-checking"}],"deposited":{"date-parts":[[2022,6,1]],"date-time":"2022-06-01T14:31:56Z","timestamp":1654093916000},"score":1,"resource":{"primary":{"URL":"https:\/\/services.igi-global.com\/resolvedoi\/resolve.aspx?doi=10.4018\/jdcf.2011070101"}},"subtitle":[""],"short-title":[],"issued":{"date-parts":[[2011,7,1]]},"references-count":36,"journal-issue":{"issue":"3","published-print":{"date-parts":[[2011,7]]}},"URL":"https:\/\/doi.org\/10.4018\/jdcf.2011070101","relation":{},"ISSN":["1941-6210","1941-6229"],"issn-type":[{"value":"1941-6210","type":"print"},{"value":"1941-6229","type":"electronic"}],"subject":[],"published":{"date-parts":[[2011,7,1]]}}}