A granular approach for user-centric network analysis to identify digital evidence

Recently, a tremendous advancement has been made in the field of network and communication. A usage of pervasive applications for machine-to-machine communication is increasing day by day. Digital forensic examiners are facing different type of problems. The most prominent problems among the research community are data overload, data modeling, data characterization and data presentation. This paper addresses these issues by analyzing a dataset of instant messages (IMs) over the period of 2 years and 4-months. Various patterns of interaction between target user and his/her buddies are analyzed through Social Network Analysis (SNA). The strength of relationship e.g. close, fair, temporary, etc. between each pair of users is determined by analyzing their social interaction ratio with respect to the chat frequency of overall network. The characterization of IMs is to identify the interaction between various actors from Social Network of Instant Messages (SNIM) and the prominence of certain actor within social network. Graphs and matrices are used to model and characterize the SNIM and suitable techniques are identified for computational analysis of SNIM. Centrality measures such as degree centrality, betweenness centrality and closeness centrality are taken to determine the connection of each actor with its neighbors and its influence within SNIM. 'Vizster' and 'Prefuse' are used for graphical representations and to analyze SNIM forensically. The effectiveness of 'snowball method' for forensic analysis of dataset graphically is also discussed. In the end the maximum number of immediate ties at step 1 of each vertex are considered to determine the most influential and significant vertices from the SNIM. Various relationship levels are defined on the basis of examiner-defined threshold to conclude the required results.