A Framework for the Forensic Analysis of User Interaction with Social Media

A Framework for the Forensic Analysis of User Interaction with Social Media

John Haggerty (School of Computing, Science and Engineering, University of Salford, Manchester, UK), Mark C. Casson (Henley Business School, University of Reading, Reading, UK), Sheryllynne Haggerty (School of Humanities, University of Nottingham, Nottingham, UK) and Mark J. Taylor (School of Computing and Mathematical Sciences, Liverpool John Moores University, Liverpool, UK)
DOI: 10.4018/978-1-4666-4006-1.ch014
OnDemand PDF Download:
$30.00
List Price: $37.50

Abstract

The increasing use of social media, applications or platforms that allow users to interact online, ensures that this environment will provide a useful source of evidence for the forensics examiner. Current tools for the examination of digital evidence find this data problematic as they are not designed for the collection and analysis of online data. Therefore, this paper presents a framework for the forensic analysis of user interaction with social media. In particular, it presents an inter-disciplinary approach for the quantitative analysis of user engagement to identify relational and temporal dimensions of evidence relevant to an investigation. This framework enables the analysis of large data sets from which a (much smaller) group of individuals of interest can be identified. In this way, it may be used to support the identification of individuals who might be ‘instigators’ of a criminal event orchestrated via social media, or a means of potentially identifying those who might be involved in the ‘peaks’ of activity. In order to demonstrate the applicability of the framework, this paper applies it to a case study of actors posting to a social media Web site.
Chapter Preview
Top

Social Network And Social Media Analysis

Computer forensics tools, such as EnCase (Guidance, 2012) and the Forensic Toolkit (Access Data, 2012), are used by examiners to recreate files and data from a suspect's computer. An image of the hard drive is taken to replicate the original data source to ensure evidence integrity as all analysis is carried out on the image of the original hard drive. A forensics tool is then used to recreate the logical structure of the underlying file system. A computer forensic analyst views the files, both extant and deleted, and files of interest are reported with supporting evidence, such as time of investigation, analyst's name, the logical and actual location of the file, etc. However, as discussed above, these tools are designed to analyse evidence retrieved from storage media rather than examine data from online sources such as social media. This is problematic as investigations involving social networks formed through social media have risen in prominence due to the information about a suspect that these data sources may yield to the forensic examiner.

Complete Chapter List

Search this Book:
Reset