
    Forensic triage of email network narratives through visualisation

    Purpose – The purpose of this paper is to propose a novel approach that automates the visualisation of both quantitative data (the network) and qualitative data (the content) within emails to aid the triage of evidence during a forensics investigation. Email remains a key source of evidence during a digital investigation, and a forensics examiner may be required to triage and analyse large email data sets for evidence. Current practice utilises tools and techniques that require a manual trawl through such data, which is a time-consuming process.
    Design/methodology/approach – This paper applies the methodology to the Enron email corpus, and in particular one key suspect, to demonstrate the applicability of the approach. Resulting visualisations of network narratives are discussed to show how network narratives may be used to triage large evidence data sets.
    Findings – Using the network narrative approach enables a forensics examiner to quickly identify relevant evidence within large email data sets. Within the case study presented in this paper, the results identify key witnesses, other actors of interest to the investigation and potential sources of further evidence.
    Practical implications – The implications are for digital forensics examiners or for security investigations that involve email data. The approach posited in this paper demonstrates the triage and visualisation of email network narratives to aid an investigation and identify potential sources of electronic evidence.
    Originality/value – There are a number of network visualisation applications in use. However, none of these enable the combined visualisation of quantitative and qualitative data to provide a view of what the actors are discussing and how this shapes the network in email data sets.


    From Logs to Stories: Human-Centred Data Mining for Cyber Threat Intelligence


    Avoiding “musty mutton chops”: the network narrative of an American merchant in London, 1771-1774

    Historians have increasingly been using network and narrative analysis as a means by which to explore their data. By doing so, they are able to explore how actors of interest used their relationships to undertake business and economic endeavors, and how, in turn, these were shaped by the discourse to which they had access. This paper presents a novel methodology using visual analytics to combine both social network (relationship) and textual (sentiment) analysis to visualize the information contained in historical sources over time. The definition of network narrative posited in this paper allows the historian to quantify and therefore assess the impact of, and reaction to, endogenous and exogenous events on actor networks. In order to demonstrate the applicability of this approach, we apply it to the case study of Joshua Johnson, an American merchant in London during the 1772 credit crisis. This paper builds on the more recent network studies which show that networks were not only complex, but changed over time in reaction to events.

    Establishing cyber situational awareness in industrial control systems

    The cyber threat to industrial control systems is an acknowledged security issue, but a qualified dataset to quantify the risk remains largely unavailable. Senior executives of facilities that operate these systems face competing requirements for investment budgets, but without an understanding of the nature of the threat, cyber security may not be a high priority. Operational managers and cyber incident responders at these facilities face a similarly complex situation. They must plan for the defence of critical systems, often unfamiliar to IT security professionals, from potentially capable, adaptable and covert antagonists who will actively attempt to evade detection. The scope of the challenge requires a coherent, enterprise-level awareness of the threat, such that organisations can assess their operational priorities, plan their defensive posture, and rehearse their responses prior to such an attack. This thesis proposes a novel combination of concepts found in risk assessment, intrusion detection, education, exercising, safety and process models, fused with experiential learning through serious games. It progressively builds a common set of shared mental models across an ICS operation to frame the nature of the adversary and establish enterprise situational awareness that permeates through all levels of teams involved in addressing the threat. This is underpinned by a set of coping strategies that identifies probable targets for advanced threat actors, proactively determining antagonistic courses of action to derive an appropriate response strategy.

    Leveraging digital forensics and data exploration to understand the creative work of a filmmaker: a case study of Stephen Dwoskin’s digital archive

    This paper aims to establish digital forensics and data exploration as a methodology for supporting archival practice and research into a filmmaker's creative processes. We approach this by exploring the digital legacy hard drives of the late artist Stephen Dwoskin (1939-2012), who is recognised as an influential filmmaker at the forefront of the shift from analogue to digital film production. The research findings of this case study show that digital forensics is effective in extracting a timeline of hard drive activities, data that can be explored to reveal clues about the artist's personal/professional history, stages of creative processes, and technical environment. The paper further demonstrates how this is related to current thinking around user-centred archival workflow and understanding of creative processes. The broader impact of the work for advancing digital archiving and research into creative processes is highlighted, concluding with a discussion of how, going forward, the approach can be coupled with deeper content analysis to reveal what influences editing choices taking place over time.

    The future of Cybersecurity in Italy: Strategic focus area

    This volume has been created as a continuation of the previous one, with the aim of outlining a set of focus areas and actions that the Italian national research community considers essential. The book touches many aspects of cyber security, ranging from the definition of the infrastructure and controls needed to organise cyber defence to the actions and technologies to be developed to be better protected, and from the identification of the main technologies to be defended to the proposal of a set of horizontal actions for training, awareness raising, and risk management.

    Picturing the Invisible

    Picturing the Invisible presents different disciplinary approaches to articulating the invisible, that which is not known or that which is not provable. The challenge that we have seen is how to articulate these concepts, not only to those within a particular academic field but beyond, to other disciplines and society at large. As our understanding of the complexity of the world grows incrementally, so does our realisation that issues and problems can rarely be resolved within neat demarcations. Therefore, the importance of finding means of communicating across disciplines and fields becomes a priority. Whilst acknowledging the essential importance of the specialist academic, the capacity to understand other disciplines, their priorities, methodologies and even the language used can become crucial in being an effective instrument for change. This book brings together insights from leading academics from a wide range of disciplines including Art and Design, Curatorial Practice, Literature, Forensic Science, Fashion, Medical Science, Psychoanalysis and Psychotherapy, Philosophy, Astrophysics and Architecture with a shared interest in exploring how, in each discipline, we strive to find expression for the invisible or unknown, and to draw out and articulate some of the explicit and tacit ways of communicating those concepts that transcend traditional disciplinary boundaries.

    Educating the effective digital forensics practitioner: academic, professional, graduate and student perspectives

    Over the years, digital forensics has become an important and sought-after profession, and the gateway of training and education has developed vastly over the past decade. Many UK higher education (HE) institutions now deliver courses that prepare students for careers in digital forensics and, in the most recent advances, cyber security. Skills shortages and external influences attributed to the field of cyber security, and its relationship as a discipline with digital forensics, have shifted the dynamic of UK higher education provision. As a result, the route to becoming a digital forensic practitioner, be it in law enforcement or business, has transformed from on-the-job training to university-educated, trained analysts. This thesis examined courses within HE and discovered that the delivery of these courses often overlooked areas such as mobile forensics, live data forensics, and Linux and Mac knowledge. This research also considered current standards available across HE to understand whether educational programmes are delivering what is documented as relevant curriculum. Cyber security was found to be the central focus of these standards, with digital forensics included within them, adding further to the debate about the lack of a distinctive identity for digital forensics as its own discipline. Few standards demonstrated how the topics, knowledge, skills and competences drawn upon were identified as relevant and effective for producing digital forensic practitioners. Additionally, this thesis analyses and discusses results from 201 participants across five stakeholder groups: graduates, professionals, academics, students and the public. These groups were selected because they are underdeveloped in the existing literature and because of the crucial role they play in the cycle of producing effective practitioners.
    Analysis of stakeholder views, experiences and thoughts surrounding education and training offers unique insight, theoretical underpinnings and original contributions not seen in the existing literature. Examples include the challenges, costs and initial issues of introducing graduates to employment for employers and/or supervising practitioners, and the lack of awareness and contextualisation on the part of students and graduates of what knowledge and skills they have learned and acquired on a course and its practical application on the job, which often leads to suggestions of a lack of fundamental knowledge and skills. This is evidenced throughout the thesis; examples include graduates, for their reflections on education based on their new on-the-job experiences and practices; professionals, for their job experiences and requirements; academics, for their educational practices and challenges; students, for their initial expectations and views; and the public, for their general understanding. This research uniquely captures these perspectives, bolstering the development of digital forensics as an academic discipline, along with the importance these diverse views play in the overall approach to delivering skilled practitioners.
    While the main contribution to knowledge within this thesis is its narrative focusing on the education of effective digital forensic practitioners and its major stakeholders, this thesis also makes additional contributions both academically and professionally, including the discussion, analysis and reflection of:
    - improvements for education and digital forensics topics for research and curriculum development;
    - where course offerings can be improved for institutions offering digital forensic degree programmes;
    - the need for further collaboration between industry and academia to provide students and graduates with a greater understanding of the real-life role of a digital forensic practitioner and the expectations in employment;
    - the continuous and unique challenges within both academia and industry that digital forensics faces, and the need for improved facilities and tool development to curate and share problem- and scenario-based learning studies.