A granular approach for user-centric network analysis to identify digital evidence

Muhammad Yasin, Junaid Ahmad Qureshi, Firdous Kausar, Jongsung Kim*, Jungtaek Seo

*Corresponding author for this work

Research output: Contribution to journalArticlepeer-review

3 Citations (Scopus)


Recently, a tremendous advancement has been made in the field of network and communication. A usage of pervasive applications for machine-to-machine communication is increasing day by day. Digital forensic examiners are facing different type of problems. The most prominent problems among the research community are data overload, data modeling, data characterization and data presentation. This paper addresses these issues by analyzing a dataset of instant messages (IMs) over the period of 2 years and 4-months. Various patterns of interaction between target user and his/her buddies are analyzed through Social Network Analysis (SNA). The strength of relationship e.g. close, fair, temporary, etc. between each pair of users is determined by analyzing their social interaction ratio with respect to the chat frequency of overall network. The characterization of IMs is to identify the interaction between various actors from Social Network of Instant Messages (SNIM) and the prominence of certain actor within social network. Graphs and matrices are used to model and characterize the SNIM and suitable techniques are identified for computational analysis of SNIM. Centrality measures such as degree centrality, betweenness centrality and closeness centrality are taken to determine the connection of each actor with its neighbors and its influence within SNIM. ‘Vizster’ and ‘Prefuse’ are used for graphical representations and to analyze SNIM forensically. The effectiveness of ‘snowball method’ for forensic analysis of dataset graphically is also discussed. In the end the maximum number of immediate ties at step 1 of each vertex are considered to determine the most influential and significant vertices from the SNIM. Various relationship levels are defined on the basis of examiner-defined threshold to conclude the required results.

Original languageEnglish
Pages (from-to)911-924
Number of pages14
JournalPeer-to-Peer Networking and Applications
Issue number5
Publication statusPublished - Sept 7 2015
Externally publishedYes


  • Digital evidence
  • Digital forensic
  • Instant messages
  • Network analysis
  • Social network analysis

ASJC Scopus subject areas

  • Software
  • Computer Networks and Communications

Cite this