Analyzing Network Level Information

Author First name, Last name, Institution

Farkhund Iqbal
Mourad Debbabi
Benjamin C. M. Fung

Document Type

Book Chapter

Source of Publication

Machine Learning for Authorship Attribution and Cyber Forensics

Publication Date



This chapter provides a brief description of the methods employed for collecting initial information about a given suspicious online communication message, including header and network information, and of how to forensically analyze the dataset to obtain the information necessary to trace the crime back to its source. The header content and network information are usually the immediate sources for collecting preliminary information about a given collection of suspicious online messages. Header analysis of an e-mail corpus, identifying all the senders, the recipients associated with each sender, and the frequency of messages exchanged between users, helps an investigator understand the overall nature of the e-mail communication. Electronic messages such as e-mails or virtual network data present a potential dataset or source of evidence containing personal communications, critical business communications, or agreements. When a crime is committed, it is always possible for the perpetrator to manipulate e-mails or other electronic evidence, forging details to remove relevant evidence or tampering with the data to mislead the investigator. Possible manipulation of such evidence may include backdating, changing time stamps, or altering the message sender, recipient, or message content. However, such attempts at manipulation and misdirection can be detected by examining the message header. By examining e-mail headers and analyzing network information through forensic analysis, investigators can gain valuable insight into the source of a message that is otherwise not traceable through the message body. Investigators can draw on a range of existing algorithms and models and build on typical forensic planning. Such models focus on what type of information should be collected, ensuring the forensically sound collection and preservation of the identified Electronically Stored Information (ESI).

By applying these models, it is possible to achieve a full analysis and collect all the relevant information pertaining to the crime. The collected findings are then compiled to reconstruct the whole crime scene and to deduce more accurate and logical conclusions [1].
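The two header-analysis tasks the abstract describes, building the sender-to-recipient communication graph of a corpus and detecting time-stamp manipulation such as backdating, can be illustrated in a few lines of Python. The following is an added example written for this page, not code from the chapter or its authors: the four messages are constructed (addresses, hosts and dates are invented), the backdating check is a heuristic that compares the sender-supplied Date header with the earliest time stamp in the Received chain, and the 30-minute skew tolerance is an assumed threshold.

```python
"""Header triage for a small e-mail corpus (constructed sample data, not from the chapter)."""
from collections import Counter, defaultdict
from datetime import timedelta
from email import message_from_string
from email.utils import getaddresses, parseaddr, parsedate_to_datetime

# Constructed messages: normal, backdated, no relay chain, normal.
RAW_MESSAGES = [
"""Received: from mx2.example.org (mx2.example.org [192.0.2.20])
 by inbox.example.org with ESMTP; Tue, 03 Mar 2020 10:05:12 +0000
Received: from mail.example.com (mail.example.com [198.51.100.7])
 by mx2.example.org with ESMTP; Tue, 03 Mar 2020 10:05:02 +0000
From: Alice <alice@example.com>
To: Bob <bob@example.org>, Carol <carol@example.org>
Date: Tue, 03 Mar 2020 10:04:55 +0000
Subject: Q1 figures

See attached.
""",
"""Received: from mx2.example.org (mx2.example.org [192.0.2.20])
 by inbox.example.org with ESMTP; Tue, 03 Mar 2020 14:20:41 +0000
Received: from mail.example.com (mail.example.com [198.51.100.7])
 by mx2.example.org with ESMTP; Tue, 03 Mar 2020 14:20:30 +0000
From: Alice <alice@example.com>
To: Bob <bob@example.org>
Date: Mon, 24 Feb 2020 09:00:00 +0000
Subject: Revised contract

Please sign the attached version.
""",
"""From: Bob <bob@example.org>
To: Alice <alice@example.com>
Date: Tue, 03 Mar 2020 16:00:00 +0000
Subject: Urgent wire

Send the funds today.
""",
"""Received: from mail.example.org (mail.example.org [203.0.113.9])
 by inbox.example.com with ESMTP; Wed, 04 Mar 2020 08:30:00 +0000
From: Carol <carol@example.org>
To: Alice <alice@example.com>
Cc: Bob <bob@example.org>
Date: Wed, 04 Mar 2020 08:29:50 +0000
Subject: Lunch

Noon?
""",
]


def parse_corpus(raw_messages):
    return [message_from_string(raw) for raw in raw_messages]


def communication_graph(messages):
    """Map each sender to a Counter of recipients (To + Cc), i.e. who wrote to whom and how often."""
    graph = defaultdict(Counter)
    for msg in messages:
        _, sender = parseaddr(msg.get("From", ""))
        pairs = getaddresses(msg.get_all("To", []) + msg.get_all("Cc", []))
        for _, recipient in pairs:
            graph[sender.lower()][recipient.lower()] += 1
    return graph


def received_timestamps(msg):
    """Time stamps from the Received chain, oldest hop first.

    Each MTA prepends its own Received header, so the last header in the
    message is the first hop; the chain is reversed to put it first.
    """
    stamps = []
    for hop in reversed(msg.get_all("Received", [])):
        if ";" not in hop:
            continue
        try:
            stamp = parsedate_to_datetime(hop.rsplit(";", 1)[1].strip())
        except (TypeError, ValueError):
            continue
        if stamp.tzinfo is not None:  # naive stamps cannot be compared safely
            stamps.append(stamp)
    return stamps


def header_anomalies(msg, max_skew=timedelta(minutes=30)):
    """Return anomaly tags for one message (empty list means nothing suspicious)."""
    tags = []
    hops = received_timestamps(msg)
    if not hops:
        # No relay records at all: the message never traversed a recorded MTA path.
        return ["no-received-chain"]
    try:
        claimed = parsedate_to_datetime(msg.get("Date", ""))
    except (TypeError, ValueError):
        claimed = None
    if claimed is None or claimed.tzinfo is None:
        return ["bad-date-header"]
    first_hop = hops[0]
    if claimed < first_hop - max_skew:
        tags.append("date-before-first-hop")   # possible backdating
    if claimed > first_hop + max_skew:
        tags.append("date-after-first-hop")    # possible post-dating
    if any(later < earlier for earlier, later in zip(hops, hops[1:])):
        tags.append("received-chain-out-of-order")
    return tags


def triage(raw_messages):
    """Communication graph plus per-message anomaly tags, keyed by Subject."""
    msgs = parse_corpus(raw_messages)
    return communication_graph(msgs), {m["Subject"]: header_anomalies(m) for m in msgs}


if __name__ == "__main__":
    graph, flagged = triage(RAW_MESSAGES)
    for sender, recipients in graph.items():
        print(sender, dict(recipients))
    for subject, tags in flagged.items():
        print(subject, tags or "ok")
```

On the constructed corpus the graph shows Alice writing to Bob twice and to Carol once, "Revised contract" is flagged because its Date header precedes the first relay time stamp by a week, and "Urgent wire" is flagged for lacking any Received chain. In a real investigation the Received chain must be read with care: only the hops added by trusted, internal MTAs are reliable, since a sender can insert fabricated Received lines below them, so the comparison should use the earliest hop recorded by an MTA the investigator controls.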




Springer International Publishing

First Page


Last Page



Business | Computer Sciences

Indexed in Scopus


Open Access