1. 1. INTRODUCTION
   1. 1.1 Contribution
   2. 1.2 Paper Structure

1. INTRODUCTION

Social media presents investigators with a plethora of useful digital evidence as shown by a range of criminal prosecutions and convictions as well as civil investigations with outcomes such as disciplinary measures. Thus, the timely recovery of these artefacts is considered of interest to investigators during a live triage.

Triage as a practice emerged in the field of medicine where it was used to assess hospital patients in order to establish the order of prioritization of treatment Robertson-Steel (2006). In digital forensics however, triage is a fast-growing practice with two streams; live and post-mortem triage.

In time sensitive investigations, the need to quickly obtain actionable intelligence, in a usable format from a live system Wiles and Reyes (2007) may take precedence over waiting to conduct a detailed forensic analysis. This paper proposes a proof of concept (PoC) framework for social media user attribution, to support investigators through the automated, targeted recovery artefacts from social media activity in a live triage.

This paper is focused on social media access through a web browser and aims to highlight the potential in using artefacts other than communication content to infer and contextualise user activity, and to attribute actions to a user. The proposed framework is intended to be applicable and generalisable to other triage investigations. The web browser(s) referenced in this paper is a demonstration for the framework.

1.1 Contribution

The key contributions of this paper are as follows:

• ⇒ the proposal of a PoC framework for live triage investigations involving social media

• ⇒ defines a baseline for the artefacts of interest as a method for grouping social media artefacts based on the perceived user activity. This can be used in the prioritization of live triage data analysis

• ⇒ a demonstration to test its applicability, generalisability and reliability through the identification of how SMURF can extend or complement existing triage tools

1.2 Paper Structure

The rest of this paper is structured as follows: related work is discussed in Section 2; SMURF is introduced in Section 3, discussing the problem definition, characteristics and development. Section 4 discusses the build process and how SMURF works. In Section 5, the PoC implementation is discussed including data generation, analysis and the PoC deployment. Section 6 presents a case study and reliability assessment. Section 7 contains the discussion, and Section 8 presents the conclusion and future work.

Table of Contents

• 1. INTRODUCTION
• 2. LITERATURE REVIEW
• 3. SMURF
• 4. BUILDING THE SMURF FRAMEWORK
• 5. CREATING A POC SMURF IMPLEMENTATION
• 6. CASE STUDY - SMURF ON TWITTER
• 7. DISCUSSION
• 8. CONCLUSION AND FUTURE WORK
• REFERENCES
• A.