Mobile Social Network Forensic Analysis Based on Visualization Method

Nowadays, a great deal of personal information is stored on mobile phones, especially in mobile social networks. Because of the large amount of data on a phone, extracting and analyzing evidence from it is very difficult. This paper presents a visualization-based forensic analysis method built on the mobile social network and applies it to a forensic analysis of mobile phone messages and call records. The results show that the method makes the evidence more intuitive and improves the efficiency of phone forensics. The method can be used as a reference by forensic analysts.


Introduction
In 2016, smart phone users accounted for 73.2% of all mobile phones. Because a mobile phone is portable, it reflects many kinds of information about a person. Current smart phones are powerful, comparable to a microcomputer, and the more features a user uses, the greater the possibility of leaving digital evidence. This evidence includes private information that is proof of the behavior of the phone's owner and is a great help to criminal investigation and evidence collection, which has led to a rise in research on smart phone crime evidence both domestically and abroad. There is an urgent need for smart phone forensic analysis technology: when forensic analysis tasks are automated and handled by the system, the time and personnel spent on evidence are greatly reduced, so making evidence examination efficient has important significance and development prospects.
Most existing research on mobile phone forensics concerns data extraction and recovery. A large amount of data is extracted, much of it unrelated, and the correlations between the characteristics of the data are not visible. As a result, forensic personnel often hold a great deal of evidence data but fail to derive event information from it effectively. The COPLINK system [15] constructs the concept space of entities and objects using data mining techniques to help find the relationships between entities, and provides visual support, including hyperbolic tree views and spring-embedded graph layouts for related entities. TRIST [16] can represent, refine, organize, and execute queries on large collections of documents; it is optimized for querying large databases and for comparative analysis. Based on the vector clock data latency model [17], a vector clock algorithm is proposed that produces partial order relations between events in distributed systems and detects causal conflicts. Vector clocks can also be used to find causal relationships between different events, which serve as the basis for a two-dimensional visual map. Graphical representation, adopted in social network analysis since its origin [12], is a natural and fast method to highlight links among individuals. Emilio Ferrara [19] proposes a method that finds the configuration of criminal organizations using call records; he applies the theory of network centrality and proposes a program that visualizes a network. Cosimo Anglano [20] discusses a process model for the whole smartphone forensic process. Jisung Choi and Sangjin Lee [18] propose a method that expresses the connectivity between one user and another as a numerical value, using recorded data of SMS/MMS, call applications, contact information and stored time information.
The contributions of this article are summarized as follows. We present a visualization forensics method based on the mobile social network, which highlights the different aspects and characteristics of the network under consideration and allows the elements of the network themselves to be inspected; the visualization results are more intuitive and facilitate forensic work. Based on the key data of mobile information, a social network model of mobile information is constructed. Based on the characteristics of this model, a graph layout algorithm based on the social network is implemented. In the rest of the paper, "mobile social network" and "phone social network" have the same meaning.
The rest of the paper is organized as follows. Chapter 2 introduces the research status of mobile phone forensics technology and evidence visualization methods. Chapter 3 introduces the social-network-based visualization method proposed in this paper and its implementation. Chapter 4 introduces the mobile data visualization scheme and the related experimental results. Chapter 5 summarizes the work of the article and explains the next step of the study.

Visualization Method
We take full advantage of the large amount of metadata in mobile phone information: we extract the key information and use social network analysis to build a star-shaped interpersonal network diagram centered on the criminal suspect, which captures the communication behavior model at the core of the mobile phone information and the potential information associated with the suspect.

Mobile Social Network
A mobile information network is the information network formed by the information stored on the phone when the user interacts with other people through the mobile platform. Because this information set includes communication relationships and behaviors, it can be expressed as a social network. A graph is a data structure more complex than a linear list; its display form is more intuitive, and it is widely used in social, chemical and other areas. In the graph G = (D, R), D represents the set of data elements in the graph, and R represents the set of relationships that exist between these data elements. If the data elements and relationships are abstracted as nodes and edges, respectively, the graph can be written G = (V, E), where V is the set of nodes and E is the set of edges.
The mobile information network is constructed as a directed graph. Its formal definition is as follows. Definition 1: The mobile information network is represented by G = (V, E), where V is the set of user accounts on both sides of a communication behavior relationship, i.e. V = {v_i | v_i represents a user account}; E is the set of edges (communication behavior relationships), that is,

Layout Algorithm
Force-directed algorithms are typical spring-theory algorithms and are widely used to draw relational graphs such as social networks. The Fruchterman-Reingold algorithm [5] treats the entire network as a virtual physical system. Each node in the system can be seen as a charged particle with a certain amount of energy; between any two particles there is a Coulomb repulsion, so they push each other apart. At the same time, some particles are tied together by "edges", which produce a spring-like Hooke attraction and hold the particles at the two ends of the edge close together. Under the continuing action of repulsion and attraction, the particles move away from a random, disordered initial state and gradually approach a balanced, ordered final state [6,7]. The energy of the whole physical system is consumed along the way; after several iterations there is almost no relative displacement between the particles, the system reaches a stable, balanced state, and the energy tends to zero. At this point, the social network drawing is complete. Mobile phone forensic data is large in volume and varied in type, and a large amount of complex information is hard to analyze as evidence. A social network map generated with a force-directed layout algorithm has a reasonable layout and is clear and easy to understand. It brings great convenience to forensic personnel and improves the quality and efficiency of forensic work.
In the algorithm, for nodes i and j in the graph, d(i, j) denotes the Euclidean distance between the two points, s(i, j) the natural length of the spring, k the elastic coefficient, r the electrostatic force constant between the two points, and W the weight between the two points. The following are two models in force-directed algorithms: Spring Model: (
Here is the pseudo-code for the force-directed algorithm:

    Set the initial velocity of each node to (0,0)
    Set the initial position of each node to an arbitrary but non-overlapping position
    Total kinetic energy := 0   // the total kinetic energy of all particles is zero
    For each node i
        Net force f := (0,0)
        For each node j other than node i
            Net force f := net force f + Coulomb repulsion of node j on node i
        Next node j + 1
        For each spring s on the node
            Net force f := net force f + Hooke elasticity of spring s on the node
        Next spring s + 1
        // If there is no damping, the whole system will keep moving
        Node velocity := (node velocity + step size * net force) * damping
        Node position := node position + step size * node velocity
        Total kinetic energy := total kinetic energy + node mass * (node velocity)^2
    Next node i + 1

The force-directed layout can be used for most network datasets. It achieves good symmetry and local aggregation, and it is easy to understand and easy to implement. By combining statistical analysis with social network visualization, the interpersonal network formed by the associations between user communication behaviors in mobile information is visualized from the point of view of evidence.
The mobile information network not only lets forensic staff understand the relationships in the network-structured data more intuitively, but also helps them uncover the hidden characteristic information between the data in the most natural way and in a short time, so that they can adopt a fast and effective strategy. The mobile information network is therefore very important in the analysis of mobile phone forensic data.
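The pseudo-code above, written out as a runnable sketch. This is an added example, not code from the paper. The force laws (repulsion r / d^2, attraction k * W * (d - s)), the parameter values, the sample edge weights, and the outer loop that stops once the total kinetic energy is close to zero are all assumptions made for illustration.

```python
import math
import random

# Constructed sample: number of communications between accounts (edge weight W).
EDGES = {("owner", "A"): 12, ("owner", "B"): 3, ("owner", "C"): 1, ("A", "B"): 2}

def layout(edges, k=0.1, r=1.0, s=1.0, step=0.1, damping=0.85,
           mass=1.0, eps=1e-6, max_iter=50000, seed=7):
    """Return ({node: [x, y]}, iterations used). Assumed force laws:
    repulsion r / d^2 for every pair, attraction k * W * (d - s) per edge."""
    rng = random.Random(seed)
    nodes = sorted({n for pair in edges for n in pair})
    pos = {n: [rng.uniform(-1, 1), rng.uniform(-1, 1)] for n in nodes}
    vel = {n: [0.0, 0.0] for n in nodes}
    for iteration in range(1, max_iter + 1):
        force = {n: [0.0, 0.0] for n in nodes}
        for i in nodes:                      # Coulomb repulsion, all pairs
            for j in nodes:
                if i != j:
                    dx, dy = pos[i][0] - pos[j][0], pos[i][1] - pos[j][1]
                    d = max(math.hypot(dx, dy), 1e-3)
                    force[i][0] += r * dx / d**3
                    force[i][1] += r * dy / d**3
        for (a, b), w in edges.items():      # Hooke attraction along edges
            dx, dy = pos[b][0] - pos[a][0], pos[b][1] - pos[a][1]
            d = max(math.hypot(dx, dy), 1e-3)
            pull = k * w * (d - s) / d
            force[a][0] += pull * dx
            force[a][1] += pull * dy
            force[b][0] -= pull * dx
            force[b][1] -= pull * dy
        energy = 0.0
        for n in nodes:                      # damped update of each node
            for axis in (0, 1):
                vel[n][axis] = (vel[n][axis] + step * force[n][axis]) * damping
                pos[n][axis] += step * vel[n][axis]
            energy += mass * (vel[n][0] ** 2 + vel[n][1] ** 2)
        if energy < eps:                     # the system has come to rest
            break
    return pos, iteration

def distance(pos, a, b):
    return math.hypot(pos[a][0] - pos[b][0], pos[a][1] - pos[b][1])

if __name__ == "__main__":
    final, steps = layout(EDGES)
    print(steps, {n: round(distance(final, "owner", n), 2) for n in "ABC"})
```

Contacts with a higher communication count settle closer to the central user, which is the property an examiner reads off the drawing.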

Mobile forensics analysis system
The architecture of the system, shown in Figure 3, is organized in extensible levels. First, the data of the authenticated phone is imported (usually as a flat file). The data is then cleaned: redundant edges and nodes are removed so that the data is normalized. Next, the data is converted to GraphML format [9], a structured XML format well suited to interchange between applications for graph discovery and graph rendering, and to the visualization and dynamic exploration of linked networks. Finally, the layout algorithm outputs the forensic result, that is, the mobile information network map.
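The import, cleaning and GraphML conversion steps described above, as an added example that is not part of the original system. The flat-file column names, the rule of keeping the last 10 digits of a phone number, and the sample records are assumptions constructed for illustration.

```python
import csv
import io
import re
import xml.etree.ElementTree as ET
from collections import Counter

# Constructed flat-file export; column names are hypothetical.
RAW = """caller,callee,timestamp
+1 (555) 010-0001,555-010-0002,2012-03-01T10:00:00
5550100001,+15550100002,2012-03-01T10:05:00
5550100002,5550100001,2012-03-02T09:00:00
5550100001,,2012-03-02T09:30:00
5550100001,5550100001,2012-03-02T09:31:00
5550100001,555 010 0003,2012-03-03T12:00:00
"""

def normalize(number):
    """Reduce a phone number to its last 10 digits (assumed national format)."""
    digits = re.sub(r"\D", "", number or "")
    return digits[-10:] if len(digits) >= 10 else ""

def clean(raw):
    """Merge duplicate records into weighted directed edges; drop
    incomplete rows and self-loops."""
    edges = Counter()
    for row in csv.DictReader(io.StringIO(raw)):
        src, dst = normalize(row["caller"]), normalize(row["callee"])
        if src and dst and src != dst:
            edges[(src, dst)] += 1
    return edges

def to_graphml(edges):
    """Serialize {(src, dst): count} as a directed GraphML document."""
    root = ET.Element("graphml", xmlns="http://graphml.graphdrawing.org/xmlns")
    ET.SubElement(root, "key", {"id": "w", "for": "edge",
                                "attr.name": "weight", "attr.type": "int"})
    graph = ET.SubElement(root, "graph", id="calls", edgedefault="directed")
    for node in sorted({n for pair in edges for n in pair}):
        ET.SubElement(graph, "node", id=node)
    for (src, dst), count in sorted(edges.items()):
        edge = ET.SubElement(graph, "edge", source=src, target=dst)
        ET.SubElement(edge, "data", key="w").text = str(count)
    return ET.tostring(root, encoding="unicode")

if __name__ == "__main__":
    print(to_graphml(clean(RAW)))
```

The six raw records reduce to three nodes and three weighted edges; the row with an empty callee and the self-call are discarded during cleaning.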

Experiment
The experiment covers call records, short messages and WeChat chat records; the chat-related information consists mainly of chat records, group chat records and system information of users and friends. The main fields are: sender ID, sender name, information content, receiver ID, recipient name, information creation time, information type, information status, notes and other information. The data source used in the experiment comes from test cases published on the web. It is a system image file of a Samsung Galaxy series smart phone; the specific model is the Samsung Galaxy Mini GT-S5570 running Android 2.2.1, and the recorded phone user is Patrick Payge.
In Figures 4 and 5, the central node is the mobile phone user, the nodes on the circumference are the user's contacts, and the number shown is the number of communications. In Figure 6, the central node is the mobile phone user, the nodes on the circumference are WeChat contacts, and the number shown is the number of communications. The remaining circles are WeChat groups; a crossing line indicates that a WeChat group member and the user are friends. The figure gives an intuitive picture of the user's social network. Figure 7 shows the visualization result of forensic analysis based on the vector clock data correlation model. As can be seen from the figure, the cause of event E1-2 is E1-1, and its results are E1-3 and E2-2. The cause of event E2-1 is E11 for E2-2. With the time-vector-based visualization method, the causes and results of events can be found directly from the visual output. Figure 8 is the visualization result for social networks. In the figure, the red node is the central user, and the blue nodes on the circumference are the users who communicate with it. The size of the weight shown on an edge indicates the degree of intimacy between the two users, which narrows the scope of the next step of the phone forensics.
Comparing Figure 7 and Figure 8, we find that the visualization method based on the mobile information network gives a more intuitive picture. Large volumes of evidence can be displayed more intuitively, so we can quickly find case-related information in the evidence and identify close relationships and abnormal contacts. This greatly improves the efficiency of forensics and lets forensic staff obtain the information relevant to the case more easily.

Conclusion and Future work
The paper constructs a mobile information social network model based on the extracted data and presents the mobile phone user's contact information in two-dimensional space, which makes it easy for forensic personnel to obtain valuable and potentially accurate evidence from a large amount of disorganized data such as SMS, call records and instant messaging. Geographic location information is also an important part of mobile phone evidence; the next study needs to associate the geographic location information, time information and event information in the phone for a more comprehensive analysis.