Rating of the relationship between users using the data from the implemented mobile forensic software

Öz During the digital forensic process, different software and hardware tools are used. The devices from which the digital evidences are collected have been varied in parallel with the developments in technology. The issue of identifying the mobile phone owner’s friends and assessing his relationship with them with the help of digital evidences collected from the Android mobile phones has been studied in the literature and it is still under investigation. The software developed in this work enables accessing a variety of data that have evidential value in the court proceedings; these include physical and logical acquisition of images from mobile phones with Android operating system, extracting images for investigations, examining different file types in images


Introduction
Digital forensic is defined as a whole process of identifying, collecting, preserving, and analysing the data obtained from a sound, image, text, or any combination of them, which are stored in or transmitted in electromagnetic and electrooptical mediums, to be presented as digital evidences in the court [1].
In digital forensic, the digital forensic process is followed to convert the digital evidences to admissible evidences that can be used in courts.This process is defined as digital forensic investigation phase and after this process the digital evidences are converted to admissible evidences.Digital forensic processes can be divided into 4 main sections.These are acquisition or collection, identification or examination, evaluation or analysis, presentation or reporting [2].
When digital forensic becoming known, it was defined as computer forensics.However, depending to developments in technology, the profile of cybercriminals has changed and the appropriate technique before analysing them [3].At this stage, there is a need for digital forensic software tools.
In this work, A software has been developed that takes an image from the devices with Android operating system, opens the image and analyzes the different file types within it.These analyzes are carried out using a fuzzy model developed in the study and a new analysis method which is not in mobile forensics software.Thus, the software estimates the persons who are closely associated with the device user or are likely to be intimate.
The mobile forensic software developed in this work enables acquiring images, analysing different files in the images, and investigating databases and accessing many kinds of data from the devices with Android operation systems that can be used as admissible evidences.The software developed in this work performs multiple works using a single interface therefore it provides more advantages over the existing mobile forensic software tools.Especially, the novelty in this software includes analysing the person or the criminal whose device is under the investigation and the related people.The developed software has the ability to root the mobile devices and acquire the physical images using the exploit method.Although, the software tool has some limitations in the rooting and acquiring the data due to variety of Android mobile devices and also frequent software and hardware updates, this work presents different and novel results compared to the results obtained from the existing mobile forensics software tools.

Related works
Grover developed a prototype enterprise monitoring system for Android smartphones.The developed software enabled transferring the data sets which are of interest to many investigators including the forensic investigators from mobile phones to a web server.It was stated that the software can collect data sets that are not found in other available software tools [4].
Scrivens and Lin discussed the methods that are used to acquire information from an Android device for digital forensic investigations and explained their pros and cons.Moreover, they provided information on which data to access and from where after collecting the data.They also demonstrated an example analysis on Facebook Messenger and Google Hangouts [3].
Due to increases in the use of mobile devices and wide spread usage of social media and messaging applications, there has been a strong interest to use data obtained from social media applications in mobile devices for digital forensics investigations.Especially, many works have been done on Whatsapp Messenger [5]- [7].Telegram [7]- [9], Facebook, Twitter, Instagram [10]- [13] and there are still many ongoing works.
In order to identify the related persons and the relationship between those people by using data stored in the mobile devices collected under the forensic process some works have been performed.
Anvar and Abulaish presented a unified social graph-based text mining framework to identify digital evidences from chat logs data.Their proposed framework considers both users' conversation and interaction data in group-chats to discover overlapping users' interests and their social ties [15].Akbas et al., proposed a friends ranking algorithm which assigns weights to the durations of the calls, video conferences, face-to-face meetings and the sizes of the emails and texts and then depending on the value it finds the friendship levels [16].
Alzaabi et al., proposed a forensic analysis system called CISRI that helps forensic investigators to determine the most influential members of a criminal group using the email exchanges and text messages for the purposes of investigation.It was stated that the proposed system can describe the structural relationships between the members of a criminal group in terms of a graph [17].
Reinhardt et al., utilized a data set including contact names, calls, sms, mms, and emails on personal smartphones to classify users into social relationship categories (acquaintances, work, family, friends, school/university).They used SVM (Support Vector Machine), C4.5 and Naive Bayes algorithms to classify the users and showed that SVM provides the best results [18].
In digital forensic area, there are also some works produced by applying fuzzy logic method.Barmpatsalou et al., proposed a fuzzy system based suspicious pattern detection in mobile forensic evidences [19].
Stoffel et al., proposed a methodology based on the fuzzy set theory and an automatic procedure for inferring accurate and easily understandable expert-system-like rules from forensic data [20].
Rostamipour and Sadeghiyan proposed a forensic expert system based on fuzzy logic, which is able to automatically detect the origin of attack in single and multi-stage attacks.It was stated that the proposed system is able to indicate the time, origin and scenario of the attack [21].
Liao et al., proposed an approach based on fuzzy logic and expert system for network forensics that can analyse computer crimes in network environment and make digital evidences automatically [22].

Mobile forensics
With the development of the mobile device technologies, our daily works and activities can be done in mobile environment.People who use mobile devices can do many of their daily works easier, more cost effective and quicker than those who do not use mobile devices.In the mobile devices, all processed data can be stored in or deleted from the storage media.The possibility of recovering data from these storage areas, the fact that these data are digital evidence and that they are valid in judicial evidence examination processes has brought the concept of mobile forensics to the literature.
Nowadays, there are many software and/or hardware tools used in the mobile forensics area.Almost every day, new tools have been added to these existing tools or the existing tools have been updated by adding new features.Therefore, the evidence collection and analysing phases can be performed in more detail and quicker.
Smartphones used in our daily life contain immense data that can be used as digital evidences in the forensic examination process of mobile devices.These data can be collected by copying and/or investigating the sim cards, operating systems and RAMs of the devices.Investigation in the operating systems also covers the investigation of storage disks of devices therefore it is possible to recover many evidences that can be used to enlighten cases.

Non-structural fuzzy decision support system and fuzzy vikor methods
In this work, Non-structural Fuzzy Decision Support System (NSFDSS) developed by Chen [23] and Fuzzy Vikor method [24] were investigated since these theories have been used and accepted in the defining and development stages of the fuzzy method.According to the NSFDSS method developed in 1998, main criteria are dived into sub-branches in order to solve the problem.The problem convergences to a solution if the number of criteria under each sub-branch increases.In this method, simple combinations are used.Using the combinations, a value that shows how much each subcriteria affects the other criteria is calculated.Furthermore, depending on the effect of all subcriteria on the solution of the problem, criteria may be tested and removed from the solution.
The Fuzzy Vikor method is used to help decision makers to solve decision problems with conflicting and noncommensurable (different units) criteria therefore in this work the Fuzzy Vikor method was implemented.Although, Twitter data, Whatsapp data or contact information cannot be enough to make a sensible decision when they are used as separate criteria but when they are evaluated together as a solution equation the problem can convergence to a solution.

Mobile forensic software tool development process
In Linux systems, the root account has administrative rights thus it can access all commands and files on the operating systems.As Android operating system is used Linux kernel, the same administrative rights of the root are valid in the Android systems.In the mobile devices, the manufacturers disable the root settings for the uses in order to prevent them to get full control on the devices.Users with no root access cannot make any changes on the systems of the devices however users with root access can make any changes and control everything on the devices.Android root tools show differences depending on the platforms used.In this work, specifically, the root tools for mobile devices have been investigated.Different methods have been chosen to root the smartphones with Android operating system.Some of these methods can be very simple however some of them can be very complex.The easiest way of rooting a device is to use a tool that automatically enables rooting.These cloud-based tools scan the devices and find the best way to enable rooting and then the process is performed by using a brute-force attack method.The difficult process is to flash a custom recovery and install an up-to-date SuperSU.There are commercially available tools that can make these processes easier such as; Kingroot, Cf auto root, One click root, Towelroot and Rescue root.
In this work, many rooting tools developed for mobile devices have been investigated and a root module that implements an exploit method was developed and embedded in the developed software tool.
The developed software enables acquisition of logical and physical images from rooted devices however it only acquires logical images from devices without rooting.
By using the developed software, it is possible to analyse the files inside obtained images and databases.Also, it is possible to make analysis on the images obtained from different software tools.
In this work, the Mobile forensic software tool was developed by using Java programming language.
Figure 1 shows a screenshot of the developed software tool.As seen that it has a very simple interface.First, Android devices connected to the computer are identified by the software and then these are listed in the "Devices" section.When the code that belongs to the processed device is selected, information about the selected device is present at the bottom of the interface.Moreover, when device selected in the list, "Reset" (used to restart the device) and "Backup" (used to get images) options will appear.It is also possible to extract the images obtained from mobile devices in any folder desired by using "Open Backup" option under "File" tab."Analyses" tab includes sub-tabs which enable examinations on the files required for analysing the evidences and the database files in the extracted image file.

Image acquisition process
To start image acquisition process, it is selected from "Devices" section and then "Backup" option is enabled.As seen in Figure 2, a backup path and the acquisition type (whether logical or physical) are defined and then the backup process is started.
The main code used to backup files in a selected folder is as follows; adb.exe backup -apk -shared -all -system -f+" "+path

Analysis depending on the file types
For forensic analysis on the extracted files for the examinations of the evidences, a "File Operations" option under "Analyses" is selected.The analysis is performed over primarily defined 5 different file types.Figure 4 shows the interface which enables examination of the evidences depending on the file types.

Database analysing process
An additional module was also developed in order to process the data on the database files which are the one of the most important parts in the forensic analysis since they contain the programmes` recordings, browsing history, search results etc.With the use of this developed module, first of all database files in the image are found, listed and then analysed automatically.
Figure 5 shows an example from the database analysis module which can access many databases for the examination of the evidences.In the module developed for analysis, some of these databases were selected and the analysis was performed by using the relationships between the data obtained from these databases.
The databases, their addresses (url) and contents are summarised as seen in Table 1.

Acquisition of social media data sets and analysing process
In order to obtain social media data, the social media account details of the user were acquired as raw data from the analysis of images and databases.Before estimating possible linked users to the user under investigation, the user`s followers and following were listed.Later, using the obtained data, data for the followers and following of the user`s followers and following were acquired.Using the user social media data and all other data obtained from the databases in the user`s device were analysed by using a developed statistical model and then the users who have potentially close links with the user under investigation were listed with a score.

Software development for obtaining a list with the followers and following of the criminal by using social media data
A web software which implements the user`s Twitter name and systematically saves the data acquired from the account with the help from Twitter api, was developed in php programming language and then the software was embedded in the mobile forensic software tool.To get the social media data for the user account under investigation, in the mobile forensic software tool, select the "Social Media" tab and then select "Get Twitter Data" option.Figure 6 shows the web interface.
From Table 2 to Table 7 shows the main structure of the mysql database used in the web software.
The developed software first saves the followers and the following of the user account under investigation in the database.Later, the software saves followers of followers, followers of following, following of followers and following of following of the user account under investigation in the database.
Table 2.The follower account informations of main user.Follower account location information of follower account of main user

An algorithm for predicting the possible users with closely related to the criminal
Up to now, from the analysis on the mobile device and on the social media accounts of the user; the follower, following, the number of followers and following saved in the phone contacts, the frequencies of the calls with the contacts, interactions with these contacts on the Facebook and availabilities of these contacts on Whatsapp were obtained.The sincerity criteria (Facebook, Whatsapp, calling and mutual friend criteria) between 3400 different people obtained in this work and analysed, the generated results seemed quite consistent (close).This shows that the Fuzzy Vikor method is very suitable for computing the sincerity scores.The sincerity score can vary severely if the new parameters are added to the data set, e.g., if a user does not need to call a person who is with him almost every day or they can share the same social media accounts.In this case there would be significant differences in the sincerity score, i.e., even the sincerity score can be increased too much therefore the sincerity scores with other uses would be meaningless.Such issues make the problem fuzzy.
The problem analysed in this work can be considered as a decision making based on multiple scores as defined in VICOR and NSFDSS in 1998 and 2007 respectively.However, in this work, to solve the problem, a different approach has been followed from the existing methods when calculating the scores.The solution consists of two main sections; defining the decision-making criteria and making decision with the optimal solution.

Defining the decision-making criteria
The algorithm and the software have been developed with the aim to use it in the process of decision-making based on the sincerity analysis on the suspects or victims.In the developed decision-making process, the primary aim is to find someone who has been contacted the most and the less but may know the user well by correlating the data obtained from the user`s device and other data the user left on the internet on the public sites.
It may not always be possible to perform the sincerity analysis reliable in the decision-making criteria.The reasons depend on many factors such as the user`s reactions on the different events, environment, tendency to use technology, lack of communications in the social media with frequently seen users, etc.The proposed algorithm has an ability to draw a pattern with the use of the data obtained from the users.Formed criteria can be defined as information collected from Twitter, Whatsapp, Phones`s contacts, and Facebook.
A pattern can be detected on the user under investigation using the data obtained from Twitter.In Twitter, the users are most likely follow the people they are interested and want to know more about them.If they follow each other, in this case it is assumed that these users obtain digital information from each other.Even though this variable may not make any sense when is used its own, cross searching on followers of followers, followers of following, following of followers and following of following can provide some clues on the sincerity of each user to the user under investigation.Twitter has more options on sharing information publicly compared to the other social media platforms.This is one of the most important variable used to estimate the uses who have close relationships with the examined user.
The parameters evaluated by using the data obtained from Twitter are defined as follows; Z1=the number of mutual followers of followers, Z2=the number of mutual following of followers, Z3=the number of mutual followers of following, Z4= the number of mutual following of following.
Every data obtained from a subcriteria is used as a dependent variable in the other.For example, followers of a user can have the same reason to follow him.Similarly, comparing the data obtained from Z2, Z3, Z4 can be used as criteria even though there is no data in the devices of the users similar to the user under investigation.In this way, it would be possible to determine users who have similar attitudes but they do not follow each other in the digital environment.Furthermore, followers and following of the user are evaluated as separate coefficients.This criterion is defined such that it adds 0.2 to the general score if they follow each other; checking the scores coming from Z1, Z2, Z3, Z4 criteria, it adds 0.2 to the user with the highest score and adds a suitable weighted coefficient to the other users.
The data obtained from Whatsapp also provides one of the most important criteria used in this work since Whatsapp is one of the most widely used personal messaging application in the mobile devices.Whatsapp provides important information about the users since it is free, users can share files free of charge anywhere they can access the internet, share their location information etc.The data obtained from Whatsapp cannot be used to evaluate the degree of sincerity or relationship itself but when it is cross-evaluated with the data obtained from other applications then it can provide an added value to the solution as an auxiliary criterion.If the users are saved on the contact list on the Whatsapp, this adds 0.2 to the score.
The data obtained from the contact include saved contacts and the number of calls these are the most important variables that can be acquired off-line from mobile devices.From the number of calls, the contribution of the most called person to the sincerity score is evaluated as 1 which is the maximum value and the other numbers of calls are implemented to all people in the contact in proportion to 1.In the contact criteria, being in the contact list adds 0.1 to the total sincerity score and the most called person is evaluated as 0.1 score.
When considering the data obtained from Facebook, the information on being friends on Facebook is evaluated as 0.2 score.In Facebook`s evaluation criteria, different variables can be added such as messages, location information and being including on the photos etc but in this work only being in the friend list was considered and evaluated.
Equation 1 formulises the model developed for the fuzzy score system explained in detail above.The parameter  1 , which is required to calculate  1 , is calculated by using Equation 2.
In the above equation, the parameters are defined as follows; In the above equation, the parameters are defined as follows; When the common characteristics of the criteria clearly stated in equations are analysed; ✓ Every single criterion considered in the evaluation process has a characteristic of being cross-checked with the publicly available data.
✓ Every criterion in their own scoring system is scored based on the frequency of computation.
✓ As every criterion can be used as its own, this situation can differ depending on the person in terms of coefficient.Therefore, it is clearly seen that in this work, the criteria are divided into the equal coefficients.
When calculating the sincerity score using the criteria defined in this work, the most used platforms and applications were considered.Furthermore, in future it is possible to add new applications to the algorithm in order to increase the number of criteria required for new works or different parameters can be added in the criteria in order to get better results.

Making decision with the optimum convergence approach
One of the most important feature of the developed algorithm which was developed to help the decision makers and investigators to make the decision based on scientifically analysed digital data is that it correlates different applications.Sometimes it is not very possible to directly find the user who has the closest relationship with the user under investigation or this information is not enough.
The algorithm was designed such that it processes the acquired digital data quickly and reaches the defined goals.Thus, it enables reaching the critical points quickly during the decisionmaking process.
Considering these issues, the pattern generated by the algorithm developed here provides an important step for using information technologies for decision-making process.In forensic investigations, although it is aimed to reach a result within a short time, sometimes it is not possible to analyse the data and find the suspects within such a short time limit.
Taking into account the complexity of the problems, using the algorithm developed in fuzzy structure and its patterns enable making decision quickly and efficiently.
The developed algorithm allows adding new criteria to the system when the data obtained from the mobile devices increases and changes.
"The software for predicting the people in close relation with the criminal" which implements the algorithm defined above starts working by selecting the "Sincerity Score" tab on the main menu of the mobile forensic software and then selecting the "Calculate" option.
The developed software module lists the people who have close relationship with the user under investigation with a score value after "Sincerity Score" is selected and then it reports this list as an excel file as seen in Figure 7.In the development of this software module, the Python was used due to its advanced library supports.

Conclusions
In this work, first a software which acquires physical and logical images from mobile devices and then analyses the data was developed.Next, an algorithm that lists the people in close relation with the user under investigation was developed and then embedded in the main software tool.
This work was performed over three different mobile devices with Android operating system since it takes very long time to acquire images from mobile devices and also it is hard to find sample image sets.
The results for contacts and social media data analysing obtained from the examination of images that acquired from mobile devices by using the developed software tool can be seen in Table 8.
Table 9 shows some sample data generated by analysing the evidences depending on the file types option in the developed software.
Table 10 shows some data obtained from examinations of evidences from database files by using the developed software tool.
Table 11 shows the results on the analysis performed over the data obtained from a Samsung Galaxy S3 using the developed software named as the software for predicting the people in close relation with the criminal.
As seen in Table 11   The software implements the developed algorithm and performs scoring for the other users in the list based on the user with the highest score.The obtained results and analysis were shared with the owner of the device under investigation and it was stated that 90% of the results on the degree of sincerity are consistent.It was observed that as some user names are different on the phone contacts and on the social media accounts, this affects the failure rates.
Since the developed software has an open source code this allows other researchers to use it for their research.
It is possible to add additional parameters to the algorithm developed in this work from data obtained from different data sources, video and audio in order to increase its reliability.

Figure 1 .
Figure 1.Screenshot from the developed software tool.

Figure 4 .
Figure 4. Screenshot from the interface for analysing different file types.

Figure 5 .
Figure 5. Screenshot from the database files analysing interface.

Figure 7 .
Figure 7. Excel list with scores of users.

Table 1 .
The databases, their addresses (url) and contents.

Table 3 .
Informations of main user's following accounts.

Table 4 .
Informations of follower account of main user's following accounts.

Table 5 .
Informations of main user's following account's following account.

Table 6 .
Follower account informations of follower account of main user.

Table 7 .
Following account informations of main user's followers account informations.

Table 8 .
. the mean of the mutual friends value of the first user is 4.75 (as the first user has the highest number of mutual friends it gets the highest score from Twitter).The first user has a sincerity score of 1 and if this value is multiplied by the score of 0.2 for Twitter then the weighted coefficient of the mean of the mutual friends on Twitter is obtained as 0.2.Since the user under investigation and the first user follow each other on Twitter, the mutual follow up score is 0.2.They are friend on Whatsapp and Facebook therefore the first user gets 0.2 score for each criterion.Furthermore, the first user gets 0.1 for being included in the phone contacts of the user under investigation and having the highest number of phone calls with him amongst the all users.Eventually, the first user got 0.2 score from each of 4 parameters (criteria) and 0.2 score from each of 2 parameters so that in total the first user reaches the maximum total value of 1 and hence becomes the one who has the closest relationship with the user under investigation.Data from mobile device (phone contacts and social media).

Table 9 .
Sample data for the analysis depending on the file types.

Table 10 .
Sample data from the database analysis.