Vista新浪博客搬家工具

ForensicAnalysistowardstheuserbehaviorofSinamicroblogLongChen1,a,Yong-QingWang2,b1,2Departmentofcomputer,ChongqingUniversityofPostsandTelecommunications,Chongqing,400065,China.
achenlong@cqupt.
edu.
cn,bwangyongqing123@163.
comKeywords:Microblog,userbehaviour,iOSdataacquisition.
Abstract.
Microblog,anewnetworkapplicationintheeraofWeb2.
0,hasbecomeoneofthemajormediuminChina.
Itsmainfeaturesareasfollowings:largenumberofusers,frequentstatusofupdatinginformation,fasttransmissionspeedofinformation.
ThewritertookSinaWeiboiPhoneAppasanexampletostudythebehaviorofindividualcharacteristicsofmicroblogusersbyanalyzingthedatafromsamplesgeneratedbyusingmicroblog.
IntroductionDuetothepopularityandprevalenceofsmartphones,thenumberofthird-partymobileapplicationsincreasesrapidly.
ThenumberofmobileapplicationsinApple'sofficialAppStorehasreached1.
49millionbyJanuary2015[1].
Manyapplicationsaremakingthefeature-richsmartphones.
Therearemanypotentialevidenceforforensicsworkers.
Foreignresearchinthefieldofthird-partyapplicationsfocusesonFacebook,TwitterandMySpace.
Themainstudyfocusesonanalyzinguser'ssocialnetworkingactivityandwhetherthedatastoredinthemainmemoryandthemobilephonecanberestored[2].
DomesticresearchinthisfieldfocusesonWechatandSinaMicroblog.
ForWechat,themainstudyfocusesonanalyzingthefiledirectorystructure[3]andgettingtheaudiofile[4].
ForSinaMicroblog,therearetwomethodsofextractingthedataofSinaMicroblog:acquiringinformationbasedonSinaMicro-BlogOpenPlatformandacquiringinformationbasedonnetworkdataflow[5].
ButwiththedevelopmentofmobileInternet,manySinaMicroblogusersbegintousemobileclientotherthanPCclient,andthereisnorelevantresearchondataextractionofSinaMicroblogApp.
ThewritertookSinaMicroblogiPhoneAppasanexampletoextractsomeimportantdataofSinaMicroblogiPhoneApp,thenanalyzedthedirectorystructureofmicroblogbackupfileandrelevantimportantdata.
ThemethodmentionedinthispapercanhelpforensicinvestigatoracquiresomeimportantdataofSinaMicroblogquicklyandanalyzetheuserbehavioreasily.
MicroblogUserBehaviorMicroblog,asakindofnewinformationcommunicationplatform,cansatisfyourdifferentrequirements,suchasinformationacquisition,informationcommunicationandinformationsharingetc[6].
OntheInternet,therearethreemaintypicalbehaviorsofMicroblogusers:followothers,befollowedbyothers,totweet.
Thefirstoneisakindofbehaviorthattheuseracquiressomeinformationbyfollowingotherusers.
Thesecondoneisakindofbehaviorthattheuseraffectsotherusersthroughbeingfollowedbyothers.
Thethirdoneisakindofbehaviorthattheuserwritestwitterandspreadsinformation.
ThegreaterthenumberofMicroblogbeingcreatedandreposted,thelargertheinformationbeingtransferredbytheuser[7].
DataAcquisitionTherearethreewaystoacquiredatafromiOSdevices:acquiredatafrombackupfile,acquiredatabylogicalmethodandacquiredatabyphysicalmethod.
ThispaperfocusesonhowtoacquiredatafromiOSdevicesbybackupfile.
iPhonebackupsdatabyusingiTunesaccordingtosomesynchronousprotocolsaboutMACOS,sowecanacquiredatafromthebackupdirectoriesstoredinthecomputer.
However,onlythefiledatasynchronizedexactlybysynchronousprotocolcanbeacquirebythismethod.
DifferentoperatingsystemhasdifferentstoragelocationwheniPhonebackupsdatabyusingiTunes,thedetailinformationisshownintable1.
Table1.
backupfile'sstoragelocationofusingiTunesOperationsystemlocationWindowsXPWindowsVista/Windows7MacOSXC:\documentsandsetting\\ApplicationData\AppleComputer\MobleSync\BackupC:\Users\\AppData\Roaming\AppleComputer\MobleSync\BackupUsers//Library/ApplicationSupport/MobileSync/Backup/Alargenumberofkeyinformationcanberecoveredbyusingthemethodmentionedabove.
Frequently-useddataisusuallystoredintheSQLitedatabaseandsomepropertylistfile,assynchronousprotocolcansupportsynchronousoperationoftheSQLdatabaseandsomepropertylistfile.
ForensicanalysisofiPhonethird-partyapplicationTheforensicanalysisofthedatageneratedbyiPhonethird-partyapplicationconsistsofthreeparts:analyzingfileanddirectorystructure,analyzingdatabase/plistfile,correlationanalysis.
IOSdevicecontainsalargenumberofvarioustypesofdata,includingsomedatarelatedwithmobilephoneandbuilt-inapplications,suchascalllog,contacts,shortmessages,photosandthecachefilesofSafaribrowseretc.
Inadditiontothis,iOSalsocontainsthedatageneratedbythethirdpartyapplicationswhicharefromAppStore.
IOSdevicehastwokindsofstorageformats:oneispropertylistfile(plist)inbinaryform,it'susedtostoresomesetupinformation;anotherisSQLitedatabase,it'susedtostorepersonalinformation[8].
Analyzingfileanddirectorystructure.
EveryiOSapplicationhasitsownsandbox,thesandboxisaspecialfilesystemdirectorywhichisseparatedfromotherfiledirectories.
Itcanpreventanyapplicationtoexchangedatawithotherapplications.
Thethird-partyappsofiPhoneareusuallystoredin/private/var/mobile/Applications.
Everythird-partyapphastwodirectories:/Documentsand/Library,thefirstdirectorycontainssomedocumentinformation,theseconddirectorycontainspreferencesettingsandsomecachefiles[9].
Butdifferentthirdpartyapplicationhasdifferentstoragelocationandformat.
Analyzingdatabase/plistfile.
SQLitedatabaseisoneofthemostcommondatatypeforstorage,it'smainlyfoundinthemobileapplicationdevelopment.
ManyapplicationsintheiOSuseSQLitetostoredata.
Manyimportantdata(suchasContacts,ShortMessages,CallHistoryetc)arestoredintheformofSQLitedatabase,thesedataareencodedinUTF-8.
PropertyListfileismainlyusedtostoreserializedobjects.
Thefilenameextensionis.
plist,soit'susuallycalledplistfile.
Plistfileisusuallytostoreusersettingsandextrainformation.
Plistfileisconsistofthreeclasseswithhierarchicalstructure:CocoaFoundation、CoreFoundationandXML,allnodesaredisplayedinalist.
Correlationanalysis.
Althoughthesefilesincludemanyimportantinformation,suchastheuniqueIDofvisitingsocialnetworksite,specialdata,whereandwhentheeventistakingplace.
AnalyzingSinaMicroblogThispaperwilltakeSinaMicroblogiPhoneAppasanexampletodiscusshowtoanalyzeMicroblogusers'behaviorforforensicinvestigator.
Thisworkincludestwosteps:extractimportantbackupfiledatarelatedwithSinaMicroblogusers'behavior,andanalyzeSinaMicroblogdirectorystructure,importantdatabaseandplistfile.
Asthebackfilesareallencryptedfiles,wecanusesomeforensictoolstorestoretheseencryptedfiles,twotoolsusedinthispaperareiBackupBotforiTunes.
Fig1showsthedirectorystructurediagramofusingiPhoneDataRecoverytorestoreSinaMicroblog,SinaMicrobloghastwodirectories:/Documentsand/Library,thefirstdirectoryisusedtostoredocumentinformation,thesecondoneisusedtostorepreferencesettingsandcacheinformation.
Fig1.
DirectoryStructureofSinaMicroblogImportantinformationofSinaMicroblogiPhoneAppisstoredinaSQLitedatabasecalledDocuments/db_42500_1992761734.
dat,thelasttendigits(1992761734)istheuniqueidoftheuser.
Thenwecanknowthatthefilenameofthisdatabasefileinthebackupfilesis4ab36716f9ce19991ac7950591b2c06475e5d21ebycomputingthehashvalue(sha1)ofppDomain-com.
sina.
microblog-Documents/db_42500_1992761734.
dat.
Thenwecanfindseveraltablesinthisdatabasefile,thedetailinformationisshowninFig2.
Fig2.
SQLitefileIt'seasytoanalyzetherelationshipbetweenthedatacontentandcorrespondingMicrobloginformationbyviewingthestructureofeachtable.
Eachtableinthedatabase(db_42500_1992761734.
dat)hasdifferentfunctions,thedetailinformationisshownasfollowings:contact_group_count:Thistableisusedtorecordtheamountofusersineachgroupoffolloingotherusers.
contact_groups:Thistableisusedtorecordsomeinformationaboutbeingfollowedbyotherusers,includingtheGIDandnameofeachgroup.
contact_x_group:Thistableisusedtorecordtheuserslistofbeingfollowedbyothers,includinguserIDandthegroupIDofeachgroup.
contacts:Thistableisusedtorecordtheuserslistoffollowingothers,includingusernameanduserIDetc.
pm_conversations:Thistableisusedtorecordthelistofuser'sMicroblogprivatemessages,includingthenewestrecordofprivatemessagewitheachuser.
pm_messages:ThistableisusedtorecordtheMicroblogmessagelist.
microblogs:ThistableisusedtorecordMicrobloginformationbyuser'stimeline,includingthecontentofMicroblogmessage,theauthorofMicroblogmessage,userID,posttime,theamountofforwarding,thenameofMicroblogclient,geographicalpositioninformation,thelinkofpictureattachedtoMicroblogmessageandsoon.
Twokindsoftypicaluserbehaviors,"Follow"and"Befollowed",formthebasisofMicrobloguser'ssocialnetwork[10].
Wecanacquiretheuserslistoffollowingothersfromthecontactstable.
Thecontactstablecandirectlyreflecttheuser'sintereststowardsdifferentkindofinformation.
Ifwewanttoknowtheuser'ssocialnetworkinformation,weshouldviewtheuser'sfanslistfromcontact_x_grouptable.
User-postedMicroblogmessagesarerecordedinweibotablebytimeline.
Thelast50microblogrecordsarestoredinthemobileclient,theserecordsincludethemicroblogmessagespostedorbrowseredbytheuser.
TheinformationrecordedinthemicroblogtableisveryimportantforstudyingforensicinvestigationofMicrobloguser'sbehavior.
hedetailinformationofeachfieldandthecorrespondingmeaningisshowninTable2Table2theinformationofweibotableFieldStoredinformationStoreddatatypenickUsernicknameNSStringuidTheuniqueIDofuserNSNumeber(intValue)portraitImageInformationNSStringconcentThebodyofpostedMicroblogNSStringpicEmbeddedpictureintheMicroblogNSStringdatelineThedateofpostingMicroblogNSDatertrootuidTheuniqueIDofthepostedMicroblogNSNumeber(intValue)rtrootnickThenicknameofthepostedMicroblogNSStringrtreasonThecommentcontentofforwardedMicroblogNSStringsourceTheappofpostingMicroblogNSStringlongitudeLongitudeNSNumber(floatValue)latitudeLatitudeNSNumber(floatValue)url_structsThelinkinformationembeddedintheMicroblogNSDictionarypage_infoPageinformation(position,topicetc)NSDictionarytopic_structsTopicinformation(thelinkandtitleofthetopic)NSDictionarypic_id_infosThepictureembeddedinthepostedMicroblogNSDictionaryextra_propertiesExtrainformation(Ifthevalueofrelationis0,itindicatesthatthismessageispostedbytheuser;ifthevalueofrelationis1,itindicatesthatthismessageisthepublichomepage'smicroblogmessagewhichisbrowseredbytheuser.
)NSDictionaryTheforensicinvestigatorcanobtainmanyusefulinformationbyanalyzingtheimportantfieldsinweibotable,suchasuser-postedmicroblogmessages,thepublichomepage'smicroblogmessageswhicharebrowseredbytheuser,wheretheuserpostedthemicroblogmessage.
Inadditiontothis,theuser'strackduringaperiodoftimecanbeobtainedbyanalyzingtheinformationoflongitudeandlatitude,thentheforensicinvestigatorcananalyzeMicroblogusers'behaviorfromthepointoftimeandspacerelations.
Exceptforthis,wecandirectlyvisittheuser'sMicrobloghomepagebyenteringtheURL:http://microblog.
com/0000000000inthebrowser'saddressbartovalidatewhethertheIDnumberintheURLbelongstotheuser.
WecanacquireallkindsofdataofMicroblogbycallingAPIinterfaceprovidedbySina,includingpersonalprofileinformation,geographicalpositioninformation,dynamicinteractioninformation,user'sfansinformation.
SummaryAtpresent,theresearchofMicrobloguser'sbehaviorandacquiringMicroblogdataareconductedseparately,buttheyareinseparableforforensicworkers.
Onthisbasis,thispapertookSinaMicroblogiPhoneAppasanexampleandproposedanewmethod:firstlyextractdatafromMicroblogapp,thenmakeanalyzeuserbehaviorforthepurposeofforensicanalysis,thismethodcanbeappliedtootherMicroblogapp,too.
AcknowledgementsThisworkissupportedbyNationalSocialScienceFoundationProjectofP.
R.
China(No.
14BFX156),NaturalScienceFoundationProjectofCQCSTCofP.
R.
China(No.
cstc2011jjA40031).
References[1]Informationonhttp://www.
pocketgamer.
biz/metrics/app-store/[2]MutawaNA,BaggiliI,MarringtonA.
Forensicanalysisofsocialnetworkingapplicationsonmobiledevices[J].
DigitalInvestigation,2012,9(15):S24–S33.
[3]GaoF,ZhangY.
AnalysisofWeChatoniPhone[C]//2ndInternationalSymposiumonComputer,Communication,ControlandAutomation.
AtlantisPress,2013.
[4]DuJiang,WangCong.
iPhonethird-partysoftwareforensicsresearch[J].
ComputerCDSoftwareandApplications.
2013,(13):53-54.
[5]HUANGYan-wei,LIUJia-yong.
StudyonSinamicroblogDataAcquisitionTechnology[J].
InformationSecurityandCommunicationsPrivacy.
2013(06):71-73.
[6]ZhaoLing,ZhangJing.
Multi-dimensionalAnalysisofMicroblogUserBehaviorResearch[J].
InformationandDocumentationServices.
2013(05).
[7]ChenPeng,ShuiJinguang.
StatisticalAnalysisofMicroblogUserTypicalBehaviorbasedonIndividualProperty[J].
KnowledgeManagementForum.
2013(05).
[8]ChenCN,TsoR,YangCH.
DesignandImplementationofDigitalForensicSoftwareforiPhone[C]//InformationSecurity(AsiaJCIS),2013EighthAsiaJointConferenceon.
IEEE,2013:90-95.
[9]LevinsonA,StackpoleB,JohnsonD.
Thirdpartyapplicationforensicsonapplemobiledevices[C]//SystemSciences(HICSS),201144thHawaiiInternationalConferenceon.
IEEE,2011:1-9.
[10]XUXiao-dong,XIAOYin-tao,ZHUShi-rui.
SimulationInvestigationofRumorPropagationinMicrobloggingCommunity[J].
ComputerEngineering.
2011,37(10):272-274.