A Survey of Forensic Analysis and Information Visualization Approach for Instant Messaging Applications

—Instant messaging applications, including WhatsApp, Viber, and WeChat, are moving beyond text messages to videos and voice calls, which are proportioned to current media, files, and locations. In this study, we surveyed existing forensic visualization and forensic analysis techniques for instant messaging applications, with the aim of contributing to the knowledge in the discussion of these research issues. A total of 61 publications were reviewed after searching various academic databases, including the IEEE, ACM Digital Library, Google Scholar, and Science Direct during the last five years. Our observation from research trends indicates that both forensic analysis and information visualization are relatively mature research areas. However, there is a growing interest in forensic visualization and automated IM forensic analysis. We also identified the lack of discussion on forensic selection criteria in existing forensic visualization works and the needs of benchmarking the evaluation method of automate forensic analysis tools.

In the context of smartphones, the acquisition of digital evidence involves mobile forensic techniques [7]. The acquired artifacts can be valuable, as these include various significant metadata, such as application data, communication data, location data, and browsing history data. These data are, however, produced in unstructured data -raw data that are not in the organized data model form. The unstructured data could be challenging for forensic examination activities, for instance time-consuming and increase investigation cost [8], [9].
Therefore, there has been significant interest in examining appropriate approaches to expedite digital forensic analysis activities. One of the potential approaches is the use of forensic visualization. It is a common practice for digital forensic investigators to perform cross-analysis using various forensic software, but there is a lack of advanced visualization approaches to facilitate evidence analysis [5]. It also has been pointed out that the application of multimedia technology in presenting digital evidence could increase judicial understanding [6], [7], [8].
In this study, we explored the literature on forensic analysis of mobile applications, information visualization, and forensic visualization. The contributions of this work are twofold: (1) to provide insights into digital forensic analysis and the development of its automated tools, forensic analysis of IM apps, and forensic visualization to assist forensic analysis, and (2) to discuss the research trends and future research directions for these areas, including the potential of incorporating forensic visualization in IM forensic analysis. The knowledge gaps are identified from this study such as the needs of evaluation benchmarking and the lack of forensic selection criteria in the existing studies.
The remaining sections of this survey paper are organized as follows: Section II presents the review methodology while in Section III, associated works addressing forensic analysis and the techniques of visualization and mobile forensic analysis are discussed. Section IV reviews existing work in forensic analysis of IM apps. Section V discusses the role of forensic visualization in forensic analysis. Section VI presents the discussion on the research trends of forensics visualization and mobile forensic analysis techniques for future works. Section VII concludes this study. www.ijacsa.thesai.org

II. REVIEW METHODOLOGY AND PROCESS
A literature survey in forensic analysis, forensic visualization, and information visualization was performed by adopting the method used in [9] and [10] (see Fig. 1).

Fig. 1. Data collection method
To obtain a fair overview of the literature on forensic analysis and information visualization, we surveyed materials published in the English language over the past five years (i.e., April 2017 to June 2022). A total of 61 publications were located after searching various academic databases, including the IEEE, ACM Digital Library, Google Scholar, and Science Direct.
The search words used were different in each case, such as "digital forensics", "forensic analysis", "intelligent visual analytics digital evidence", "mobile forensics", and "information visualization". For the search in Title, Abstract, and Keywords, quotation marks were entered and modified by topic, such as "forensics visualization", "information visualization in digital forensics", "forensic analysis in visualization", and "forensic analysis in mobile application". We filtered the articles from the search results to include "digital forensics", "forensic analysis", and "visual analytics". We utilized the term "Web of Science" in title, abstract, and keyword searches in Advanced Search, and searched within Topics. Furthermore, we defined the document type as "articles" with no restrictions for all search results, and we only looked at journal publications.

III. DIGITAL FORENSICS ANALYSIS
Forensic analysis is one of the phases in digital forensics, which is undertaken after evidence collection and examination. It involves "analyzing the results of the examination, using legally justifiable methods and techniques, to derive useful information that addresses the questions that were the impetus for performing the collection and examination." [11]. More importantly, forensic analysis encompasses the gathering of evidentiary materials, evidence interpretation, results validation, and evidence presentation in an intelligible manner [12].
As discussed in [13], event reconstruction includes the combination of temporal, functional, and relational analyses of available evidence artifacts. Temporal analysis includes searching for other events that occurred around similar timestamps as those of one or more events already identified as related to the case being investigated. Functional analysis involves understanding what actions were possible within the environment of the offense and how the offender's toolkit works. Relational analysis involves studying how the various systems involved in a compromise relate to each other and how they interact.
String and keyword search, file filtering, and timeline analysis are examples of commonly used techniques in forensic analysis. String and keyword searching techniques can be used to filter out words, phrases, strings, and keywords that provide clues when searching for evidence. It is one of the primary features used in both commercial and non-commercial forensic tools, (e.g. Magnet Axiom, Autopsy). It has also been widely validated in academic forensic investigation studies, such as those analyzing web URL information [14]. Nowadays, the conventional keyword searching technique might be limited in a large volume of data, as it could lead to false negative or false positive and requires background knowledge about the case [15]. Therefore, studies such as [16] and [17], have examined the use of the semantic-based approach for text clustering with the aim of improving the performance and accuracy of forensic analysis.
Another technique, known as file filtering, can be applied as digital sieving of important files from irrelevant files by utilizing cryptographic hashes to screen the hash values of target files. For example, when using the MD5 Hash (and/or SHA-1 Hash) and Known File Filter options to process evidence, a hash value for each item is generated. The hash value of each file item inside the evidence is computed, and known files are filtered for the freshly computed hash value data [18]. The file filtering technique is significant in forensically examining file systems, for example, examining file similarities, as in [19], and examining file types, as in [20]. A limitation of this technique, however, is that it cannot be applied to corrupted files.
The timeline analysis technique is a chronological analysis of incidents to display all occurrences in a chronological sequence. However, emerging computing pose various factors that must be considered to generate a unified timeline, such as different time zone settings, timestamp interpretations, clock skew, and syntax [21]. Therefore, manual timestamp inspections may no longer be adequate to support investigations. Some recent studies have applied other scientific methods to enhance temporal analysis such as visualization approach, such as using graph-based and ontology-based approaches [22], [23] and highlighting patterns in the timeline analysis [24], [25], [26].
It is unlikely that a single method of data analysis is applied when examining digital evidence, as the evidence could have multiple interactions. The applied methods of data analysis can be mixed, depending on the complexity of a system's architecture. For example, Carrier [27] presented data analysis based on layers, in which physical storage media analysis was the bottom layer. The next layers comprised volume analysis, memory analysis, file system analysis, and database analysis, while application analysis was the top layer. In a work by [28], the authors demonstrated system analysis, operating system analysis, application analysis, network analysis, device analysis, and Shim cache analysis to present Windows registry www.ijacsa.thesai.org forensics. Analyzing cloud apps on Android mobile devices, [29] demonstrated the analysis of app files in private storage, external storage, app database, and app account data and analyzed apps using the static and dynamic analysis approach. X. Zhang et al. [30] performed IoT botnet forensics by applying network traffic analysis, servers' disk analysis, servers' memory analysis, and database analysis. As described in these works, the configurations and deployments of systems architectures can vary. Undertaking the tasks manually may result in advertent or inadvertent mistakes and biases. The advancement of computing infrastructures and the interconnection of devices have made the tasks more complex and time-consuming. Hence, the automation of the tasks is essential to improve the efficiency of forensic analysis.

B. Metrics of Automated Forensic Analysis Tools
The development of automated forensic analysis tools is a developing field with a wide range of scientific techniques applied in many cyber forensics areas to keep pace with evolving computer generations [31]. Ayers [32] proposed seven metrics for computer forensic tools that are absolute speed, relative speed, reliability, accuracy, completeness, auditability, and repeatability.
Absolute speed, which refers to the elapsed time required to complete analysis tasks. Relative speed, which involves the average rate at which the tool can process evidence compared with the rate at which data can be read from the original evidential media. Reliability, which includes the proportion of tests that the tool executes successfully, as in performing without crashes and providing outputs in the intended format. Accuracy, which refers to the proportion of analysis results that are correct. Completeness, which concerns the proportion of evidence artifacts present in a forensic image that are identified and reported by the tool. Auditability, which includes the proportion of results that are fully auditable back to the original evidence data. Repeatability, which involves the proportion of tests that ran as stipulated in every aspect. Table I summarizes the applied forensic tools metrics in existing works related to forensic analysis tools.  [28] Lin et al. [33] Kumar et al. [34] Subedi et al. [35] Anglano et al. [36] Absolute speed In practice, it is unlikely for a study to include all the specified metrics in a tool due to the limited scope, time, and tool functionality. It has been observed that completeness and accuracy are the most applied metrics. The metrics are consistent with digital evidence principles by the RFC 3227 [37].
There are also other studies that proposed new or additional metrics to evaluate forensic tools. For example, Lin et al. [33] used the effective metric to evaluate their tool's efficacy in locating the source of the evidence artifact. Additional metrics proposed by Anglano et al. [36] are (1) effectiveness, which is the ability to correlate users' actions with the generated data, and (2) generality, which is the ability to analyze any mobile application on as many different Android devices as possible. It is observed that this work defined the repeatability metric as the ability to provide to a third party the possibility of replicating the same set of experiments. Considering the repeatability definition by Anglano et al. [36], we argue that all works shown in Table I are repeatable because detailed methodologies were provided. Furthermore, it is essential for academic work to provide a repeatable methodology for comparison with other similar research works. Other notable observations are that: (1) aforementioned studies used the same term to discuss different evaluations, such as Anglano et al. [36] using the "effective" term to discuss correlation ability, while Lin et al. [33] used the term to discuss the ability to locate data, and (2) the studies used different terms to describe the same evaluation, for example, Anglano et al. [36] using "fidelity" as a term to discuss repeatability.

IV. FORENSIC ANALYSIS IN MOBILE COMMUNICATION APPS
Examining IM apps is one of the continuous research works in mobile forensics. In addition, new updates of apps' features pose challenges for mobile forensics practices [38]. In this section, we describe the basic concepts of mobile forensics, and recent works involving the forensic analysis of mobile IM apps are reviewed.

A. Forensic Analysis of Mobile Instant Messaging Apps
Forensic analysis of mobile IM apps has received considerable attention and is rapidly emerging in recent years. For example, Anglano et al. [39] performed an in-depth analysis on how to decode, interpret, and correlate the data generated by users, using Telegram Messenger as a case study. The experiments involved user account information, contacts, chats, message exchanges, phone calls, and deleted information. The proposed methodology of this work was evaluated based on completeness, repeatability, and generality. It should be noted that analysis tasks were conducted manually and involved the evaluation of sources. The study's event reconstruction includes temporal and relational analyses. In a similar vent, Akinbi and Ojie [40] demonstrated forensic analysis of Conversation and Xabber apps on Android smartphones. The study discussed the results obtained from the completeness of recovered data, the sources of data, and timeline analysis to present the chronology of chat logs, message contents, and deleted files. www.ijacsa.thesai.org Riadi and Firdonsyah [41] compared mobile forensics tools' effectiveness on four IM apps, which were Short Message Service, Blackberry Messenger (BBM), LINE, and WhatsApp. The applied tools in this study were Andriller, Oxygen Forensic Suite, WhatsApp DB/Key Extractor, and Metasploit. The experiments were conducted on Android smartphones and an Android smartwatch. Tool effectiveness was evaluated using the success rate percentage of artifact extraction, in which Oxygen Forensic Suite showed the highest success rate at 57.14% on BBM and WhatsApp, while Smartwatch achieved 42.85% success rate on SMS and LINE. Additionally, the completeness of the recovered artifacts was evaluated using the percentage of artifact extraction.
Due to concerns over privacy, the features of encrypted chat and end-to-end encryption have been updated in some IM apps. These pose another dimension in forensic analysis of investigating possible ways to recover data from encrypted databases. For example, [42] examined the encryption status of WhatsApp, Facebook Messenger, LINE, and Hangouts on Android smartphones. The study compared encrypted and unencrypted databases between rooted and unrooted smartphones. The results of the recovered data from unencrypted databases were presented in terms of the point of origin of data, database structures, and data completeness. Rathi et al. [43] performed forensic analysis tasks on four encrypted Android IM applications, which were WeChat, Telegram, Viber, and WhatsApp. It was demonstrated that encrypted WeChat and Viber databases can be acquired from rooted devices, WeChat database can be decrypted using the IMEI number and the phone identifier encryption key, WhatsApp messages can be acquired from unrooted devices, WeChat data can possibly be retrieved from unrooted devices by downgrading the app version, and Telegram data were irretrievable from unrooted devices. However, with the current version of the WeChat application, the approaches used in their study are no longer valid [44]. Although this study did not directly specify the evaluation method, it has been observed that the forensic analysis result was presented based on the completeness criterion. The analysis tasks were undertaken manually and involved the evaluation of evidence sources.
Also focusing on the decryption methodology for forensic analysis, [45] investigated Wickr and Private Text Messaging apps on both rooted and unrooted Android smartphones, as well as jailbroken and non-jailbroken iOS smartphones. The results of this study showed that the proposed method was able to decrypt the databases of both apps and examine the encrypted databases' structure. The verification method of recovered user-entered password was used to decrypt the entire data. The method was evaluated based on the efficiency of estimated password recovery time. It is observed that this work focused on cryptographic contribution, as there was no discussion on data completeness and sources of evidence.
There are studies that attempted to compare recovered data from volatile and non-volatile memories. Focusing on Android LINE Messenger, [46] examined data remnant through the simulation of user activities, such as installation, uninstallation, logins, conversations, file transfer, and other LINE activities. The findings of the study showed that evidence artifacts from the LINE app can be recovered from both volatile and non-volatile memories. Similarly, their study attempted to analyze the artifacts using the evaluation metrics of evidence sources and completeness. Agrawal and Tapaswi [47] conducted the forensic analysis of the Android Google Allo messaging app. The study demonstrated manual analysis tasks on device images. An interesting observation is that this study applied inferential statistics to evaluate the completeness metric. The recovered files were evaluated based on the point estimation value, while margin of error was used to calculate confidence limits. Another study that applied the inferential statistics concept was conducted in [48]. The study demonstrated the residual data of Android Kik Messenger on the NAND flash memory and the heap memory. The results of this study were presented by comparing the count and the average number of recovered messages between the NAND memory and the RAM memory.
Considering the extensive manual tasks of forensic analysis, some studies have proposed the development of automated tools. Barradas et al. [49] demonstrated forensic analysis tasks on eight messaging apps, which were Facebook Messenger, WhatsApp, Viber, Signal, Twitter, Telegram, Hangouts, and Trillian. The proposed tool, called RAM Analysis System (RAMAS), was designed based on the filecarving approach to extract potential evidence artifacts from physical memory. This study simulated common user activities on messaging apps. The performance of RAMAS was measured using the analysis time metric by varying the memory image size and the number of modules. The results indicated that reducing the set of strings improved the elapsed time, while running several modules in parallel resulted in a sub-linear time for analysis completion. The tool also supported event reconstruction tasks by applying the timeline analysis technique.
Nizam et al. [50] presented a tool to automate keyword indexing to assist the forensic analysis of WhatsApp. The main module of the tool involved loading a list of keywords from selected crime categories and uploading WhatsApp chat text files. Subsequently, a text-matching algorithm was executed, and a keyword count that showed the number of found keywords in the chat files was generated. The tool was tested using software engineering properties, which were application functionality testing and user acceptance testing. No event reconstruction feature was observed in this tool.
Using WhatsApp and LINE as case studies, [51] proposed a tool that applied the information visualization approach to support forensic analysis activities. Using visualization techniques, the tool was able to visualize key information, such as total number of messages, number of contacts, top-most frequent contact, top-most frequent words, and location map. Event reconstruction was supported by this tool using the timeline analysis approach. As in [50], this tool was evaluated through functionality testing and user acceptance testing.
A notable observation found from these works is that the simulation of user activities on the studied apps was used to elicit the generation of artifacts. The recovered artifacts from IM apps were mainly associated with user account information, contact information, chat histories, message exchanges, media exchanges, phone calls, app database, and deleted information. www.ijacsa.thesai.org Furthermore, analysis results from rooted and unrooted Android devices or jailbroken and non-jailbroken iOS devices presented significant differences involving encrypted data. Most of the studies examined recovered artifacts on device images manually, except for a few studies that used proposed automated tools. We also note that results from the metrics of origin of artifact and completeness of recovered artifact were the two predominantly reported forensic analysis results. Evaluation metrics, however, varied in these studies, and several studies did not directly specify their metrics. We discuss our further observation of the trends of studies on forensic analysis of IM apps in Section V.

V. AN OVERVIEW OF INFORMATION VISUALIZATION
Information visualization is the process of displaying data as graphical markings on a computer screen or other media, to enhance people's ability to recognize visual patterns, such as watching, browsing, discriminating, and comprehending data [33]. Information visualization (InfoVis) is considered as a mature area, as evidenced in a study by Rees and Laramee [52], which surveyed over 23,000 pages of information visualization books. The study also highlighted that InfoVis research papers were cited in many areas, including networks, finance, healthcare, and security.
Data types in InfoVis can be classified into multi/highdimensional, relational, sequential/temporal, geospatial, and textual [53]. Multi-dimensional and high-dimensional data are presented in a table-like form, where the rows denote data objects, while the columns denote data dimensions, attributes, features, or descriptors. Relational data refers to the common case of binary relations and are represented as graphs. Sequential and temporal data concern the serial order of data points in a sequence, for instance, the time series data. Geospatial data involves creating maps of the real world to visualize spatial and non-spatial relationships among the data. Textual data are inherently multivariate data sources, for example, text corpora as a semi-structured source of information integrated with approaches (e.g., semantic, textmining) to transform raw texts into structured data sources.
Sorapure [54] discussed four key elements in InfoVis for improving data interpretation, which are text, image, data, and interaction. Text is often included as titles, labels, annotations, explanations, and other commentaries. Significant functions of text are guiding interpretation, providing explanation, establishing context, and facilitating navigation. The image element concerns generating and maintaining users' interest by selecting the most effective ways to convey information. Data literacy is important in enabling users to formulate questions and make decisions informed by the data. It involves creating arguments based on the data, effectively using tools to manipulate and represent the data, and being able to communicate with the data. Interactions include activities from users, such as selecting, exploring, reconfiguring, encoding, abstracting, filtering, and connecting, to establish interactions with InfoVis.
The application of InfoVis in many different fields further indicates that it is a reliable approach to support data interpretation and decision-making tasks. In the context of digital forensic analysis, interpreting gathered evidence is the key to establishing connections in crime investigations. With the use of intelligent computing and decision-support frameworks, InfoVis has a significant role in assisting forensic analysts in digital evidence analysis activities [55].

A. Role of Visualization for Forensic Analysis
The use of information visualization techniques in digital forensics has received considerable interest in the digital forensics' community. Existing works applied information visualization to visualize forensic data using various case studies, such as mobile phones, network data, IoT data, and Windows system files.
A study in [56] demonstrated how visual representation could support faster and more accurate decision-making during real-time digital forensics investigations. The Nested Blocks and Guidelines Model (NGBM) was adopted to design the visualization interactions in this study. Using fileless malware as a case study, the usability of the proposed tool was evaluated through the tool's components, such as investigation timeline, network activity, read/write entropy, and system performance. Examples of the used data were "time series", "IP Address"," Windows Event Logs", "PowerShell Events", and "Syslog", while the involved visualization methods were line charts, ellipses, area charts, and time series.
Tassone et al. [5] proposed a proof of concept to visualize digital forensics datasets that consisted of three stages of visualization lifecycle, which were decode, store, and visualize. Three visualization techniques were used, namely treemap, geographic map plot, and word cloud. This study used three case studies to represent the XRY mobile forensics dataset to evaluate tool utility. The treemap technique was used to visualize SMS messages, the geographic map technique was used to map locations from a coupon app, and the word cloud technique was applied to visualize data from a text-based communication app. The three case studies were able to demonstrate the utility of the tool.
Kotenko et al. [57] proposed a visual analytics approach for network forensics to analyze network traffic. The proposed approach consisted of two stages, which are data slice classification and the selection of an information visualization model. The visualization model can be determined from data types, such as numerical (e.g., pie chart, bar chart), tree (e.g., TreeMaps), planar (e.g., Voronoi Maps), semi-structured (e.g., Chord diagram), unstructured (e.g., graph), and a combination of data types and models. The usability of the proposed tool was evaluated using a case study of an SSL-strip attack that involved 200584 network packets in the files. The model was demonstrated in a three-hour training lab session, in which the result showed that 8 out of 10 students were able to solve the use-case within the lab session using the proposed visual analysis tool.
Also investigating network traffic data, [58] applied a 3D model and the use of time-based information as a display third axis, combined with a computer network topology in a single interactive data. The proposed tool, Scanmap3D, was evaluated based on its effectiveness to solve questions from network forensics challenges. The results were compared with other (IJACSA) International Journal of Advanced Computer Science and Applications, Vol. 14, No. 2, 2023 242 | P a g e www.ijacsa.thesai.org tools that applied traditional statistical and 2D graphical analysis approaches.
Implementing Windows Jump List, [59] presented a graphical digital forensics tool, known as Jump List Analyzer. The study applied statistical charts (e.g., histogram) to visualize attributes, such as AppID, time, zoom, CustDest file, recorded file, and GUI interface. The tool was demonstrated to support forensic investigations of users' background and behavior analysis. Compatibility, friendliness, and functionality were the three applied metrics to evaluate the Jump List Analyzer. A comparison with other tools suggested that the proposed tool can effectively visualize large volumes of data.
Analyzing an online social network, [60] proposed a forensic analysis model that included evidence acquisition, evidence solidification, evidence analysis, and evidence visualization. Evidence analysis used semantic analysis method in natural language processing, and it involved text analysis, hot word frequency analysis, and physical locations. Sina Microblog was used to demonstrate the proposed tool's feasibility. Web page files, such as HTML text data, CSS files, JavaScript files, and images, were the involved metadata. However, there was no detailed information on InfoVis.
Applying the use of 3D and 2D models, [61] proposed a drone forensic framework to investigate the post-flight investigation of drone activities. The authors applied 3D visualization models to visualize three specific parameters, which were roll, pitch, and yaw along the flight path, while other parameters, which were drone-controller communication, signal type, battery, altitude, number of satellites used, and speed at each point of time, were visualized using 2D models. Each parameter value was logged based on the timestamp. Graphs and charts, such as line charts, were utilized for the 2D models. This study measured forensic visualization aspects based on performance and responsiveness. The study indicated that the tool could manage the visualizations of sensor data without interruptions.
Focusing on cloud computing's containers and Virtual Machines (VMs), [62] applied InfoVis to visualize the bytes contained in a virtual machine file for rapid incident response. The extracted data were visualized using two-dimensional colorized visualization. The proposed visualization method was evaluated based on relative speed and accuracy using a series of t-tests for significant difference. A total of 42 participants were involved in the test, in which they were divided into test and control groups. Results showed that members of the test group did not have to wait to access the test data, and accuracy rates were relatively equivalent between the groups. X. Zhang et al. [63] proposed an automated knowledgesharing forensic platform by applying the ontology-based approach. The proposed method involved five layers: collection, extraction, analysis, visualization, and abstraction. A timeline-based visualization panel was used to display the investigated metadata. The platform would allow forensic investigators to create schemas based on the results of their forensic investigation. However, the authors did not further discuss the applied visualization model, which might be due to the study focusing on the knowledge-sharing approach.
Chow and Ab Rahman [64] demonstrated a mobile forensic visualization tool that visualized metadata from the Android data partitions of different models. Examples of data visualization were frequent message texts, top contacts, call duration, and location maps. Tool usability was evaluated through application functionality testing and user testing. In a similar study, [51] presented a tool to visualize WhatsApp and WeChat metadata. Examples of data visualization were chat history, timeline of chats, frequent contacts, and location maps. It was observed that the visualization models and evaluation methods used in this study were similar to those of [64]. Both studies highlighted the use of forensic visualization to enhance forensic analysis tasks for mobile forensics.
Shidek et al. [65] demonstrated timeline graph visualization to display data from WhatsApp chat conversations. The utility of the tool was evaluated through questions derived from forensic analysis goals: what cyber incident occurred, who was involved in the incident, and where, when, and how the incident occurred. Also applying timeline graph visualization, [66] presented a visualization-based approach to support malware investigations on the Internet of Things environment. This study applied the data mining method to preprocess DLL files and assign weights to represent malicious and benign files. It was evaluated using a questionnaire survey for academicians and industry practitioners. The respondents were asked about visualization evaluation, user experience, and time performance. A t-test was used to examine the significant difference for performance evaluation.

Agrawal and Tapaswi
[51] Al-Rawashdeh et al. [52] Barradas et al. [53] Nizam et al [54] Ong and Ab Rahman [ In this section, we present the results of, and insight on, forensic analysis of Instant Messaging (IM) apps and forensic visualization for forensic analysis.

A. Forensic Analysis of Instant Messaging Apps
The findings are summarized into methods of forensic analysis tasks, evaluation metrics, evaluation methodologies, and event reconstruction methods. Fig. 2 and Fig. 3 present most of the studies manually analyzed forensic artifacts of IM apps, while three studies demonstrated the use of automated tools to perform forensic analysis tasks. A closer inspection of the table shows that the evaluation metrics for manual forensic analysis were different from those for automated forensic analysis. Origin of data and completeness were the most applied metrics to evaluate manual forensic analysis. For automated forensic analysis, tool performance and tool functionality were the two applied metrics.
Our examination of evaluation methodologies shows that the qualitative methodology was more predominant to be applied in manual forensic analysis studies. This is likely related to the most applied evaluation metrics. For example, the evaluation metric of origin of data is more meaningful in a qualitative way rather than quantitative. Mixed methodologies, on the other hand, are observed as the major selection of research designs evaluating automated forensic analysis tools.
It is identified that very few studies used manual analysis method and generate event reconstruction. This is an unexpected finding, since event reconstruction is the outcome of forensic analysis. A likely explanation is that extensive manual tasks might demotivate the research works from including event reconstruction in their research questions. This was echoed by Kang et al. [67], who highlighted that event reconstruction in manual analysis is limited to personal knowledge, prone to human errors, and time-consuming. In contrast, two out of the three studies that used automated forensic analysis included event reconstruction. This further supports the benefit of automating forensic analysis tasks, which is expediting event reconstruction.
As evidenced by the number of publications from 2017 until 2021, it can thus be suggested that IM forensic analysis has received significant interest from the forensics community, and the research on automated IM forensic analysis is growing. Therefore, we argue that automating IM forensic analysis to facilitate forensic analysis tasks is a promising research area. This is supported by a previous study by Anglano et al. [36], which indicated that the automated forensic analysis of mobile apps has recently received interest and that their proposed tool was able to achieve greater artifact coverage than did previous studies.

B. Research Trends of Forensic Visualization for Forensic Analysis
The research trends were summarized based on InfoVis data types, visualization techniques, case studies, and the number of publications (see Table II). The InfoVis data types were adopted from [53], while the list of visualization techniques was adopted from a survey conducted in [68].  [64], [72], [51], [59], [60], [65], [62] From Table II, we can see that forensic visualization was applied in various case studies, including recent computing trends, such as the Internet of Things. This finding accords with an earlier observation in [52], which showed various applications of InfoVis. Similarly, it indicates the generality of forensic visualization for incorporation into investigations of various digital infrastructures.
It is observed that each study incorporated more than one forensic visualization technique. Furthermore, most of the related studies demonstrated the selection of techniques based on data types, for example in [64], [57], [61], and [66]. This further indicates that different data types may require different visualization techniques. Therefore, we argue that the feature of the selection of visualization techniques must be incorporated in forensic visualization tools to ensure effective evidence interpretation.
Charts and graphs are the major visualization techniques applied, and relational is the most studied data type. This might be related to the usage flexibility of charts and graphs to visualize the relational data type. It can be argued that various types of charts and graphs are significant in providing evidence interaction, as well as interpretation, to users. For instance, [61] demonstrated that various parameters of drone flight data and sensor data can be visualized using various types of charts. www.ijacsa.thesai.org This is also consistent with the list of visualization techniques from a previous survey conducted in [68].
Time-based visualization is the second-most applied visualization technique. This is an unsurprising finding since timeline analysis is a major aspect of forensic investigations. The importance of timeline and its connection with digital forensics investigations were also echoed in the studies by [25] and [23]. Timeline analysis is not limited to examining the time of an incident, but it is also applicable to many other purposes, for instance, event correlation and time zone determination.
Word cloud and geographic maps were also applied as case studies involving mobile forensics data. This is, therefore, not surprising because most smartphone apps comprise textual and geo-spatial data. For example, the three case studies of [5], [64], and [51] used the word cloud to visualize textual data from communication and IM apps. This indicates that the metadata from smartphones involved enormous text-based data. Therefore, applying a word cloud can help analysts quickly understand the patterns of text-based data in relation to forensic investigations. Furthermore, incorporating geographic maps into the tool would expedite investigators in assessing geospatial data without manually examining the data using external map applications.
Another important finding is the evaluation methods of the proposed approaches. Table III summarizes the evaluation methods observed in the surveyed studies. The most applied method is performing technical simulations to evaluate tool usability, followed by conducting user testing to evaluate the tool, and using a focus group to solve forensic challenges. This shows that evaluation methods for visual analysis tools are relatively not mutually exclusive. Therefore, there is a need for benchmarking evaluation methods in this research area.  [56], [59], [60], [61], [63] User testing to evaluate tool functionality and performance [64], [51], [62], [66] Focus group to solve forensic challenges [57], [58], [65] In relation to the automated forensic tools metrics proposed by Ayers [32], speed (absolute and relative), reliability, accuracy, and completeness are the evaluation metrics used in existing studies. This is in line with our finding from automated IM forensic analysis tools, which show that performance and functionality are the most applied metrics. It should be noted that these studies might use different terms to describe the metrics. The result suggests that the existing tools were validated based on widely recognized metrics of computer forensics.
Despite the benefits of forensic visualization, most of the previous studies provided limited discussion on the selection criteria of forensic visualization techniques in relation to forensic analysis. This reflects the finding in [68] that most existing applications do not meet all forensic selection criteria. Forensic selection criteria include the following [68]: meaning, where the interpretation of evidence remains unaltered by the visualization technique used; errors, which is the ability to identify and account for errors to prevent evidence from being questioned; transparency, which is the ability to examine and verify all the data; and timeline, which shows users the events that occurred within a specific timeframe. These criteria are important to ensure the analysis results are valid and admissible in court of law. This observation suggests a knowledge gap(s) that needs to be addressed to highlight the significance of forensic visualization.

VII. CONCLUSION AND FUTURE WORKS
In this study, a literature survey was conducted to examine state-of-the-art IM forensic analysis and forensic visualization techniques. It appears from our literature survey that both forensic analysis and InfoVis are relatively mature research areas. However, there is a growing interest in forensic visualization and automated IM forensic analysis. This brings various research opportunities to fill up the knowledge gaps. For instance, there is a need to benchmark evaluation methods and metrics in both areas. Furthermore, there is a lack of discussion on forensic selection criteria in existing forensic visualization works. Therefore, our next research work will be conducted on the automated forensic analysis of IM applications by integrating the forensic visualization approach. Statistical analysis and machine learning algorithms would be incorporated to utilize the forensic selection criteria in forensic visualization. It is expected that the outcomes of this study will significantly aid digital forensics practitioners in analyzing and interpreting evidence data and aid judicial authorities in understanding the presentation of evidence.