Oleg Fedorov, CEO and Founder, Oxygen Software
I started out as a developer, but in 1999 I decided that I needed a new challenge since I wanted to grow as a professional. I was advised to look into the market of Shareware and so I quit all my jobs and started Oxygen Software. Soon after, my friend Oleg Davydov joined me and we began to try different software markets.
That was the time of the “Matrix” cult movie. Do you remember the phones used by the actors? They were custom ones, but very similar to the Nokia 7110. It was a revolutionary device, the first phone that was able to store several phone fields for every contact and had advanced calendar features.
We at Oxygen were lucky that we released Oxygen Phone Manager for Nokia 7110 before Nokia included its support into their official PC Suite. This product gave us a great start. Later, there was another revolutionary phone, the Nokia 7650 on the Symbian OS. And again, Oxygen Phone Manager was the first software supporting Symbian smartphones.
Periodically, we were getting requests to release a read-only version of Oxygen Phone Manager. For me as a developer those requests looked quite strange, because what’s the problem in just NOT pressing the “Write” button? After some time, we finally got the explanation from the UK Metropolitan Police why the read-only version is so important. That is how the first version of Oxygen Forensic Suite arrived.
Tell us more about the products and services offered by Oxygen Software. What investigative challenges do they aim to address?
Right now we are mainly focused on the family of products for Mobile Forensics. The Basic version - Oxygen Forensic ® Suite Standard - is completely free, but still allows you to retrieve data from 8200+ mobile devices and provides basic functionality to browse the phonebook, call list and SMS / MMS / E-mail messages, calendar and file system.
Our main software product - Oxygen Forensic ® Suite Analyst - in addition to the capabilities of the Standard version, offers users a lot of analytic functions and data parsing of the 3rd party applications. You can see the comparison matrix of features here.
Oxygen Forensic ® SQLite Viewer - a handy tool for the analysis of both actual and deleted information from a SQLite database. According to our users, SQLite Viewer recovers a lot more deleted records than similar products from our competitors.
Oxygen Forensic ® Kit Rugged - a portable integrated solution that includes Rugged Tablet PC running on Windows 7 64-bit (which, unlike similar competitive solutions, allows installation of any third-party software), a set of cables and additional license for Oxygen Forensic ® Suite Analyst to be installed on a desktop PC.
Oxygen Forensic ® Suite Enterprise (also called Network) Edition - the first product on the market of Mobile Forensics, which allows the client to significantly save money if the number of experts who use the program at the same time is more than 5. Oxygen Forensic ® Suite Enterprise license only limits the number of experts who use the Oxygen Forensic ® Suite Analyst concurrently, while the number of installations is not limited. The client, relatively speaking, can buy a license for 10 connections and be able to use it for 100 experts worldwide. And all these 100 experts will be able to use Oxygen Forensic ® Suite Analyst. This provides huge savings to the customers.
We recently released Oxygen Forensic ® Extractor - in fact, this module provides the ability to retrieve data from mobile devices, and acts as a dedicated stand-alone product. Oxygen Forensic ® Extractor is designed for use as an OEM-solution with third-party hardware and software products, which gives the capability for their manufacturers to easily and cost-effectively add mobile forensics functionality.
How does Oxygen Forensic Suite compare with other mobile forensic software tools available to investigators? What are its main advantages?
First of all, since the first version of Oxygen Forensic ® Suite, which came out in 2008, we always focused on smartphones. Starting 10 years ago I have said that smartphones are the future. And now we see that it is finally happening. People stop using SMS features and begin to communicate using social media and a wide variety of internet messengers. Therefore, analysis of just the calls and SMS messages is not enough. It is necessary to further extract all the data from all third-party applications installed on your phone. Oxygen Forensic ® Suite has always been (and still is) a leader in the number of supported 3rd party applications.
Currently, Oxygen Forensic ® Suite is the only tool on the market that fully extracts data from the Windows Phone 7/8, and Blackberry 10 smartphones.
But, extraction of the data is only half of the story. Oxygen Forensic ® Suite has, in the opinion of our customers, the most user-friendly interface to browse, search and analyze the extracted information. Oxygen Forensic ® Suite was the first tool on the market that included the Timeline feature (formerly known as Phone Activity), which presents all the events from calls and SMS messages to geo-locations and social media communications in chronological order. With flexible and, most importantly, fast running filters in the Timeline section, you can instantly view all events for the specific time frame that are of interest to the investigator, or view the entire history of communication of the phone device owner and a specific contact (or multiple contacts). Also, in the Timeline section, you can clearly see the history of movement of the phone owner on the map - see www.oxygen-forensic.com/images/whatsnew/630/ReconstructRoutes.png.
With the help of the Aggregated Contacts section, which includes not only the contacts from the phone book, but also from all installed applications on your phone, you can quickly learn the circle of acquaintances of the user and obtain evidence of communication between the owner and the contact of interest.
Links & Stats Section - quickly and clearly shows who the owner of the phone communicated with more frequently than others, communication preferences, and builds a chart of relations and communication schedule activity within a designated time.
I am also proud of our integrated search function. Not only does it support a variety of search options (for example, absolutely all e-mail and MAC addresses that ever appeared in the phone records, can be found) and regular expressions, but runs completely in the background without bothering the user while working with Oxygen Forensic ® Suite. The search history is saved and the user can always retrieve that information by viewing the records, the results of which can be easily printed or exported to one of the nine most popular file formats.
Our users praise Oxygen Forensic ® SQLite Viewer not only for great results in recovery of deleted data, but also due to several other functions that make the life of an expert much easier. Some of those features include automatic recoding of the data column, which can be based on the size of the data or physical analysis of the regions containing the deleted data.
All of our users also praise the convenient, simple, intuitive and fast interface of the Oxygen Forensic ® Suite.
Oxygen Forensic ® Suite enables you to upload the images retrieved by other mobile forensics products - UFED, XRY, Lantern, Elcomsoft. The list of the image formats that Oxygen Forensic ® Suite supports is quite large, and our users prefer to use our software for parsing and analysis, even if the image itself was obtained from another source.
Oxygen Forensic ® Suite works faster than its competitors, thanks to the fact that all the functions of parsing and data analysis are written in native machine code, instead of using Python or other interpreted (which makes them slower) languages. The difference in speed is especially noticeable with the large amounts of data that are typically present on modern smartphones.
And last, but not least - the price. Oxygen Forensic ® Suite costs several times less than similar products. Those users who have switched to Oxygen Forensic ® Suite from competing products are very pleased to have received more functionality for a much lower price.
Is Oxygen Forensic® Suite only a logical tool?
No, Oxygen Forensic ® Suite has long been able to extract physical dumps of Android smartphones. In version 6.3, we also added the ability to bypass the passcode and retrieve physical dumps of mobile devices based on chipsets manufactured by MediaTek (MTK).
In my opinion, the physical approach is a bloated bubble that is about to burst because of its insolvency. Let's think about it, why do we even need a physical method for retrieving data? There is only one answer - to search for latent data. In modern smartphones (a good example would be Apple devices) due to the use of various memory encryption levels, the recovery of deleted data is simply impossible. And this trend is also gradually moving towards Android devices.
So, on today's smartphones, practically the only way to recover deleted data files is through carving of the SQLite files and we, as I said above, have that advantage over our competitors.
Yes, the physical approach delivers results on the old feature phones, but how long can they remain on the market, while prices keep falling for Chinese smartphones that are running Android?
Validation of a forensic tool is clearly of paramount importance for investigators when presenting evidence. Please tell us something about the procedures which have been used to ensure that evidence gathered with Oxygen Forensic Suite is admissible in court.
First, I would like to tell an interesting story in this regard. About 10 years ago, at Oxygen Software, we invented a way to extract data from smartphones, with the use of a small agent application, that is loaded onto the phone and from there extracts all the information. All of our competitors have made comments that this approach is not forensically sound, due to the changes that were made to the contents in memory. After a few years, all of them started using this approach, since they were not only allowed to get more information, but in general this was the only way to get certain types of data from Symbian, Windows Mobile and Android smartphone devices.
I told this just to state the fact that everyone who is working in the field of mobile forensics understands that discussing the immutability of the state of the smartphone's internal memory is simply pointless, since system processes change it every second. And one can only require immutability of personal data that act as evidence in the case of the accused.
Therefore validation usually consists of two stages:
1. Rereading phone data using the same program.
2. Reading phone data with another program and then comparing the results.
And to prevent changes on the PC, after extraction, Oxygen Forensic ® Suite protects them by using hash-functions.
What are the biggest challenges you face as a developer of forensic software?
I can see three of the biggest problems that all mobile forensics solution developers face:
1. Diversity of mobile devices.
3. Volumes of data.
We are fortunate that we began to study the market of PC-to-mobile communication software and data transfer protocols in the year 2000. I just cannot even imagine how one can enter this market at this point of time. It is necessary to have a huge background in this industry.
Handset manufacturers are always on the side of their customers. They try, by all means, to ensure the privacy of stored personal information on their phones by introducing new levels of encryption and access protection. We, it turns out, act as "good hackers", because from one side we are trying to decrypt or bypass this protection, but on the other hand we stand on guard for law and order. And the result is a sort of constant pursuit!
It should also be noted that in solving the problems of data protection we receive great assistance from the leaders in this market and our good partners - Elcomsoft and Passware.
When the first version of Oxygen Forensic ® Suite was being developed, about 10 years ago, we could not even imagine that the program would work with dozens (and soon hundreds) of gigabytes of data. Our database engine was simply not designed for it. So, 2 years ago, we had to rewrite it completely so that it could quickly work with the large amounts of information stored in modern smartphones.
What do you currently see as the most significant trends in mobile forensics and what new developments do you anticipate in the future?
First of all - trends in mobile forensics are very dependent on trends in the overall industry of mobile devices.
1. Smartphone prices will continue to drop, and this means that they will continue to steal the market from feature phones. So, I think that we have chosen the right development direction at Oxygen Software.
2. Second trend - an increase in the market share of Chinese manufacturers. Brands such as Lenovo, Huawei and Meizu are already on everyone's minds. They produce very high quality premium-class devices on Android and very soon they will be quite noticeably cramping Apple and Samsung.
3. Multilevel encryption memory on phones and tablets. A physical approach will be completely useless on those devices. Data can only be retrieved logically: from the device, or from the Cloud. Here, incidentally, I am very pleased to say that once again we have surpassed our competitors and already embedded the functionality within Oxygen Forensic ® Suite to retrieve data from Blackberry and Windows Phone cloud storages.
4. With increasing amounts of data stored on mobile devices, the need for analytical tools with Artificial Intelligence functions and the ease of finding clues will increase.
Oxygen Software is based in Russia but has clients around the world. What are the challenges of working with an international client base?
The most important problem for us for a long time was the time difference. For example, it was very hard for our clients in the U.S. to get through to our support, and waiting for a reply by e-mail was stretched to a day or more.
Last year we opened a local office in Alexandria, VA, so now I am happy to consider this problem solved. And after hiring additional staff from Seattle, WA, the schedule for our technical support has become almost around the clock.
The second problem - the difference in mentality in the value system and the basic concepts of life. In order to solve this problem, and become closer and clearer to our users, we are actively working with local resellers and distributors in all major markets.
As for the level of employees, the presence of the core team in Russia is a very big plus. After all, few can compete in the ability to code with Russian developers. Actually, I have to say that I am proud of our team and I am confident to say that Oxygen Software are the best of the best. This is what allows us to be super-efficient in terms of profit shares per employee, business and competing directly with companies that employ hundreds of people.
What does the future hold for Oxygen Software? What can we expect to see over the next year or two?
You will see a lot of surprises in flexibility and speed - our main competitive advantages.
When you’re not working, what do you do to relax?
Confucius said: "Choose a job you love and you will never have to work a day in your life." What I do at Oxygen Software, and since last year at Oxygen Forensics, USA, gives me pleasure. Therefore, I don’t feel a great need to relax. However, during my time free from work, I enjoy a variety of different activities: playing with the kids, going on fishing trips, meeting with friends, watching football / rugby / biathlon / tennis / hockey, listening to music and reading books.
Oleg Fedorov is the CEO and Founder of Oxygen Software, a leading developer of advanced forensic data examination tools for smartphones and other mobile devices.