How To Use Social Graph In Oxygen Forensic Detective

Hello, this is Keith Lockhart from the Oxygen Forensic training department, and this video is talking about the Social Graph inside Oxygen Forensic Detective.

To fully understand the Social Graph and the things it can do for you, you kind of have to understand several other facets of your data and how that data is analyzed and categorized inside Detective.

So first we have to figure out how the accounts are coordinated for a user of a device. And not only accounts, but the contacts, because sometimes an account can be a contact, and vice versa. Specifically, we’ll view the profile information for the given user of a device, and it’ll be really interesting when we look at a single device that may have fifteen versions of a user on the device.

Think about this for yourself, for a minute. How many different ways do you communicate with people from your own device? Phone number; text message; Skype; WhatsApp; Line; email. If you really sit back and think about this, I can probably name thirteen or fourteen myself, right off the top of my head. So if we check the profile information inside Detective, we can get a really quick snapshot of accounts tied to the user of the phone.

Then we’re going to have to go look at some of the configuration options; (a) because they’re available now in Detective 12 and higher, and depending on how those configuration options are set, Detective will merge those accounts for the user of that profile – the user of the device – as that extraction data is turned into case data for you to utilise.

Get The Latest DFIR News

Join the Forensic Focus newsletter for the best DFIR articles in your inbox every month.

Unsubscribe any time. We respect your privacy - read our privacy policy.

That’s going to be really important for you to understand. Because depending on how your configuration is set, is how you will see the aggregation of those contacts not only in the Social Graph, but everywhere there is the ability to filter on accounts. So this is going to become a critical piece of information, and hopefully education, as you continue to use OFD 12 going forward.

The point will be to derive some function from chaos. And I’ll illustrate that by looking at a completely unmerged set of data in the Social Graph in particular. Because the first time you look at it, you may just sit back in a chair and think, What in the world am I doing? How am I going to tell what’s what here? And our job will obviously be to help determine what’s what there, but we’ll do it with effective merging, recognising the profiles of the target of the device.

And not only one device, but we’re going to delve into what happens when you put multiple devices in the graph. It’s really cool, you can see I’m talking to all these different people, and we’re talking back and forth, and when we’re talking. But it’s even cooler when you can put three or four different devices in the graph, and while those different devices don’t really talk to each other, they all happen to be talking to this one particular contact out here in the middle of nowhere. Who is that? Let’s figure out how and why that person sitting there has common contact amongst multiple devices or users or targets, call it what you will.

So that’s our goal in this video, to figure out how Graph works, and to figure out what configurations inside Detective can get our best bang for the buck when we’re trying to figure out what’s goin gon in the Social Graph.

OK. Let’s have a look.

OK. So here’s my Detective. I’m just going to jump into my extraction list, and get down to our old human trafficking case, and in this instance, Alison Kelly’s iPhone.

So let me just start, as we were talking about the bolts of things we needed to understand about the Graph: let’s start here with Alison’s Owner information. So here in this section, you’ll see a lot of information about the data on the device, the information, the extraction and the owner. And I’m literally going to use the Owner section, and while it might look like this to begin with, I’m going to take a look at her full profile.

And just take a look here, and start recognising what’s going on. The full name is Alison Kelly. Here’s another full name for something else: Alison. Here’s an email address: alisonkelly2015 at gmail. There’s a Facebook ID. The phone number of the phone. A Twitter profile. A nickname. Another nickname. An account name. An ID, an ID, an ID, an ID, and I could just go on and on. And it could potentially all be represented in different areas of Detective when you’re doing your analysis.

So (a) great place to start to get a good snapshot of the Owner information; but (b) it would be a great place to help you confirm what you’re seeing, so you’re not losing your mind trying to figure out what’s going on.

For instance, let’s look here. I’ll go to the Calls section for Alison. And when I get here, I’ve got a column 1, column 2 – which is a big grid of data – and column 3, our detail column.

But if I come back here to column 1 where I want to filter things, I have accounts I can filter on. This is a phone number; there’s an Alison, that’s an Alison, there’s an Alison, there’s another Alison. If you don’t understand what’s happening here, you literally sit back and think the tool’s crazy, or you’re crazy. You don’t know what’s going on. Sure, I can dig down on the contacts that Alison’s having discussions with from a call perspective, because I’m in the Calls section right now; or I can even look at the sources of those calls.

And just as a side note, if you’re a Detective 11 user and you remember the old Calls section event log as being the old place you looked at telephone calls, now the Calls section aggregates all types of calls on the device, whether they’re phone calls – still the Event Log designation – or app-specific types of calls. Calls represents everything. So you also have the capability to filter on those sources, where you didn’t have that before, all in an aggregated fashion. But our problem remains. We have a lot of Alisons.

If I go back to the extraction information and go check Messages. Same thing – I can filter by accounts, groups, contacts and sources. If I just expand contacts, that’s great, there’s a bunch of them. Groups, these are group texts, group whatevers, who knows?

But from an accounts perspective, now I’ve got Alison, Alison, alisonkelly2015, alisonkellyNY – what’s going on? Well, we can start making some determination that we have some different Alisons here, because we are looking at the messages section right now, and maybe these accounts are using messages.

OK, let’s go back and just really jump in the rabbit hole. Let me hit the Social Graph for Alison’s phone. Now, based on what we were just talking about, here we go again: oh my gosh, here’s a phone number, there’s a phone number, there’s an Alison, Alison, Alison, Alison Kelly, alisonkelly1015, alisonkellyNY. So I’ve got an Alison. Another Alison. And this Alison. And that one. And this one. And there’s what looks like a centre of a group maybe – here’s one of those phone numbers; here’s an Alison, and there’s… OK. So, for me, this is really dysfunctional. I’m not quite to the matrix mode where I can instantly discern that this is Alison talking to people one way, or another, or another, or another, or another; or several other ways, in one big graph.

I don’t know if I’m good with this, and I especially don’t know if I’m going to be able to explain this to someone else, when it comes to it. When I’m looking through the Social Graph, and I’m seeing all these versions of Alison, and then I’m looking down in Contacts for people, or accounts, or other things that supposedly Alison is talking to and I see Facebook, or I see KakaoTalk, or I see Telegram; I mean, these aren’t Alison’s friend. Why is it even in there? What is going on? What is this graph trying to tell me? What’s a contact? What’s profile information? How are these things impacting on the data we see?

So to help better understand that, let me go out to the configuration options of Detective and have a look at a new specific section, if you haven’t seen it, called Contacts, where I can start to understand and get a look and feel on how Detective is determining what it’s merging together as far as contacts or not.

So there are merge rules; phone number, or account, or email address are the things – the criteria – that Detective would be using to merge together different things, different players, maybe. Maybe different Alisons, so to speak.

And within a device, at a device level, am I doing contacts that are in the same section? Or different sections? Or both? Or neither? And this one is neither, for merging contacts and accounts in the same section or different. Or merging contacts that are in the same section.

Or look: overall, in the same case, if I have the same contacts within the same, or different devices, am I going to merge with different criteria: yes or no?

Within those criteria, don’t worry about cell, home, or work, the labels. Whatever is in those fields, don’t use those as part of your merge. Don’t use the phone number that starts with 112, or in different parts of the world 911, or things that are really not going to be independently unique for a user you are trying to merge together. And is a great email to disregard because it’s probably not having to do with anybody, but maybe a bot mailing something, or who knows what? But that’s not going to be uniquely identifying anybody that we’re after.

So these settings are default. Let’s go see what happens as a result of these settings. And we’ve kind of had a look already at the result of these settings, but we’re going to check a different setting this time.

So I’ll go back to Alison’s phone, and let’s look at Contacts.

So now I’m looking at the accounts that make up the contacts; the contacts that make up the contacts; the groups that make up the contact information; and all the sources that these contacts are communicating with each other.

So if I look from an account perspective – let me turn off contacts and groups – and I have accounts: 15. If I look down at the bottom, I have 15 accounts out of a total number of 293. But if I look in here, there’s an Alison; there’s an Alison; there’s an Alison; there’s an Alison; there’s an Alison. Alison, Alison, Alison, Alison, Alison.

Now these are not merged together right now. As part of this video, I have unmerged all these Alisons to make a point. However, if I come up to this ‘Merge contacts’ and automatically merge contacts, look what happens. Detective takes off, does a little work, does work based on – by the way – does work based on these configuration options: and look what happens to our contacts.

OK: now I’ve got an Alison; there’s an Alison; there’s an Alison; that looks like probably an Alison; there’s an Alison, Alison, Alison. Not sure about this one. But look at the difference here. Look how many different versions of Alison have been turned into one Alison.

That’s merging. If I expand, just to show, I’ve got Viber, Facebook, Facebook Messenger, Safari, text messaging – or WhatsApp, I’m sorry; whatever accounts, phones; all these versions of Alison are now this one Alison.

So let’s go have a look at the Social Graph. It looks a little different, a little more refined, because we’ve got a few less Alisons to deal with. But I’m not happy.

So I’m going to go back to Contacts, and I’m going to start doing things like this. I’ll select this Alison, and I’m going to use the Ctrl key to select this one. And I’m pretty sure this is going to be an Alison Kelly as well; that Alison; and heck, on the picture alone, I’m going to do this one; and this one. And, you know, the main one.

And now that I have them all selected, I’m going to go to ‘Merge contacts’ and ‘Merge selected contacts.’ Now look. Now I’ve got one Alison, and all of these different representations of Alison, and the clients, tools or applications she’s using to get things done.

Let’s go back and check the Social Graph. Wow. Big difference.

OK, so I’ve got this Pixie Lott who seems to be the centre of some communication universe, and I’ve got an Alison down here, that happens to be the same common Alison who’s talking to all these different people. Wow, is that a lot easier to deal with? Well, OK. Let’s be clear. For me, that is a lot easier to deal with. I am not trying to figure out which Alison is which anymore, because if you look under my accounts, I’ve got all the Alisons together as one Alison.

Look, I am concerned with the fact that Alison is talking to Stephen Bremer. I don’t care what particular client they were using at this point – I can go figure that out, if I need to – but I’m just needing to know those two talked about killing me, or whatever my particular target of investigation is of that particular case. But now I’m only dealing with one Alison. Much more effective use of the Social Graph.

Now, how do I see those communications? Let’s pretend I was after this Stephen Bremer.

Well, there’s 84 communications between Stephen – that Stephen Bremer, I think there might be a couple of them – and that Alison. Well, let’s make sure we utilise the best view.

So if I turn on the Communication view: ah. Now I can click on those 84 messages and see them in the Communication view. Or maybe it was Wonder Girls; there’s one communication between Wonder Girls and Alison. Or John Andders, there’s one there. Or gettaxi, there’s one there.

And you can see down below, as we click on individual users, their messages will populate in the message pane, or the communication pane, down below.

Now, a couple of things going on here, let’s do some good practice.

I’ve got a Stephen Bremer. It looks like I’ve got another Stephen Bremer. And I thought I saw – well, you know what? Let’s just filter up here. Bremer. Stephen, Stephen, Stephen. Oh, that looks like a – OK, what is this? The answer is, it’s a group. There is a phone number and a Stephen Bremer together: OK, fair enough. And here is a bremerstephen.

Let’s employ what we just learned. I’m going to go back to Contacts. And Alison… that’s great. Let me put everybody back together. And I’m just going to filter inside contacts here, with Bremer. Aha. So I’ve got this Stephen Bremer, who looks to be already merged to an extent by the tool, based on those configuration settings when you imported this data, but we’ve got some other ones.

That looks like him; that looks like him; I’ll go out on a limb and say that’s him; and this looks like him. OK, here we go. I’ll hold the Ctrl key, and I’ll select this one, this one, that one, and… let me stop there. So, I’m stopping here why?

OK, here’s the thing. I know these… well. I am surmising that these are individual Stephens. This Stephen I am pretty sure is part of a group; we’ll narrow that down in a minute. And while I’d like to say Stephen is guilty about everything, if this is a group about killing everybody on the planet, it probably isn’t fair for me to associate this group with individual Stephen. You know, if I see a group, individuals are individuals from a merging perspective.

And speaking of merging, look at that little chain up here, that indicates merging, right? It’s the same ‘Merge contacts’ icon we have there. We can see it’s already been done.

Alright, so I’ve got these four. Let’s do ‘Merge selected contacts.’ Ah, look. Now look at my Stephen. And now let’s go back to the Social Graph.

OK. So I’ve still got my Pixie Lott which I’m pretty sure – let’s just check – Pixie Lott is a group, indeed. And then – oh, look at this – if I give myself a little real estate, there is the Stephen in the other phone number group which we saw earlier, which we didn’t merge into Stephen, and that’s OK.

So now I’ve got Alison talking to a Stephen Bremer, and I think I’ve got all of the other Stephen Bremers put together. So now there are 94 lines of communciation between these two. And I could come down here and sort between Viber and WhatsApp; again, I’m just worried the fact one of them said “Will write u a bit later” to the other one. That’s the smoking gun, it’s a WhatsApp message, if I really need to figure that out.

Matter of fact, I could select that message and I can… oh my gosh, there it is, it’s the one between Stephen and Alison, it’s my smoking gun. Do what you need to do with it, at that point. You can use Social Graph to filter your way down to communication between people.

Now let’s go back and do something else. Now that we’ve kind of narrowed down our contact and our account problem to where I’ve got one Alison; I understand the groups that are involved; my display is that much clearer. Now let’s go down to the contacts themselves. And Daniele Rizzo, you know, I could check that out, there’s one message: “Hey, let’s switch to Telegram.” OK, maybe that’s super important, or not.

This one has one message: it is a voice message, I think. That’s great. But, you know, gettaxi having two messages to me; those are GetTaxi messages. Facebook is a contact of mine – do we talk a lot? No, not really. That’s a – oh, a confirmation code.

OK. Think about all the multi-factor verifications you go through. Telegram: there’s a Telegram code. WhatsApp: there’s a WhatsApp code. There are a billion of these things on your phone, if you’ve used it for any length of time. But guess what? They’re all communicating, they just don’t happen to be communications we’re interested in.

So let’s do this. Let me come up here to this filter, where I can slide the number of communications I want to see, or not. For instance, let me just bump it up. Show me only things that are greater than one. And look at what happens to all that noise.

Now, some of them might not be noise. I might want to go and look at Daniele’s, or this one, or this one. But the majority of those single messages that could be confirmation codes, or two-factor authentication, are out of our view. Because I’m not… that’s noise, I don’t have time to go through all of this anyway; let’s narrow the focus the best we can.

You know what? Maybe I don’t want to include Viber. Maybe I don’t want to include Skype. Now I can start filtering backward, and filtering things out of the conversation I’m not interested in. So I’ve got… oh, Barbara, Stephen, the Weekend Plans group. The gettaxi stuff, Team Snapchat, and Angela.

This is where the filtering capability of the Social Graph goes crazy. The tool in general goes crazy, because we’re a database. We can filter this to that, to this to that, any way we want.

And let’s see: “Mmmm you have nice plans.” Well, that is a smoking gun. Let me just go ahead and mark that as key evidence while I’m here, and go crazy on it.

Like before, look, maybe Stephen’s my guy. Let me just show Stephen’s contact card so I can still go, maybe determine things like information about Stephen; what kind of communications Stephen has had in general; any statistics I would be interested in about Stephen; inbound, outbound or messages; and, you know, if Stephen is part of a group. Hmm. That group, and the Weekend Plans group.

OK. Let’s just do one more thing before we go. So, pretending we enacted all the things we’ve learned, I have Alison Kelly’s data in the Social Graph, and Lars Jason. Lars is actually a conglomerate of several personalities and people, but the point I have right now is, I have got multiple extractions in the Graph for comparison.

Now I have the ability to filter on each one. Turn off Alison; turn off Patrick – which is also Lars, and a few other names – turn them back on; turn them back on.

What I’m not doing right now is showing any type of contact. And because I have multiple extractions, what I can do is look at things like unique contacts between Alison’s world, in the bubble; or Patrick – or Lars, whoever you want to call him – his world. And that’s cool, because they all have good one-to-one relationships. But based on the data in the Graph, my super-interest is going to be this: the commonality between the two.

And now we can see, once we jump outside Alison’s bubble and Lars’ bubble, we have got in common two different people: Homero and Angela. I don’t know what they’re doing. But those happen to be, I don’t know, drug dealers? Bank robber accomplices? Friends? Who knows what they are? But they are two people that happen to be in common between these two targets.

And if you just saw, I left-clicked and highlighted those two people together; so then I can view all their conversations in the pane down below. That is massive power from an analytic standpoint.

OK, thanks for watching. I appreciate you spending time with the video, learning a little bit more about the Social Graph, and I hope to see you in class soon. Take care.

Learn more about the Social Graph and many other tools, tips, and workflows with Oxygen Forensic Detective by attending an in-person or online training course. Check the Oxygen Forensics website for course dates, locations and descriptions. 

Leave a Comment

Latest Videos

This error message is only visible to WordPress admins

Important: No API Key Entered.

Many features are not available without adding an API Key. Please go to the YouTube Feeds settings page to add an API key after following these instructions.

Latest Articles