Oxygen Forensic Detective From Oxygen Forensics
Posted Monday December 17, 2018 (16:42:56)
by Scar de Courcier
Oxygen Forensic Detective is a powerful tool used extensively by investigators both in law enforcement and in the private sector. It is split into two sections, Extractor and Detective, but once you have bought it there are no hidden add-ons that require extra payments, which is a huge plus right upfront.
Oxygen’s Extractor tool runs independently of Detective. This is significant because it means you can image a number of devices at one time; you are only limited by what your machine can handle. Each Extractor runs independently, so you can have several going at once.
Oxygen Forensic Detective supports lots of physical device acquisitions, including LG devices, Android dumps, Samsung, MTK, Motorola, and DJI drones, which run on an Android operating system. There is no need to do a chip-off acquisition with the drones, since a full physical image can be acquired through the micro USB port. Oxygen have also partnered with MITRE to bring Android Jet-Imager into their list of features; this allows devices to be imaged in about half the normal tiem.
It is also possible to disable lock screens on the initial page, specifically with LG devices. Disabling the screen lock means you can get a logical backup, although LG have now encrypted the user partition by default, so you will get a physical image with no data.
Importing a backup into Oxygen Forensic Detective is easy - just click ‘Import File’ and it will give you a breakdown by image type. Supported images include Apple, Android, BlackBerry, Nokia, Windows, UFED, memory card, UICC and drones; Oxygen Forensic Detective also supports other companies’ images such as those from XRY, ElcomSoft and Lantern. GrayKey is one of the most recent additions to the list, so these images can now also be imported.
Clicking ‘Open Case’ takes you to the case management screen. This will show you a list of all the cases you’re working on. Imaging and processing are done upfront, at the same time. Because of this, if you have to restart your computer or leave for a while, your cases will still be there when you come back. There is also an autosave feature, which means that if you close out of a case and then bring it back up it will take you right back to where you were. This is especially helpful for law enforcement investigators, since it is often the case that several months down the line someone needs details of a prior investigation. Backups are automatically saved in the AppData folder, so it’s a good idea to go in and change this default, otherwise your C drive will fill up quickly. The ‘Save to Archive’ button on the top menu allows you to quickly archive devices.
There are two main views: by device, or by case. You can either look at all the key evidence that’s marked across all devices, or you can search across all devices. At the case level you can create timelines, maps and so on across devices that have been saved to the same case. At the device level you get even more options: one of the most popular is the ability to break things down by application type, for example messaging or multimedia.
Clicking ‘Analytics’ in the top menu will show you lots of different options: keywords, timelines, device usage, and so on. The GEO timeline, which shows geographical data within a given time frame, allows you to see what happened, when and where; you can then bring the GEO timeline into maps and routes for a more in-depth analysis.
‘Export’ lets you export reports. You can do this either at the case level or the device level, and you can customise which items you want to include. Reports are available in various formats, including PDF, Word, Excel, XML, and HTML. It is also possible to export a Project VIC JSON for child exploitation identification.
Export Settings lets you customise your reports. The date filter is especially important, particularly in criminal cases where, for example, a judge may have limited acquisition of evidence from the device to ‘within the last two weeks’. This means that although you do have to image the whole phone, you can simply bring back data from the time frame you are allowed to investigate. You can also edit sections in the Export Settings menu; it is possible to remove certain elements to save work on the back end.
It is also very easy to upload your own headers and customise the reports. You can then save these settings for specific cases, so if you have the same kind of report for most child exploitation investigations, you can save your settings as a template so you don’t have to go back through the customisation process in the future. If you have marked specific items as ‘Key Evidence’ whilst analysing your case, you can also run a report that just brings back these items. Clicking ‘Print’ gives you a preview of the report before you actually do the export.
The ‘Help’ feature presents a comprehensive user guide which is very easy to navigate. Next to ‘Help’, the ‘Service’ button lets you contact the support team directly. ‘Supported Devices’ under the ‘Help’ menu will show a full list of supported devices and will tell you exactly what data you can extract from each device.
Call records can be imported directly into Oxygen based on what you receive from a provider, so that juries don’t have to wade through hundreds of pages of Excel documents. For GPS data, for example, you can import the call records, bring this into the Maps section and then map out a potential route based on what the service provider has given you.
Cloud forensics is becoming increasingly important in investigations nowadays, and Oxygen Forensic Detective supports data extraction from cloud devices too. Similar to the traditional Extractor, the cloud version also runs independently, so once again you are only limited by how much your machine can handle. All you need to do is type in the user’s credentials and it will connect; you can then bring back whatever cloud backups are available. One useful thing about cloud data is that it will always have a date assigned to it, so you don’t have to pull ten years’ worth of datal; instead you can limit the date range and it will automatically do this for you.
You can import usernames and passwords into Cloud Extractor automatically by importing a credentials package. For example, if you have imaged a device, Oxygen will identify cloud accounts as one of the automatic categories. This will bring back details of the service, the account, and whether it uses a password or a token. Once this has been found, you can save it as a credentials package and then use it later if you don’t have a search warrant yet. When you use a credentials package in Cloud Extractor it autofills everything for you - it is also possible to add extra details later if you find any information separately.
Oxygen KeyScout is a new tool that helps investigators to find user credentials. It allows you to plug a thumb drive into a suspect’s machine, and it will then run across the device looking for all the usernames, passwords and wifi locations from all the main providers. This is also a useful way to add to your password keylist, since most people reuse the same combinations as passwords. The fact that data is often synced between machines means that you might even be able to see wifi access points and other data from prior computers, so even if the user’s machine is relatively new you may still be able to access some useful historic information.
WhatsApp backup files can also be decrypted via phone number, which is very useful. As far as I know, this feature is exclusive to Oxygen Forensic Detective software.
Once your case is loaded, the search feature is one of the most important aspects; luckily in Oxygen Forensic Detective the search feature is very straightforward. The ‘Search in File Content’ option allows you to deep dive inside all of the data acquired from the device, including in unsupported applications and SQLite databases. You can search for specific words, hash sets, or similar images: a new option which uses PhotoDNA to look for similarities based on file metadata. You can also look for credit card numbers, phone numbers, email addresses and so on.
There are some keyword lists built into Oxygen Forensic Detective, but you can create your own within the case you are working on or import them from .txt files. Hash sets can also be added; supported types include MD5, SHA-1, SHA-256, Project VIC and Photo DNA.
The Social Graph tool is a visually intuitive way of demonstrating the interconnections between users. It lays out circles of communication between people - the bigger the circle, the more communication has occurred - and if you prefer, you can show only those contacts that people of interest have in common. This quickly allows an investigator to see who has been talking to whom the most. The Social Graph can then be saved to a file, or as a snapshot which can be brought into the report later on. Filtering is also available on the Social Graph: you can filter by application type; phone calls; SMS; and various other options. Using the timeline along the bottom, you can zoom in on a specific date range; and you can also filter by number, for example specifying ‘I only want to see people who have spoken to each other more than ten times.’
Clicking on an individual will bring up a contact card, and you can export just this information if required. There is also a chat mode view to show what two people said to one another: this shows up in speech bubbles like you would see on a phone, making it easier for a jury or non-technical investigator to understand.
Using the Timeline feature you can look across all the data from every device in your case, or you can narrow it down. You can filter by date, contact or a whole range of other options; and you can look at the data in list, date or contact view. This can then be exported as a KML file or added to the report later on.
Aggregated Contacts shows you when one individual is using different names. For example, if one person’s details has been saved on two separate phones, one under ‘Bob’ and the other under ‘Robert’, the Aggregated Contacts feature will automatically merge the two. You can also merge contacts manually, and unmerge if required.
The quickest way to look at map data is to go into the Timeline view, then click ‘Maps and Routes’. It will then map out all the information on a map of the world; you can choose from Google Maps, OpenStreet, Google Satellite, or Baidu Maps; and if your machine isn’t connected to the internet, you can also download it ahead of time and use it as an offline map.
Location data from Uber is particularly interesting since it tracks roughly once per second, so it is possible to track a full route. The program automatically identifies possible routes - for example, based on photos taken when a person was walking through New York City, Oxygen Forensic Detective will show the route they probably took based on the timestamps and geographical locations of their photos.
Data Scout brings back public data using Whooster, based on phone numbers; again this can be linked to other data in the case to provide a more in-depth understanding of what’s going on.
Of course it is impossible for any tool to support every application, so Oxygen Forensic Detective has some options for unsupported apps too. The SQLite viewer lets investigators identify unsupported apps, and the tool automatically works out which tables correlate with one another. Timestamp data is automatically decoded over on the right-hand side of the screen. There is also an Apple plist viewer, which does the same thing for Apple devices.
I really liked Oxygen Forensic Detective and can see why so many forensic labs have it as a key part of their toolset. I particularly liked how intuitive the tool is, and how it feels like a very mature tool that has grown with customer feedback, rather than something that has been built and then imposed on users.
Throughout the case work there are several ways to do the same things, so you can use the tool in whichever way feels the most intuitive to you. Information is always on the left, data is in the middle, and filters are on the right, which provides a nice touch of consistency and decreases confusion when switching between views. The diagrams and stats are nicely laid out in a user-friendly, aesthetically pleasing way.
With each software update, new items are supported; instead of having to reparse the whole device, users will see a notification when new data is available, and you can then click on this to see what else can be acquired from your devices.
Overall I would certainly recommend Oxygen Forensic Detective as a fast and intuitive tool, essential for any forensic lab.
Article content received from: Forensic Focus,