Know Your Suspect - Uncovering Hidden Evidence from Mobile Devices with Oxygen Forensics
Posted Tuesday April 22, 2014 (18:52:47)
Presenter: Tatiana Pankova, Oxygen Forensics
Tatiana Pankova: Hello, everyone. Welcome to the Forensic Focus webinar, Analytics with Oxygen Forensic Suite. My name is Tatiana, and I’m the Marketing Manager at Oxygen Forensics, and today I will tell you how to perform various forensic analytics tasks with our software, Oxygen Forensic Suite.
But first, several words about our company. Oxygen Forensics was founded in the year 2000, and our first product was Oxygen Phone Manager. It was a popular alternative to Nokia PC Suite, and allowed you to synchronize data between Nokia phones and computers. It was not a forensic product; it was a product for home users.
In the year 2004, we started to receive requests from police and government [bodies] to release a forensic version of Oxygen Phone Manager. So it was done that year, 2004. And in the year 2008 there was the second version of our forensic software. We called it Oxygen Forensic Suite.
Nowadays, in the year 2014, we have Oxygen Forensic Suite v6. In January, we had 14 years of experience in PC-to-mobile communication protocols research and software development.
So what is Oxygen Forensic Suite? It’s our flagship product, and it’s PC software; it should be installed on a PC. It allows live data acquisition from more than 8000 devices. You should use USB or Bluetooth to connect a device to our software. We support all the most popular platforms and operating systems: Android (all versions), Apple iOS, BlackBerry, Bada, Symbian, Windows Mobile 5 and 6, and Windows Phone.
Besides live extraction, there is a possibility to import and parse various device images that are produced by other forensic or backup software. I mean iTunes backups, BlackBerry backups, [indecipherable] backups, and various [DNG] images created from iOS devices in other forensic software or in sync software, Android backups, and so on.
As a result of data acquisition or backup import, you will have a full set of all digital evidence: contacts, messages, calls, organizer events (by organizer we mean calendar, notes and tasks), the whole file system, internal and external, deleted data, applications’ user data, dictionaries, web connections (for example Wi-Fi connections, IP connections), and other data. After you extract the data you can generate a data report in one of the most popular formats, like PDF, RTF, XML, XLS, CSV, and so on. All this data that you extracted will go to the report that you, for example, can show in court or just use to perform other tasks.
So what are the key features of Oxygen Forensic Suite? What features are we proud of? First of all, this is best-in-class analytics. We have several analytical sections that I am going to present today, and they’re included in Oxygen Forensic’s web license. So it’s one program – you extract the data, you see it in our interface, you analyze it, you generate the reports, and just in one program, for one price.
What else? Of course, user data extraction from more than 300 applications. First of all, we are focused on Android and iOS platforms, but that’s not all. So we extract the most popular applications: social networks, web browsers, messengers, travel applications, finance applications, navigation, productivity and so on. Also, password extraction – we extract passwords from application databases and the keychain file. Deleted data recovery is possible, either automatic or in our Oxygen Forensic [indecipherable] Viewer. Then, we extract geo data – geo data from applications, from EXIF headers of photos, from web connections, so from all the sections that have any geo information inside.
Also, Oxygen Forensic Suite allows you to import BlackBerry 10 backups and parse them, and we were the industry first in this – we were the first to introduce this functionality. Also, we offer forensically sound Android rooting and physical analysis. Our Android exploit is written by us, and it’s totally safe and it’s well tested, and it allows you to root almost any Android device available on the market. Also, we are proud of our state-of-the-art interface for convenient data examination. We try to make our interface user-friendly from version to version, introducing new functionality, new options for convenient analysis of the data.
Number one in this list is best-in-class analytics, and I am going to present this feature to you now, but first, just several words about mobile communications nowadays.
So what are the main ways of mobile communications? Are they voice calls, SMS, emails? In the year 2014, they are not. People, smartphone users, don’t think so. People use different ways just to communicate with the world around them. If you look at the chart you will see what happens every 60 seconds nowadays. You will see that a lot of tweets – thousands of tweets – are created. Thousands of Snapchat photos are shared. 11,000 LinkedIn connections are established. More than 3000 photos on Instagram are uploaded. Skype communications – millions of Skype connections. Thousands of Facebook posts created. 72 hours of YouTube videos in every 60 seconds. That means that people nowadays prefer to use applications to communicate.
So let’s sum it up. What modern ways of communication can we find nowadays? Of course, various messengers – Whatsapp, Kik messenger, Viber, Skype, Line. I believe some other Kakaotalk application… Then social networks, like Facebook, Twitter, Instagram, LinkedIn, even Snapchat, with teenagers, for example. Also, there are programs, there are applications for voice and video calls, like Skype, Viber, Tango. There are also geo-aware services that store current locations, and that store geo-tagging information. That’s Foursquare, Facebook, and even various messengers, because in messengers, now, you can share your locations. For example, in Viber messenger, in Whatsapp messenger – it means that you will see a lot of coordinates when you extract the data from these applications. Also, there are media sharing applications that allow you to share your photos and videos with the world around you, with your friends or with everybody. So it’s Snapchat, it’s Vine, Instagram, and so on. So, lots of ways to communicate.
What are the challenges in mobile forensics nowadays? I believe it’s already quite obvious. First of all, it’s extracting the full set of user data from applications. It’s really important, and you should bear in mind, that some applications have end-to-end encryption. Sometimes they claim that they have it, but when you look inside the database, you see that the database is not encrypted. Some really do encrypt their databases, but the developers of mobile forensic software of course do their best to decrypt them and to show you application data decrypted in their programs.
What else? Dealing with huge amounts of data generated by each application. Just imagine how many contact lists you need to analyze and to examine, because people may communicate in many applications at once, so they may have contact lists in LinkedIn, in Facebook, in the Vine application, in the Viber application, and so on, and these contact lists will be different. Also, just imagine that every day more than 64 billion [of Whatsapp] messages are generated worldwide. So lots of chats and lots of messages to analyze. One more challenge is finding relevant data in multiple devices. They may belong to one person or to a group. For example, you need to investigate some group activity, some gang activity, you need to examine several iPhones, 64 GB each. Lots of time to spend to find the data.
One more challenge – establishing links between users in one or several devices. Also very important, just to find common contacts, for example, in several devices, to find what communications they have between each other – so one more challenge. And also, connecting overall statistics about users’ activity. For example, when the person was active, at what period of time, with what people, with what contacts. So you need to spend lots of time to find this data, but our analytical sections will help you cope with these challenges more quickly. So they will simplify your work. Now, I will switch to our software, and I will show you our key features, how they work in real life.
First of all, I will go to Applications – so this is what the section looks like. As I told you, we extract more than 300 applications. It means that you will see not only the icon, not only the list of installed applications like you see now, but you will see all the data, like contacts, accounts, messages, cache, passwords, history of usage, geo-coordinates, and so on. So let’s take one of the applications – it will be Whatsapp. I think it’s popular all over the world.
So, I double-clicked on the application in the grid, and I opened the separate card. On the right panel, there are categories of this application. So the first category is Accounts – you see the information about the accounts. So the phone number, the name, the status of the device owner. The second category is called Contacts. Here, you can analyze favorites. Favorites actually means Whatsapp contacts. So these two contacts were registered on Whatsapp. You see names, phone numbers, statuses, even a photo of one of the users. And also, you can analyze phonebook contacts. They are put here, because many messengers nowadays copy the original address book, the original phonebook, to their own databases and use it. That’s why you see phonebook contacts in Whatsapp.
And you can analyze all messages, group messages and private messages. They are shown separately. For example, this is a chat between the device owner and Mr John Peter Crow. You see the phone numbers, you see the directions, the names, pictures that were shared. Timestamps, in UTC. That’s how they’re stored in the application itself, in UTC. You can see coordinates – so this is the coordinate, and if I click on it, a small map will be opened on the panel to the left. So this coordinate was shared in the application. And also, if you use Whatsapp, you know that users may share contacts. So these are two vCards, these are two contacts that were shared.
So that’s how it works with Whatsapp. Of course all this data can be exported. If I open the same application in the panel below, I will see Export and Print buttons. So it means that you can export all data, with photos, geo-coordinates, all the information, to PDF, RTF, or any other format. I can open, for example, Viber the same way, and you will also see a full set of data. So these are the Viber account details. These are Viber contacts, with names and timestamps and phone numbers. These are Viber calls, so direction, remote party, timestamps, and also all the messages. So in one list, again, sometimes you can see coordinates, sometimes there will be pictures that were shared. All this data is extracted.
If we go to desktop… so we call this the desktop because it allows you to see all the sections that were extracted. And if you look at the panel below, you will see groups of applications that were acquired from this particular device. So you will see lots of messengers, like Kik messenger, Line, WeChat, XMS, Yahoo!, Textie, Skype. I want to say several words about Skype. We are proud to tell you that we extract all Skype accounts. It means that if the person used several Skype accounts – for example work Skype account and private – all the data from both accounts will be extracted, because, well, all the data is inside the database. It’s very good because when you have a device in your hand, at least you’ll be lucky to analyze one account on the device, because you need to know the login and password to the second account to enter it. But our software extracts everything, so you will see calls, information, you will see SMS, chat messages. If you click on any remote party name here, there will be a special, small panel, with all the history of communication. It looks like a real Skype application. And all the information about calls.
Now, I can switch to the second account on the… just by choosing on the left panel. So this is already the second account with all the data inside. So this is Skype. A lot of web browsers are supported, like Opera, Safari, Google Chrome, Dolphin, SkyFire, and so on. Various productivity applications, like Google Translate, Evernote, Dropbox, Springpad. Social networks Facebook, LinkedIn, Twitter, Tumblr, Foursquare. Even travel applications – nowadays people travel a lot, and for example, I know that many people have the Booking.com application installed. So you’ll be able to extract all the data again, the information about their accounts, all their bookings. In case the booking was cancelled, there will be a special cancelled date timestamp here that will indicate that the person actually decided not to go to this place. So all the bookings are here; favorites, the hotels that were added to favorites. That’s Searches – it means that the device owner wanted to go to this place, to this city, to this country, but maybe he didn’t go. And all the history for the searches.
So that’s all about applications. And several words about passwords, because we also extract them from applications, but we show them as a separate section. So there are three tabs – Applications, Generic, and Internet. Applications means that you will see the passwords extracted directly from application databases. So you will see account names here that were used for registration and you will see passwords also here. And the Label column shows you in what application these credentials were used. If we switch to the Generic or Internet tab, they will show you the data extracted from the keychain file. These passwords were safely stored in the keychain, but we have a mechanism to decrypt the keychain and show all the data already decrypted. Because if you find this file inside the device and open it, open this database, all the data inside will be encrypted, and you won’t be able to understand anything. You will have to find a tool to decrypt it.
So what you can find here – you can find Wi-Fi hotspots, passwords, you can find, for example, YouTube password here, and having a password to YouTube means that you have passwords to all Google services, because the same password is used in all Google services.
If I switch to Internet, you will see mainly the passwords for email accounts. For Gmail, for AIM accounts, for Yahoo! accounts and so on. Again, we are good because you can log in, for example, and analyze all the emails, even in your web browser, not on device. So this is the information about passwords. And now, so you see how many applications can be found in one device, you see that lots of data has to be analyzed, and now I will switch to the first analytical section. It’s called timeline.
The Timeline section allows you to view all facts of mobile device usage in one sorted list. This section organizes all calls, messages, calendar events, geo data, and other activities in a chronological way. [Second is] we follow the conversation history without the need to switch between different sections. Just to imagine, to understand how much data can be put in this Timeline section, I opened Filter by Type for you, and you will see lots of data that goes to Timeline. Of course, first of all, lots of applications, because all messengers, all social networks, all web browsers have events with timestamps that go to Timeline. So you will see, for example, such events like history of hotel booking, web browser cache here, web browser history here, of course messages and chats… for example, the date when a note was created in some application, and so on. So all events that have timestamps, that have date and time, go to Timeline.
Besides applications, there will be of course calls – there will be plain calls and Facetime calls that are made from one iOS device to another. There will be messages of various types – SMS, MMS, iMessages, emails. There will be organizer events, like notes, appointments, tasks. There will be web connections – Wi-Fi connections, IP connections, because they also have timestamps. Also, you will be able to analyze photos here, pictures that were made with the device camera, because nowadays pictures store information about the time when they were made, and even the location, the place where they were made by the device owner.
So all this data goes to Timeline, and the section has four tabs – List, Date, Contact, and GEO Data. They group the data according to certain principles. So the List tab just shows a list of events, just in chronological order from the earliest one to the latest one. So if I scroll, you will see how many events there are. Evernote notes, Textie messages, VK messages – that’s a social network. What else? Mercury web browser bookmark creation, IP connection, notes, SMS, Facebook activity, Whatsapp messages, Kik messages. So you see not only the event itself, but you see the timestamp of this event, you see the direction, remote party, and description. And description, mainly there will be messages, texts. So Skype, Touch messages, lots of events actually in this device, 2700 events.
So this is a list. Of course, it can be very, very huge, and you need various filters to filter the data. If you look to the right you will see different filters. First of all, we have a Quick filter. It’s in every section in the right upper corner. So you can type anything here, for example, let’s find something about money. So I entered the word “money” and the grid was filtered, so we have some messages where the word “money” was used. So I press Reset Filter button, and the data is reset. The filters are reset.
There are some other filters – Date filter, for example. I want to view the messages for a particular period of time, so I can play with this date filter to filter the data in the grid. There are also remote party filters. It means that you can select a particular remote party – for example, let’s take Andy Williams. And you will see only the events that are connected with this Andy Williams quantity in the grid. One more small filter in the bottom panel – All events or Communications. If I select Communications, only communications data will be in the grid – I mean, social networks and messengers. If I switch to All events, it means that I will see events like web connections, like notes, like calendar events, that are not communications, but they are also included in this section.
So this is list view. And one more small thing – for example, let’s take some message with attachments. I select only messages in the filter, and now I have only messages in the grid. For example, let’s take this message – if I double-click, there will be a panel, with the text of this message. If I switch to attachments, I will see the attachments that were sent in this message. So you shouldn’t go to your Messages section to see what data was transferred in this MMS message. You can analyze it here. Moreover, you can press Save button, and this picture will be saved on your PC. So everything for better analysis right here, just to save your time.
Let’s switch to the second tab, it’s called Date. I think you can guess that on this tab, all the events that were on the first list tab are grouped according to a certain date. Very convenient when you, for example, need to see what events happened on a particular date. For example, some crime was committed, or any other things happened. For example, let’s take this date – 4th of March, 2013. You see that 40 events happened on this date. This figure is in blue, 40. And what happens? You see Viber messages and Viber calls, you see some booking history, so two Booking.com history, also TripIt trip events. TripIt is an application where you can organize your trips. So the person wanted to go somewhere, and also, he or she was active in Viber application. That’s all events that happened on this date. So there were, for example, no MMS messages on this date, there were no IP connections or Wi-Fi connections on this date.
And this tab has a small option – if you press Sort button on the toolbar, you will be able to view the same events sorted not by date, but by activity. What it means – now, I sorted by activity, what is the difference? If you sort by activity, the first… you will see the most active date on top. So in this particular device, the date 19th of April, 2013 was the most active, because 479 events happened on this date. I can expand it, and you will see that really there were a lot of Dropbox camera uploads on this date. Probably the person wanted to share something with somebody in Dropbox. There were loads of WeChat messages, Ebuddy messages, Zello talk, Google Chrome browser history, and so on. So lots of data on this date. Probably the device owner planned something on this date. I don’t know why so much activity happened on this particular date. But it allows you to see the most active periods of the device usage if you sort by activity.
And of course you can see icons here. So you can analyze what events are inside. For example, on the 7th of September, there were lots of photos. If I select a picture you will see the picture on the left panel. So the device owner made lots of pictures on this date. The third tab is called Contact here. All the events are grouped around certain contacts. Let’s take… the Lars Jason contact. And you will see all the activity that happens between the device owner and Lars Jason. So these two people communicated on Skype. You can see Skype chats and Skype calls here, with the timestamps and the texts. And the last tab is called the GEO Data tab. Here, all the events have not only timestamps, but also geo coordinates. So if you want to see what geo data is inside this device, go to Timeline, to the GEO Data tab, and you will see all coordinates that can be found on this particular device. Again, you shouldn’t switch from section to section, from photos to applications, to find this data. So what can go to this section? Of course, pictures, because pictures have coordinates, and various applications. For example, Whatsapp, Viber, Evernote… I believe you know what Evernote is – it’s a very popular application to create notes. You can share them with your friends, you can store them online, it’s very convenient. But when you create an Evernote note, it is created with geo coordinates, so the place where it was created. So it’s very good evidence of the locations where the device owner was.
Of course, other messengers, like [XMS] Messenger, like Facebook Messenger will be also here, because if geo locations are allowed on the device, each Facebook message will be sent with coordinates. So good evidence for us forensic examiners.
So the list of coordinates – it’s the third column. If you click on any coordinates, you will be offered several options. Show Location on Google Maps or Show Location on OpenStreetMap. OpenStreetMap is a free project that… to find some more interesting coordinate… OpenStreetMap is a free project. These are maps, like Google Maps. So that was a booking somewhere in Paris, hotel booking. And I can open the same coordinate in Google Maps for example. That’s how it looks in Google Maps. And they also have a very interesting option on the left panel – it’s called ‘Show checked coordinates on the map’. So you check all the coordinates – by default all the events are checked in the first column. So I press it, and you see all the places on the map where the device owner was. So you see just places in the United States of America, in Europe… so you can zoom the map if you wish. And actually, this functionality will be improved in the next release. But now, it works like this.
In case you don’t have internet on your PC, there is a possibility to export all coordinates to Google Earth. [So] just export it somewhere to your PC, all the coordinates, and then you can open them in Google Earth – it does not require internet to show maps.
So I switch to list again, and I want to tell you that this particular section timeline can be built for one device or for several devices. So if I go to desktop and select a case and go to Timeline, then I will see all the events from [case devices], from two devices. There will be one more column, it’s called Device Owner column, here. So you will see sometimes iPhone 4S events, sometimes there will be events from HTC EVO – so from two devices. Now, you can analyze events from two devices in one list, maybe find communications between them, and so on.
That’s Timeline. Let’s go to another section, it’s called Aggregated Contacts. It’s one more analytical tool that allows you to analyze contacts from multiple sources, like phonebook, messages, calls, applications, in one list. Just to understand how many contacts can be here, you need to look at the right panel. You will see sections like Messages, Calls, Phonebooks, and Applications, like Skype, Touch, Viber, and Whatsapp, and in brackets you will see the number of contacts taken from this section. So if you analyze closely, you will see that 62 contacts are taken from Skype, and only 22 contacts are taken from the phonebook. It means that the device owner was very active on Skype, probably he or she has several Skype accounts with different contact lists. But the device owner did not have many phonebook contacts. That’s actually our reality in the year 2014 – we prefer to communicate in applications.
So in the grid, you see aggregated contacts. So the section automatically reveals the same people in different sources, and groups them together in one meta-contact. Let’s take one contact, so let’s take… one girl… Jane Rosen. So let’s analyze the Jane Rosen contact. So you see the whole information about this contact – the photo, the contact name, the mobile phones, addresses, occupations, and also, there is a ‘Data source’ column – that allows you to understand from what sections the contact is taken. So it’s taken from phonebook, event log (event log means calls), messages, and also from Fring, Kakao Talk, Viber, and Whatsapp applications.
If I expand the contact, you will see the separate contacts that this meta-contact is made of. So these are separate contacts on the yellow background, and you can easily see that actually, if you look at the phones column, you see that the same phone number is found in phonebook, in Viber, in Kakao Talk, in Whatsapp. So the program automatically analyzes all the fields of all the contacts, and if it finds the contacts with the same fields… I won’t go in detail here to explain the mechanism, but if it finds the same fields, it aggregates the contacts into one meta-contact.
If you think that the contact is aggregated in the wrong way, of course you have an opportunity to unmerge the contacts. You need to press ‘Merge contacts’ button, and here, choose ‘Unmerge’. And then this aggregated contact will be shown as separate contacts, it will be unmerged.
One more interesting feature – if you select a contact and press ‘Communications’, you will see all communications between this particular contact and the device owner. Again, you shouldn’t switch from section to section – you shouldn’t go to Kakao Talk, for example, to Whatsapp, to Fring application, to see the communications. You see all of them here. So you see directions, remote parties, timestamps, and texts in one window.
The same section can be built for two devices. Not only for two, but for as many as you wish. I go to desktop, I select a case with two devices inside, and go to Aggregated Contacts. Now, we have one more column, it’s called ‘Device Owner Name’ column. And here, you see aggregated contacts from two devices. Let’s find our Jane Rosen.
Here she is. I see that now, she is aggregated and taken from two devices – Simon Payge’s 4S and Patrick Payge’s HTC EVO. You see two pictures, you see different names, you see the sources. I can expand and you will see that in one phone, Jane Rosen has one picture, in iPhone 4S. In HTC EVO she has another picture, but she is the same person. So both device owners knew her.
So that’s about aggregated contacts. So if you need to analyze common contacts, if you need to find aggregated contacts, go to this section.
Now, one more powerful analytical tool – it’s called ‘Links and Stats’. I will switch to table view first. This section quickly reveals social connections between users of mobile devices under investigation, and their contacts. So it allows you to see connections between the device owner and his contacts, or between several device owners and their contacts. We have two tabs here and two views. The first view is called Communication Statistics, it’s here. It’s a table view, with general statistics about communications. Here, you will be able to see with what contacts, for example, the device owner had lots of communications. If you look at Total column, you will see 266 communications between the device owner and John Peter Crow. So that was the most frequently contacted person on this device.
Links and Stats actually explores social connections between device users by analyzing calls, text messages, and applications activity. Again, all the data is analyzed. And in the Type column, you can actually see from what … what communications in what applications happened between the device owner and the contacts. So Line messages, ICQ, Skype, MMS, Viber, Kakao Talk, everything here. And one more interesting column – first date and last date – two columns. They allow you to see the period of time within which there were communications. It means that before this date, there were no communications with this contact, and after this date too.
If you look at the chart, in the left panel, you will see what types of communications were preferred by the device owner. So in this particular [backup], the device owner preferred Kakao Talk, 12% of all communications. And only 2% is voice. It means that calls were only 2% of all communications. So now, I’m switching to direct links. The second tab, I want to zoom the diagram. You see the diagram. Actually, it’s a graphical chart that presents a quick overview of communication circles, and it allows forensic experts to determine and analyze suspects’ communications, with all the details at a glance. So in the center of this diagram, there is a device owner, and there are circles. The closer the circle, the more communications there were between the device owner and the contacts.
Let’s take our Jane Rosen again, and you will see that there were 87 communications between her and the device owner. If I select any contact on the diagram, and if I look to the left, I will see all the information about the contact. So the photo, the name, how many communications of each type happened, the first and the last date, and so on. And there will be one more small, colorful chart on the left panel, it shows you what contacts were the most popular, what contacts were most frequently contacted by this device owner.
So #1 is actually John Peter Crow – 23% of all communications happened between him and the device owner. If I select anything on the diagram and if I press Details, go to Communications, I will see again, all communications between the focused contact on the diagram and the device owner – again, one list. You can save it to your PC and analyze all these communications in one list on your computer. And also, there is one more thing – you can select the contacts for which you want to build the diagram. For example, I select several contacts, I go to diagram, and I see only these contacts on the diagram.
Okay, I select everything… the diagram can be built for case devices too. I go to desktop, I select Case, and I go to Links and Stats. Direct links. Now, we have a diagram for two devices. I will enlarge it. We have two views here. The first view is all contacts view, you see it right now. Two device owners in the center of the diagram. I select one device owner, and I see the contacts that belong to this device owner. In small circles near contacts, you see the number of communications. I select another device owner, and I see the contacts that belong to this device owner. It’s good, but…
How to see the common contacts? How to see the contacts that belong to two devices? Or to three devices, in [indecipherable]. I switch to the Common Contacts view here, and now I have only common contacts. It means that all these contacts can be found in both devices. Both device owners knew these people. Let’s take our Jane Rosen again, and look to the right. On the right panel you will see the details about this common contact, and you see that the first contact, with one picture, is taken from Simon Payge’s iPhone 4S. If you look a bit below, you see that the second contact, with another picture, is taken from the HTC EVO 3D. What’s common about this contact? Of course the phone number. So this phone number and this phone number are the same. So the same phone number is found in two devices. For example, if I take this Henri contact, you see that the same Skype account was found in two devices. Again, it’s a common contact. Both device owners knew this person.
And by the way, this diagram can of course be saved as a picture on your PC, just for further analysis. And of course everything can be exported. So you can export it to PDF, RTF, CSV, TSV, and so on. It means that you export not only the diagram, but you will export this communications list too, the one that can be opened for a particular contact on the diagram. This is the diagram here. But you also have one more section that actually does the same thing, but shows these contacts on a graph. It’s called Social Graph. I opened it for two devices. So the same principle. The first device: Patrick Payge. The second device: Simon Payge. If I focus on the device owner in the center, you see the number of communications between the owner and his or her contacts. They are in small, orange circles. So the contacts that are in a kind of a cloud belong only to this device owner. The contacts that are in the center, in grey, belong to two devices. It means that these contacts are common. Again, I can find Jane Rosen; here she is. If I focus on this contact… you see two links. The first link goes to Patrick Payge, 11. It means 11 communications. And the second link goes to Simon Payge, 87 communications.
And again, all the detailed information about Jane Rosen is on the left panel. You see the photo, you see the overall statistics of communications here, the first and the last dates, and so on. The graph can be saved to a file, and also, you can perform some other actions. For example, there is a date filter below. You can play with it, and see what communications with what contacts happened within a particular period of time. If you click on any device owner, you will see only him in the grid, so it will look like this. Clicking anywhere in the grid will just return you to the previous screen. So it’s highly adjustable; you can play with this graph in different ways.
Again, the same as with Links and Stats, the graph allows you to see connections and to see common contacts in as many devices as you wish.
And the last analytical section for today is Search, of course. Because, as you saw, lots of data can be extracted, and sometimes you are just interested in particular data; you need to find it in the device. We allow you to search in one device, and the program also enables you to search in several devices. Again, you can select a case and go to Search.
So this is our Search section. You can type anything in the text field, and the program will search for this data. Of course, you can customize it in many ways. First of all, you can select in what sections to search. For example, you need to search only in applications. You select this section, and the search will be done only here.
What else? Various options here. Search for any word, for an exact phrase, for all the words that you enter. You can use regular expressions. We have a regular expressions library here with templates. They can be modified, and you can create your own regular expression template here. Also, the program allows you to create keyword lists, and find the data by these keywords. For example, you need all the time to search for certain slang words, certain drug words, or for certain names in different devices. You can create your own keyword list here, or you can import keyword lists from a TXT file on your PC. And if you select this keyword list here, the program will search only for these keywords.
Some other options: you can search for text, you can search for phone numbers, for email addresses, for geo coordinates, for credit card numbers. For example, some close friends or just relatives shared credit card numbers somewhere, in some application, or the credit card number was saved somewhere deep inside the database. This credit card number will be found. Also, you can search for any IP and MAC addresses. For example, let’s search for MAC addresses. You can see a progress bar. And search is a separate process, because you can go to any other sections, you can connect devices, you can analyze data in some sections, and the search will be done. And the search progress will be in the small window in the tray, [and will be] shown here, in the tray.
So the program is searching for MAC addresses, and you can see some intermediate search results already in the grid. So mainly MAC addresses are in Wi-Fi connections and in IP connections. If you select anything in the grid, for example any search result, you will see the details about it on the right panel. So if it is a Wi-Fi connection, you will see the SSID. It means the Wi-Fi hotspot name. You will see the BSSID; actually, this is a MAC address. And some timestamps.
And the first is a link that goes to the section from where this search result is taken. So if I click on Wi-Fi Connections, I will be transferred to the Wi-Fi Connections section. I won’t do it. But that’s good, because you can find some data here, for example some contact or some message, you can click on the link, and you can go directly to the section where this data is taken from, and the focus will be on this particular search result. So you won’t need to manually switch from section to section again.
So it’s almost done. Of course all the search results can be exported, for example to PDF or RTF, because there are Export and Print buttons. Also, the history will be on the left panel, so you will see what you searched for, in what period of time, and what the results were. So everything is done for your convenience.
I believe this is all about search, and this is… by the way, MAC addresses are also found in Viber and in Line Messenger, because some MAC addresses will be shared everywhere in messengers. So it means that all databases are searched, analyzed, and processed.
So this is all about our analytical tasks. I hope that this presentation was useful for you, that you learned something about our software, Oxygen Forensic Suite. And in case you have any questions about the presentation or about the software, or about how to get it, you can contact us on the Forensic Focus web forum, or you can contact us directly at the email address that is shown on the slide, [email protected], or you can call us; you see the USA and UK numbers here.
So thank you for listening, thank you for your time here. Have a nice day, and thank you for coming.
End of Transcript
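The search the presentation describes (regular-expression templates for MAC, IP, email and card numbers, a keyword list, a link from every hit back to the section it came from) as an added example in Python. This is illustrative code written for this page, not code from the webinar or from Oxygen Forensic Suite: the record list, the section names, the regex templates and the `Hit` structure are all assumptions, and the sample records are constructed. It adds two things a practitioner wants beyond what the transcript shows: a Luhn check so that an arbitrary 16-digit run such as an order id is not reported as a card number, and normalisation of each hit so that the same MAC address written with colons in a Wi-Fi record and with hyphens in a chat message is recognised as one value seen in two sections.

```python
import re
from dataclasses import dataclass

# Constructed sample records in the shape of parsed device sections: (section, text).
# These strings are made up for the example, not data from any real extraction.
SAMPLE_RECORDS = [
    ("Wi-Fi connections", "SSID=CoffeeShop BSSID=00:1A:2B:3C:4D:5E last_seen=2014-04-01T09:12:00"),
    ("IP connections", "src=192.168.1.23 dst=8.8.8.8 proto=udp"),
    ("Messages", "card 4111 1111 1111 1111 exp 12/15, call me on 5551234"),
    ("Messages", "my mac is 00-1a-2b-3c-4d-5e, mail jane@example.com"),
    ("Messages", "package arrives tonight, meet at the usual place"),
    ("Applications", "order id 1234 5678 9012 3456 confirmed"),  # 16 digits, fails Luhn
]

# Regular-expression templates, one per artefact kind (a hypothetical template library).
PATTERNS = {
    "mac": re.compile(r"\b(?:[0-9A-Fa-f]{2}[:-]){5}[0-9A-Fa-f]{2}\b"),
    "ipv4": re.compile(r"\b(?:(?:25[0-5]|2[0-4]\d|1?\d?\d)\.){3}(?:25[0-5]|2[0-4]\d|1?\d?\d)\b"),
    "email": re.compile(r"\b[\w.+-]+@[\w-]+(?:\.[\w-]+)+\b"),
    # 13 to 19 digits, optionally separated by single spaces or hyphens
    "card": re.compile(r"\b\d(?:[ -]?\d){12,18}\b"),
}


@dataclass(frozen=True)
class Hit:
    kind: str      # which template (or "keyword") produced the hit
    value: str     # normalised form, used to correlate hits across sections
    raw: str       # the text exactly as it appears in the record
    section: str   # the section the hit links back to
    record: int    # index into the record list


def luhn_ok(digits: str) -> bool:
    """Luhn checksum; filters digit runs that merely look like card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def normalise(kind: str, raw: str) -> str:
    """Canonical form so the same value in different spellings compares equal."""
    if kind == "mac":
        return raw.replace("-", ":").lower()
    if kind == "card":
        return re.sub(r"[ -]", "", raw)
    if kind == "email":
        return raw.lower()
    return raw


def search(records, kinds=tuple(PATTERNS), keywords=(), sections=None):
    """Scan every record (optionally restricted to some sections) for the requested
    artefact kinds and for a case-insensitive, whole-word keyword list."""
    keyword_re = None
    if keywords:
        alternation = "|".join(re.escape(k) for k in keywords)
        keyword_re = re.compile(rf"\b(?:{alternation})\b", re.IGNORECASE)
    hits = []
    for index, (section, text) in enumerate(records):
        if sections is not None and section not in sections:
            continue
        for kind in kinds:
            for m in PATTERNS[kind].finditer(text):
                value = normalise(kind, m.group(0))
                if kind == "card" and not luhn_ok(value):
                    continue  # digit run with a bad checksum: order id, counter, etc.
                hits.append(Hit(kind, value, m.group(0), section, index))
        if keyword_re is not None:
            for m in keyword_re.finditer(text):
                hits.append(Hit("keyword", m.group(0).lower(), m.group(0), section, index))
    return hits


def common_values(hits):
    """Values that occur in more than one section, e.g. the same hardware address in a
    Wi-Fi record and in a chat message; returns {value: sorted list of sections}."""
    seen = {}
    for h in hits:
        seen.setdefault((h.kind, h.value), set()).add(h.section)
    return {value: sorted(secs) for (kind, value), secs in seen.items() if len(secs) > 1}


if __name__ == "__main__":
    for h in search(SAMPLE_RECORDS, keywords=["meet", "package"]):
        print(f"{h.kind:8} {h.value:24} in {h.section} (record {h.record})")
    print("seen in several sections:", common_values(search(SAMPLE_RECORDS)))
```

Restricting `sections` mirrors the "search only in applications" option; passing `kinds=()` with a `keywords` list mirrors a keyword-list-only search. The `record` index is what a UI would use for the jump back to the originating section.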
Article content received from: Forensic Focus,