New Tool for Calls and Messages Analysis in Oxygen Forensic® Detective

The call log and CDR comparison feature was introduced in Oxygen Forensic® Detective v.15.0. It allows investigators to compare the device's call and message logs with the data received from the mobile operator. This removes the time-consuming work of merging the call log and CDR lists and comparing them manually.

How to use the call log and CDR comparison feature in Oxygen Forensic® Detective

Before starting the comparison, please make sure that the extraction with the call and message logs is added to the same case as the CDR extraction.

Please note that call data records from mobile operators may have time stamps that are not in UTC but in the default time zone of the device user. In this case, the investigator can set the device time zone offset in the CDR data extraction.

To start the comparison, first open the “Timeline” section of the case containing both extractions, or of one of the extractions within that case. Expand the “Smart filters” button and select the “Compare call and message logs with call data records” option from the drop-down list.

A new window will open, where investigators can select data to compare. In this window, they will have to:



  1. Choose one or several CDRs that are present in the extraction.
  2. Select call and message logs of one or several extractions within the case.
  3. Enter the phone numbers and IMSI of the device owners to filter the billing events by them, if the CDR data has not been filtered by the number of interest before import. If phone numbers and IMSI are displayed in the “Device info” of the extractions under examination, they will be placed automatically in the corresponding fields. IMSI is required in cases when the phone number of the device owner is not displayed in the “Device info”, which occurs in Android extractions. Please note that since IMSI and phone numbers are added automatically from all devices within the case, if only one such extraction is of interest, the IMSI and phone numbers from the other extractions will have to be deleted manually. The phone numbers entered in this field are normalized before the comparison starts. Thus, a number can be entered in any format, be it +1 234 567 89 00, or + 1(234)567-89-00, or 12345678900.
  4. If only entries from the CDRs that are missing from the call log are to be detected, tick the corresponding checkbox. Only entries that were deleted by the device owner will then be shown in the grid as soon as the analysis is complete.
  5. Click “Compare” to start the process.

As a result, only entries from the selected logs and CDRs, filtered by the entered phone numbers and IMSI, will be displayed in the grid. The unique billing entries that are missing from the log and were supposedly deleted by the device owner will be marked with a corresponding icon within the “Type” column.

If the checkbox next to “Show CDR events missing from the call and messages logs” has been ticked before the comparison started, only unique entries will be displayed in the grid. There will be no corresponding icon next to them.
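The following is an added example, not code from Oxygen Forensic® Detective or from the original article. It sketches the comparison described above: numbers are normalized, CDR time stamps are shifted to UTC, and CDR events with no device-log counterpart are reported. The record field names, the 60-second matching tolerance and the sample data are assumptions constructed for illustration.

```python
from datetime import datetime, timedelta, timezone

def normalize_number(raw):
    # Digits only: '+1 234 567 89 00' and '12345678900' become the same string.
    return "".join(ch for ch in raw if ch.isdigit())

def cdr_to_utc(local_ts, offset_hours):
    # CDR time stamps may be in the user's local zone; shift them to UTC.
    naive = datetime.strptime(local_ts, "%Y-%m-%d %H:%M:%S")
    return (naive - timedelta(hours=offset_hours)).replace(tzinfo=timezone.utc)

def missing_from_device(cdr_rows, device_rows, owner_numbers, offset_hours, tolerance_s=60):
    # Return CDR events for the owner's numbers with no device-log counterpart.
    owners = {normalize_number(n) for n in owner_numbers}
    device = [(normalize_number(r["peer"]), r["kind"], datetime.fromisoformat(r["utc"]))
              for r in device_rows]
    missing = []
    for row in cdr_rows:
        if normalize_number(row["subscriber"]) not in owners:
            continue  # billing event for a number that is not of interest
        when = cdr_to_utc(row["local_time"], offset_hours)
        peer = normalize_number(row["peer"])
        if not any(p == peer and k == row["kind"]
                   and abs((t - when).total_seconds()) <= tolerance_s  # assumed tolerance
                   for p, k, t in device):
            missing.append(row)
    return missing

# Constructed sample data (not from a real case); the CDR uses UTC+3 local time.
CDR = [
    {"subscriber": "12345678900", "peer": "12345678901", "kind": "call",
     "local_time": "2023-05-01 17:00:00"},
    {"subscriber": "12345678900", "peer": "12345678902", "kind": "sms",
     "local_time": "2023-05-01 18:30:00"},
    {"subscriber": "19995550000", "peer": "12345678901", "kind": "call",
     "local_time": "2023-05-01 19:00:00"},
]
DEVICE_LOG = [
    {"peer": "+1 (234) 567-89-01", "kind": "call", "utc": "2023-05-01T14:00:05+00:00"},
]

if __name__ == "__main__":
    for row in missing_from_device(CDR, DEVICE_LOG, ["+1 234 567 89 00"], 3):
        print("missing from device log:", row)
```

Running the same comparison with an offset of 0 instead of 3 also reports the call as missing, which is why the time zone offset has to be set correctly before entries are treated as deleted.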

Call log sources

The log data that is compared to the CDR is compiled from the following applications.

Android

Event Log (com.sec.android.provider.logsprovider or com.android.providers.telephony);

Messages (com.google.android.apps.messaging);

Phone by Google (com.google.android.dialer);

Talkatone (com.talkatone.android);

TrueCaller (com.truecaller);

Textra (com.textra);

BiP (com.turkcell.bip);

Message+ (Verizon Messages) (com.verizon.messaging.vzmsgs);

SMS Center (uplay.SMSCenter);

TrueCaller (com.truesoftware.TrueCallerOther);

Skype Lite (com.skype.m2).

iOS

Event Log (com.apple.telephony);

Apple Messages (com.apple.messages).

KaiOS

Event Log (EventLog.KAI);

Messages (Messages.KAI).
