Reviewed by Götz Güttich
Oxygen Forensic Detective is software that assists users in extracting and analyzing data from mobile devices, SIM cards, storage cards, drones and IoT devices. It is intended to be used by law enforcement, special services, and corporations. We decided to test this tool in our lab to see what features are available and how it performs.
The program allows the bypass of screen locks on Android devices as well as the import of various backups and device images for further investigation. What is more, the examiner has access to more than 60 cloud services, including all of the most widely used applications. The software also allows examiners to extract call details, analyze social connections, and see frequently visited places on a map.

When using this program, examiners most often create forensic images of mobile devices and analyze the collected data from a copy rather than from the original device. Even more functions are available to an expert who uses the built-in SQLite Viewer for analysis of databases, the very useful timeline view, the powerful Search feature that allows examiners to quickly find information in data sources, and the file browser.
Let’s talk a bit about the most important functions of this forensic solution. In the Applications section examiners can find information from social networks, messengers, web browsers, navigation apps, productivity tools, travel, finance, fitness and multimedia apps, including applications that enable the user to communicate with drones. These applications contain an enormous amount of potentially valuable data that waits to be discovered.
If you need to work with cloud data, the software will help you there as well. It collects information from various cloud services including Google, Huawei, iCloud, Mi Cloud, Microsoft, Samsung, WhatsApp, IMAP mail servers, and social networks such as Facebook, Instagram and Twitter. The user can access the cloud data via extracted credentials or tokens, even when two-step authentication is enabled.
What about the layout of data? All information is organized into sections. Some examples are: contacts, messages, event log, notes, apps, photos, videos and file system.
A partner of Oxygen Forensics, Passware, is responsible for decoding and finding passwords. Passware uses various methods, including distributed processing, GPU acceleration with ATI and NVIDIA cards, brute-force, dictionary, and Xieve attacks, along with many more.
The export of data plays an important role in completing an investigation. Oxygen Forensic Detective provides its users with the ability to extract and present the needed data in HTML, PDF, RTF, XLS, XLSX and XML. Reports can be produced for only one device or for several of them. It is also possible to export only selected sections or pieces of information.
In order to test Oxygen Forensic Detective, we installed the latest version (220.127.116.11) on a PC running the 64-bit version of Windows 10 (1803). After installation we closely investigated the features that are available within the software. In order to test all the functions and capabilities of the software we used two backup images of one Android and one iOS device provided by Oxygen Forensics. We also extracted an image from our testing iOS device in order to determine whether the software was able to collect and present all the data from the device, and all the applications on it.
Before Oxygen Forensic Detective can be launched, the software needs to be installed. During installation, a wizard opens with options to select the language and installation paths for the application. After all the decisions are made, the application can be launched. The wizard will also suggest installing the manufacturer's driver pack, which enables the many supported mobile devices to connect to the software via USB. When the setup is complete, the software is ready for use.
Import of iOS backups
After launching the software we decided to import an iOS device image provided by Oxygen Forensics. To do this, we selected Import backup file from the toolbar and selected our previously extracted iOS image from the file extractor window. As we clicked Next, the backup process started.
After processing of the backup image had completed, we opened the supported applications section to take a look at them and discover what data had been acquired. The list of supported applications is highly impressive, containing 4734 Android, 3786 iOS, 16 Blackberry and 60 Windows Phone applications.
The next step was looking at the iOS backup structure itself. On the left side of the main window of the application there is a tree structure. The folders (Device Information, Aggregated Contacts, Phonebook, Event Log, Passwords, and more) are shown. One of the sections in the tree contains information from the installed applications, which is organized into several categories (Fitness, Messengers, Navigation, etc.). There is no problem in finding the application you need to examine from this section.
We decided to investigate the extracted data from WhatsApp messenger within the decoded backup of the phone, which belonged to Amy Rivers who is a virtual person with a test account. The extracted information is organized into folders.
The Application files folder consists of data stored within an application, such as SQLite files, media, thumbnails, etc. All of the extracted data can be opened in another window by double-clicking (SQLite databases would be opened within the built-in SQLite viewer).
Especially interesting is the folder that contains valuable user data. In this folder, investigators can find not only information about the user's contacts but also the individual communications themselves. In our testing, we found out that our test user, Amy, obviously has a drug problem and is addicted to cocaine.
Apart from that, the user data area of WhatsApp also provides information about calls made using the app and related information, including location, photos and more. Investigators can bookmark identified information directly from this view so that it can later be viewed in the Key Evidence section.
Investigators can also use the cloud section to access data that has been previously deleted from the phone and unavailable in a standard backup. Within the built-in cloud extractor many cloud services are supported, including WhatsApp, WhatsApp backups, Dropbox and Facebook.
During our testing we decided to test the WhatsApp backup function. To use this feature, we launched Oxygen Forensic Cloud Extractor. We imported credentials for the app and selected WhatsApp from the displayed supported applications. It took some time for the system to check whether the entered credentials were valid, but after successfully validating the data we were asked to enter credentials for other cloud services or to start extracting the data from WhatsApp. Since the WhatsApp credentials had already been validated, we started the extraction. The cloud tool contacted the selected cloud service and began to extract the data.
WhatsApp tokens can also be used to extract data. With a token, WhatsApp data can be accessed even if the iPhone is locked or not in your possession at all. WhatsApp backups that a user has stored on the internal memory or an external memory card can also be examined. These backups can be decrypted and decoded using the user's telephone number.
Our next step in testing was to take a closer look at the social network applications Facebook, Twitter and Instagram. These applications did not provide us with much data. Information included pages on Instagram which Amy followed, Facebook cookies, and search history from Twitter. This data was not as thorough as the WhatsApp data, but still provided some information.
We decided to take a look at the Android device image, which was also provided by the manufacturer. The import of the image was completed much like the iOS image, via Import Image on the toolbar. The device owner, Jay Jazzy, was determined after the import to also be involved in drugs.
As before, we started the testing by investigating the data from the application section. The analysis and testing is similar to what we did with the iOS device.
While investigating the Android device image, we decided to analyze the Google location history. Most of the data from this app is not stored on the phone itself but in the Google cloud. Since a Google token is available after reading the phone, experts can extract not only the location history but also data from most Google services. As a result of our testing, we succeeded in obtaining and viewing a detailed location profile of the movements of the test user Jay Jazzy. In addition, our investigation of the test data revealed that Jay is an associate of Amy from the iOS image.
Live iOS Device
After we became familiar with the software and its features, we decided to extract and analyze data from a smartphone. The device we used was an iPhone 6 running iOS 12.1.1. To extract this device, we had previously installed iTunes on the computer to obtain the drivers needed to access the device. For other devices, the Drivers Pack of Oxygen Forensics must be installed on the computer instead. Once the installation of iTunes was completed, we connected the test iPhone to the computer and checked that there was a working connection between them. Once the connection was made, we tried to read the device while it was locked. As expected, this did not work. However, the software does support bypassing the lock using a special lockdown function.
For more information, see this PDF.
As soon as we unlocked the phone, we were able to connect to the device using the Connect Device / Auto Device Connection function and extract the device’s data within minutes. The produced image was in a similar format to the above-mentioned demo backup of the iOS device. During the extraction process, the software explains clearly what it is doing. For example, the program alerted us that the iPhone backup was encrypted and immediately tried to identify the password. Also, we were presented with an option to enter a password, if known, to speed up the process. At the completion of the extraction and parsing, we were presented with the recovered data which included deleted data, including contacts.
The program provides its users not only with the already mentioned features like the search function and the SQLite Viewer, but also with others, such as Timeline. Timeline aggregates data from various sources (for example from the Dropbox and Facebook apps) chronologically, giving an overview of what actions the user has taken over time.
Worth noting is the Social Graph tool, which shows a graphical overview of all contacts and the connections between them. The Social Graph uses information from different sources, including aggregated contacts, the call log, messages and app databases.
Oxygen Forensic Detective surprised us with the massive amount of information it acquired and made available from mobile devices. During the test, and so as not to exceed the scope of the article, we could only reference a few applications to demonstrate the functionality of the software. In this context it should be noted that many applications, including Tinder, Booking.com, and various browsers, can be read completely within the program. Identifying travel activities or the search history of a browser using this forensic solution is possible as well.
About Oxygen Forensic Detective
Oxygen Forensic Detective combines information stored on the device and in the associated cloud services, ensuring that all information is available to the investigator. The built-in analysis tools contained in this forensic solution ensure that the software automatically processes essential core information and makes it available to the investigator quickly. Find out more on Oxygen Forensics' website.
About the reviewer
Götz Güttich has been working in the IT field since 1996. He has worked as an IT consultant and as an editor, as well as editor in chief, for various IT publications. Over the years, he has carried out extensive tests of IT products for leading German network magazines.