I have been using Oxygen Forensic Detective for academic and professional investigations since 2016, when the latest available version was 8.4. Mobile forensics procedures have evolved a lot since then. Mobile software and hardware, applications and the information stored in smart devices do not stop growing. Although the pillars of mobile forensics remain, this constant evolution forces forensic software to adapt its capabilities to current needs: smartwatches, drones, cloud data and backups, IoT devices, and support for more and more smartphones and tablets across all of their firmware versions. All of this makes it mandatory for mobile forensics practitioners to have trustworthy, up-to-date tools with which to acquire, understand, index and exploit as much information as possible in order to obtain the best results.
Current mobile hardware and firmware do not make the analyst's job easy, as device vendors patch every security bug that could allow us to perform physical acquisitions. Encryption and device access controls, which protect the privacy of the information kept on the devices, make life more difficult when conducting an investigation in which those devices are key.
Users increasingly store sensitive information that is relevant to a forensic investigation inside an ever-growing universe of mobile applications, so being able to support and understand the internal structure of each of those applications, and of every update to them, is an important requirement to keep in mind.
This scenario forces a professional forensics practitioner to have tools able to deal with every device and to extract the information needed for each investigation, no matter which hardware or firmware version is involved.
For all these reasons, an up-to-date commercial forensics suite is needed to carry out this work professionally.
Oxygen Forensics is one of the big players in this area. This review will look at Oxygen Forensic Detective v.18.104.22.168, licensed in USB Dongle mode.
Powerful and complete tools also need to be intuitive for users. A tool that is too complex to use could lead to human errors in the middle of an investigation, which could even end up ruining it.
Oxygen Forensics Detective comes with a clean initial GUI that guides the analyst to the main available tasks that can be performed.
Forensic investigations mainly follow these phases: Acquisition, Analysis, Reporting and Exposition.
Oxygen Forensic Detective is strong in the Acquisition, Analysis and Reporting phases, as Exposition is still the job of the human analyst, so far.
Acquisition: the most important phase?
It is said that acquisition is the most important phase of a forensic process. From my point of view, all phases are important, but of course, if the first one is not performed in the right way, the results could be called into question later.
The goal of acquisition tools is to extract as much reliable information as possible, to be indexed and added into a database, and this will depend on the sources supported by the tool.
Oxygen Forensic Detective supports live acquisitions, when the original device from which information will be extracted is available to be connected to a forensic workstation. It also imports data from backups made with different tools (from Android ADB or Apple iTunes backups to physical images made by other commercial vendors), from cloud repositories, and even from images produced by other forensic suites.
These heterogeneous data sources make it mandatory that the imported information is processed and transformed into a homogeneous structure. Having a common definition of where each kind of information is stored makes the next phase, Analysis, much easier.
Analysis: How information will be exploited
Once the information has been ingested, it is time to exploit it: to analyze its contents and transform them into useful information. Oxygen Forensic Detective is able to understand and correlate those sources in different sections, showing them in the GUI. Mobile device system information, calls, SMS, Camera Roll, Social Networks, Applications, etc., are the typical categories. But Oxygen Forensic Detective adds value by identifying and presenting valuable information that spans several of them.
Every single application stores its own information individually, but combining all that data and showing it in different ways can make a difference. Users interact with several applications on their smart devices at the same time, and the applications even interact among themselves. A typical example is the camera roll, commonly used to save pictures and videos that may then be used by several applications.
Investigations usually require us to find out what activity occurred on a device within a time range. With a device holding many sources that generate timestamped forensic events, it is vital to have a tool able to build a super-timeline that merges all of them, letting us see the full activity of the device between the desired dates and times.
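The homogeneous-structure and super-timeline ideas above, as an added example that is not Oxygen's own code: a small Python routine that normalizes constructed call, SMS, iOS app and cloud records, each using a different timestamp convention (Unix seconds, Unix milliseconds, Apple Cocoa seconds and ISO 8601 with an offset), into UTC, merges them, and keeps only the events inside a requested time window. The source names, formats and records are all constructed for the illustration.

```python
from datetime import datetime, timedelta, timezone

# Apple "Cocoa" epoch (2001-01-01 UTC): many iOS SQLite databases count seconds from it.
COCOA_EPOCH = datetime(2001, 1, 1, tzinfo=timezone.utc)

def to_utc(value, fmt):
    """Convert one raw timestamp to an aware UTC datetime; fmt names the source convention.
    Unknown or naive inputs raise, since guessing an offset would silently shift the timeline."""
    if fmt == "unix_s":
        return datetime.fromtimestamp(value, tz=timezone.utc)
    if fmt == "unix_ms":
        return datetime.fromtimestamp(value / 1000, tz=timezone.utc)
    if fmt == "cocoa_s":
        return COCOA_EPOCH + timedelta(seconds=value)
    if fmt == "iso8601":
        dt = datetime.fromisoformat(value)
        if dt.tzinfo is None:
            raise ValueError("naive ISO 8601 timestamp: source offset unknown")
        return dt.astimezone(timezone.utc)
    raise ValueError(f"unknown timestamp format: {fmt}")

def build_timeline(sources, start_iso, end_iso):
    """Merge every source's records into one list of (utc_iso, source, summary),
    keep only the events inside [start, end] and sort them chronologically."""
    start, end = to_utc(start_iso, "iso8601"), to_utc(end_iso, "iso8601")
    events = []
    for src in sources:
        for rec in src["records"]:
            when = to_utc(rec["ts"], src["fmt"])
            if start <= when <= end:
                events.append((when.isoformat(), src["name"], rec["summary"]))
    events.sort()  # ISO 8601 UTC strings sort chronologically
    return events

# Constructed sample records (not from any real device), one timestamp convention per source.
SOURCES = [
    {"name": "calls", "fmt": "unix_s", "records": [
        {"ts": 1700000000, "summary": "outgoing call"},
        {"ts": 1700003600, "summary": "incoming call"}]},
    {"name": "sms", "fmt": "unix_ms", "records": [
        {"ts": 1700001800000, "summary": "sms sent"}]},
    {"name": "ios_app", "fmt": "cocoa_s", "records": [
        {"ts": 721695200, "summary": "app opened"}]},
    {"name": "cloud", "fmt": "iso8601", "records": [
        {"ts": "2023-11-14T23:20:00+01:00", "summary": "cloud sync"}]},
]

if __name__ == "__main__":
    for when, src, what in build_timeline(SOURCES, "2023-11-14T22:00:00+00:00", "2023-11-14T23:00:00+00:00"):
        print(when, src, what)
```

The second call at 23:13:20 UTC falls outside the one-hour window and is dropped, while the cloud event recorded at 23:20 local (UTC+1) lands correctly at 22:20 UTC between the first call and the SMS.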
Most applications store information locally on the device, where the user can keep or delete it. But many applications also make use of cloud services to store old or up-to-date information that can be shared among different devices. The Cloud Extractor tool allows Oxygen Forensic Detective to acquire additional valuable information from the related cloud-backed applications, using the credentials, cookies or tokens extracted from the device and discovered during a first pass.
Not everyone uses the same applications, and people do not use them in the same way. It may be possible to extract sensitive and relevant information, such as account numbers, lists or even credentials, from browsed and stored pictures.
One of the capabilities of Oxygen Forensic Detective is text recognition: it runs an integrated OCR engine against all extracted images and adds the results to the project.
Specific and useful information can be extracted from pictures beyond text. Identifying objects that belong to classified categories such as guns, pornography or drugs, and even recognizing faces, are very interesting features implemented by built-in engines that add value and can even be the key to an investigation.
Reporting and exporting: Extracting the key evidence
Every investigation ends in a written report. Its final quality will depend on the amount and usefulness of the extracted and parsed information and, of course, on the ability, experience and know-how of the analyst who writes it.
The structure and body of the report will depend on the requirements of each case, the findings extracted from the mobile device and their relevance. Oxygen Forensic Detective allows users to export key evidence to different formats. Many of them can be further processed by the analyst, or simply added as an annex or as digital evidence on a read-only storage medium.
Oxygen Forensic Detective is a stable, powerful and trustworthy tool that makes life easier for forensics professionals. Fortunately, human judgement will still be needed to select, analyze and understand the relevant information in every case, but the results extracted with one of the most well-known tools in the forensics world are always an advanced starting point, helpful in every case where evidence stored on a mobile device plays a key role.
About the Reviewer
Lorenzo Martínez Rodríguez is CTO at Securízame, based in Madrid, Spain. At Securízame we help you with the management, investigation and recovery of your security incident so that you can return to production as soon as possible. The quality of the consulting services that we offer is guaranteed by the experience acquired over many years by the Securízame team. Our specialization in computer forensics will help you react to a security incident, find malicious activity or recover information deleted by an attacker: our Forensic Analysis services are very effective.