Reviewed by K. Gus Dimitrelos CEO – Cyber Forensics 360
Opening the Oxygen Forensic Detective Dongle packaging I did not expect my forensics world of 20 years and counting to change so quickly. As a retired Secret Service agent, I began forensics in the dark ages of 1996 and would never have forecasted the growth of the mobile device market or their involvement or use in criminal enterprise. The importance of connecting device extracted data, event timelines, and linked communications with the associated web, social and cloud artifacts has re-defined the role of examiners and detectives. Welcome to the future and the new baseline of mobile device and data forensics. Oxygen Forensic Detective moved the line across from the typical data-dump style result to a more analytical and fully functioning Swiss cyber knife.From the moment of simplistic installation, I quickly recognized the tool’s robustness and reinvented layout, which made my navigation of evidence functional. The auto-detection of mobile devices actually worked, unlike the other tools I use in the lab, and my ability to simultaneously connect multiple devices helped me find evidence in a three phone criminal case in less than one hour. The software interface is a library of analytical choices with numerous data locating and hidden password recovery options. Of the hundreds of features I narrowed down my top 10 reasons I am switching our lab to Oxygen Forensic Detective.
10. Built-in Cloud data recovery using the Oxygen Forensic Cloud Extractor. This is the most robust cloud extractor I have used. You can either use the credentials that have been extracted from the mobile device or even add ones that were located on a computer or supplied to you in the investigation. The amount of data from Google, Microsoft, Apple, Dropbox, WhatsApp, Facebook, IMAP accounts and many more cloud accounts is truly incredible.
9. Contact aggregation identifies linked suspect profiles from all different sources stored including app accounts. This is a contact list on steroids! This is one stop shopping to find each account for both individuals and group. The real kicker is when you have multiple devices in a single case you can now uncover additional usernames for individuals when multiple accounts are used, but on different devices. No more hiding using an alias or secondary user name! It is also a great place where I can see the conversations between the device owner and their contacts.
8. I wanted to know the most common communication type or the person to whom all the devices might know and have been communicating. I used the Social Graph, which at first seemed a little confusing, but then I discovered the Common Contacts button. Pressing the Common Contacts button allowed me to immediately see the most frequently communicated with individuals between multiple device owners. I could quickly see who the investigation should concentrate on. What a great feature for so many cases when you are trying to determine who knows who and who is speaking with whom. Using this feature is a life saver.
7. Within both the file browser and Timeline, I was able to quickly map images and most importantly any geolocation containing app data. This means any check-in, map lookup, website visited, or message sent and received that contains geo-location metadata can be mapped on the fly! With the built-in Oxygen Forensic Maps feature my job just became that much easier. I am now able to map, not only a single device’s locations, but also all devices within a case! Using this feature I was able to show the common locations between two or more devices to prove those device owners were at the same location at the same time. This was proved by the quick decoding of geo metadata in the Oxygen Forensic Maps feature showing the valuable artifacts in a precise map format. No longer is it just the mapping of geolocation evidence from photos, but the most popular apps as well.
6. Apps are today’s goldmine in mobile forensics and I was unbelievably impressed by the parsing and decoding of application data (Whatsapp, Tinder, Viber, Kik, Facebook Messenger, VK) in Oxygen Forensic Detective. Not only are so many apps supported, there is a built in SQLite Viewer that decodes and recovers deleted data from the main database and associated write-ahead-logs. What is equally important is that it appears Oxygen Forensics understands that there will never be a tool that can parse and decode each app on the market, but they give a tool in Detective that can help me parse and decode any app which is using SQLite databases to store data. Essentially, there is not only the automated decoding of many apps, but Oxygen Forensic Detective allows me to uncover data not yet supported. This is essential because my investigations often involve new apps which may not yet be supported by forensic tools.
5. Today’s investigations are all about creating a timeline. With Detective I could immediately identify communications, contacts, and geo-information. Taking it a step farther I was able to find the most common manner the device is being utilized and what time and day of the week the user was most active. This can all be found using the built-in timeline feature and this feature can be used against a single device or many devices within a single case. In testing, I was able to create a timeline of events for a case, which contained multiple devices, in a little less than five minutes. This timeline identified the actions of the device user before, during, and after the event I had been investigating. Unbelievably easy to use and operate.
4. I understand, as does Oxygen Forensic it appears, that there are multiple mobile forensic solutions out there. With this understanding I would expect this mobile forensic solution to be able to ingest other formats from other solutions. Oxygen Forensic Detective did not disappoint. I was able to import images from three other mobile forensic solutions, JTAG/ISP images, chip-off dumps, and raw DD files. Better yet was the fact I uncovered additional evidence from apps that the other tools did not support! By having a tool that can be versatile allowed me to not have to reacquire the mobile device, instead I just imported the other solutions’ files. A huge time-saver with massive benefits.
3. The time consuming and often frustrating job of call detail records is simplified in Oxygen Forensic Detective. With the built in Call Data Expert module the importing and mapping of call detail records for all cellular providers is made easy. Cellular providers often send records in various formats from XLS to CSV. With Call Data Expert I could import any format provided, build a template in Oxygen Forensic Detective using drag and drop functionality, and immediately display the data in a visual format that quickly identifies the most frequently contacted subscribers and relative tower information. Having the ability to analyze call detail records from various carriers in an all-in-one solution is phenomenal.
2. Instantly identify and investigate the most common social links and spotlight the heaviest usage and activity periods. This native link analysis is built-in; unlike other software which requires an additional purchased license. This capability allows the analyst to instantly visualize and establish connections between suspect(s), associate(s) and victim(s).
1. Flat fee licensing eliminating unnecessary costs for agencies or examiners without a single compromise. Having everything built-in with no added modules to have to worry about, Detective is the most comprehensive software solution for mobile devices available. While others will nickel-and-dime with add-ons Detective just delivers the cutting-edge features we depend upon but at no additional cost.
Spending more money on other tools will only empty your wallet and will not provide any additional evidence results. Oxygen Forensic Detective is the new baseline; redesigned and written for forensic examiners and cyber detective sleuths in mind.
About the Reviewer
Gus is a retired US Secret Service agent and a member of the first federal digital forensics certification training course in 1996. Upon retirement in 2005, Gus created and managed the Alabama Cyber Forenscis Laboratory and the US Department of Justice, US Attorney’s Office Cyber Forensics Laboratory. Gus, along with Steve, are course developers for the Department of state and was the cyber training coordinaotr for Mexico. Currently, Gus is managing all training and services in the Middle East and Africa directly handling cases of Terrorism, Organized crime, Human Trafficking and government network data breach investigations. Gus is a certified expert witness in Federal and State courts as a Mobile Device Forensic, Cellular Triangulation, and Cyber Forensics expert.
About Oxygen Forensic Detective
Oxygen Forensic Detective provides investigators with the full range of tools necessary in mobile forensic cases. Find out more and order a copy here.