Si Biles, co-host of the Forensic Focus podcast, reviews Oxygen Forensics Extraction in a Box (XiB), a three-day instructor-led course for those looking to deepen their knowledge of Oxygen Forensics Extractor.
Mobile phone acquisition is a bit of a dark art – the actual processes are often hidden behind tools, and they often require skills more familiar to our black-hatted brethren in the “hacking” community. The art of teaching mobile phone acquisition is similarly challenging. How do you tackle the question of the myriad of available devices, the requirement for hands-on experience, processes that only work a percentage of the time, and keeping a class going? Oh, and let’s throw another variable into the mix – how on earth do you do that with both local and remote students?
I have to admit that I’ve been excited to try Oxygen’s Extraction in a Box (XiB) class since I first heard of it, and it may have been me saying that out loud that resulted in it being offered to me through Forensic Focus for this review (no complaint here!).
As a teacher myself, having done both remote and in-person – but never the hybrid of both – I wanted to know how this would work, and honestly, before experiencing it, I had my doubts that it could.
Despite the kind offer of an in-person attendance at a class in Virginia, my schedule (in a different country no less) prohibited it. But in reality, this turned out to be the ideal way to test the remote offering of an inherently hands-on class.
As usual, time zones – the bane of all forensic tasks and international collaboration alike – made for a more interesting daily schedule: starting at 1400 and theoretically finishing at 2200 hrs daily for the three days of the course (0900–1700 hrs local time). One day I’ll learn not to work four-thirds of a day in these circumstances – doing my normal work in the first half of the day and then doing the course in the afternoon and evening – but this occasion wasn’t it. I suspect that this gave our instructor, Ryan Ebersole, a greater challenge with me, particularly towards the end of the session, but he managed to keep me energised and engaged throughout. Credit to him as a teacher.

A few days before the course was due to begin, a substantial parcel arrived via FedEx. It measured a good 50 cm cubed (about a foot and a half if you're not metric). Inside the cardboard box, wrapped in much scrunched-up brown paper, was a natty blue mini-Peli case. Opening this up revealed my selection of phones for the week (see packing list below for full details), the requisite charger (US spec, but who doesn't have access to a USB charger in their own country?), multi-cable, card readers, tweezers, and more PPE than you can shake a stick at. Additionally there was a USB stick with patches to bring Oxygen up to date for the course, as well as the course manual. Oh, and a free pen and lanyard; you can never have too many pens.

In-person attendees get a physical copy of the course manual, while the electronic edition uses the same "JetEngine" e-book interface as other Oxygen courses. It allows for all the usual things you would expect (turn a page, jump to a page, search, and so on), as well as the capability to add your own annotations. My sole complaint regarding the e-manual is that the page numbers in the table of contents don't match the pagination of the work as a whole. And, as there are no usable links from the ToC to the content, finding something that is referenced there isn't straightforward. However, there are bookmarks that will take you to each of the chapters, which somewhat mitigates this.
Otherwise, the content of the e-book is good – the explanations provide enough background to each subject, and the walkthroughs in each chapter are (a) correct and (b) easy to follow. I do appreciate that the frustration that can be found in mobile phone extractions is well expressed in the relevant places (see screenshot below!).

Ryan made good use of the manual during the class – starting by bringing us all to the same level of understanding of the multitude of acronyms that we face in our industry. I appreciated this being included. Others with more experience of mobile phones may have found it repetitive, but for me it was good to get my FDEs, FBEs, and BFUs in the right order! Overall – in my opinion – the training isn’t targeted for the complete novice, but an early career examiner, with a little knowledge and hands on experience with simpler extractions under their belt, will gain a huge boost in their capability to tackle more challenging extractions.
Ryan didn’t strictly stick to the order of the manual; however, it made logical sense to attack the class in the way that he did, each part led sensibly into the next, and more advanced topics (such as password cracking – covered early in the manual) were left until they could be used against the target device.

In three days, given that extractions take time, the coverage was astounding. There are eight devices in the box – logical, physical and filesystem extraction types – plus SD cards, SIM cards, and a whole forest full of exploits, and we did a significant portion of them.
The Oxygen interface is excellent, and it helps the user see the possibilities that are available for a connected device, which is a great strength. It makes the process straightforward for getting a working acquisition underway.
Oxygen can be run in parallel, which in a lab environment would be hugely advantageous but isn’t made use of in the class. I think it would be a good idea to enable students to try this out and test it for themselves, through the inclusion of a couple more cables and a USB hub. Building this knowledge and faith in the stability and isolation of parallel running before trying it out on important devices would be hugely advantageous to examiners.
In general, remote users would be expected to use their own (or their institutional) copy of Oxygen for the training – this is something to be aware of before you begin. However, as a licensed user, I'm sure that – as I had to – a trial license could be made available for the duration of the course. This trial license isn't limited or restricted (at least that I found during the course) and was quickly procured within the first quarter of an hour of joining. It was also easy to download and install. Additional required drivers (an ever-present constant in mobile phone connection, it appears) were added during the course by all attendees, were readily available online, and were included on the USB stick.
The highlight of the course for me was accessing a device using the test points and a pair of conducting tweezers to short the pins – hardware-level access for me is a rarity, and I wouldn't have had the confidence to try it before this course. The fact that my test device not only didn't emit the classic puff of blue smoke as the magic escapes from the chip, rendering it useless, but that I got a full forensic image is one of the pinnacles of my education!
The methodologies ranged from highly invasive techniques to various agent and agentless downloads, using methods such as exploiting vulnerabilities on iOS and Android, setting up and accessing ADB (Android Debug Bridge), and performing iOS and Android backups. The critical role of APK downgrades in enabling access to applications through Android backups was also addressed. Entering different boot modes and configurations can require more simultaneous fingerwork than most of us possess, making it an occasional exercise in frustration. However, Oxygen’s in-application guidance is excellent, and its real-time updates on the connected device’s state provide clear feedback on success or failure.
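The Android backup route mentioned above is worth seeing at the byte level, since what an examiner gets back from `adb backup` is a small plain-text header followed by a zlib-compressed tar. The following is an added example, not code from the course, from Oxygen Forensics or from the reviewer: it constructs an unencrypted .ab archive in memory (the package name com.example.notes and the file contents are invented sample data), parses the header, and unpacks the payload. The docstring lists the adb command sequence used by the downgrade-then-backup technique; it assumes an unlocked device with USB debugging enabled, and two caveats apply: adb's `-d` downgrade flag is documented as for debuggable packages only and its behaviour varies by Android release, and `adb backup` itself is deprecated on recent releases. Password-protected backups are detected and refused rather than decrypted.

```python
"""Android backup (.ab) helpers, an added example (not the course's material).

The downgrade-then-backup workflow this illustrates, run from a shell against an
unlocked device with USB debugging enabled (the adb options are real; the
package name and file names are assumptions for this example):

    adb shell dumpsys package com.example.notes | grep versionCode
    adb install -r -d notes-old.apk        # -d: allow a versionCode downgrade
    adb backup -f notes.ab com.example.notes
"""
import io
import tarfile
import zlib

AB_MAGIC = b"ANDROID BACKUP"

# Constructed sample contents standing in for what `adb backup` would pack.
SAMPLE_FILES = {
    "apps/com.example.notes/_manifest": b"com.example.notes\n42\n",
    "apps/com.example.notes/db/notes.db": b"SQLite format 3\x00" + b"\x00" * 16,
    "apps/com.example.notes/sp/prefs.xml": b'<map><string name="user">alice</string></map>',
}


def build_unencrypted_ab(files, version=5):
    """Build an unencrypted, compressed .ab blob: 4 header lines + zlib(tar)."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        for name, data in files.items():
            info = tarfile.TarInfo(name)
            info.size = len(data)
            tar.addfile(info, io.BytesIO(data))
    header = b"%s\n%d\n1\nnone\n" % (AB_MAGIC, version)
    return header + zlib.compress(buf.getvalue())


def parse_ab_header(blob):
    """Return (format_version, compressed, encryption, payload_offset).

    Header lines: magic, format version, compressed flag, encryption scheme
    ("none" or "AES-256"; the encrypted form carries further lines of salts,
    round count, IV and wrapped master key before the payload).
    """
    parts = blob.split(b"\n", 4)
    if len(parts) < 5 or parts[0] != AB_MAGIC:
        raise ValueError("not an Android backup file")
    version = int(parts[1])
    compressed = parts[2] == b"1"
    encryption = parts[3].decode("ascii")
    offset = sum(len(p) + 1 for p in parts[:4])
    return version, compressed, encryption, offset


def ab_to_tar(blob):
    """Strip the header and inflate the payload; refuse encrypted backups."""
    _, compressed, encryption, offset = parse_ab_header(blob)
    if encryption != "none":
        raise NotImplementedError(
            f"{encryption} backup: the payload must be decrypted with the "
            "password-derived master key before it can be inflated")
    payload = blob[offset:]
    return zlib.decompress(payload) if compressed else payload


def list_backup(blob):
    """Map each regular file in the backup to its bytes."""
    out = {}
    with tarfile.open(fileobj=io.BytesIO(ab_to_tar(blob)), mode="r:") as tar:
        for member in tar.getmembers():
            if member.isfile():
                out[member.name] = tar.extractfile(member).read()
    return out


if __name__ == "__main__":
    blob = build_unencrypted_ab(SAMPLE_FILES)
    print(parse_ab_header(blob)[:3])
    for name, data in list_backup(blob).items():
        print(f"{name}: {len(data)} bytes")
```

The point of the downgrade step is that an app's current release may ship with backup disallowed in its manifest, so `adb backup` returns an archive with no data for it; installing an older version of the same package that still permitted backup, without wiping its data, lets the backup include the app's databases and shared preferences. Whether the device permits that downgrade is exactly the sort of thing the in-application guidance tells you before you start.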
Although Android and iOS are by far the most common operating systems encountered daily, it was good to see coverage of older “feature phones” and alternative OSs such as KaiOS, as well as SIM card and SD card data recovery.

It’s hard to summarise three solid days of training – especially when so much is hands-on. Multiple methodologies on a given device, and multiple exploits where a device has several vulnerabilities, mean that preparation, plug-in and data extraction can take a couple of hours. But the knowledge and experience gained in the lab – under the watchful, supportive eye of the instructors (and while your hand cramps from holding all the buttons) – means that when you have to do this for real it becomes a familiar procedure, not a stab in the dark. And that is priceless.
The class is excellent and well worth the time to take. Ryan was knowledgeable both within the scope of the material and in the wider landscape of mobile phone analysis, and I’m grateful for the way that he managed a single remote student with a room full of people – it’s a credit to his skill as a teacher.
I’m constantly impressed by Oxygen’s honesty about their product: they know what they are good at, and they’re not afraid to say so – I happen to think that their interface is one of the most straightforward I’ve ever come across – and they know their limitations. Oxygen don’t position themselves as an alternative to something like GrayKey – although I was quite surprised at the embedded password cracking. Fundamentally, it’s an excellent tool for the extraction of a device to which you have a reasonable degree of access up front. This – in the UK where we are fundamentally assisted by Section 49 of RIPA – is more often than not exactly what is required.
The training was really enlightening in showing that there is more than one way to get data off a device – and choosing the one that is relevant to what you are trying to achieve will get you further than you might think and almost certainly further than just choosing the simplest option. In the real world this will mean the difference between getting an evidential item in your extraction or not … And you can’t comment on it when you don’t have it …
It’s a well-rounded, mature tool, and I’d recommend both it and the training.