Analyzing Evidence From Mobile Devices, Including Hidden and Deleted Data

Presenter: Tatiana Pankova, Marketing Manager, Oxygen Forensics


Transcript

Tanya Pankova: Hello everybody. Welcome to the Oxygen Forensics webinar. My name is Tanya, I’m the Marketing Manager at Oxygen Forensics, and I will be your presenter for this webinar. During the presentation or after it – so it will be for one hour, but I will leave some time to answer your questions – feel free to submit your questions in our webinar software, and I will answer them in order. This presentation is recorded, so it will be available on our YouTube channel, on the Oxygen YouTube channel, I believe tomorrow.

So I will start, and all your questions will be at the end, yeah?

First, some words about the company, Oxygen Forensics. I’m sure you have heard about us. Actually, several months ago we celebrated our 15th anniversary, so it’s… our company was founded in the year 2000, and at first we were kind of specialized in home user software. So we developed Oxygen Phone Manager – this was an alternative to Nokia PC Suite. And then we started to receive requests from our customers to release a forensic version of this software. So we did it in the year 2004. So our forensic software is already 11 years old.

And we have offices in several countries, including an office in the United States and an office in the European Union, with almost 24-hour support. So you’re welcome at any time to call or to leave a ticket with all your questions. It’s quite clear who our customers are – you can see of course it’s law enforcement and government agencies, institutions, corporations, military intelligence and private investigators, as well as Big Four companies, like PricewaterhouseCoopers, all over the world.

And some words about our flagship product in general, Oxygen Forensic Suite, because my talk will of course be based on our software and what we can do to help you extract all data, including deleted and hidden data. Oxygen Forensic Suite is PC software – you install it on a PC, and it allows you to extract the data from almost 10,000 devices, logical and physical extractions included – it means that we support not only logical but of course physical acquisition for particular platforms.

And also, we extract data from more than 600 mobile apps, and this is kind of a separate topic today. We support all popular platforms, like Android, Apple iOS, BlackBerry, Bada, MTK, Chinese phones, Symbian, Windows Mobile, Windows Phone, and of course feature phones that actually have no operating system inside. So we support them, we support old phones, old Nokias especially, because we specialized in them some time ago.

And we have some solutions for how to bypass passcodes and how to recover passwords to backups, and we extract the full set of digital evidence of course, including contacts, messages, calls, calendar and notes, the whole file system and applications, passwords, geo data, and so on. And of course, like any other forensic software, we offer you deleted data recovery, and after you extract the data, after you view it, there is of course an opportunity to generate data reports in all popular formats, like PDF, RTF, XML, and so on. Our XML reports are supported by Nuix – I hope you know this company and their software. So XML reports can be imported into Nuix software.

And of course we offer you extensive search and filtering capabilities in all the sections to find the required data.

So this is a short overview, and now this is a… I think you know this is kind of the workflow for forensic experts. It consists of three parts – extract the data, analyze it, and generate a report afterwards. So the more extraction methods and the more data sources you use to extract the data, the more data will be available to you for analysis – I think it’s clear.

So we, at Oxygen, offer you quite a lot of extraction methods and data sources that can be combined to receive a really full set of data as a result. Of course we support live data extraction, so you connect via cable or via Bluetooth and get all the data. But you can also import, for example, various backups. I think the most widespread is the iTunes backup. So you can find it on the device owner’s PC, laptop or desktop, in the iTunes folder – at least one backup, maybe an old one, can be found, and maybe the data inside will be different from the data that is on the phone, because time passes, so you don’t know what is inside the iTunes backup – it can be really different. So we always recommend importing the iTunes backup to see what was in this backup. The same with BlackBerry backups, and the same can be done with Nokia backups, if you by chance find a Nokia phone and you need to analyze it.

So what else? We also allow you to import device images that are created in other forensic software. Again, in many cases, I think almost all forensic experts use at least several tools to extract data, and so you can… you need to cross-validate, you need to see if maybe some other forensic software extracts more. So you can import these images into our software and see what we can do with these images.

And one more data source – it’s now cloud backups. So when we released our Oxygen Forensic Extractor for Clouds last year, many people were… they really doubted, they were suspicious about whether they could use cloud data, whether they could use it as evidence. Now it’s getting more and more popular to speak about it, so we support the import of cloud backups, and we were the first to do it – like iCloud, like Windows Phone cloud data. Again, it’s one more data source for you.

And one more alternative for you – you can import call data records that are received from cell phone providers, import and analyze connections between callers – so again, one more data source.

This is kind of an overview of what we can import – so you can see lots of Apple iOS images, including again iTunes, iCloud, DMG images; Android images, including Android JTAG, because now people speak a lot about JTAG, they take courses in JTAG. So we can import JTAG images – we don’t make them, of course. You can also import Android backups and Android zip and so on. And also you can import BlackBerry chip-off images – again, quite popular nowadays. Windows Phone 8 JTAG as well. So just bear it in mind.

Sometimes, backups that you try to import can be encrypted. For example, the user can create a password in iTunes to encrypt the backup. So if you take this backup and try to import it in any forensic software, you will have to enter the password. So we have a solution for how to find the password. Our Oxygen Forensic password analyst software helps you to find passwords to iTunes backups, and to Android backups and images. It uses various attacks, like brute force, like dictionary attack, and actually the attacks can be customized. It also uses full GPU acceleration and distributed computing, so that you find passwords quicker. It highly depends on your machine, on your PC. So there is a solution for encrypted backups. Some advanced users really encrypt their backups because they know it’s really safer.

So some words about Oxygen Forensic Extractor for Clouds. As I told you, this is one more data source, and at first, we received doubtful reviews about it. So forensic experts really doubted that they could use it. It was released last December. This is a utility inside the Oxygen Forensic Suite license, it’s free at the moment, and it imports data from several cloud services, like Google, Apple iCloud, and Microsoft Live, and from some social media services, like Instagram, Dropbox, Twitter, so you can see it on the screenshot.

So you import this data, and then you can save it on your PC in a readable format, or you can generate a PDF report. In the upcoming version, you will be able to load all this information into Oxygen Forensic Suite, and then see it together with other backups, in a merged way.

And of course, at the moment, you need to go through an authentication process – it means that you need to enter credentials to access these accounts. So we don’t break, we don’t find passwords, but there is one good solution – you can find passwords to these accounts, to cloud accounts, in Oxygen Forensic Suite. So you extract the device or you import the backup, and we have a special section in Oxygen Forensic Suite that is called Passwords, and in the Passwords section, as you can see, in the third column, if there is a cloud icon, it’s a hint for you that you can use Oxygen Forensic Extractor for Clouds to extract even more data. So you extracted, for example, an iPhone or Android device – you can go to Passwords, you see this hint, and it means that you can extract even more from the cloud because you know the credentials.

And it’s really very useful because, for example, let’s take Instagram – if you take a non-jailbroken device, I mean an iOS device, an iPhone, and use forensic tools, actually you won’t extract much, because photos, Instagram photos, are not in the iTunes backup. It means that you will extract probably account details, you will extract the people whom the device owner follows, contacts, but you won’t extract photos, and you need another method to extract photos. So this method is in the cloud – you can extract photos from Instagram using our cloud utility, of course if you extracted the password for it, at the moment. So this is the solution.

And some [good] words about iCloud backups. As I told you, we can import them and decode them, and fully show you the data. What is good about iCloud backups? As you can see on this screenshot, in the cloud there can be several backups. They have different dates – it means that several backups were made, on my screenshot four backups, from one phone, and they are all stored in my cloud, and you can import them in just several seconds and see all the data. Again, the size is different – it means that there’ll be a slightly different data set in every backup. Moreover, if several devices were attached to the same Apple ID, you can extract all the backups of all these devices.

And you need to know the credentials, but as I showed you on the previous screen, in Oxygen Forensics you can extract at least some passwords, and you can use them later to acquire data from the cloud.

And some words about one more alternative data source, as I told you – it’s Call Data Records, it’s a bit different. So you can receive these call data records from cell phone providers. Mainly they are XLS files, but they can still have different extensions, a slightly different format. So we have a special utility again inside Oxygen Forensic Suite. It’s incorporated in this software. It imports CDRs of any format and any size. If you work with them, you know that first of all you need to map all the fields. So you can do it in our software, to convert all CDRs to a unified format, and then you can analyze, like on this screenshot, direct links between callers – so you choose several phone numbers, and you analyze links. There will be no names, because there are no names in call data records. These results can be saved on your PC, in your report. Again, it’s kind of an alternative data source, because, well, it will be a good addition to your [… just image] extraction.

So no matter what extraction method you use – live data extraction, backups, cloud data – you will see more or less the same data set, like this: contacts, messages, calls, calendar, file system, external and internal dictionaries, user dictionaries, applications and passwords, Wi-Fi connection history, geo coordinates, and some other data. Of course, all the data is important, but I believe nowadays forensic experts are first of all interested in applications – deleted data in applications, actual data, but still applications, because people prefer to use them to communicate, to navigate, to travel, even to do sports and so on.

So you can see on this small chart what happens in the world of mobile applications every 60 seconds. Actually thousands, and even millions, of different posts, likes, and photos are uploaded every 60 seconds. So lots of data. And what can we do with applications? We are proud to tell you that we really have support for more than 600 applications for the four main platforms nowadays – Android, iOS, BlackBerry 10, and Windows Phone 8. And what is particular about our support? We support not only social networks, not only messengers and web browsers – I think it’s clear that almost every software has support for WhatsApp, for Skype, for Facebook, for Safari – but we also support travel applications, finance applications like PayPal, for example, lots of productivity applications, and also even health applications. A bit later I will explain why it’s important to support even health applications, and what they can store.

So we also support decryption of secure apps, like Snapchat… I think you know all of them, the Telegram messenger; even Google Maps is not as easy as you might think. And our support means that you can extract really lots of data – account details, including passwords; contacts; communications like group chats, private chats, calls; also shared data, like the media files, photos, locations and contacts that people share nowadays; cached files; and of course deleted records can also be extracted and recovered.

So this is Viber, how it looks in our software. I can say that Viber is an easily extracted application, because nothing is encrypted. Viber has no password. So all the data, deleted and actual, is very easily extracted. You can find it on your own, open the databases, and analyze it. So there is nothing, at least at the moment, nothing difficult about Viber. But it’s very popular, so you see all the data, directions, and photos on this screen.

If you take Google Maps from Android, it’s a more difficult case, because Google Maps stores search and share history, and also routes, in binary files. Binary files – it means if you open them… well, you actually need to use special tools to decode the data and to see it in a readable format; you have to analyze what is what inside. And actually, we were the industry first, in the previous release, to support extraction of search and shared history and routes. So we show them in a clear way, like on this screenshot. So it’s again already a slightly difficult case for forensic examiners, and actually for forensic developers, to decode this type of app. It’s not only Google Maps, just… I took, I think, one of the most famous apps, navigation apps. Even iOS uses actually Google Maps instead of Apple Maps.

So as you can see, we can extract coordinates, titles, addresses. If you have internet, you can see a small map in the left sidebar; if you don’t have internet, there is a button to export to Google Earth, and to see all these coordinates offline.

So besides binary files, there can be lots of encrypted files inside applications. I think the most popular example here is the WhatsApp messenger. It’s on Android devices; you can encrypt messages, put them in the backup, and I think you have heard about this encryption algorithm – WhatsApp changes it, I believe, once every several months. The latest is encrypt 8, if I’m not mistaken. So it changes it, and all forensic developers decrypt it, so it’s all the time kind of a battle between us and WhatsApp.

As you see on the screenshot, we decrypt the data, though it takes some time, and show it to you already decrypted. The same with the Telegram messenger – the data is encrypted, it’s a secure application; KakaoTalk messenger, mainly popular in Asia; Snapchat, a very popular application, especially with teenagers – snaps are quite securely encrypted. Snaps – I mean the images that people share. They encrypt them. So recently we’ve added support for Snapchat, and now we decrypt it too, though it’s not an easy task.

So what else? Many users may use… may have several accounts for the same applications, and they use them on the same phone. For example, Skype – home, kind of personal, and Skype office. For example, I have two Skype accounts on my iPhone. Some people use, for example, two Twitter accounts, again, office and home; two Facebook accounts, and so on; two Gmail accounts, especially; two Yahoo! accounts.

So if you take the phone and browse in it, you’ll maybe be able to find one account that is active now. For example, you take my phone, there is Skype – my personal Skype account, you see all the data. But you won’t even know if there is another account until you extract the data. So if you extract in our software, you will see all the accounts that were ever used, because the information about the accounts and about the data that is inside is stored in the database. So you don’t see it, but when you read the phone… well, I’m not sure about other software, but our software extracts as many accounts as were ever used. And you see this screenshot of Skype, and in the left panel, the Account panel, you can switch between the accounts – in my test backup here, three accounts were used. And you can easily see all the data. So you don’t need to know the password; all the data is inside the databases.

Some applications can be password-protected. For example, we just got [used] that WhatsApp does not have a password, Viber does not have a password; many applications like Instagram and Facebook have passwords of course, but you enter them once and then you can open the application and you don’t enter passwords again and again. But some applications are quite secure. For example, especially finance applications, banking applications, even travel – especially airline applications, applications from airlines – they’re secure, and they require a password to be entered each time you open them. Again, it’s… then it’s very good to use forensic software, because like in my screenshot, I show you Fly Delta, so this is an airline. It requires a password, but if you extract the data, you see all the personal data that is inside. So sometimes we can even extract the password to this application – it depends on where it’s stored. So again, you can bypass this password if you extract the data in the software.

And there are also some applications that hide personal data. I don’t know if you’ve heard about them, but they have thousands of downloads in the Apple store and in Google Play – applications like Hide It Pro, NQ Vault, Private Photo Vault, and so on; there are lots of them. So you install them on your device, and you set a password of course, and then you can put in these applications the data that you need to hide from the phone. Mainly these are pictures, but it can be videos, it can be messages and contacts – so you put them in this application, you hide it with a PIN code, and nobody sees all the data that you hide. Again, very popular.

But if you extract the data in Oxygen, for example, you can see what the device owner tried to hide. So it’s not difficult; mainly the databases are not encrypted, so in my screenshot, you can see pictures – they are quite innocent in our backup. In many cases, you can even extract the PIN codes to the application. So that’s how it looks. Again, pay attention, because nowadays these applications are very widespread.

And also spyware, of course. So this spyware – it’s hidden from the device menu. The person who spies installs it on the device, and then hides this application with a certain key combination, and then the spyware sends all the user data to the spyware server, and the person who spies can see all this data just remotely. That’s how it works. It’s quite difficult to spy on an iOS user because usually you need to jailbreak the device. It’s much easier to install spyware on an Android device.

So we support spyware detection – it means that if spyware… of course only the spyware that we officially support, not everything, because we write special scripts for this. These are our own scripts. So if supported spyware is installed, you can extract it, you can see a special spyware section in Oxygen, with some data inside. It can be some logs, it can be geo coordinates of places where the device owner was, it can sometimes even be the user name of the person who spies. So it highly depends, but again, it’s hidden, but you can extract it and see it in Oxygen.

And some words about passwords. So of course it’s good to extract as many passwords as possible from the device. What passwords can there be? Of course passwords to application accounts. If they’re available in databases, at least in our software you will see them. Also, passwords for data entered in web forms. What I mean – some people prefer to use their web browser on the device to log in, and use applications in the web browser – for example, I don’t have the Gmail application because I don’t use Gmail often, but if I need to log in, I use the web browser for this. So the web browser saves this data, and if you extract the device, probably you will be lucky enough to see these saved passwords in the software.

Also, passwords [that are] entered in applications. For example, now it’s very popular to link applications – for example, you have Instagram and you can link Instagram to your Twitter or Facebook account, and when you post something on Instagram, a photo, the information about it appears on Twitter and Facebook. So you link all these social networks together – actually it’s not so safe – and the passwords to all the social networks are saved in the application that links them. So I will show you.

And also, passwords can be extracted from the iOS keychain file – I hope many of you have heard about it. So it’s a very encrypted file, it’s securely encrypted, even the fields are encrypted in this file. It can be found only in iOS devices, and it stores lots of passwords to applications, to accounts, to email accounts, and to the Wi-Fi networks to which the device was connected.

So this is a screenshot of the Passwords section, and in the Service column, it’s the 6th column, you can see the browser, and you can see links, in brackets. So that’s what I was speaking about – that you can enter some credentials in the web browser, and in brackets you can see the links to the applications to which these passwords really belong. And also, you can see a Bump application on the screenshot, with the links. It means that Bump application – and this is the application to share data between phones by bumping them – so in brackets, there are actually the accounts that were linked in Bump, and the account and password information belongs to the social network in brackets. Because the device only linked Twitter, for example, and Bump. Bumped and LinkedIn. So as you see, it’s not so secure, and all these passwords can be saved in the applications.

And deleted data recovery – all forensic experts expect lots of data to be recovered. Of course it’s very important. So we can offer you two methods – automatic and manual. Automatic – it means that all the data is recovered automatically when you acquire information from [indecipherable], like messages, calls, images, videos, and documents, and lots of application data like accounts and contacts and chats; everything is possible, everything is recovered. And as you can see, all the main platforms are supported for deleted data recovery. For iOS devices, you can use even the basic, classic method via iTunes backup, and you will recover lots of data. For Android, we support the Android physical dump in our software or the Android backup – these two methods will also give you deleted data. Of course the physical dump will give you more. And for Windows Phone and BlackBerry it’s better to import a JTAG or chip-off image, and you will see lots of deleted data.

And there is one more method – manual carving for deleted records with Oxygen Forensic SQLite Viewer. So first of all I will show you how, for example, automatic deleted data recovery looks. You can see lots of pictures; all these pictures have trash bin icons. It means that they were recovered from physical dumps. So everything is very simple here. And manual carving with Oxygen Forensic SQLite Viewer – I hope again you have of course heard about SQLite files. They contain actually all the information, almost all the user information – again, messages and notes and calendar and application data. They are used by all popular mobile platforms – Android, iOS, BlackBerry 10, and Windows Phone – they all use SQLite databases.

So we have this SQLite Viewer; again, it’s inside the Analyst license, inside Oxygen Forensic Suite, it’s not separate. And it offers you, for example, to convert data from various formats, like Unicode and UNIX, and it offers you to create SQL queries, it enables you to switch the data and to generate a PDF or XLS report. So that’s how it looks – you can see that you can automatically convert the whole column, for example the Date column, to one of the formats. So iOS devices usually use the OS X Epoch Time format for timestamps. Android devices use UNIX Epoch time [milliseconds] and so on. So all this data can be exported, and you can search it and so on.

So this is kind of a manual search for deleted data, because you can see some data on a yellow background in this screenshot, with trash bin icons in the sort column – it means that these are deleted records; you can look for them manually if you need to validate. So manually, all the data is recovered from SQLite databases.

And of course geo data and locations – they are very important evidence. Usually, all forensic software extracts it from the same sources – applications; also photos and videos, the EXIF headers of photos and videos, because in all modern devices, photos and videos are usually made with information about timestamp and location; also, for example, geo information can be extracted from the Wi-Fi connection history.

So you extract coordinates, and then you can receive maps and addresses of the locations, and you can view this geo information, these coordinates, on Google Maps or OpenStreetMap online, if you have internet, and you can use Google Earth to show them offline, if you don’t have internet. Again, I want to explain applications in more detail – geo data and applications in more detail. So what geo information can be received from applications, in our software at least?

So of course shared locations – you can share your current location in WhatsApp, in Viber, even in iMessage, you can share it on Facebook, for example doing a Facebook check-in, or you can even share it in Facebook Messenger, and so on. So lots of applications nowadays allow you to tell your friends where you are. Also, you can extract location searches – for example, in Google Maps, in Apple Maps. Also, you can extract the information from travel applications, for example, from Booking.com, from Expedia, because when you search for a hotel, when you book a hotel, like on Booking.com, of course there is information about where this hotel is located, and we extract the coordinates, so you can see where the device owner wanted to go, where he or she booked a hotel, and so on. And also, lots of applications kind of register current user locations; in many cases people don’t even know about that. So for forensic experts, that’s very good.

For example, let’s take Evernote – Evernote is a cross-platform application, very popular; you can use it on your desktop, you can use it on a mobile device, so you can create notes, notes with pictures, notes with voice recordings, and so on. Quite a lot of functionality, it’s very popular. And when you create notes, they are created with locations, with your current location. So I don’t remember if you can disable it, but by default, the coordinates are inside the notes. So we extract them and you see them like this – note, timestamp, coordinates, and there will be of course a text field too.

And also, now it’s very popular to use sports, kind of health applications, like Endomondo, Runtastic, and RunKeeper, so you do sports somewhere, and in many cases people even boast – they post their sports results on Facebook, on Twitter. Why we support these applications – not because… well, forensic experts can be interested in health or in sports, [just victims or suspects do]. Just because these applications also store lots of coordinates, so as you can see on this small screenshot, there is a coordinates column, there is a timestamp column, and as you can see, the locations are recorded every several seconds. So actually, if you open our software and the timeline, for example, you will see a route, you will see the way the device owner moved and where he usually does sports activities, goes in for sports. So again, it’s quite good evidence. Sometimes, it’s useful to know where the device owner is, and so on. Maybe it was his last way, and so on.

So that is it, and in Oxygen you can build routes from coordinates. It looks like this; it was our test phone, travelling from exhibition to exhibition. So you can see all the coordinates in the left panel, you can choose the coordinates. For example, you can choose coordinates for… I don’t know, for one day, that were recorded within a particular period of time; you select them, and you see the device owner’s way visualized like this – this picture is actually a Google Map. It can be saved on your PC, it can be printed. You can see photos, like on this screenshot, or you can switch off this function, because sometimes it’s not useful at all. So that’s how you can visualize the device owner’s way. At the moment for one person; in future it can be done in this nice way for several device owners too, just to see common locations of [those] device owners.

So you extracted the data, you’ve viewed the data, and finally you need to analyze it using some analytical tools. You need to find connections between data, between contacts, you need to analyze data for a particular time, so we can offer you lots of analytical tools inside Oxygen Forensic Suite, like Timeline, Aggregated Contacts, Links and Stats, Social Graph, Key Evidence, and Global Search. Analytics can be done on one device or it can be done on several devices that are put in the same case.

So in brief, our oldest section, our Timeline, is five years old. It allows you to see all events of the device in one list. All events – I mean all application events, all messages, all calls, even photos with timestamps – so all this data can be viewed in one list in Timeline. It can be sorted by date; you can find a date, open it, and see what happened on this particular date – including deleted records of course, not only actual but deleted. It can be sorted by activity, most active days on top. Sometimes it’s useful to know, for example, [when] two people communicated the most, maybe they plotted something, so you sort two devices with activity on top, and see these active days on top for two people.

Also sorted by contact, if you need to see events for a particular contact only. Aggregated Contacts – if you need to… right now, as I told you, people use lots of applications. Sometimes we communicate with the same contacts one day on Facebook, another day on WhatsApp, then on Viber, then on Skype, then just send them a plain SMS message, with the same contact. And if you need to view all these contact lists in one section, to work with all the contact lists – it can be hundreds of contacts, as you realize – you can go to Aggregated Contacts, you will see this list, and we have also kind of simplified the job for you. We aggregate the contacts from different sources into one [meta] contact.

So on the screenshot, you can see Stephen Bremer. This is the contact that is aggregated, and in the Data Source column, you can see that the same contact, this Stephen, was found in the phonebook, in KakaoTalk, in Viber, and in WhatsApp. So in several applications, and the device owner communicated with this contact in several sources. Of course you can switch from section to section, but it will take lots of time. So you can see this meta contact in this section, and actually if you click on the contact name in the left sidebar, you will see the list of all communications. So you don’t need to go to any other section; the whole list of communications for these contacts will be here – again, meta contacts.

So that is it, and of course, links – so in all forensic software now, there are certain tools to find links between contacts or between device owners. So actually, we introduced this section again several years ago – Links and Stats. It allows you to see, to reveal the [closest] circle of communication for a specified device or devices. So on my screenshot it’s one device. The device owner is in the centre, and you can see the closest circle of communication in the first – in the first circle actually, there are only two circles in this diagram. And you can see that Barbara, this is the contact with 144 communications, in the small, orange circle. So it means that Alison Kelly, the device owner, communicated with this contact most of all, and again, if you click on the contact, you will see all the communications between the device owner and the contact.

So this is how you can reveal the closest circle of communication after you extract the data. Of course, this diagram can be saved – you can play with it, hiding contacts, displaying the number of contacts you wish, and so on, and exporting it even to PDF and other file formats.

And we also have Social Graph to visualize complex connections between device owners or inside application groups. So you can see actually two device owners here, Stephen Bremer and Alison Kelly, and some contacts are in the center, grayed out. They are considered to be common contacts that are found in both devices – so both device owners knew these people, and we show them in the center. And also, here you can see application icons, at least WhatsApp and Viber icons, so we show you group communications here, because nowadays, even in groups with my friends. So it’s quite popular to create groups in applications and communicate, and three, four… even adding more people. So we show them these groups here, on Social Graph.

And again, if you click on the group icon on the Social Graph, you will see all participants, and you will see what they actually communicated, and what they… they could call each other, they can chat, so all this information will be inside these application groups. And this Social Graph can be customized, you can set a period of time, you can set from what data sources, from what applications [to your] data. It can be saved as picture, it can be… you can set how many contacts you wish to view here, and many, many other things can be done with this Social Graph.

And the last thing – Search and Watch Lists. So sometimes, you don’t have much time, and you connect the device, and you need to extract the data and to see certain results after extraction. So all you need to do, for example, is to find certain keywords. It can be, for example, some drug names, guns, maybe suspicious phone numbers, names, and so on. But you don’t have time to look through all the data, you need to find something particular. So in our Oxygen Forensic Extractor, after you connect the device, you can create keywords lists, like in my screenshot, my first screenshot.

So I created several keyword lists. They are marked with different colors. So you can select – in my case, I selected some words connected with immigration and some words that I knew that I would find. So I created this keyword list, I started extraction, and once the data is extracted, you press ‘Finish’, and the section Watch Lists is opened, like on the second screenshot, and you see all the results. So it really saves you time, and as you can see, the search results are highlighted, and data is found in all this… actually, the program searches data in all the sections. Again, it’s not on the basic sections, but like on my screenshot, you can see it’s Viber, it’s WhatsApp, it’s Booking.com application, it’s Calendar, and it’s also, remember, the [Milk] application, where you can create tasks and notes too.

So that’s how it works, and of course we have a separate search section, and again, if you need to find only particular words, particular phone numbers, or even credit card number probably, a MAC address, hash in files, or you need to use regular expressions, of course you can go to Search and find required evidence using our search engine. So it’s also possible.

So I think this is all for my presentation. Again, I tried to speak about data analysis, especially [paying attention] to applications and to geo data. And now, if you have… yes, I see [laughs] lots of questions. I will try to [answer them in order], so I left some time.

Can I capture and interpret accelerometer data as well? Well, I am not sure about it. It’s the first question like this. I will put it down, but at the moment I think no. But I am putting it down. I think we don’t support it.

Does [collections and MTK chipset] depend on the brand of the device? No, brands can be different. So if you… we support all MTK chipset phones. So it means that if it has MTK chipset inside, it will be connected and extracted. Because, for example, it can be based on the Android, as you know; it can be just a feature phone, based on MTK; so they all will be extracted. And for MTK Android, we even have a special mode – if you have our software, you can try, there is a special mode. You switch over the device. So it’s switched off, you can [act] and physical dump is extracted. So the device is turned off. It’s very good, because you can bypass password. And you will extract any device in switched-off mode if it’s MTK Android device. So I hope I answered your question.

Can Oxygen read [Lantern] databases? No, it does not read, and we can actually import only [XRY] and [UFED] images. Actually, from time to time we have such questions – can we import some other images of forensic software? And we even tried to contact forensic software developers – I won’t name companies – but they said that they don’t wish it. So we tried to cooperate, but they said that they didn’t want it. I think it’s quite clear. They don’t want to [copyright], so only [UFED] and [XRY] at the moment.

How is iCloud backup able to import? Would you need the user’s Apple ID and password? Yes, at the moment, you need the Apple ID and password. But as I told you, sometimes you can see it in Passwords section in our software. It depends – sometimes you can see it, if you extract, for example, iOS device, then you can use these credentials to additionally extract data from iCloud. But at the moment, yes, you need to have credentials.

Can I run Oxygen on the [Amazon] environment? No, it runs only on Windows, and you can also run it on a virtual machine if you have Mac OS. But only in virtual machines, like… well, I think the most popular are supported, not this one.

I can export Google Map data to [KMS] format to Google Earth? Yes. So I told you a bit later that yes, Google Earth is supported, and automatically, by pressing one button, you can import to Google Earth, and this Google Earth will be opened for you with all the coordinates.

Is there any way to determine if a photo was shared? When a photo is shared, will the iPhone store a record of this in any particular database or is it application-specific? Well, if… I think in applications, for example, in messengers – let’s take WhatsApp. It’s quite easy to determine if it was shared because there is a direction in the message, there is a direction, like incoming and message – it means that somebody shared with you. If outgoing direction and image, it means that you shared image with somebody. So it’s quite easy. In applications, at least in our case, I think it’s quite easy to determine. If you go to File Browser, we have this section with all the pictures. Then there will be a link. If you select a picture, there will be a link to the picture in the database, on the left sidebar. Again, it will show you from where the picture is taken. So if you are interested in particular about it, I can send you maybe some screenshots – so if you contact me. But actually, sometimes it’s really possible to see at least from what application this picture is taken, and then you will go to Application, and you will see the direction. So you will understand if it was shared or not.

What about LastPass app? No, we don’t support it, and actually it’s the first time I hear about it, I put it down. So I will ask our developers. Actually, it’s not so difficult – I think it’s a week to add support for applications. And actually, in our software, in Applications section, there is a kind of option to send requests. So if you have our software and the application is not supported, you press the button and support ticket is created, and usually we all the time try to add support for applications if it’s a customer request. I will check this application.

Also, what actions could potentially cause all photos to have the same last accessed date/time? Would sharing of photos [indecipherable]? I’m not sure about last access, but last modified, it’s quite easy. It’s when, for example, probably you synchronize with iTunes or synchronize with iCloud. Maybe timestamps… at least, for example, when you synchronize contacts with iTunes, all the contacts will have the same last modified date – it will be the date when they were synchronized. So maybe it’s the same with pictures. So again, you need to check it.

JTAG Android [indecipherable] version, do you recommend any JTAG device? Well, I can’t recommend anything, but yes, I heard about [RIFF Box]. Actually, all JTAG images are supported, as far as I know, so if you create a JTAG image from Android, it must be imported into our software. I don’t remember about any restrictions and any limitations.

Snapchat, Telegram [auto-destruction can recover]? Actually, how we recover data from applications and how all people do it – they recover data from SQLite databases, including Snapchat and Telegram, so if the information is deleted but this information is still in SQLite databases, we can recover. That’s how it works, and not only in our software. If it’s deleted forever, it can be like this, then you can’t recover. So it depends. Again, you can take the same two iPhones – on one iPhone you will recover, on another iPhone with the same iOS version you won’t. And with the same software. It highly depends. But mainly, it’s from SQLite databases.

What can you obtain from a device [via application]? I’m not sure about the question. If you mean if the device was reset to default settings, [yes, so-called,] then it really wipes all the data, especially if we talk about iOS devices. So with Androids, maybe you read this news, that not all the data is deleted. So we can recover something.

Geo data – what about [feedbit]? Can I filter by geo region, so Oxygen will know what IP addresses are in a specific city? Well, an interesting question. At the moment, I think we don’t offer this functionality, because for example, well, we have geo coordinates, and we can receive addresses from them if you have internet. If you sort, probably by addresses, at least you will see the regions, the countries. As for IP addresses, we extract them only from a particular database, but it’s hidden. From the latest iOS devices, for example, it’s not available anymore, so I’m not sure about IP addresses, they are not extracted. And as for region, again, I will put down this idea. At the moment, I think no. So you can receive addresses, you can see the places, but how to filter, I’m not sure. And as for [feedbit], again, I’m putting down actually… as far as I know, [they’ll be] [indecipherable] with your question, so I will work with them and with our developers later.

People are using spoofing software to make a fake caller ID, a [indecipherable] on the recipient’s device. Does Oxygen help [to work] with this? Again, it’s a very interesting question. I think I’m not ready to answer it. Again, I will put it down and we will check. Because as far as I know, we never heard… we heard about it, but we never thought about it. So fake caller ID – again, we will try to look deeper in it. So at the moment, I think no is my answer.

Does phone access to a social media account like Facebook, uploading photos, sending messages, if done on the cellular network, not Wi-Fi, leave any evidence, artifacts on the phone and Facebook servers? You know, actually, I will maybe disappoint you here, as for Facebook. For example, from iOS devices, not much data is extracted. You need to take iOS jailbroken device to extract Facebook, or, with Androids it’s easier, you can extract just quite a common data sets. It will be account, it will be messages, and it will be contacts. Yes, and that’s all. And as for your question, I think there’ll be no more data. So if you’re lucky, you will get just this very common data set – contacts, accounts, and messages. So there’ll be no additional data, no matter what was used, because this data is not in databases again. So it’s not in SQLite databases, you’ll be lucky if you extract at least contacts and messages and accounts. So nothing like this, and Facebook is quite secure. So you can see that actually not much data is stored in databases. So you won’t extract more. I think in the nearest future, we will add probably extraction… kind of remote extraction from Facebook, cloud extraction from Facebook, maybe there will be more data. But I can’t tell you at the moment. So for mobile devices, not much data.

Can you share this presentation please? Yes. If you contact me, because there are lots of emails. If you contact me, and actually the contact information for all of you is on this screen right now. It’s my slide, so there is the email address, it’s my email address, you can contact me for any information. There is the address, the site address, and there is a phone number. But better contact me by email, and I will send you the presentation. Of course.

Some other questions, just a second. I’m lost somewhere.

How about data from WeChat application? Yes, we support WeChat from Android and iOS, and I’m not sure about the latest versions. So what is bad about applications – so each new version is released, sometimes we need to update application support fully. So it means that we support – till what version, I don’t remember. Actually, in our Oxygen Forensic Suite, there is a menu, help menu with the information about what versions of what applications we support. But we support, yeah.

At the very beginning of the presentation, you mentioned Nuix when you were speaking. How will that work? Yes, we support Nuix. So you export all the data, even deleted data, to XML file format. So it’s XML, and then you can import this XML – so no matter what’s inside, it can be pictures… [it cannot be pictures, no.] It can be deleted records and actual records. You import this XML to Nuix, and analytics tools, and you see the data in Nuix. So we are kind of compatible, yeah, that’s what I meant. So we have this partnership. So it’s an XML file; you export the XML from Oxygen, and then you import XML to Nuix.

Are cell phone dumps the same as extractions? Can you explain the process for cell tower dumps? Well, phone dumps… well, in some cases, they are even better than extractions, as I told you, because, for example, if you take Android, for example… actually, maybe it’s the same, because you can, for example, create physical dump in our software from Android. So people consider it to be the best choice to create physical dumps, you have the whole file system, and all applications and deleted records. It’s okay. And you can import some Android dumps from other software, or JTAG dump.

So actually, I believe the amount of data will be more or less the same, but if you take Windows Phone, for example – so it’s quite secure, and if you extract the data from live Windows Phone, connecting via cable, you won’t get much data. You will get just basic data, like only some sections. But if you create a JTAG image of Windows Phone… and JTAG courses are everywhere nowadays, all the people are speaking about JTAG. If you create this JTAG image of Windows Phone and import in our software, you will get much more data. So we’ll get all the data, including applications and including deleted records, deleted files and videos and images. So it’s better for Windows Phone to have a dump than to run this live data extraction. So the same for example with BlackBerry. We support BlackBerry Chip-off, it’s much more complicated than simple JTAG. But Chip-off allows you to get access to deleted data, to more deleted data, to applications, so it will be better. So it highly depends. But it can be a kind of additional source of information, to import dumps.

If a person using an iPhone 6 deletes an application such as Kik, will there be traces of deletion of the application in Kik and Timeline? First of all, we support Kik – so if it’s installed, Kik Messenger is fully supported. If it’s uninstalled… in previous versions of Oxygen, not for all applications, but there was a record of these applications in Applications section. But this application had no identifier, no icon. So you can see traces, but I’m not sure that all the time again. It depends. Because as I told you, almost all information from iOS, Android, this information is in SQLite, and we can’t… sometimes in [indecipherable] files, but in many cases in SQLite, and we can’t guarantee what can be inside. It highly depends. So can’t tell you – no yes, no no.

Will Oxygen Forensic report include cell tower [info]? Well, actually, I’m not sure from which database you can extract cell towers. I know one database, I think many of you heard about – [consolidated.db], there was a scandal several years ago with the Apple company. Actually, it was renamed after the scandal – now it’s called [encrypteda.db]; previously it was [consolidated.db]. So in this file, there was information about cell towers. Actually, it was a very good file; still it’s on the phone. But you can take it only from jailbroken devices. If you speak about iOS. So it’s renamed to [encrypted.db], you can see all the cell towers that the phone saw around it, so it’s a kind of history of all cell towers to which the phone was connected. It’s very good database, but it’s from only jailbroken devices.

If we take Android, these databases, they were also removed from, I believe, Android version 4.0 already, so… actually, developers care, sometimes, about user security, so I think this was the only place… at least I don’t remember the other one, where you can see the cell towers. And not so many chances to see them now.

Is Oxygen generating hash values for [pics] and files? Yes, so actually for every entry in Oxygen Forensic Suite – for files, for pictures, for contacts, for every data, there is a hash column. You can choose before data extraction, you can choose hash algorithms, so by default, it is [HA2]; it can be MD5, it can be some others. So we support up to five, so every file, every picture, the hash is calculated of course.

[inaudible] [hash value dictionary] [inaudible]? Yes. So of course you will see hash, for sure.

Do you require a password in order to perform cloud extractions or you provide a bypass? Yes, at the moment, you need to know password to access cloud data. But we are searching, and I believe in one of the next versions, we will offer you some solutions how to bypass. So just because we released this Oxygen Forensic extractor for clouds in December, and there were kind of doubtful reviews – it was not accepted, people said that it couldn’t be used as evidence, we don’t need it. But at the moment, more and more people speak, and more and more people are interested in the cloud forensics, and of course we will continue. So at the moment, you need to know passwords, but again, I told you that you can find some passwords from extracted device. So in future, I think we will offer you something more interesting.

If the [anti-forensic] erase all information, can Oxygen recover the data? No, as I told you, if you erase all the data, for example, on iOS, and we checked it, if you delete all this data with some… it can be a remote wipe. The data is really wiped, yes. So all the databases and SQLite databases, they are really cleaned. Maybe you read this news about Android, that even some… all these wipe applications and all these wipe functions, sometimes they don’t work on Android, and you can find some artifacts on Android. So for iOS, it’s really clean. So we can’t recover it.

Is there [a skin tone] filter for graphics? I think no, but we are working on it, yes. So to make our software more user friendly in this way – so at the moment, I think the answer is no.

What about cost? [laughs] Well, I can’t announce any prices here, because … so many people I hear. But if you go to our site, oxygen-forensic.com and if you ask for a quote, or you can ask me for a quote in the email, of course I will announce the price. But actually, it’s quite affordable, and what is good, all these functions that I enumerated and I showed, all our analytical features, like Timeline and Links and Stats, and this cloud extractor and call data records, all these features, they are available with the basic license. It’s Oxygen Forensic Suite Analyst. So if you ask for a quote for Analyst license, so it includes all the functionality, it’s not separate utilities. It’s all in one. And you can ask for a price from me in the email or from our support team on the site. Or you can call – maybe it’s really better. If you are in the United States, you can use this phone number.

And again, you receive a license for one year, with lots of updates. And after one year, it works – it’s not limited. You don’t receive updates if you don’t renew. You don’t receive updates, but you connect phones, you extract data. Only the phones that are on the market after… the new phones, they won’t be connected of course. But all the phones that are before expiration date, that are supported before expiration date – so at the moment, it’s 10,000 devices. You will connect, you will extract the data, it’s not limited.

There is Oxygen user dongle? Yes, of course. There are two types of licenses. First is internet-based. It means that you activate license via internet. So you activate, and then you can work offline of course. And there is a dongle, yes, USB dongle. You insert it into the machine, and you work with it, any machine you wish. For example, you can install on several machines, you use one USB dongle. It’s for one user. And also, there is a network dongle of course, for five, 10, 20, and 50 connections, concurrent connections. Of course, this license will be a bit more expensive. But if you are a big company, you can use network dongle that is inserted on your server, and so from five to 50 concurrent connections, you can enjoy them. But basic license, it can be internet-based or USB dongle-based.

And also, we have [rugged] kits. So it’s a case, it’s a [rugged] case, it’s a [rugged] tablet PC, with Analyst inside, already installed. Another copy – there are two copies of Analyst licenses, another copy on DVD disk for you, to be installed on the PC. So inside these case also there is cable set, with all the cables, and some instructions, and… I think this is all. So there is a kind of hardware for you to work in the field of course. The information is on our site.

Yes, dongle works with virtual machine. This is also now [a site].

You have special discount for law enforcement to renew license? Well, actually, license is renewed… it’s 40% of the price. So you pay really less for license renewal, and for people in the United States, we are registered for [JC] programs, so you can contact our support, and there will be discounts, but only for the USA government and military. Again, the information is on our site. For other people, outside the United States, usually no discounts on license, because it’s not quite expensive. But we can negotiate – again, if you contact us… it depends on many factors. But renewal is actually 40% from the main price, so you can calculate, it’s not much. It’s less than 50%.

What is the difference between dongle and internet license [key type]? Internet license is a bit cheaper, it’s for actually two… for desktop and laptop. So you can install it twice, for example on two PCs. You install it, and you need to activate, send in your hardware ID to our server. That’s why it’s internet – you need to have internet to send this information to register your PC, because you can use only two computers. So you receive updated key code, and then you don’t use internet. So the internet is used only for activation. Just for us to activate two computers.

And then, as for dongle, you don’t need to have internet. We ship the dongle via some DHL or FedEx service to you, and you install the software. The key code is inside the dongle, you insert the dongle, and you work. It’s offline, no registration. Actually, even unlimited number of computers, because you can install on some computers, use one USB dongle, so no internet connection.

Yes, of course you can move. The internet license is for two computers. But if you, for example, update your hardware or update your computer, you can contact us, and of course we understand it, and we give you one more slot for registration. But actually, it’s limited for two, but you can contact our support team and we will give you one more slot of course, if it’s not like 100. [laughs] Then yes.

If I have standard license, is there a discounted price to upgrade? If you have free standard license because… actually, all people can contact our support, and they will receive free standard license. It’s quite limited, yeah. I mean, you can extract basic data with it, but you won’t extract applications, you won’t have these analytic tools. If you have free standard, you can’t upgrade, because it’s free. So you need to purchase Analyst. If you, for certain reasons, purchased standard license some time ago, of course you can upgrade – so you pay the difference. You pay the price difference, and you upgrade to Analyst. I think it’s quite simple. If it’s free, yeah, well…

Actually, there is one way – if you have a free standard license, you can subscribe to our webinars. Certification webinars, the information is on our site, in the Webinar section. So you get, as a result of these webinars, you get lifetime standard, you get 20% discount on Analyst, and you become a certified user. You get a certificate. So if you want to have some training, and have discounts, to order Analyst and to have lifetime standard, you can take our webinars.

Can I buy someone else’s expired [indecipherable] licenses of… well, we don’t have this practice to buy… well, I’m not sure, because all the licenses, they are registered for a particular person, and particular email address. So at the moment, it’s not possible. And by the way, just all people who are here, who attended this webinar, actually if you contact our support, we can give you a demo license. It will be a full Analyst license for several weeks, or maybe for a month as well, it depends. It will be a full Analyst demo license, to try to use it. Again, you can contact us, and then you can make a decision and we can negotiate every particular case. So expired licenses, [laughs] you can’t buy them I think.

I have a business in my country. Can I have support from Oxygen? Yes, of course. Contact our support, and ask the questions you wish. Yes. So it depends on what support you are asking. Yeah, of course we can discuss it.

Yes, what type of support you can contact… I think me or just general, our support team, yeah. So it will be… I don’t know – if you have business, and if you, for example, train law enforcement, we can give you, for example, an educational license, to train. So it depends on what support you wish. We can give you brochures… I don’t know. Any other support.

So I think I managed to answer all the questions. I tried to be attentive. So any other questions… again, for presentations, contact me directly. And for any other questions, feel free to contact me directly.

Well, it’s written on this slide, you should see it. Just a second – yes, you see it on the slide. This is my address, yeah. So you can put it down.

So if no other questions, then thank you for your comments. Thank you for your [indecipherable], and thank you for coming here and for the interest in our software. Again, ask for [demo]. Ask for the [demo] on our site… not on our site, but you need to leave a ticket, because it’s not available for download. It’s hidden, so contact our support for [demo] if you wish, and I wish you a nice day. And thank you. Thank you once again. Bye-bye.

End of Transcript
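The analytic views described in the presentation (the cross-application Timeline with deleted records kept in the list, sorting by most active day, Aggregated Contacts merged into one meta contact, the closest-circle counts of Links and Stats, and keyword Watch Lists highlighted across every source) are, underneath the product UI, a few joins and counters over extracted records. The following is an added example written for this page, not Oxygen's code: all events, identifiers and the phonebook mapping are constructed sample data, and a real tool would match contacts on phone numbers, e-mail addresses and names rather than on the hand-written IDENTITIES table assumed here.

```python
"""Added example (not Oxygen Forensics' code): the analytics the webinar
describes, reimplemented over constructed sample data."""
from collections import Counter, defaultdict
from datetime import datetime
import re

# Constructed sample records:
# (source app, timestamp, direction, counterpart identifier, text, deleted?)
# The same person appears under different identifiers in different apps.
EVENTS = [
    ("SMS",      "2015-03-01 09:12", "out", "+15550001", "see you at the market",          False),
    ("WhatsApp", "2015-03-01 10:40", "in",  "+15550001", "running late",                   False),
    ("Viber",    "2015-03-01 11:05", "in",  "barbara.v", "call me",                        True),
    ("Skype",    "2015-03-02 18:30", "out", "barbara_s", "did you get the tickets",        False),
    ("WhatsApp", "2015-03-02 18:45", "in",  "+15550001", "yes booked via Booking.com",     False),
    ("SMS",      "2015-03-03 07:00", "in",  "+15550002", "meeting moved to 3",             False),
    ("Calendar", "2015-03-03 15:00", "",    "",          "Immigration office appointment", False),
]

# Constructed (assumed) mapping of per-app identifiers to one display name;
# a real tool derives this by matching numbers, addresses and names.
IDENTITIES = {
    "+15550001": "Barbara", "barbara.v": "Barbara", "barbara_s": "Barbara",
    "+15550002": "Stephen",
}


def timeline(events=EVENTS, include_deleted=True):
    """Merge every source into one list ordered by time (the Timeline view)."""
    rows = [e for e in events if include_deleted or not e[5]]
    return sorted(rows, key=lambda e: datetime.strptime(e[1], "%Y-%m-%d %H:%M"))


def most_active_days(events=EVENTS):
    """Days ordered by number of events, busiest first (Timeline by activity)."""
    return Counter(e[1][:10] for e in events).most_common()


def aggregated_contacts(events=EVENTS, identities=IDENTITIES):
    """Collapse per-app identifiers into one meta contact with its data sources."""
    sources = defaultdict(set)
    for app, _, _, who, _, _ in events:
        if who:
            sources[identities.get(who, who)].add(app)
    return {name: sorted(apps) for name, apps in sources.items()}


def closest_circle(events=EVENTS, identities=IDENTITIES):
    """Communications per meta contact, highest first (Links and Stats)."""
    counts = Counter(identities.get(e[3], e[3]) for e in events if e[3])
    return counts.most_common()


def watch_list(events=EVENTS, keywords=("immigration", "booking")):
    """Keyword hits across all sources, match bracketed for display (Watch Lists)."""
    pattern = re.compile("|".join(map(re.escape, keywords)), re.IGNORECASE)
    hits = []
    for app, ts, _, _, text, deleted in events:
        if pattern.search(text):
            hits.append((app, ts, pattern.sub(lambda m: f"[{m.group(0)}]", text), deleted))
    return hits


if __name__ == "__main__":
    for e in timeline():
        print(("DELETED " if e[5] else "        ") + " ".join(e[:5]))
    print(most_active_days())
    print(aggregated_contacts())
    print(closest_circle())
    print(watch_list())
```

Deleted records are kept in the merged list and flagged rather than dropped, which is the behaviour the presentation stresses for Timeline; the watch-list search runs over every source, so the Calendar and WhatsApp hits surface together even though they live in different databases on the device.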
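Several answers in the Q&A (Snapchat and Telegram, the uninstalled Kik question, the wipe question) come back to the same point: deleted application data is recovered from the SQLite databases the apps keep, and whether anything is recoverable depends on whether the freed space inside the database file was overwritten. The following added example, written for this page and not part of the webinar or of Oxygen's software, shows that mechanism on a throwaway database standing in for a messenger's message store: the table, the message texts and the file path are constructed, and it assumes the Python standard library's sqlite3 module.

```python
"""Added example (not Oxygen Forensics' code): why a deleted chat row often
survives inside an application's SQLite file, and what removes it."""
import os
import sqlite3
import tempfile

DELETED_TEXT = "see you at the cafe at nine"   # constructed message text
KEPT_TEXT = "happy birthday"                   # constructed message text


def make_db(path):
    """Create a minimal messages table with two rows, then delete one of them."""
    con = sqlite3.connect(path)
    # secure_delete=OFF is SQLite's usual default: freed cell space is left
    # in the page as a freeblock instead of being overwritten with zeros.
    con.execute("PRAGMA secure_delete=OFF")
    con.execute("CREATE TABLE messages(id INTEGER PRIMARY KEY, body TEXT)")
    con.execute("INSERT INTO messages(body) VALUES (?)", (KEPT_TEXT,))
    con.execute("INSERT INTO messages(body) VALUES (?)", (DELETED_TEXT,))
    con.commit()
    # A targeted DELETE frees the cell but does not touch its bytes.
    con.execute("DELETE FROM messages WHERE body = ?", (DELETED_TEXT,))
    con.commit()
    con.close()


def query_live(path):
    """What the app (and any logical export through the SQL API) sees."""
    con = sqlite3.connect(path)
    rows = [r[0] for r in con.execute("SELECT body FROM messages ORDER BY id")]
    con.close()
    return rows


def carve(path, needle):
    """Byte-level search of the raw file, independent of the SQLite API."""
    with open(path, "rb") as f:
        return needle.encode("utf-8") in f.read()


def vacuum(path):
    """VACUUM rewrites the file from live rows only, discarding free space."""
    con = sqlite3.connect(path)
    con.execute("VACUUM")
    con.close()


def demo():
    """Return (live rows, text carved before VACUUM, text carved after VACUUM)."""
    fd, path = tempfile.mkstemp(suffix=".db")
    os.close(fd)
    try:
        make_db(path)
        live = query_live(path)
        found_before = carve(path, DELETED_TEXT)
        vacuum(path)
        found_after = carve(path, DELETED_TEXT)
        return live, found_before, found_after
    finally:
        os.remove(path)


if __name__ == "__main__":
    live, before, after = demo()
    print("live rows:", live)
    print("deleted text carved before VACUUM:", before)
    print("deleted text carved after VACUUM: ", after)
```

The SQL query never returns the deleted row, yet the raw file still contains it until something rewrites the page: a VACUUM, secure_delete being enabled, or a later insert that reuses the space. That is why the presenter's answer is "it depends" even for two phones on the same OS version, and why a full wipe, which rebuilds or discards the files themselves, leaves nothing to carve.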
