Deep Diving for Forensic Gold – Applications and Deleted Data

Presenter: Lee Reiber, COO at Oxygen Forensics

Join the forum discussion here.
View the webinar on YouTube here.
Read a full transcript of the webinar here.
Lee Reiber: …[golds] here at Oxygen Forensics. And there are still a few people still showing up, but I know those who have been waiting actually have shown up on time. We will just begin, so… this will be recorded, hopefully, so that if you guys have to leave or some people that were not able to attend, you’ll be able to view it at a later date. So hopefully everything is going well [with you]. I’m just going to fire this back up. So hopefully you guys can see this screen.

What I would also ask you guys to do as well is if you can, I’m going to make sure that I make the opportunity for people to ask questions. And there’s a little question box that you might have. I will keep it muted during the session, just because with this many people there’s quite enough. If you want to ask a question or… I know that there are some people raising their hands. If you can, just put it into the question box, and I’ll try to get to those, say, in the last ten minutes hopefully, or five minutes, I’ll have time to go through some of the questions as they… not necessarily as they come in, but towards the end of the broadcast. So if you can, please try and make sure that you have the information, write it straightaway into the question box as you think of it. And then I’ll make sure that I get to it.

So if I could have just someone on there, hopefully… it shows that my audio is good. So I’m trusting, obviously, the technology, that audio is good. So like I said, I will make sure that I will have the question box open, so that if you guys do have questions, like I said, I’ll jump to that towards the end of it, because again, I’m sure that you guys will have questions, and with the large number that we have in this presentation, I can’t stop as we’re going through there. I’m only given an hour. And if you guys have seen me speak before, an hour is kind of difficult for me sometimes to keep up with.

So we’ll go through, obviously, some slides, but then we’ll get into the product as well, show you some of the features that I really like, really diving into that data. So again, this is Deep Diving for Forensic Gold, and I’m Lee Reiber, I’m the COO at Oxygen Forensics, Inc. And like I said, we’ll make sure that if there are some questions, I will get to as many as I can at the end of the presentation. So as we’re going through this again, just throw it into the question box.

Get The Latest DFIR News

Join the Forensic Focus newsletter for the best DFIR articles in your inbox every month.

Unsubscribe any time. We respect your privacy - read our privacy policy.

So just a little bit about… if we have… with the company itself. Oxygen, it was formed in 2000. In 2013 [obviously the] US company Oxygen Forensics, Inc. is opened in Alexandria, Virginia. The best part about it – we have users across the globe, and everywhere that I go in and either speak, across the world, people are utilizing Oxygen Forensics products for their mobile forensic needs, and it is quite wonderful. But again, they’re all over the world, as I’m sure that are represented within this webinar. A lot of people always speak well… is it utilized, who’s using it, primarily, and [it’s people] in the US government, almost every branch in the US government as well as, we call it, as the Computer Analysis Response Team or CART certified, being used in the most sensitive cases that we have, at least in the US. So it’s used, again, by a majority of law enforcements throughout the world, but now we’re finding it especially in discovery needs, in a lot of the large corporations across the world as well.

Because as you guys all know that mobile devices are really… they’re not going anywhere, right? They’re utilized in not only crimes, but our personal lives, and in the corporate side, in the corporate world, especially when we start talking about e-discovery needs, it’s also involved there as well. So we’re seeing in about everything that you have a zero and a one from a mobile device, Oxygen Forensics, our tools are being utilized. So it’s quite nice.

So when I talk about… especially [when we get to] [unclear] the support that we have, it’s always a numbers game that you’re playing. So as the slide comes up, we have 13,000-plus mobile devices via live acquisition, and I make that, just as a term that we say, that we support that. But honestly, it’s way more than that, because if you guys know that there’s over 13,000 Android devices anyway, being that I can pretty much have it on ATC [unclear], LG, Samsung – well, not a lot of people are with the Samsungs now, just because of the news – but obviously, there are many, many Android devices. And like I said, they estimate at over 13,000. Oxygen Forensics supports those devices anyway, even if we do not have the profile that is built in. Because obviously, it’s based on with the operating system.

What’s so nice, especially about the support in our products is the ability to actually import images from other tools. If you’re utilizing other mobile forensics tools, whether it be MSAB, Cellebrite, and other tools, you’re able to actually import their images, which allows you to uncover additional information that either hasn’t been built into that tool or just that because we have that robust support for those different types of files. So again, like you guys all know, unfortunately, it comes to a multiple-tool situation, because there’s really not a tool that’s going to be supporting 100% of the mobile devices out there. There’s just too many of them, there’s too many protocols, there’s too many profiles to actually support everything out there.

But again, the capability of actually bringing in images, that kind of takes the device out of it, and it just comes down to a file system, which, obviously our tools do a fantastic job, and then I will show you, a lot of the information contained within the file system.

We talk about the support for physical acquisitions of Android devices, which is… with each release becomes better. When we start talking about temporary roots or shell rooting with the device itself, obtaining that user data partition, we have that ability with those devices. Also built in is with the password bypass, meaning that if there is a password gesture biometrics on, say, an Android, allowing to bypass that and achieve a full physical on those devices. So again, it’s a cat-and-mouse game really when we start talking about mobile devices and Android side, and being able to utilize this type of technology. But again, our products continue to innovate and bring to the user the ability on the most common devices that are seen, especially into the Samsung side, LG side as well. With the most current Galaxy versions of Samsung being supported if it is indeed still locked and you do not have the ability for ADB. We can still achieve a physical collection on those devices.

And also, I call about invasive images. Invasive images – that’s the term that I utilize for, say, a physical collection when destruction or the device could be compromised. And by compromised I mean either if you’re using JTAG and ISP or CHIPOFF, you know, there is… because either you’re removing the back of the phone or you’re actually removing the [unclear], that becomes an issue, because you’re not going to be able to put, especially on the CHIPOFF side, the device back together. But knowing that, and knowing that especially unlocked bootloaders on devices that we need to support via JTAG, ISP, that type of rout, being able to now bring those images into Oxygen Forensic Detective and allow the examiner, the expert to parse and decode that information is enormous. Because all is lost, you would think, if the device is either locked and the state of the bootloader is locked, there’s no tool out there that is able to actually bypass that via, say, a USB connection recovery download mode. But utilizing those methods, we see that, obviously, as a need to be able to decode and parse those images. So we support that with both Android, some BB10 device, as well as Windows Phone 8. You can bring those images in, and allow the user to now uncover that digital gold that is contained within that file system and that structure that we wind up rebuilding.

Now, if we look at really the big thing that a lot of people are talking about – and we’ll talk about this more within this talk – is going to be with our cloud extractions. Because you have to have that, and understanding in today’s environment, especially on the mobile devices, applications that are in the device, either… if I just have a standard, we would call it a file system logical extraction or ADB backup or, say, iTunes extraction, where the databases just are not available to you unless you have, say, root on the device, on an Android device, or able to receive a physical… obtaining those database files can be difficult. But now, looking at, say the additional storage locations that mobile devices are using, along with… on the cloud, bringing that into a tool like Oxygen Forensic Detective that’s now addition that additional support for the expert is tremendous. Because again, like I said, the data, if it’s stored, say, off the device, you still have that ability to uncover that information.

So again, I think that that’s, especially with… in Oxygen is the innovation, the responding to the needs, and really providing solutions to the problems that are there today is really one of the benefits, and that’s what we will talk about as we move in to this presentation.

Now, let’s talk about some of the apps, and really, about app support, because that’s where we really need to understand… because you guys all know that… just think about your communication, your communication trends. Everyone is utilizing third-party mobile applications to communicate today. No longer are we simply using just email or SMS and MMS. It really comes down to the third-party apps. And that’s not just for us as everyday users, but that comes down to those people that we might be investigating, those people that, in the law enforcement side, those groups that are forming coups, those groups that are forming terrorist attacks. We really have to think about those applications. So we look at the support that we have that’s built in, with over 2,000 supported applications, 2000-plus really, supported applications on there. And then when we start talking about over 300 unique apps, it really becomes a game, right? When we start talking about 2000-plus, that just has to do obviously with version numbers of different apps… but when we talk about unique apps, that’s a very important number. Because that’s the actual app that is supported. Now, as we get and progress during the presentation, it’s just a drop in the bucket, but to be able to go in and have over 300 applications or unique apps that are supported to help in the processing of that third-party information and communication is tremendous.

Not only is that displaying the data, the logical data within, say, SQLite database, a json-string xml, however its formatted for that app, now it’s recovering the information, if they deleted data, say, from the free page area of the main database, from the [right-ahead] log. Bringing that information in and presenting that to you automated, again, is extremely important. But as we progress, again, in this, we’ll talk about really… these are produced by man, and with the support of the apps, but really, quite honestly, in today’s mobile forensic investigations, there needs to be more. There needs to be more involvement by actually the experts.

Though what’s great is the automated date and time interpretation, when we start talking about, say, Android devices when they’re represented by milliseconds, microseconds, UNIX time. Say, Chrome, which is just… if you have a Java time. You have all of these different types and formats, and we’re talking about Mac or OS10 or just the standard UNIX. There’s a lot of different representations of dates and times, really. Remember the epoch, right? Seconds [unclear]. So that you have this information. But hey, I remember always having to try to automate that, build an Excel spreadsheet and trying to say seconds and trying to figure out exactly, going from the date that I know, and reversing that down to seconds, and trying to figure out exactly what the epoch.

I mean, going back to the MFI days, when we were doing… we’d call it a GPS, all the different… GPS time that you would have. BlackBerry would have its own time. So really breaking that down was a lot of work. Obviously, building a tool not only with the app support, because as an app developer, I can decide what I’m going to utilize within my app, of how I’m going to keep time. And when those really come up, it does take a lot of work. But now, having a robust tool, Oxygen Forensic Detective, allows us to go and interpret those dates and times.

But now it really comes down to… especially the tools that are out there now. Or excuse me, the apps – they’re utilizing encryption. We start talking about WhatsApp, we start talking about SnapChat, we have all of these different types of apps. We have three… there are so many out there that they want to encrypt that data. Again, for personal protection of the user and the user data, either it’s point to point, or it’s stored within a SQLite database in an encrypted state. Really coming down to solving that problem, I think, is what brings innovation to the Oxygen tools, and uncovering that information, and presenting that to the expert is quite amazing. Because it’s not only just going and presenting the information, but it’s actually decrypting that data, decoding that information, and presenting it to the expert. It’s quite amazing.

But again, we’ll see more and more of these third-party apps that are going to be encrypting the data. And when they start encrypting the data, again, it makes it more difficult for, say, the mobile forensic tool to uncover that. Because again, that is some R&D, but that’s I think the strongest point that I can make, especially for the company.

Now, if we look as well… again, we support a lot of unique apps. As we talked about the number of apps that are out there, that becomes an issue. So again, building into the tool, the ability to give you, the expert, the availability to review that information, to see the information [as it is] within the SQLite database, or even a property list. With our built-in SQLite viewer and property list, it allows you to not only go in and view the information from the tables, but also convert that, say, the column, to UTF-8 or convert the information… you interpret the date and time, but now convert the entire column, so that you can see the information, can present that information in an investigative report, even if the application is not directly supported within the app to be decoded. So again, allowing you… and we’ll look at that as, say, a case study, as we’re going and looking at the tool live.

So again, extremely important, but really, how do we, as a company, as Oxygen Forensics and Oxygen Forensic Detective, attack really the problem of the applications that are out there? I think it comes down to a couple of things. One, being able to go in and search across the entire device image, the entire case, with multiple devices, or across multiple cases, to identify information. So being able to have a global search function, where you can go and search for your regular expression, where you can search for your text, you can use numbers. And most importantly, especially in a law enforcement side, formulating an attack based upon hashes, being able to go and import a hash list that you have, with thousands of known CP that you’re able to go in and import that information, the hash list, and being able to have that… you’d be immediately notified [with either] watch lists or even running a keyword list search with imported keyword list that runs all the time, [when] running your importing or the parsing of the data, so that you’re immediately notified for critical information based upon a hash. That’s extremely important to have built in within a tool.

So performing a live search within files as well, which is important, because some tools, you’d be able to do searching, but it only searches across the database. So not only can we search across the database within Oxygen Forensic Detective, but we’re able to go and search within the files. And why is that important? Because if you’re looking for a certain keyword, if you’re looking for an email address, if you’re looking for credit card numbers, if you’re looking for information that, say, isn’t supported and decoded and parsed by the tool, you should hope you can still find it. Because once you go in and do a search across what’s in the files, you can now uncover and see, “Oh, you know what? It’s [actually within] the database file. It’s not directly supported, but you know what, I have the SQLite Viewer that I can now go and review that information, I can see the information that’s in there, I can now uncover that data and support that app by utilizing built-in tools, by going and digging deeper within the application.”

Just because it’s not directly supported by a tool… you still have the ability to go in and find that information within the application itself. So you must make sure that you have… and you can get that information and you can have it available even though it’s not directly supported – which again, it all comes down to being able… you perform that search, now you’re able to go in and get that information still, even if it isn’t supported.

Again, now, just because you can search… now, every examination that you’re going to do, I would say the majority that you’re going to do, have to do with not just a single device but multiple devices. You go to a scene or someone brings mobile devices to you, it’s typically not just a single device. It’s multiples, and Android, iOS, multiple Android devices, multiple iOS devices that were either received at a search warrant, at a scene, and you have to process those. Now, no longer should you be processing and just saying, “You know what, I’m going to do one at a time and I’m going to try to print a report or I’m going to try to remember this information that I have. I’m going to go and create some search information that we have.”

So really, what it comes down to is how can I go in and find out who the most important people are across the devices, the most important application across the devices. What date and times are these people meeting each, what locations are these people meeting each other at? So being able to now run the analytics across all of these devices now is critical. And built into obviously Oxygen Forensic Detective are analytical tools that you can prove via timelines, that you can do via aggregated contacts, being able to do and run social graphs across multiple [devices and identify] immediately who the most common contacts are, so that you can start the investigation on that individual that might not be part of this group.

Being able to map out the relationships that are involved, again, is extremely critical in today’s investigations. It’s no longer just looking for, say, communication that you’re having, but now it’s looking, who knows who? Who’s communicating with who? Who’s the major operator for all of these people and these devices? So now, this is what is needed within a mobile forensic tool. And again, Oxygen Forensics allows you to see this information visually, but also look into the information and identify that communication or those locations that they might have been in this area.

Then again, we start talking about off-device storage. So if we’re talking about SD cards that might be located at a scene, or within a device, or within another device, being able to go and do a full physical within Oxygen Forensic Detective of that media card, being able to uncover deleted files, being able to uncover deleted information is available. But also, I talk about the cloud storage again, is that being able to now go in and pull that information from the cloud, utilizing the built-in cloud extractor, include that in the case – now you can do analytics across the cloud, and now you can go ahead and do, across the cloud, across the device, across all devices, now I’m going into analytics. So I now put those into the same case that I have, the actual physical devices and the cloud information, so I get a complete picture of not only the device but all of the data that might be involved.

So the problem really has to do with… so all of the data, how can I go in and fine-tune the information? And how can I go in and take all the information from off-site storage from multiple devices into one area. And that’s really, we can deliver with Oxygen Forensic Detective.

So looking again at the additional information that we have – so we talk about today’s communication, that I’ve mentioned a couple of times. Not only calls – people don’t use their standard phone… excuse me, their phone line to make calls. They’re using Google Voice, they’re using Skype, they’re using Vibr, they’re using WhatsApp to have this different communication. And when I go and communicate with someone, be it chat, we’re talking about WhatsApp, Kik Messenger, Telegram, so many of those applications that are available out there, and we start talking about the different social networks that we have. Many, many different, from QQ, Wechat, Twitter, Facebook Messenger, you have all of this… there are so many different social networks out there that people are using to communicate in there.

What we’ll touch on today in the live demonstration is really web browsers. Because there’s a critical source within web browsers that everyone… I would say… well, hopefully you’re not missing but I would say the majority of you are not looking into diving for that type of gold, because within web browsers there is some critical information that mobile device tools are not automating and parsing out, simply because of the issues or the variables that are involved within that. But I think what’s so important and critical is that we, as experts, especially when we’re doing our examinations, are looking into games.

Games are today’s new chat area. For not playing a game, but utilizing those to hide from law enforcement. Because they know what’s supported. Okay, these tools support WhatsApp, they support all of these different types of tools. But how can we go and communicate under the radar that, say, a tool doesn’t support it. Why don’t I go use a game? Why don’t I go use this game? I have this game installed, I know that there’s a chat function, but I’m going to play the game, but you know what, I’m going to communicate with my other members of my group through this particular application. Because I know that’s not automated.

But see, that information is available to you within Oxygen Forensic Detective. Again, remember I talked about performing searches. If you’re looking for certain information, search within files, and now you have the ability to go in and uncover this plot that was built into [A Clash of Kings], was built into this, where I can perform these different types of communication or chat. Words with Friends, those types of games, where you can go and communicate and chat with other users. All I simply have to do is create a user account, have the app, and now they know my user account, we can communicate via chat within a game.

So now, looking at that type of communication, that’s where a lot of nefarious information is going to be located. So please, when we start looking and we start talking about this presentation, we need to make sure that we are looking at and looking in the information of this.

Okay, great. So still moving on, that we have here, today… so we start talking about storage. [Built into] Oxygen Forensic Detective is an extremely robust cloud extractor. Our cloud extractor is built into the product, and there are so many formats, especially with the Google side of it. Anything Google, as long as I have username, password, or token, I can go and conduct an extraction from the cloud, utilizing that information, just be able to go now and include that in the case.

So we continue to build in new cloud formats or containers that we can go in and pull that information out, and again, built into our Oxygen Forensic Detective is the cloud extractor, which is going to most certainly help in your cases that you’re going to be involved in as the apps start utilizing cloud storage more and more, Google being the number one of bringing in and pushing up a lot of the information, a lot of the data that is out there.

Now, if we start looking as well… these are just some statistics that I want you to think about. If we look about this as of June 2016 there are over 2 million apps on the Apple store. Now, we look at Google Play, we’re at 2.2. Now, these are available. Now we look at the others, say, Amazon, the Windows store, and BlackBerry, 2.1 million. So we have these statistics that I grabbed off here. Now, these are the apps that are available. So if we do the math, we’re looking at that, about 6.3 million apps that are available. That’s a lot, right? That’s a ton. But now let’s look at this next statistic. If we start looking about today’s app support… so we look at… and I’m talking across the tools, the available apps are approximately 6.3 million, and the apps that are actually supported within a mobile forensics tool, and I just said approximately 400 apps.

So we look at that statistic, of the apps supported versus the apps available, it’s quite astounding, right? If we start looking at the probabilities. We start looking at the probabilities, because I like numbers and statistics – if we look at the probability of the apps available to the supported apps – remember I said 6.3 to 6.4 – we start looking at it as 0.00006 or roughly 0.006 per cent of the apps available are supported by a mobile forensic tool. So again, we look at the reality side of it, you’re actually more likely to drop your smartphone in the toilet, to run into utilizing or… you’re more likely to do that than run into one of these that are supported.

Now, I bring that up as kind of funny on the probability side, but the enormous, the number of apps that are actually out and available to the users that they can use versus the ones that are supported means you have to work hard. You have to work extremely hard, because it’s quite likely that you’re going to be investigating an app that might not be directly supported. But if I start looking at some of the realistic probabilities, if we look at Oxygen, we support almost 88 per cent, we’ll say 87 per cent of the most popular apps that are out there. If you look at the popular apps that are listed out – Facebook, YouTube, Gmail, Pandora, you’d have Instagram, you have Apple Maps, you have all of those, Pokemon Go – we support that. 13 out of the 15 of the most popular apps, so we look at about 87 per cent, we’re supported by Oxygen Forensic Detective. That’s really how we have to concentrate, is those apps that are the most popular, that are utilized, but again, we still run into the probability issue like everyone else of an app that might not be directly supported for decoding, what do we do? That is where we run into and we have some of the issues.

But again, realistically, we support almost 87 per cent of the most popular apps, which again leads credence to the innovation that we have of targeting the most popular apps that are out around the globe, and attacking those as well. But still, giving you the ability as an expert to look into the information that’s out there. Because in all actuality, you’re going to run into – and I call them the zero day apps, where one might be released the day before you conduct an examination. Like “What is this app? This is bizarre.” So obviously, no one is going to be supporting that, that particular type of app. But then we start talking about, well, it’s an unpopular app. Well, the problem is the most unpopular apps are always the ones you’re going to run into, right?

You might call up someone and say, “You know what, I have this app, I need it supported.” They’re like “Ah, it’s not popular.” Well, unfortunately, it’s extremely popular to you, because that is what you’re doing the investigation on. So that is really again one of those issues of running into the 6.3 million apps that are out there. You just so happen to have the one that is not supported. Well, unfortunately, we look at the probabilities, and it’s pretty high.

But if you look at the currently unknown, that’s along the lines of the zero day, but currently unknown might be an app that’s been out forever, but it is not a known app to be a chat app, or a popular app that we have people… and like I said, I’ve done cases with Words with Friends that is not supported, or supported by other apps, or Clash of Kings, or some of the popular apps, but they are seemingly unpopular to the mobile forensics side. That’s the actuality of it, is that you quite possibly are going to run into an app that is not directly supported by any tool out there. So really, what do we do?

So if we look at how do we dig deeper? What do we need to do? And looking into the investigation, this is really where we come down to the power of Oxygen. Being able to take Oxygen Forensic Detective to do and run the powerful searching like I had mentioned, within files, across it, utilizing hashes, utilizing regular expressions, looking for information, across all devices, across cases, across a single device, it’s all there, and it’s all built in and available. Not only that, but using the analytics to quickly uncover [plots], to quickly uncover the most common version between multiple devices, to now being an investigation. You give it out to an investigator and say, “We need to find this guy. This is the guy that we’re actually looking for. We have all these little guys, but this is the big guy, this is the big player. We need to go out and we need to find that.”

So by utilizing those powerful analytics within Oxygen Forensic Detective, we can now uncover that information quickly. Quickly, to now go in and stop the threat, and be able to uncover things, instead of having to do single device: “Alright, yeah, I think I saw this name. Yeah, this name is common.” Or putting it into another system, pressing a button and hoping that the analytics prove to be true. So now, being able to do that and identify those common connections and the communications, that you can now go in and even dig deeper into it, looking for additional information that you might not have had before.

Being able to go into what we already support within our tool, and find that information, deleted data that has been decoded and parsed out of a SQLite database, a json string, or a text file, or even a file that had been deleted, a picture, that information. Being able to quickly have and analyze that, we support the analysis and decoding of so much information and so much data. But then, really, what that does is lead us down the road of really digging into the files, into the file system, to grab the information or the gold that is within that file system, that maybe is not automatically decoded.

So here’s what we’re going to do. We’re going to look at a live situation, and with Detective, and we’re going to go through and look at this, extracting some additional storage areas, looking into the cloud, right? Now, bringing that information in, starting and look at some of the relationships that we might have in there, identify maybe some possible suspects that we might have based upon a collective analysis. We can conduct a search within some of those files, for some information that we might be looking for, say the investigator has given us some information that we can go in and search across the information, and really take and formulate timelines. But then we’ll look into the file system for information that is not going to be parsed out or is not going to be uncovered. So let’s go ahead, we’ll take a look at some of this information, as we go and we have here ourselves a few minutes to go in and look at actually a live situation.

Okay, so I’m going to bring up our Oxygen Forensic Detective that we have that’s listed out here, that you see it, and we’re just going to again formulate kind of a plan. Because I’m looking here, and I know that I have a subject here, Patrick Payge, and in the analysis of this, and I look into the file system, the file system area, I quickly find, down towards the bottom, there’s cloud accounts associated. Because we did an extraction of this Android device, and I see now we have cloud accounts. I can immediately open up these cloud accounts and say, “You know what, I know, because I was in that webinar, there is additional information that could help within this case.”

So I simply go in and I take this information, and I can go in now and extract the information that’s listed out from the cloud, based upon the user names, passwords, as well as any of the information that I have that’s built within, say, the user that we have that’s listed out over here. So it gives us that ability to go in and fire up with our cloud extractor, and autofill the information that’s available. I can now go beginning, and say, “Alright, you know what?” Obviously, in the interests of time, I’m just going to go in… I’m going to extract the Google photos that we might have in here, I’m just going to select some of these other items that I have here, but also, I can also add a cloud service. If it’s not on the device, I can add his Dropbox account, the Box account, Facebook, that might not be listed on here. I can add additional accounts. So I’m just going to add a couple of these Google accounts that are listed out here. Okay, I have some history, some more photos. I’m going to validate those.

So I’m going to go out and I’m going to make sure that the username, password, or the token is valid. You’ll see here, listed on the side, I get green arrows. I can now press Next, and I can cycle through all of these different histories, and decide what I want to extract from this area – images, videos, fantastic. I can even associate a date range. If my search warrant states this is what I need to do, I can still do a date range of that.

So once I have that information, I’m going to hit Next, and now begins the process of downloading this data. You’ll see obviously it goes quickly, just based upon the sheer volume of data. It’ll download this information off of the cloud stores, where the information is located. Once that information is completely downloaded, it now allows me to bring that and either save it off as a… look at it immediately in my Maps. Say, because of Google photos, along with the [unclear] data, giving latitude and longitude information, I can now go in and overlay that information immediately on a map if I need to identify that location.

So once it’s done I’m going to hit Next. It now brings up again… it tells me that the extraction has been completed, it gives me the summary, and I now press Next again. It now tells me… alright, I want to open it up in Forensic Detective, or also… you know, I want to go into where the actual OCB is, the backup itself, and I want to show the locations in the Oxygen Forensic maps. Whatever I select, it allows me to do that.

So I’m just going to open it in Oxygen Forensic Detective. So what’s great about this – it now then brings that into the case that I’ve assigned it to, and once that brings it into the case that I have assigned it to, it now allows me to do all of my analytics across this. So it’s going to extract all the data, it’s going to bring it into that case, and now I’m ready to go and look at the analytics, to identify… remember, like I said, relationships. Finding the relationships of data, find the… and looking at the different timelines.

So once it’s done I’m just going to open the extraction itself, and it’s now going to begin and give me the extraction. You’re going to notice, it’s going to come in now to the main page, and in my main dashboard, it now has the cloud service, built within my human trafficking case. So now I have not only the three devices that I had [unclear] but now the cloud accounts that I obtained from Patrick Payge. I could immediately go now to the Human Trafficking, and I could say, “You know what, let’s go in and look at the analytics, because I want to go in and find the relationships involved.”

So I immediately can come right here to the Social Graph. In our Social Graph, it’s now going to go and it’s aggregating all of the information, all the data from all these devices. It aggregates the information, it brings that information in, it gives me all of these different stores. So now you’ll see it as it comes up on the screen, I have that information. But what’s great is I can immediately come right up here and show the common contacts. Once I show the common contacts, I immediately… it identifies with those common contacts right here, between those three devices that we had that’s listed on here. I have this individual, Homero Flores Romero, that I can immediately now go in and say boom – I’m going to go and click and show his contact card, and what’s in this area here in his contact card. I now have all the communications that this individual has had in between all of these three devices that are listed out over here. Boom – I can give that to the investigator, they can follow up on this guy, because he’s not part of it. I can see the additional names that are listed out on this person. But this person is identified between those three devices, as again a common contact, with the highest number of the communication that’s involved in this particular area.

So what’s even better is I can immediately go right here, alright, I have this particular guy, I look at the dates in the communication, the dates in the communication are telling me… alright, I have from 2015, 5/2015 to 7 of 2012. Perfect – I have a date range. I can now go into again some analytics within our timeline version, and in my timeline I can go in and say alright… now I’m in the timeline, and based upon this Homero Flores, I’m going to take my date filter down to February, and I’m going to go 2013, and I’m going to put this to 5/30, and I’m going to say 2015.

So once I have 2015, I can filter down only the record. So now, I’m looking at only the information that’s based upon this, those dates that I would have here, that’s listed out on this particular area. I now have just the geo-timeline information that’s listed out for this particular individual, and I can immediately go and show this information on my Oxy maps that are built in.

So now, once I have the Oxygen maps that’ll show up… now, I have now four items that we’re looking at with the cloud storage that you’re looking at over here. I want to immediately go in and I want to show my common locations between two or more of these devices, or even with the cloud store. I immediately go Common Locations, Identify locations within, say, 50 meters and three minutes of each other. It gives me right here, there’s eight locations. I can immediately go into those locations, and as I zoom in, I now have the locations of these individuals, and exactly what was going on between this Simon Payge and Patrick Payge. It gives me that information, that detail, that they were on a line message or Foursquare check-in in this particular area, once I click and I have that information.

So now I’ve identified common locations. Simon Payge and Patrick Payge are obviously involved, they know each other, based upon these common locations that we found within our map. So now what happens is we’re really starting to build a case within and for these particular users.

So extremely important that we’re utilizing our analytics that are based upon with timelines, with our social graph, with our different links and stats, with our aggregated contacts. There’s so many ways to go in and look at the analytics, we just simply don’t have all of that time. But what we want to do is we want to look at the apps, right? Like I’ve been saying, third-party applications are so important.

So again, if we’re looking at Patrick Payge, we have so many of these apps that are directly parsed out, right? So we have our applications, we have our Facebook Messenger that’s listed out. If I click on any of these particular apps, it lists out the information that I have within my app, my view, it recovers the deleted records that are indicated that you have with the trashcan. Also, right here in the contact area… so we’re covering the contacts that we have listed out over, that are listed here as well. But I think what’s so important to this is the tab that we have, and it’s called Application Files – or Apps. You know there’s a ton of different files – we have our different files, we have not only our database files, but our [write ahead] logs that are located… we list out and bring everything together. So it’s not just within that file system.

We have everything that’s listed in this particular area from that app. So not only the pictures, but also the database files, everything else that’s listed out, as you see, that we have information within this area. So not only do we support the 300-plus unique apps and 2000 apps or over 2000 apps all together, but we’re going to parse and decode that information out for you, for the user, allowing you to uncover some additional information.

But say you wanted to go in and you’re looking for some additional information, not only within the apps, but you want to look over, say, within this Patrick Payge. We can go in and we hit our Search, and it allows me to go in and search for different items within the database, but also right here, it allows me to search within file content. So I can search within the file, which means I’m going to look into database files, property list files, text files, XML files, within all of that information, by utilizing our powerful search.

Like I mentioned, we have our keyword lists, where we can go in and create – here’s a sample hash, here’s all our hashes that we’ve done, we’ve imported the file, we have all the hashes that we can get hits on immediately. So let’s go and look at that here, the sample hash search right here, and we’re going to go in and search for this particular item right here. I’m going to search the keyword list, we’ll search this right here, I’m going to find this information out. So now it immediately goes through, it’s looking across everything, it looks within our file browser. Immediately we get hits within these hashes. For example, these were CP hashes that you have – we immediately have that information that I can go now and bookmark all of the data. I can bookmark all this information right, I can now say, “Okay, you know what, I’m going to go in and give all these particular items, our known hashes, from CP, I now have these, I bookmark [those as] key evidence, CP hash hits, I now have all of those, they can now be added with the evidence, as part of it.” I also have the ability to go in and take these, and I can go immediately into the file system, the area where they’re located, directly off of this with our search functions.

So again, extremely robust with the file. And this is just across the database, but if I go and I search within the file itself for any kind of… or using any text, using those other items, it’s now going to allow me to search across and locate that information, utilizing the other items within or built within that search itself.

So again, starting off our investigation, now we’re searching by finding, say Homero Flores. We now go in and find every reference towards a Homero Flores, the communication, because again, they might have been using a different third-party app that isn’t directly supported. So using that search function can be extremely powerful. Okay, so once we formulate our searches with our different timelines, we’re going to get hits within different files. So let’s look at… remember, I said web browsers are extremely important, right?

So let’s just first look at our default web browser that we have here. So obviously we support it, but I want to point something out. We support parsing out and recovering deleted data from the application, but let’s look here in the application files. Within the application files I notice this is where we pull the user information from. But look at it – we have other database files that are listed out over here. We also have, if you’ll notice, if we go down to the browser, where we do parse out, you’ll notice our browser db, 59 KB, but we have our [write ahead] log, where all data is put first – we don’t have time to talk about what they are – but we have almost 670 KB. What’s great is I can go now to this browser, I can open up this in our SQLite viewer. Once I open this up within our SQLite viewer, what it allows us to do now is it’s giving us the ability to now recover the deleted records, but it’s also going to show us what was in the [write ahead] log, by identifying that.

So if we went to the bookmarks, I immediately come over to this area, and I look down here, it tells me, this information came from the [write ahead] log. Extremely critical that we’re parsing that [write ahead] log of information, because again, this indicates here a recovered record from the free page area. Extremely important. So now we can go and create reports based upon that. Because it might not have been recovered in, say, the automatic decoded parsing. So being able to use that and identifying, like I said, it came from the [write ahead] log – it’s crazy, it’s very important. And it’s such a great feature.

Now, looking back into this area here, I want to go and show you, exactly, if we look at these items… remember I showed you this, where we have with these database files? These are called webkit. Webkit’s a platform, and inside browsers, any time you go to a website that has a mobile app look to it, it utilizes this platform, [like] HTML5 it’ll look like. So what that does is actually create a database itself, and it’s going to store data. So let’s take a look. Because those are not directly supported. Those aren’t supported by any type of tool. So I’m going to go into, and we’re going to look into, say, this Dolphin browser. And if I look into these application files, you’ll notice, lookit – this person utilized his browser to log into their Gmail. And now, what? Can we recover some of that Gmail?

So if I go into this storage that I have that’s listed out over here, I can go in, I can click on this local storage… again, this isn’t parsed out by any tool, this webkit and this information, because it’s too variable. But now, say I got a hit. Now look at what we have here. We’re going to recover some additional information on here, but now, we’re actually recovering, right here, his email address that doesn’t exist anywhere. This email address isn’t anywhere within that they utilized this to log into this information within this or for this different table. We can now go into additional, the database files within that, or we now can perform a search for this jayparker54 to find and recover… now fragments, now the additional emails, get resources from that email address, based upon they had utilized that database to log in. And this is just right here giving me the login information, but right here, inside the database DD, it actually identifies where the information and data stored from the mail. So I can come right here to this main database, open up that main database, and now we’ve uncovered. Now fragments of the email, subject lines of emails, the cached messages, contacts.

You’ll notice as I open this up, now we’re looking at messages. Now I have the messages that might be cached that’s listed out over here, we’re talking about HTML that we have, here’s a snippet from it. I can go and convert this column to UTF8, I can now read all the information, I can report on all the information that’s listed out over here. I can look at any of these other items that are listed out over here. If I had… here’s the data that’s listed out. I can convert these columns, I can convert these columns that are listed out over here to say, “Okay, perfect, I just converted the column, here’s when it was received: 9/6 of 2012.” Fantastic. I have now just supported this, and again, we’ll convert this column to UTF8. I converted this column, it’s not supported by any tool, because again, too many of the variables that are built in, I don’t know what the person is going to log into on their browser. But they logged into a website, and when they logged into the website, they can now search… now they have their Google, right? They do Facebook. Facebook can be done like this. So now you have all the information, and you’re all ready to go.

So there’s so much information that obviously you can do, that we did in just an hour, to show, and we uncovered additional information that was parsed and decoded, but now we’ve gone a step further, and now we’ve uncovered information that no tool is going to parse and decode, by utilizing the built-in SQLite viewer that we have, that’s built in. So taking it a step further is going to help you uncover the additional information and help you really find that digital gold, to help you solve the cases.

Now, how do you start it? Perform a search. You’re looking for keywords, you’re looking for terms. Now, once you have a keyword and you have a term found within a database that’s not necessarily supported, or found within a text file or a json file, XML file, you can now view that, you can create a report, and you can uncover additional information that someone might be hiding from you using a third-party app that’s not directly supported, because they know you don’t support it, and you’re ready to go.

So all of that, in a nutshell, is built within our Oxygen Forensic Detective. It’s an extremely, extremely robust tool that allows you to do so much for your investigations. It’s critical that you utilize the tool that’s not just automating the process for you. We do a fantastic job with that. But really, a tool that’s going to uncover, show common relationships, be able to show information for multiple people, being able to now uncover information within files that aren’t directly supported, and utilizing that tool is… in your toolbox, for mobile forensics is essential, and it’s extremely important within the Oxygen Forensics portfolio.

So our Detective software is available. You can go in… if you want more information on that, our website is located on the final slide, at Listed on there, you can compare the different products, Analyst and Detective, what is offered on there as well. If you are a current Analyst, you can always upgrade to Detective as well. We would love to talk about this more, we have training classes that are available as well, where we cover all this information in detail. So hopefully, I’ll see you [either on a train].

I know I’m a little over, but I have a couple of… I’m going to go and look through some of these questions. I’ll most certainly try and answer all of these. We have the list that I can send out if I don’t get to all of them. But let me just go in and look at some of these as well. I’m going to try and open this up. Alright, hold on.

There’s quite a few questions. But I’m going to go through from… just really quick.

Yup, iOS 10 will be supported here in our next release that we have. Oxygen Cloud Extractor is built into Oxygen Forensic Detective. Is cloud extractor available? Yes, it is available to non law enforcement users, but again, it’s only available within Detective that we have there. Oxygen… [only for] Mobile Forensics.

Now, you can bring in a hard drive image if you wanted to, but again, we decode and parse that information out, of only mobile forensic profiles that you would have, that you look.

Is text across device indexed? Yeah, so if it’s within the database itself, it’s extremely fast. Any time you do a search within file, it is going to be slower, obviously, because we are going to be looking through the actual files themselves. This is recorded, and it will definitely be available for you as well, that you can have. The materials will not be available, but you will be able to review the webinar itself.

We are not phasing out Analyst, no. But Analyst does not include the cloud extractor, and it’s CBR, it does not include the Samsung, bypass, a lot of the new features, out data scout features are not included within Analyst as well.

Alright, so yeah, the download link, please just go to the web page, so that you can in and you can go to our support that’s on the site as well. Okay, excellent.

And I appreciate all of you guys’ time. Thank you guys very, very much. And you can go on to our website and compare the differences between Analyst and Detective, and we are good to go. This current version of Detective is available, it’s been available. We will have an update to it… so we update this thing, Detective, every month about, so that you will have the most current devices supported, as well as the most current apps that are out there.

Alright, if you guys have any other further questions that you have, you can just go ahead and send it to I’ll be happy to answer any of the questions that you guys have that I did not get answered in this webinar.

I appreciate all of you guys’ attendance. Thank you so very much for your attentiveness during this. And hopefully, you guys will download Detective, and see and give it a try for yourself. Thank you guys so much.

End of Transcript

Leave a Comment

Latest Articles