Oxygen Forensic Suite
Oxygen Forensic Suite killer features or “Why do experts and Law Enforcement Units prefer Oxygen Forensic Suite”?
- Strong support for Symbian OS, Apple iPhone, Android, Windows Mobile and RIM BlackBerry devices. The popularity of smartphones is constantly growing. These devices store tons of vital forensic data that cannot be extracted by standard PC-to-mobile protocols. In 2002 Oxygen Software invented the advanced Agent application approach that allows Oxygen Forensic Suite to extract much more information from smartphones than other logical tools.
Analyze contacts from multiple sources such as the Phonebook, Messages, Event Log, Skype, chat and messaging applications in Aggregated Contacts.
Section automatically reveals same people in different sources and group them together in one meta-contact.
When the contacts have no matches, but expert detected that the contacts in various sources belong to one person, he can manually merge these contacts. Later this contact will be used as a single item for Communication Statistics analysis.
Section offers quick filter functionality, convenient data sources filter and sorting for faster analysis.
Preparing and printing reports is easy as in every section of Oxygen Forensic™ Suite.
Rooting a device based on Android OS reveals the complete set of user data to the investigator.
Generally this procedure needs certain knowledge and research, but Oxygen Forensic™ Suite helps experts to automate this operation.
Rooting procedure is a part Data Extraction Wizard that guides you through the whole process of gaining the root rights to the device. The important benefit of the proprietary method is that the root access will be revoked immediately after rebooting the device. This method makes rooting and further extraction completely forensic and safe.
Android Rooting add-on grants an access to:
- Full file system, stored both on internal memory and memory card
- Application saved data including logins, passwords, history, cache and much more
- Geo-location information for tracking suspect position in the past
- Deleted data in database tables
Oxygen Forensic™ Suite retrieves numerous application data from a mobile device. In Applications section experts view the list of pre-installed and user applications with the files created by these programs.
Each application can contain valuable user data, like passwords, logs, history, files and so on.
Section offers the following main features:
- Get logins and passwords to the app
- Find geo-location of the last run
- Inspect all used or created app files
- Know exactly when the app was used
- Access to system and user apps
- Filter apps by a certain term
- Export and print selected items
Many popular applications have a special User Data data tab where experts find application data categorized and prepared for effective analysis.
Experts can always access source files to learn how Oxygen Forensic™ Suite gathers information for User Data tab or to analyze applications that were not automatically prepared.
Oxygen Forensic™ Suite is the only smart phone forensics software that allows analyzing Applications in such a deep and structured way.
Skype & Messengers
Oxygen Forensic™ Suite supports a lot of mobile messengers like Skype, Facebook, WhatsApp, Viber and others.
Oxygen Forensic™ Suite 2013 retrieves all available data from messengers. Depending on the application the feature set may vary:
- Chat history with individuals (including unauthorized contacts) and groups
- Contact list with photos, all fields and notes
- Sent SMS text, recipient phone number, timestamp and cost
- Complete calls information: recipient name or phone number; direction; length; time stamp and even cost
- Account details: name, address, phone numbers, e-mail, birthday and other information filled by suspect
- Geo-location where the action took place
Extract data from the backup files acquired from suspects’ computers or portable drives.
iTunes, Android, Blackberry backups, DMG or other forensic software images will appear in Oxygen Forensic™ Suite like data extracted from the real device.
IPD and BBB Backups
BBB and IPD are the Blackberry device backup files made with Blackberry Desktop Manager. These files can be found on a suspect computer or external media like CD, DVD, memory disks and cards etc.
Oxygen Forensic™ Suite is able to extract and present forensically important information from IPD backup files.
iTunes backup found on a suspect computer is a regular practice due to the popularity of Apple devices.
Oxygen Forensic™ Suite offers experts an easy way to extract suspects’ private data from the iTunes backup files.
Various data viewers helps experts to analyze extracted data in a convenient way.
Oxygen Forensic™ Suite has built-in HEX-viewer, picture viewer, music and video players, text viewer with code page converter, HTML, SQLite and Plist Viewers.
Modern mobile devices create and numerous number of files during their life cycle. The very basic tool to open them is HEX viewer that will allow analyzing data in a raw manner. Built-in HEX viewer in Oxygen Forensic™ Suite allows experts to search data, make bytes conversions of the selected parts, save files on disk.
In case of multimedia files it is convenient to use built-in media player that will allow to play recorded video and voice messages, view camera shots. Additionally experts can view EXIF information and Geo-data if they are available.
For text documents and saved or cached web pages Oxygen Forensic™ Suite offers text viewer with code page setup and safe web browser.
SQLite Viewer allows to explore the database files with the following extensions: .sqlite, .sqlite3, .sqlitedb, .db, .db3.
Experts has the access to the actual and deleted data stored in databases created by system and user applications.
Plist files, known as Property List XML Files, contain a lot of valuable forensic information in Apple devices. Browser history, Wi-Fi access points, speed dials, Bluetooth settings, global applications settings, Apple Store settings and even more data can be extracted from .plist files.
Chinese Phones Support
Chinese Phones Support enables forensic experts to extract data from popular phone replicas and low-cost devices.
Oxygen Forensic™ Suite is able to acquire from Chinese devices important user data like event log, messages, contacts and files.
Chinese-branded phones occupy a major part of the Asian mobile market, and are on the rise in North American, European and international markets due to their low cost and a better value-for-money than offered by traditional manufacturers. On emerging markets, Chinese-branded phones dominate in the low-budget niche. North American and European wireless communication companies often give these low-cost devices away to new customers and prepaid users.
Oxygen Forensic™ Suite handles a huge variety of devices based on MTK (Mediatek) chipset and grants forensic access to the following user data:
- Basic information. This includes IMEI/IMEI2, hardware revision, firmware revision and baseband.
- Phonebook. Retrieve contacts from SIM and phone memory, access groups details.
- Calendar. Supported event types: Meeting, Call, Anniversary, Birthday, Training, Reminder, Notes.
- Calls log includes dialed, answered and missed calls.
- Messages: SMS and MMS in default folders.
- Files in phone memory and external memory card.
Communications Statistics section provides a convenient tool to explore social connections between device users by analyzing calls, text, multimedia and e-mail messages and Skype activities.
Diagram view with a graphical chart presents a quick overlook of communication circles, allowing forensic experts to determine and analyze suspects’ communications with all details at a glance.
Switching to the table view offers in-depth analysis of the device user’s communication including all contacts, phone numbers and remote parties along with communication duration and produces a concise summary of the forensically important data.
Oxygen Forensic™ Suite offers investigators the ability to analyze interactions among users of multiple seized mobile devices. The feature builds and displays a Communication Statistics diagram with a chart for multiple devices, clearly visualizing connections between the phones’ users.
Dictionaries section shows all the words ever entered in device messages, notes and calendar.
These are not words from the device system dictionary, they are from unique user dictionary that is created by device owner when using it.
Dictionaries section main features:
- View all words entered by a suspect
- Reveal passwords
- Phrase simulation
- Choose certain language on demand
- Find out each word usage frequency
- Reveal the order words were used
- Filter words by language
- Export and print selected items
Dictionaries section provides a list of words entered by a suspect. An expert can determine the order that the words appeared, how often the word was used, filter and reorder the words in the list.
Phrase simulation feature is a highly valuable tool for an expert. Using it he can suppose the phrases that the suspect typed. This can be a password, address, or even a deleted message.
Global Search allows discovering user data in every section of the device.
Tool offers searching for text, phone numbers, emails, geo coordinates, IP addresses, MAC addresses, Credit Card numbers. Regular expressions library is available for more custom search.
Experts can search data in a single device, all devices of the case or all acquired devices. They can choose the sections where to search the query, apply boolean terms or chose any of predefined patterns.
Keyword list manager allows creating custom set of terms and perform search for all these terms at once. For example, these can be the lists of names or the set of offensive words and phrases.
Global Search tool saves all results and offers printing and preparing reports for any number of searches.
Key Evidence section offers clean, uncluttered view of evidence marked as essential by investigators.
Forensic specialists can mark certain items belonging to various sections as being essential evidence, then reviewing them all at once regardless of their original location.
Key Evidence is an aggregated view that can display selected items from Phonebook, Calendar, Messages, Camera shots, Web Connections and Location Services, Applications, as well as other sections available in Oxygen Forensic™ Suite. The section offers the ability to review relevant information at a single glance, concentrating one’s efforts on what really matters and filtering out distracting, unimportant data.
Forensic examiners are able to sort, filter and group data for the best viewing results. Tagging and notes makes Key Evidence section even more convenient to use.
Oxygen Forensic™ Suite is the only one cell phone forensics software that allows investigator to browse all important data in one place.
Passwords section displays logins and passwords extracted from default secure storage like keychain database.
Applications files can also contain this valuable data. Oxygen Forensic™ Suite parses them for it and displays nearby.
Password recovery is available for iOS and Android devices.
In Apple iOS devices including iPhone and iPad, sensitive information is stored in the keychain. The keychain provides means to securely store data such as passwords to email accounts, Web sites and certain third-party software, as well as other private, financial and sensitive data.
The content is stored securely encrypted with device-specific hardware keys that are unique to each individual device. Oxygen Forensic™ Suite adds the ability to access protected content stored in the keychain, extracting and displaying user passwords.
More passwords are hidden in applications files. Passwords section also extracts this data and displays passwords from applications at one place.
Timeline allows to view all facts of mobile device usage in one sorted list.
This section organizes all calls, messages, calendar events, geo data and other activities in chronological way, so you can easily follow the conversation history without the need to switch between different sections.
Forensic examiners will be able to sort, filter and group phone activity list by dates, people specific phone numbers and geo data activity.
A graphical chart is available to display user activities for selected periods of time. The chart allows grouping all possible mobile device events over different time intervals (from one second to one year) and filtering them by various parameters.
The chart enables forensic experts to easily analyze detailed activities of a single contact or group of contacts at a glance.
Printing and exporting data in popular formats is also available in Timeline section.
Web Connections & Locations
Web Connections & Locations section reveals suspects’ visited places and routes.
Experts can analyze several sources of Geo data: Wifi connections, IP connections and Locations databases.
With Wi-Fi Connections list forensic experts are able to determine where and when suspect used Wi-Fi internet access (public or even private) and ascertain his location.
Entries in hot spot list have the following parameters: hotspot name (SSID), hotspot BSSID (MAC-address) and RSSI (Signal level), last time when suspect used hotspot. Processing this data Oxygen Forensic™ Suite acquires geo-coordinates and mini-maps for each location.
IP Connections tab shows all the history of Web connections (Wi-Fi, GPRS, LTE) and their details: MAC and VPN addresses, device and router IPs, DNS name, region, time stamp, etc.
Locations tab represents consolidated.db and cache_encryptedA.db files contents in an extremely convenient way. Initially this file stores all the network activity of the device basing on GPS/Cell/Wi-Fi data. Experts can track device movements and determine device owner location basing in Locations data.
Experts can view geographical coordinates and maps directly in Oxygen Forensic™ Suite or export data to KML format to see the route in Google Earth application. Standard reporting and printing features available.