10 Analytic Tools Available in Oxygen Forensic® Detective

Digital forensic analytic tools are important for investigators due to the increasing use of computers and mobile devices by offenders when committing crimes.

Analytic tools are useful in helping put the pieces of a case together while providing an in-depth analysis and examination that can be used in court proceedings. 

Oxygen Forensic® Detective Analytic Tools

At Oxygen Forensics we saw the benefit to investigators of providing software that not only offered the ability to extract data from digital devices but also provided analytic tools in the same software. 

Ten years ago we introduced Timeline, our first analytic tool in Oxygen Forensic® Detective. Today, we offer 10 analytic tools at no additional cost. Let’s go through all of them.

 

1. Timeline

Our Timeline section provides a view of all device events in a single list. The Timeline tool allows investigators to view events, filter data, view geo coordinates, and track activity through the activity matrix.

Events

Viewable events include:

  • Chats within apps
  • Calls
  • Web activity
  • Web connections
  • Photos
  • Videos
  • Calendar Events

 

Events can be viewed for one device or a group of devices, allowing easy identification of common group activities.

Filter

Sort and filter by date, time, activity frequency, contact, remote party, or other data points to focus only on the most relevant data.

Geo Location

The Geo locations tab contains the full list of geo coordinates from all the sources that include photos, videos, apps, drone flight logs, and more.

Activity Matrix

In addition, the Activity matrix located in the bottom panel helps to detect when the device was most used.

Smart Filters

This feature is designed to make investigations more efficient and insightful by offering a variety of intuitive filters that help narrow Timeline searches.

 

The Oxygen Forensic® Detective analytic tool, Timeline, being used to view events on mobile devices.

2. Social Graph

The built-in Social Graph provides a convenient platform to explore social connections between a device owner, contacts, or between devices.

Contacts

Using the Social Graph, investigators can identify the device owner's closest contacts in one click. Click on any contact to open a card containing detailed information about the selected contact and all communications across device sources.

Drag and Drop

The Social Graph interface is dynamic and agile. Investigators can drag and drop to move, hide, or merge contacts while producing a crystal clear view of device and case connections.

Define Contact Paths

It is also possible to define the shortest path between selected contacts (by default up to 5 intermediaries). That allows investigators to visually see that the device owner did not speak directly to someone, but spoke to a contact, who spoke to another, and then spoke to the identified target.
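The contact-path idea described above can be illustrated with a bounded breadth-first search over communication records. This is an added example, not Oxygen Forensic® Detective's own code; the function names, the record layout, and the sample records are assumptions constructed for illustration.

```python
from collections import defaultdict, deque

# Constructed sample records: (source, party_a, party_b). Not real case data.
RECORDS = [
    ("calls", "owner", "alice"),
    ("chat", "alice", "bob"),
    ("sms", "bob", "carol"),
    ("chat", "carol", "target"),
    ("chat", "owner", "dave"),
    ("calls", "dave", "erin"),
]

def build_graph(records):
    """Undirected contact graph: an edge exists if two parties communicated at all."""
    graph = defaultdict(set)
    for _source, a, b in records:
        graph[a].add(b)
        graph[b].add(a)
    return graph

def shortest_contact_path(graph, start, goal, max_intermediaries=5):
    """Breadth-first search; returns the shortest path as a list, or None.

    A path with k intermediaries uses k + 1 edges, so nodes already
    more than max_intermediaries edges from the start are not expanded.
    """
    if start not in graph or goal not in graph:
        return None
    if start == goal:
        return [start]
    parents = {start: None}
    queue = deque([(start, 0)])  # (node, edges used to reach it)
    while queue:
        node, dist = queue.popleft()
        if dist > max_intermediaries:
            continue  # one more hop would exceed the intermediary limit
        for neighbour in sorted(graph[node]):  # sorted for deterministic output
            if neighbour in parents:
                continue
            parents[neighbour] = node
            if neighbour == goal:
                path = [goal]
                while parents[path[-1]] is not None:
                    path.append(parents[path[-1]])
                return path[::-1]
            queue.append((neighbour, dist + 1))
    return None
```

Each hop in a returned path should be traced back to the underlying call, chat, or SMS records before it is relied on, since an edge only shows that two parties communicated at some point.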

 

Social Graph, a tool offered in Oxygen Forensic® Detective, being used to identify contacts and the messages that were sent with the device.

3. Image Categorization

Oxygen Forensic® Detective provides the ability to categorize images into different classes:

  1. Pornography
  2. Nudity
  3. Child abuse
  4. Extremism
  5. Drugs
  6. Alcohol
  7. Weapons
  8. Graphic violence
  9. Gambling
  10. Currency
  11. ID / Credit card
  12. Document
  13. Vehicles
  14. Chat
  15. QR / Barcodes
  16. Maps
  17. Tattoos
  18. Aircraft

 

Our image categorization is available when importing device data and also on already imported extractions. 

Investigators can run the analysis on all categories or only on selected ones, and can fine-tune the positive “hit” settings. After running the image analysis, the number of matching images for each supported category is tagged and shown in Key Evidence and in the Files sections. Investigators can review the tagged data and manually exclude any false positives.

 

Screenshot of all the images that are tagged as a weapons category in image categorization

 

4. Facial Categorization

Oxygen Forensic® Detective offers investigators the ability to categorize human faces.

The facial categorization is available in the Faces section. The unique features include:

  • Detailed face analytics (gender, age, accessories)
  • Detecting similar faces and “familiar with” people
  • Multi-thread categorization using CPU and GPU
  • Support for massive volumes of data

 

Using built-in facial recognition, investigators will save valuable time when looking through thousands of photos or videos in mobile, cloud, or drone extractions.

 

Using the Facial Categorization tool to identify faces in a device's photos

5. Maps

Oxygen Forensic® Detective acquires geo coordinates from all possible sources including mobile devices, drones, cloud storage, media cards, and imported images.

Once analyzed, the data can be viewed within our Oxygen Forensic® Maps, either online or offline.

The Maps module includes the ability to: 

  • Identify a device’s frequently visited places
  • Pinpoint common locations of several devices
  • Visualize a device’s movements within specific periods of time
  • Play an animated route showing the direction of travel

 

Using the Maps forensic tool to get the locations where the offender used the device

 

6. Data Search

Oxygen Forensic® Detective allows investigators the option to search across a single device, all the devices in a case, or all devices in a database.

Investigators can search:

  • Texts 
  • Phone numbers 
  • Email addresses 
  • Geo-coordinates 
  • IP addresses 
  • MAC addresses 
  • Credit card numbers
  • File hashes including Project VIC

 

A “Regular Expression” library is available for custom search functions, and investigators can create a set of keywords or hex lists for a data search.

There is also an opportunity to create face sets from uploaded photos and search faces in extracted evidence.

Moreover, there are 4 ways to run a search: in parsed data, in files, in file metadata, and in file content such as SQLite databases.

 

Window of the forensic analytic tool, Data Search, offered in Oxygen Forensic® Detective, that allows investigators to search across a device

 

7. Key Evidence

The Key Evidence section displays all records that have been bookmarked in other sections by the investigator. This section is where all entries identified as relevant to a case are found, making data analysis easier and saving valuable time.

Bookmark

Investigators can bookmark important evidence in a single device, or several devices, and export it later to one data report.

Tags

Oxygen Forensic® Detective also offers a number of predefined tags, including: Nudity, Weapon, Guns, Important, and several others.

Create Tags

Investigators can also create and set their own tags and export entries to data reports by simply selecting the relevant tags.

 

Function in Oxygen Forensic® Detective that allows investigators to extract data from a device and tag or bookmark the data that is considered key evidence

 

8. Optical Character Recognition

Optical Character Recognition (OCR) automatically identifies typed, handwritten, or printed text located within an image and converts it into machine-encoded text. Whether it’s from a scanned document, a photo of a document, a screenshot of a conversation, or an image with subtitles, we can convert it.

Using the built-in, automated OCR module, investigators can easily conduct searches for words located in images. This is done by converting the text contained in images into recognizable, searchable characters.

This feature is an incredible time-saver, as investigators no longer need to manually search image data for possible evidentiary material. The OCR tool becomes even more useful when dealing with large backups, taking little time to recognize and convert all text from images and screenshots on the device.

 

Oxygen Forensic® Detective window with the OCR section

 

9. SQLite Viewer

The built-in Oxygen Forensic® SQLite Viewer is a powerful 64-bit tool for examining SQLite files.

With this tool, investigators can open any SQLite database, recover deleted records, convert values to a readable format, build visual and non-visual SQL queries, save them for further use, run a search, and export the selected entries to customized data reports.

 

SQLite Viewer in Oxygen Forensic® Detective that allows investigators to view SQLite databases

 

10. Statistics

Oxygen Forensic® Detective offers investigators a new Statistics section that shows detailed statistics about the extraction:

  • Activity chart
  • Activity matrix
  • Top 10 applications with the greatest number of communications
  • Top 10 groups
  • Top 10 contacts
  • Last contacted
  • Key Evidence with tags and notes.

 

The Statistics section, which allows investigators to view statistics across all groups, applications, and contacts

 

Get more from Oxygen Forensic® Detective

At Oxygen Forensics our software is updated multiple times every year. We offer training courses and webinars that can help you learn the ins and outs of Oxygen Forensic® Detective and stay up to date on new features and tools needed for your investigation. Returning customer? Sign up for our newsletter to stay in the loop.

Don’t have Oxygen Forensic® Detective and want to try it out? Request a free trial.