Data Search in Oxygen Forensic® Detective

Oxygen Forensic^® Detective is one of the few solutions in the forensic market that has  advanced analytical capabilities. Our powerful built-in search tool enables investigators to search through one or several extractions, all in one interface.

Table of contents

• How to view and filter searches in Oxygen Forensic® Detective
  • Locate Search Section
  • View Any Data
  • Filter Results and Search Criteria
  • Export Search Results
• Dive deeper: search criteria tabs
  • Text
  • Keyword Lists
  • Hash Sets
  • Regular Expressions
  • Face Sets
  • Hex Search and Hex Lists

How to view and filter searches in Oxygen Forensic^®Detective

Follow these steps to view the search analytics in Oxygen Forensic^® Detective:

1.     Locate Search Section

Open the extraction or case home screen and scroll down to the “Analytics” section – locating the “Search” tool.

2. View Any Data

Once the “Search” section is opened, the past searches will be listed in the upper part of the left sidebar.

Investigators can select any search from the list to overview its results. The filters are located below, allowing to exclude data sources of no interest from the search results.

To learn more about any entry highlighted in the grid, click on it. The detailed information will appear on the right sidebar.

3. Filter Results with Search Criteria

In the main grid, where the tabs with various search criteria are located, is where you can filter the data. After a search, the results that match a filter, will be displayed below with detected matches highlighted in bright orange.

Any search can be saved to a template. This will allow investigators to save time with fine-tuning the search criteria when they need to run a similar search.

4. Export Search Results

Investigators can export search results directly from this section.  Select “Export” on the toolbar above the grid. Click “View” to manage whether the tags, labels, thumbnails, and highlights should be visible. Click “Search templates” to create, edit, and delete search templates or expand the “Lists managers” menu to work with keywords, regular expressions, hex lists, hash and faces sets.

Let’s take a closer look at each of them.

Dive deeper: Search Criteria Tabs

Search Criteria tabs help investigators sort data and easily find what they are looking for in an extraction.

The following search criteria tabs are available:

• Text
• Keyword lists
• Hash sets
• Regular expressions
• Faces sets
• Hex
• Hex lists

Text

From this tab, investigators can locate the presence of an exact word or phrase in the extracted data.

Expand advanced settings to set the searched data type (all text data, phone numbers, emails, credit card numbers, URLs, IP-addresses, MAC-addresses, or geo coordinates) and whether any word matches the searched text, all words or the exact match has to be detected.

Tick the checkboxes next to “Case sensitive” and “Whole words only” to reduce the number of faulty results.

Use the checkboxes under “Search in” to select what will be searched through. Upon ticking a box next to “File content”, users will be asked to select the file types of interest (media, images, databases, documents, Plist files, JSON files, archives, applications, or other files), and the encodings. Investigators can also set a threshold of maximum number of matches from there.

Keyword lists

Open this tab to search data by a list of keywords. Although some lists are already pre-installed in the software, investigators can always create their own lists that will be used for detection of data of interest.

The previously described advanced settings, including search in file metadata, are available for this search criteria as well.

Click on “Select keywords” to expand the list of available keywords lists. It is possible to pick one or several keywords lists.

Click on “Keyword lists” button to open the keywords manager. From there, investigators can overview existing lists, delete keywords from it by clicking on a bin icon next to a keyword or add new keywords by selecting the “Enter new keywords” option below the list.

To create a new list of keywords, first click on the “+” icon, name the list, and then add keywords to it in an opened window. Please note that there should be one keyword or key-phrase per line. Click “OK” when the list is complete. New list can be used as a searching criteria.

Hash sets

Open this tab to initiate a search by a hash set. Same as with keywords, click on the “Select hash set” to expand the lists of available hash sets.

Although the basic hash sets for Android and iOS are pre-installed, investigators can import a set of their own from the Hash sets manager that opens upon clicking on “Hash sets”.

Select “Add hash set” at the bottom of the window to upload a set. Fill in the fields related to the set, select a file with hashes and wait till the upload is over. Then, select the set in the list and click “Search” to use the new set as a search criteria.

Regular expressions

Switch to this tab to search data by Regular expression. Expand the advanced settings to fine-tune what will be searched: parsed data, filenames, file metadata, and/or file content.

To initiate the search, enter a regular expression to the search field or open the regular expressions manager by clicking on the “RegExp” button next to the search field.

From the Regular expressions manager, investigators can overview the existing regular expressions, edit, and export them, or create new ones manually or by importing them as a text or .csv file.

To manually add a new regular expression to the list, click “Add”, name the expression, add a comment to it, and do not forget to enter the expression itself. As soon as everything is written, click “Save”. The expression will be added to the list and can now be used as a search criteria.

Faces sets

Open this tab to detect the faces of interest in available data. To initiate the search, select a faces set from the list. Expand the advanced settings to adjust the similarity threshold.

If no faces sets have been imported previously, investigators can create new ones by clicking on the “Faces sets” button next to “Search”. The Faces manager will open. To manually add a set, click on “+New set”, name the set, and then import the images containing faces of interest by clicking on “Add faces”. As soon as all sought-after faces are available in the grid, click “Search” to initiate the search by faces sets.

Alternatively, investigators can import faces from already analyzed data. To do this, open the “Faces” section of an extraction, faces from which have already been processed and detected. Then, right-click on a person of interest and select “Add to faces set” from a drop-down menu.

Hex search and Hex lists

Hex search in the search sections allows investigators to search by hex in file content. To learn more about how to hex search see: Hex Search in Oxygen Forensic^® Detective.

Get more from Oxygen Forensic^® Detective

At Oxygen Forensics our software is updated multiple times every year. We offer training courses and webinars that can help you learn the ins and outs of Oxygen Forensic^® Detective and stay up to date on new features and tools needed for your investigation. Returning customer? Sign up for our newsletter to stay in the loop.

Don’t have Oxygen Forensic^® Detective and want to try it out? Request a free-trial.