I have been using Oxygen Forensic® Detective for academic and professional investigations since 2016, when the last available version was 8.4. Mobile forensics procedures have evolved a lot since then. Mobile software and hardware, applications and the information stored in smart devices keep growing. Although the pillars of mobile forensics remain the same, this constant evolution forces forensic software to adapt to current needs: smartwatches, drones, cloud data and backups, IoT devices, and support for ever more smartphone and tablet models and all their firmware versions. All of this makes it mandatory for mobile forensics practitioners to have trustworthy, up-to-date tools in order to acquire, understand, index and exploit as much information as possible and obtain the best results.
Current mobile hardware and firmware does not make the analyst's job easy, as device vendors patch every security bug that could allow a physical acquisition. Encryption and device access controls, which protect the privacy of the information held on the device, make life harder when conducting an investigation in which those devices are key.
User trends have also evolved: sensitive information relevant to a forensic investigation is now stored across an ever-growing universe of mobile applications, so the ability to support and understand the internal structure of all of them, and of their updates, is an issue to keep in mind.
This scenario forces a professional forensics practitioner to have tools able to deal with every device and extract the information needed for every investigation, whatever the hardware or firmware version.
For all these reasons, a commercial, up-to-date forensics suite is needed to carry out this activity professionally.
Oxygen Forensics is one of the big players in this field. This review is about Oxygen Forensic® Detective v.18.104.22.168, licensed in USB dongle mode.
Powerful and complete tools also need to be intuitive for their users. A tool that is complex to use can lead to human errors in the middle of an investigation, and those errors could even ruin it.
Oxygen Forensic® Detective has a clean initial GUI that guides the analyst to the main tasks that can be performed.
The process of every investigation
Forensics investigations follow mainly these phases: Acquisition, Analysis, Reporting and Exposition.
Oxygen Forensic® Detective focuses on the Acquisition, Analysis and Reporting phases; Exposition is still the job of the human analyst, so far.
Acquisition: the most important phase?
It is said that acquisition is the most important phase in a forensics process. From my point of view, all phases are important, but of course, if the first one is not performed in the right way, the results could be called into question later.
The goal of acquisition tools is to extract as much reliable information as possible, to be indexed and added into a database; how much is obtained depends on the sources supported by the tool.
Oxygen Forensic® Detective supports live acquisitions when the original device from which information will be extracted is available to be connected to a forensic workstation. It also imports data from backups made with other tools (from Android ADB backups or Apple iTunes backups to physical images made with other commercial vendors' tools), from cloud repositories, or even from images made by other forensic suites.
Analysis: How information will be exploited
Once the information has been ingested, it is time to exploit it: to analyze its contents and transform them into useful information. Oxygen Forensic® Detective is able to understand and correlate those sources in different sections, shown in the GUI. Mobile device system information, calls, SMS, camera roll, social networks, applications, etc. are the typical categories. But Oxygen Forensic® Detective adds value by identifying and presenting valuable information drawn from several of them at once.
Every single application stores the information it needs to work on its own. But combining all that data and showing it in different ways can make the difference. Users interact with several applications on their smart devices at the same time, and the applications even interact among themselves. A typical example is the camera roll, commonly used to save pictures and videos that several applications may use.
Investigations usually require finding out what activity occurred on a device within a given time range. With a device holding many sources that generate timestamped forensic events, it is vital to have a tool able to build a super-timeline merging all of them, so the full activity of the device between the desired dates and times can be known.
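A super-timeline is only as good as the normalization of every source's native timestamp convention to one reference before merging. The following Python is an added example, not Oxygen Forensic Detective's code: it merges constructed records (all values made up) from four hypothetical sources that use Unix milliseconds, Apple Cocoa seconds, Chromium WebKit microseconds and device-local time strings, then filters the merged timeline to a date range.

```python
from datetime import datetime, timedelta, timezone

UTC = timezone.utc
UNIX_EPOCH = datetime(1970, 1, 1, tzinfo=UTC)
COCOA_EPOCH = datetime(2001, 1, 1, tzinfo=UTC)    # iOS / Core Data epoch
WEBKIT_EPOCH = datetime(1601, 1, 1, tzinfo=UTC)   # Chromium history epoch

# Constructed sample records (made-up values) in the native timestamp
# conventions of four hypothetical sources found on one device.
SMS_EVENTS = [  # Android mmssms.db style: milliseconds since the Unix epoch
    {"date": 1683669600000, "address": "+34600000001", "body": "see you tomorrow"},
    {"date": 1683710100000, "address": "+34600000002", "body": "on my way"},
]
IOS_APP_EVENTS = [  # Core Data style: seconds since 2001-01-01 UTC
    {"ZDATE": 705403230.0, "ZTEXT": "photo shared"},
]
BROWSER_VISITS = [  # Chromium style: microseconds since 1601-01-01 UTC
    {"visit_time": 13328183880000000, "url": "https://example.test/map"},
]
CALL_LOG = [  # exported as device-local strings; device offset was +02:00
    {"local_time": "2023-05-10 11:19:00", "number": "+34600000003"},
]
DEVICE_TZ = timezone(timedelta(hours=2))  # assumed device offset at the time

def from_unix_ms(v): return UNIX_EPOCH + timedelta(milliseconds=v)
def from_cocoa(v): return COCOA_EPOCH + timedelta(seconds=v)
def from_webkit(v): return WEBKIT_EPOCH + timedelta(microseconds=v)
def from_device_local(s):
    # Attach the device's offset, then convert to UTC like every other source.
    return datetime.strptime(s, "%Y-%m-%d %H:%M:%S").replace(tzinfo=DEVICE_TZ).astimezone(UTC)

def build_timeline():
    """Normalize each source to UTC and merge into one sorted list of
    (timestamp, source, description) tuples: the super-timeline."""
    events = []
    events += [(from_unix_ms(r["date"]), "sms", f'{r["address"]}: {r["body"]}') for r in SMS_EVENTS]
    events += [(from_cocoa(r["ZDATE"]), "ios_app", r["ZTEXT"]) for r in IOS_APP_EVENTS]
    events += [(from_webkit(r["visit_time"]), "browser", r["url"]) for r in BROWSER_VISITS]
    events += [(from_device_local(r["local_time"]), "call", r["number"]) for r in CALL_LOG]
    return sorted(events, key=lambda e: e[0])

def events_between(timeline, start, end):
    """Slice of the super-timeline within [start, end] (both UTC-aware)."""
    return [e for e in timeline if start <= e[0] <= end]

if __name__ == "__main__":
    tl = build_timeline()
    window = events_between(tl, datetime(2023, 5, 10, 9, 0, tzinfo=UTC),
                            datetime(2023, 5, 10, 10, 0, tzinfo=UTC))
    for ts, src, desc in window:
        print(ts.isoformat(), src, desc)
```

Mixing an epoch up by even one source (treating WebKit microseconds as Unix, or a local string as UTC) silently shifts those events out of the window, so each converter is worth checking against a known reference value before trusting the merged view.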
Most applications store information locally on the device, where the user can keep or delete it. But many applications also use cloud services to store old or up-to-date information that can be shared among different devices. The Cloud Extractor tool allows Oxygen Forensic® Detective to obtain further valuable information from related applications that use cloud storage, using the credentials, cookies or tokens extracted from the device and discovered after a first pass.
Not everyone uses the same applications, and people do not even use them in the same way. Sensitive and relevant information, such as account numbers, lists or even credentials, may be extracted from pictures that were browsed and stored.
One of the capabilities of Oxygen Forensic® Detective is text recognition: an integrated OCR engine is run against all extracted images and the results are added to the project.
Specific and useful information can be extracted from pictures, and not only text. Identifying objects that belong to classified categories such as guns, pornography or drugs, and even face recognition, are very interesting features implemented by built-in engines that add value and can even be the key to an investigation.
Reporting and Exporting: Extracting the Key Evidence
Every investigation ends in a written report. Its final quality will depend on the amount and usefulness of the extracted and parsed information and, of course, on the ability, experience and know-how of the analyst writing it.
The structure and body of the report will depend on the requirements of each case, the findings extracted from the mobile device and their relevance. Oxygen Forensic® Detective allows key evidence to be exported to different formats. Many of them may be parsed by the analyst or simply added as an annex or as digital evidence on read-only storage media.
Oxygen Forensic® Detective is a stable, powerful and trustworthy tool that makes life easier for forensics professionals. Fortunately, human handling will still be needed to select, analyze and understand the relevant information for every case, but the results extracted with one of the best-known tools in the forensics world are always an advanced starting point, helpful for every case where evidence stored in a mobile device plays a key
About the Reviewer
Lorenzo Martínez Rodríguez is the CTO of Securízame, based in Madrid, Spain. At Securízame we help you with the management, investigation and recovery of your security incident so that you can return to production as soon as possible. The quality of the consulting services we offer is guaranteed by the experience acquired over many years by the Securízame team. Our specialization in computer forensics will help you react to a security incident, find malicious activity or recover information deleted by an attacker: our Forensic Analysis services are very effective.