Oxygen Forensics, Inc. was founded in 2000. In the past 23 years, we have witnessed how the evolution of mobile devices has significantly influenced the field of mobile forensics and the way we approach our solutions. As mobile devices advanced in terms of technology, capabilities, storage options, and security measures, mobile forensics had to adapt and develop new techniques and tools to keep pace.
Occasionally, we experience a wave of nostalgia for those times. So, let’s go back to the 2000s and look at how the mobile phone and mobile forensics world changed and what role our company played.
A breakthrough approach to Nokia smartphone extraction
The rapid increase in the number of mobile phones, particularly smartphones, created a demand for mobile forensic software.
Our first forensic tool was launched in 2004 and supported data extraction from Nokia feature phones and Nokia Symbian smartphones. At that time, phones did not contain much evidence to extract. There were no applications, and sending SMS and MMS messages was the only capability. We made our first steps in forensics and partnered with the digital investigators, who pointed us to what they needed.
We introduced OxyAgent, the utility that worked as an intermediary between our software and Nokia Symbian smartphones, and allowed for data extraction.
At first, the method was criticized for not being 100% forensic. Today we understand that “purely” forensic methods do not exist. Oxygen Forensics, as well as other forensic software manufacturers, still use this approach for logical data extraction from mobile devices.
The start of the applications era
The first iPhone was introduced in 2007, followed by the release of the Android-based HTC Dream phone in 2008. This marked the beginning of a new era for smartphones, which became more sophisticated and capable of storing apps, geo coordinates, and volumes of other data. The year 2006 saw the launch of Facebook, followed by WhatsApp in 2009, and Instagram in 2010. These significant advancements brought about new challenges for mobile forensics software developers like us, as we had to extract and investigate a broader range of databases and data, playing hide-and-seek games with app developers.
The first steps in evidence analysis
With the introduction of Apple iOS and Android OS devices, we saw an increase in mobile app usage. This meant that more evidence was stored on mobile phones and, consequently, that investigators needed more time to analyze it. During that time, the idea to create the first analytical section came to fruition.
The Symbian phone timeline inspired us to introduce the Timeline section in the Oxygen Forensic Suite in 2010. This first analytical feature within forensic software was welcomed by our customers. Using the Timeline section, they could quickly analyze all types of events in one list while applying various filters. We still have the Timeline section in our software to this day.
The growth of mobile applications
The growth of mobile applications and the expansion of app ecosystems brought new challenges for digital forensic investigations. Mobile forensic techniques and tools had to adapt to extract data from various apps, including social media platforms, instant messaging services, and other third-party applications.
Analyzing app data became crucial in mobile forensic investigations. Knowing this, we put lots of research into app database analysis and app support in our software, and we are still leading in the quantity of supported apps, quality of data parsing, and timely app support updates.
10 years ago, we worked with Plist files and SQLite databases of simple structure and no encryption. Today, we have to deal with app encryption while implementing support for vault storage and messengers, like WhatsApp, Signal, AWS Wickr, Notepad, Vault-AppHider, and many others.
The introduction of cloud forensics
In the 2010s, mobile devices began integrating cloud services for storage, synchronization, and backup purposes. The phone manufacturers realized that it would be impossible to store increasing amounts of user data locally on the phone and started exploring cloud storage solutions. This shift to the cloud was another change that our product developers predicted.
In October 2014, we came up with the idea of cloud data extraction, releasing our first Cloud Extractor. Like many innovative insights, at first, it was not welcomed, as our customers were not ready to use cloud data as evidence. It took many years for cloud data to gain legal recognition.
Nowadays we have a very challenging job maintaining all of the 102 supported cloud services, as cloud storage is getting more secure and the services' APIs change a lot.
The need for drone forensics
With drones flying all over, causing flight disruptions at airports and threatening national security and our privacy, we realized the need to supply law enforcement with a tool to extract and analyze data from all possible drone sources.
Within 2 years, we introduced all-in-one support for the most popular DJI and Parrot drones, allowing our users to perform physical extraction of drones, access their data in the cloud, and extract drone apps and flight logs from mobile devices and computers. The current situation with drones is much more challenging due to drone memory encryption and the vast variety of drones that are now available.
The need for data analysis speed and the proliferation of AI-based tools
As mobile devices evolved, they offered larger storage capacities, allowing users to store a vast amount of data. This presented challenges and opportunities for mobile forensics. Forensic tools had to be capable of efficiently handling and analyzing larger volumes of data, including photos, videos, documents, application data, and system files.
With that in mind, in 2019 we released a new generation of Oxygen Forensic® Detective versions that allowed data processing 3 times faster than before.
Moreover, in recent years, the digital forensics field has observed a trend toward utilizing AI-based tools. The greatest advantage of artificial intelligence is the elimination of manual analysis, resulting in a significant acceleration of the evidence review process. In response to this trend, we have incorporated several AI-based tools into our software that we provide to our customers free of charge. Our AI-based tools include facial categorization, image categorization, and OCR.
Dealing with device security
With the growing awareness of data privacy and security, mobile devices started implementing stronger encryption mechanisms and advanced security features like biometric authentication to protect user data. Investigators had to adapt to these security measures, finding ways to overcome them to access relevant data while ensuring the integrity of the evidence.
Overcoming device security requires lots of research and is always a cat and mouse game between device manufacturers and digital forensics companies.
In 2020, we implemented advanced screen-lock bypass and passcode brute force methods. The first one, for Huawei devices with Kirin chipsets, was warmly welcomed by our customers. Currently, we offer a great variety of advanced methods for Android devices based on Kirin, MTK, Qualcomm, Exynos, and Spreadtrum chipsets.
Remote data collection and analysis
The COVID pandemic has had a profound impact on various aspects of life, and digital forensics is no exception. Remote work is here to stay and there are definite advantages to it, including reduced costs. Today’s technologies allow many opportunities for remote work and effective collaboration.
This year we have launched 2 new products that reflect this trend – Oxygen Analytic Center and Oxygen Corporate Explorer.
Oxygen Analytic Center enables real-time, browser-based collaborative data review and analysis — any time, anywhere — so investigators and eDiscovery professionals can resolve cases faster and more efficiently.
Oxygen Corporate Explorer helps corporate users find critical digital evidence, using targeted, remote, and onsite data collection, task scheduling for automatic collection, and powerful search and analytic tools.
To recap, the evolution of mobile devices influenced mobile forensics by necessitating the development of new techniques, specialized tools, and expertise in various aspects of device architecture, operating systems, app analysis, encryption, cloud services, and security measures. Mobile forensic experts continually adapt their methodologies to extract, analyze, and preserve digital evidence from the latest mobile device technologies. The DFIR industry is developing rapidly and we are ready to meet the next challenge.