Take It One Step Further with App Activity Analysis

The amount of information acquired from an application can be overwhelming, not only for investigators but for device owners. Dozens of constantly-updating apps may be installed on the device, but how many of those apps have actually been used? And when?

These are questions that often arise during investigations, and we are here to help answer them.

Oxygen Forensic Detective v.13.3 introduces a new analytic tool specifically designed to give investigators a holistic view into an application’s activity. This feature is compatible with iOS, Android, and PC devices. The Application Activity tab is located within the Timeline module. There, investigators can find a wide scope of information regarding  an application’s activity, such as:

  • When and how long the app was used;
    • This is useful in cases when the device was accessed by someone other than the owner and app data was viewed and left unchanged. The choice of apps and the duration of usage may help establish a motive, hinting at sources that were of interest to the criminal.
  • Whether or not the app was running in the background;
    • An app running in the background at the timeframe of interest might record some potentially useful data, such as device location or even sound, depending on the exact app. There are apps that record video and sound while running in the background or even when the device is locked. If such an app is detected, the investigator can use Oxygen Forensic® Detective to learn when the app was installed, discovering what triggered this installation and whether it was downloaded by the device owner or a third party.
  • What was done within the app;
    • The information available depends on each particular app but still proves useful at determining what the app was used for, especially if it left no other traces, such as viewing a date on Google Calendar.

Investigators can use the source filters on the left panel to view data regarding the apps of interest. They can use checkboxes to select one or several apps, depending on the focus of the search.