| << go to main contents | < prev chapter | next chapter > |
Chapter 5: Oxygen Forensic Suite 2010 PRO
Oxygen Forensic Suite 2010 is mobile forensic software that goes beyond standard logical analysis of cell phones, smartphones and PDAs. Use of advanced proprietary protocols and phone APIs makes it possible to pull much more data than can be extracted by forensic tools utilizing standard logical protocols, especially for smartphones.
Oxygen Forensic Suite 2010 helps you to extract most of the information from a great majority of mobile devices for investigation purposes. This program has played a significant role in criminal and other investigations all over the world and is used by Law Enforcement units, Police Departments, army, customs and tax services and other government authorities.
Current software version provides access to the following sections: Phonebook, Calendar, Tasks, Messages, Event Log, File Browser and Extras (Life Blog, Phone Activity, Wi-Fi Connections, Skype and Web Cache analyzer). Note that the number of sections and list of extractable data fields depends on the device model.
You can examine:
- Common phone information
- Contact list (including mobile, wire line, fax numbers, postal addresses, e-mails, contact photos and other contact information)
- Missed/Outgoing/Incoming calls
- Caller Groups information
- Organizer data
- SMS messages (messages, log, folders, deleted messages with some restrictions)
- Multimedia Messages with attachments
- E-mail messages with attachments and folders
- GPRS, EDGE, CSD, HSCSD, Wi-Fi session log and traffic amount
- Photos and gallery images
- Video clips and films
- Voice records and audio clips
- All files from internal phone memory
- GPS and XMP coordinates stored in camera snapshots
- Web browsers bookmarks and cache files
- iPhone password-protected backups
- Skype information
- Wi-Fi connections
Oxygen Forensic Suite 2010 offers an easy and convenient management of all examined devices in one window: phone properties, case details and status, the person in charge of it, etc.
Mobile device information analysis can be done from the program directly or with the help of advanced export function. You can create reports in the most popular file formats (XLS, RTF, PDF, XML, CSV, TSV) and either print or send them to remote departments and experts.
The program has a powerful built-in search engine. You can easily find the necessary information in all the sections with few mouse clicks in Oxygen Forensic Suite 2010. What is important, the search results are saved between sessions and can be either exported or printed. Besides, a contextual filter in every section helps you to sort out the data the way you need it.
Oxygen Forensic Suite 2010 contains two viewers that can open database as well as .plist files.
Moreover, the software allows you to save extracted data to a file and then load it into the program on another computer. Thus you need to connect a phone and extract data only once and then send the extracted information outside, e.g. for analysis by remote experts.
Current version works with more than 1600 mobile devices from Nokia, Apple (iPhone 2G, 3G, 3GS), RIM (Blackberry), Google (based on Android OS), Samsung, Sony Ericsson, Motorola, Panasonic, LG, HTC, Asus, HP and other manufacturers.
Oxygen Forensic Suite 2010 has a strong support for Symbian OS and Windows Mobile 5/6 smartphones and communicators (ActiveSync is not required). Upcoming versions will have support for Android devices too. The list of supported models is rapidly growing. Oxygen Forensic Suite 2010 supports USB cable connection, Bluetooth (Microsoft, Widcomm, BlueSoleil) connection, infrared connection using IrDA stack. Support for different types of connection depends on the phone series and model.
The software works under 32-bit or 64-bit versions of Windows 7, Windows Vista, Windows XP, Windows Server 2003 and Windows 2000.
Oxygen Forensic Suite 2010 PRO was downloaded from Oxygen’s website, and minutes later I received an automated e-mail with a registration code, activation key, and contact information. I updated the registration code using the instructions provided, ran the Setup.exe file, and the software was installed and ready to go within minutes. Oxygen Forensic Suite does not require a dongle, but the activation key (which was attached to the automated e-mail) had to be entered prior to use. The version used at the time of testing was v. 2.7.0.232
The acquisition of the iPhone was simple and straight-forward. After selecting the “Connect new device” link, I was prompted to choose a connection type. I decided to connect via Cable (rather than Bluetooth or Infrared). I did have some minor issues getting the software to “see” the device. After several unsuccessful connection attempts, the error message conveniently provided a link which allowed me to e-mail the error to Oxygen technical support. I sent the e-mail at the very end of my workday, and a response was waiting for me the next morning. The solution was to install the latest version of iTunes. I then was able to connect the device, but I had to first start the software, then connect the iPhone into the computer.
When prompted to select the data types to be extracted from the device, I chose the option to do a full file structure reading and acquire all data from the device.
The entire acquisition took approximately 10 minutes. When complete, I had the option to open device and analyze or create a report. I elected to immediately analyze the device, and later create the report.
The standard acquisition resulted in the following categories along the left-hand side: Device Info, Phonebook, Calendar, Notes, Messages, Event Log, File Browser, and Extras. The following shows the data of each of these categories.
The Device Info section includes model number, software revision, serial number, and whether or not the device has been jail broken. On the left-hand side, there is also “device extended information” which provides more details than many of the other tools. Wi-fi and bluetooth MAC addresses are given along with sim status and other information.
Also included in this section is information on the acquisition, namely extraction time and hash algorithm.
The Phonebook contains contact info, e-mail address, address, notes, and MD5 Hash value.
The following images display the results of Calendar Events and Notes created. While the tool did not display the one note that was deleted from the phone, this note was later found in the “notes.idx” file (located in the “Extras” section discussed below).
The Messages section includes all SMS and MMS messages which were sent or received, the phone number of both parties, a timestamp, and MD5 Hash value.
The Event Log contains all call logs including the phone number, call duration, time stamp, and MD5 Hash value. Separate tabs are also provided if you wish to look only at answered, received, or missed calls.
File Browser is the next section, and this is where images, songs, videos, and other documents and files can be found. GPS coordinates are provided for each image (if available). An “applications” tab is also included in this section, however it was empty and did not contain any of the applications downloaded on the iPhone used for testing. Having said that, a full directory structure is provided, allowing an examiner to look at each and every file on the device and from there, determine the significance of that file. Within this directory was the “Applications” folder containing each of the applications on the device.
Oxygen Forensic Suite also provides a Search functionality. You can search for either text or contact activity. The search for text function simply finds all occurrences of the specified text in all phones, or just those that are selected. The “Search for contact” feature allows you to enter only part of any contact data – name, phone number or other fields. If the program finds a contact satisfying the search criteria, it analyzes all phone numbers, e-mails and other fields of this contact and starts searching for any of this information through all sections of specified mobile devices. By double-clicking on the entry, you can switch to the corresponding section of the relevant phone for more detailed analysis. All search results can then be saved, printed or exported and reused later.
The final section is Extras, which includes information on any Wi-Fi connections, Internet history cache files, Skype information (if applicable), and an “Activity” link which allows the examiner to sort all phone activity according to date, remote party, or contact. The Wi-Fi connection information extracted from the test device contained a lot of important information. Geo location data was provided for this particular SSID as well as the last time the device joined automatically, and the last time a user initiated the join. This is vital information which could be used to determine where a person was at a certain point in time.
The following are the results from the Oxygen Forensic Suite 2010 PRO:
Oxygen Forensic Suite provided excellent results. The acquisition is quick and easy, and the reporting tool categorizes the data allowing the user to analyze the information in an organized manner. This product excelled in a few areas by providing above average results on GPS and Wi-fi data within the reporting tool.
The following ranking establishes Oxygen’s overall rating of 3.5 on the four criteria established at the beginning of this white paper.
Table 1.1. Oxygen Rankings
| Area | Weight | Rank |
| Installation | 0.1 | 5.0 |
| Acquisition | 0.1 | 4.0 |
| Reporting | 0.1 | 4.0 |
| Accuracy | 0.7 | 3.1 |
| TOTAL | 3.5 |
| << go to main contents | < prev chapter | next chapter > |
