Users completely screened
The Oxygen Forensic Detective’s features include overriding the screen lock on various Android devices and the ability to decrypt encrypted backups, images and data. In addition, users of the software gain instant access to more than 60 cloud services and can access data from many commonly used apps.
In practice, the software is used in IT forensics to pull complete images of mobile devices; the data analysis is then performed on these images. Alternatively, existing backup copies of the devices can be used for this purpose. Other functions include an SQLite viewer for analyzing databases, tools for analyzing timelines, a data recovery function, and powerful search functions for quickly locating the information sought in the data sources. A file browser is also available.
In the test, we installed the latest version 11 of Oxygen Forensic Detective at the time of testing on a Windows machine running the 64-bit version of Windows 10 (1803). We then took a close look at the software’s provided forensic tools in various ways. To familiarize ourselves with the functionality of the solution, the manufacturer provided us with two backup images of devices running Android and iOS.
We used the software to examine these images in detail, find out what they contained and get to know the main features. We then created an image of an iOS device present in our test lab and checked whether the software really displayed everything that could be found out about the installation.
Importing the iOS backup
After installing the solution on our computer, the first step was to import the iOS image and then familiarize ourselves with the software’s features. To do this, we selected the “Import Backup File” command and selected our iOS image. The “File Extractor” window then opened, with the file type “Oxygen Backup” already preselected as the source. When we clicked on “Next”, the software read the backup.
After importing the image of the iOS phone, we first went to the Supported Applications page to get an overview of the apps whose data Forensic Detective can process. We found an impressive list of 4734 Android, 3786 iOS, 16 Blackberry, and 60 Windows Phone apps at the time of testing.
In the next step, we took the data of the “WhatsApp” messenger and looked at the messages exchanged by the demo user “Amy Rivers”, the supposed owner of the demo phone. For the forensic software to extract the data from this app under iOS, the iPhone must be unlocked. If this is the case, the investigators are able to view WhatsApp data from several different areas.
The “Application Files” include the files belonging to the application, such as the SQLite files, the pictures and thumbnails, and the like.
The most interesting is probably the “User Data” section. This not only provides information about the contacts that the affected user has, but also allows the responsible staff to read through the individual communications themselves. In this context, we noticed that our test user Amy obviously has a drug problem and is addicted to cocaine.
Apart from that, the user data also reveals the calls made via WhatsApp and the information shared, such as the whereabouts at certain times, photos, and so on.
To view data that has already been deleted from the smartphone, it makes sense to use cloud data. If users switch to “Cloud Accounts”, they can access the configured cloud services like WhatsApp backups, Dropbox or Facebook. We took a closer look at a WhatsApp backup in the test. We selected the corresponding entry in the overview and started the Oxygen Forensic Cloud Extractor.
Here, we could first view the credentials that had been read from the device and then select the service we wanted to examine. The system then checked whether the credentials for each service were still valid, which took some time, and gave us the option to enter new credentials or continue with the investigation. Since the WhatsApp backup already had valid credentials, we moved on to the next step at this point. The tool then contacted the cloud service and extracted the data to the local system, where we could access it using the method described above.
In the next step of the test, we took a closer look at the apps for Facebook, Twitter, and Instagram. Relatively little user data can be read directly from these apps, for example the Instagram accounts that Amy followed, the Facebook cookies, or the Twitter search history. This information is nowhere near as interesting as the data from the WhatsApp application. However, since the phone was connected to the corresponding services and the image therefore also included the access data for the cloud services, we were able to pull the cloud data from the social media services in the test via the same method used for the WhatsApp backup and gain further insights into the demo user. Oxygen Forensic Detective can thus also be used to combine multiple data sources.
Next, we looked at the Android image that the manufacturer had also provided us with. The import was the same as with the iPhone backup and the data was found in the tree structure of the forensic tool as expected. This time it was the high-screen smartphone of Jay Jazzy, who is also suspected of drug use.
There we also first took a closer look at the apps. The work with the data from the Android phone was similar to the iPhone analysis.
We also analyzed the Google Location History as part of the investigation of the Android image. The associated data is not stored on the smartphone but in the Google Cloud. Since the Google token is available once the phone has been scanned, investigators can read out not only the location history but data from all Google services. In the test, we obtained and viewed a detailed movement profile of the test user Jay Jazzy. Furthermore, our investigation revealed that Jay is the one who gets Amy her drugs.
Reading out a new device
Now that we had familiarized ourselves with the tools of the Forensic Detective, we moved on to reading out a smartphone of our own. For this purpose, we used an iPhone 6 running iOS 12.1.1. To do this, we first installed iTunes on our test computer to provide the drivers needed to access the device. If you want to read Android or other devices, the “Drivers Pack” from Oxygen Forensics must be installed on the respective computer instead.
After installing iTunes, we first connected the iPhone to the test system to check that the connection worked. Once that was confirmed, we tried to read the locked iPhone in the next step. As expected, this did not work. At this point, however, it should be mentioned that there is also a workaround for the lockdown function on iPhones. The manufacturer provides more information about this in a whitepaper.
However, after unlocking the iPhone, we were able to connect to the device via the “Connect Device / Auto Device Connection” function and extract the data it contained within a few minutes. In doing so, we got a collection of data that matched the demo backups mentioned above and could be processed in exactly the same way.
By the way, during the extraction process, the software always tells the users exactly what it is doing. For example, it detected that the iPhone backup on our system was encrypted and tried to crack the password used for it. Also, on this occasion, we were given the option to enter the password to speed up the process.
To evaluate the data, the tool not only provides the aforementioned tools such as the image and SQLite viewer and the search function but also helps the responsible persons in other ways. For example, there is a so-called timeline, which chronologically combines information from different sources, for example from the Dropbox and Facebook apps, and thus provides an overview of which actions the user has performed and in what order.
Also of interest is the “Social Graph” mentioned at the beginning. It shows a zoomable graphical overview of the existing contacts and the connections between them. The tool draws on information from different sources, such as the phone book, the call list, messages, and app databases.
Oxygen Forensic Detective surprised us with the extremely large amount of information available about mobile device data. In the test, in order not to go beyond the scope of the article, we could only go into a few application examples to demonstrate the solution’s range of functions.
However, the amount of data obtained can be expanded significantly. It should only be noted here that applications like Tinder can be read out completely with the software, that the travel activities of users can be reconstructed via apps like Booking.com, and that the forensics solution is also capable of using the search history of browsers as a data source.
Above all, the combination of the data stored directly on the devices with the cloud data that can be imported, since access tokens or credentials are known once the mobile devices have been accessed, ensures that those responsible receive practically all the information about the users that can be collected in this way at all.
This is by no means clear to everyone, and even we had paid too little attention to this issue before this test. The analysis tools of the forensics solution then additionally ensure that the software automatically prepares the essential core information in a clear manner and quickly makes it available to the investigators.