
Upload: vuongphuc

Post on 28-Mar-2018


Page 1: Forensics Tutorial 13 – Mobile Forensics with Oxygen ... nest.unm.edu/.../9713/...Mobile_Forensics_with_Oxygen… · Web view

Forensics Tutorial 13 – Mobile Forensics with Oxygen Forensic Suite


Explanation Section

Mobile Forensics – Definition

Mobile forensics is a sub category of digital forensics that relates to recovery and analysis of digital evidence or data from a mobile device under forensically sound conditions. In the present day, the phrase mobile device can refer to a wide spread of mobile devices, such as smart phones, tablets, GPS devices, and PDA devices. Essentially, mobile device can refer to any digital device that has both internal memory and communication ability.

The use of phones in crime has been widely recognized for some years, but the forensic study of mobile devices is a relatively new field, beginning in the early 2000s. Since the rapid expansion of the smartphone and tablet market, mobile forensic examination has become consistently more pivotal to criminal investigations, which has increased the need for specialized mobile programs and software. Since the majority of digital forensic investigative software was not initially created for mobile devices, it has been crucial to create new forensics tools specifically designed to handle mobile investigations.

Mobile devices in the current day have come to hold more personal data than even personal computers. Mobile devices contain personal information such as contacts, photos, calendars and notes, SMS and MMS messages, and downloaded documents or information. Smartphones and tablets may additionally contain video, email, web browsing information, and social networking messages and contacts.

About Oxygen Forensic Suite

Oxygen Forensic Suite is mobile forensic software that allows for extensive analysis of cell phones, smartphones and tablets. Oxygen Forensic Suite provides advanced tools that extract much more data than logical forensic tools usually do, especially for smartphones.

The forensic suite allows mobile devices to be connected either through a USB cable or via Bluetooth. The supported phone types include Symbian OS, Windows Phone, Blackberry, Apple iOS, Android OS, Nokia, and Bada OS. In total, Oxygen Forensic Suite supports over 7700 different mobile devices. The suite permits the gathering of the following information from mobile devices:

Phonebook and contacts
Organizer and calendar events
Text messages (SMS and MMS)
Calls and events (events include deleted SMS messages, Wi-Fi traffic, etc.)
File system and multimedia (including photos, videos, downloaded documents, etc.)
Extras (including app information, social media details, and geolocational data)

Oxygen Forensic Suite offers a free trial version that functions for 6 months. Since this version is free, multiple features are not available, but users are able to capture and extract data, analyze that data, and create reports from it. However, it does not allow for social networking analysis, a data timeline, web connections and locational data, or custom and preinstalled applications.

1 | Page


In This Tutorial

In this tutorial, we will be examining data from an Android smartphone (Samsung Galaxy SIII) and a Windows smartphone (HTC 8X). After detecting the device, the tutorial will cover choosing data to extract from the phone and going through the extraction process. Once the extraction process has been completed, the tutorial will walk through the steps of analyzing the data and using the tools available within Oxygen Forensic Suite in order to create a mobile forensics case.

Tutorial Section

LEARNING OBJECTIVES:

Download and install Oxygen Forensic Suite
Insert a mobile device and use the Oxygen Data Extraction Wizard to gather data
View and analyze the data within Oxygen Forensic Suite
Create and view reports within Oxygen Forensic Suite

Part 1 – Installing Oxygen Forensic Suite

1. Oxygen Forensic Suite has a free version of the program that is available to users for 6 months from the time it is installed. Navigate to the Oxygen Forensic Suite Download Page. This same page can be reached by going to the Oxygen Forensic Suite website and navigating to Downloads>>Freeware.


2. In order to receive a download link and an activation code, complete the required information with a valid email address. An email with a download link, sales code, and activation code will be sent to this email address. Click on the download link to receive an executable file for installation.

3. Install Oxygen Forensic Suite. Follow the prompts to install the forensic suite. This will install both the Oxygen Data Extraction Wizard and Oxygen Forensic Suite 2014. The Oxygen Data Extraction Wizard extracts and gathers data from the mobile devices, while Oxygen Forensic Suite is used for the analysis of gathered data. Once the program has installed, launch Oxygen Forensic Suite.

Part 2 – Using the Oxygen Data Extraction Wizard

1. Before the data on the mobile device can be analyzed, it is necessary that the data be extracted and captured. In this process, the data (both the main file capture as well as each individual piece of data) will be hashed to ensure that it maintains its integrity during the investigative process.

Connect the device from which data is to be captured via USB. In this case, both the Samsung Galaxy S III and the Windows phone were connected via the USB charger cables that came with the devices upon purchase. Note that Bluetooth can also be used, but is not being used in this tutorial. The device should appear in the File Viewer.


2. In Oxygen Forensic Suite, click on the button in the upper left-hand part of the screen that says ‘Connect new device’. The Oxygen Data Extractor will open a new window in order to allow connection to a new device.

3. It is possible to connect to a device either manually or automatically. Using the Auto device connection generally results in more reliable detection of the device connected by USB. Click Auto device connection. After a few moments, the Oxygen Data Extractor should detect the device. Click Next to continue the data extraction process.


4. The next window will ask for some particulars about the case. Complete the fields for the device alias (how you want to identify the device), the case and evidence numbers, the inspector, and information about the owner of the device (the individual being investigated). Also select the hash type. In this case, we are using MD5. All of the data files will receive an MD5 hash value. If desired, add notes about the device. Click Next.


5. The next window will ask for the selection of the extraction mode. This indicates how you will be allowed to select data to be extracted. In this case, we are using the Recommended Mode. This particular window will only appear for Android devices. Click Next.


6. The next window will ask for additional information pertaining to the data extraction mode. The available boxes are already checked. In this particular case, Logical extraction (Data extraction via the Oxy agent utility) is checked.

The window indicates the data extraction process: Logical extraction>>Parse user data>>OFB backup. Once the logical extraction is completed, the user data will be parsed. Once the data has been parsed, an Oxygen Forensic Suite-compatible backup will be created so that the original data of the mobile device is not altered in any way. Click Next.


7. The next window will ask for data sections to be extracted from the mobile device. Note that this window will appear slightly different for every device. The window in the below screen capture is for an Android phone device. Select the data to extract. In this case, we have selected the calendar, event log, file structure and its associated data (photos, video, documents, and other files), messages and the phonebook (contacts).

Since we have selected all file types found on the smartphone, this data extraction will take a rather large amount of time. This time depends on the amount of data on the mobile device. Click Next.


8. The next window will verify all of the data that has been entered. This is the last step before the data extraction begins. Verify that all the data is correct, then click Extract.


9. The extraction will begin. If you are selecting all available data to extract, it may take up to an hour or more for the data to be extracted. If there is less data on the device, the data extraction process may take less time. While the data is being extracted, do not alter or interact with the mobile device in any manner.

After the data has been extracted, the data will be parsed, and the hash values will be assigned to the mobile device data.


10. Once the data has been extracted, parsed, and hashed, the Oxygen Forensic Extractor will open a new window stating that the extraction operation has been completed.

There will be several options for the data. It is possible to:

Save to archive (save the extracted data to .ofb archive)
Open device (open device and start analyzing)
Export and Print (print or export full device data report)

We will be both saving to an archive and exporting a report before we examine the device. Click Save to archive.


11. When saving the extracted data to an archive, the Oxygen Forensic Extractor will create a hash of the archive file to verify the integrity of the extracted data.
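The integrity check behind steps 4, 9 and 11 (a hash per extracted item, plus a hash of the saved archive) can be reproduced outside the suite so that the archive and exported report can be re-verified later in the chain of custody. The script below is an added example, not part of this tutorial or of Oxygen's own code; it records MD5 (the algorithm the tutorial selects) alongside SHA-256, and the folder layout and file contents it hashes are constructed for the demonstration.

```python
import hashlib
import json
import tempfile
from pathlib import Path

# MD5 matches the hash type chosen in step 4. SHA-256 is recorded alongside it
# because MD5 is no longer collision resistant and many evidence-handling
# policies require a second, stronger digest for the same file.
ALGORITHMS = ("md5", "sha256")
CHUNK = 1024 * 1024  # read large media files in 1 MiB pieces


def hash_file(path, algorithms=ALGORITHMS):
    """Return {algorithm: hexdigest} for one file without loading it whole."""
    hashers = {name: hashlib.new(name) for name in algorithms}
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(CHUNK), b""):
            for h in hashers.values():
                h.update(chunk)
    return {name: h.hexdigest() for name, h in hashers.items()}


def build_manifest(root):
    """Hash every file below root (e.g. the .ofb archive and the exported
    report folder). Keys are POSIX-style relative paths so the manifest
    stays valid when the evidence tree is copied to another machine."""
    root = Path(root)
    return {p.relative_to(root).as_posix(): hash_file(p)
            for p in sorted(root.rglob("*")) if p.is_file()}


def verify_manifest(root, manifest):
    """Re-hash root and compare with a stored manifest.
    Returns lists of paths that are unchanged, modified, missing or added."""
    current = build_manifest(root)
    result = {"ok": [], "modified": [], "missing": [], "added": []}
    for rel, expected in manifest.items():
        if rel not in current:
            result["missing"].append(rel)
        elif current[rel] != expected:   # any digest differs -> altered
            result["modified"].append(rel)
        else:
            result["ok"].append(rel)
    result["added"] = sorted(set(current) - set(manifest))
    return result


def demo():
    """Constructed sample: an evidence folder is hashed, the manifest is kept
    outside that folder, then two files are tampered with and re-verified."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp) / "evidence"
        (root / "Download").mkdir(parents=True)
        (root / "case_001.ofb").write_bytes(b"constructed .ofb archive bytes")
        (root / "Download" / "invoice.pdf").write_bytes(b"%PDF-1.4 constructed")
        (root / "report.pdf").write_bytes(b"%PDF-1.4 constructed report")

        manifest = build_manifest(root)
        # Store the manifest beside, not inside, the evidence tree so it never
        # appears as an 'added' file in its own verification.
        (Path(tmp) / "manifest.json").write_text(json.dumps(manifest, indent=2))
        clean = verify_manifest(root, manifest)

        (root / "Download" / "invoice.pdf").write_bytes(b"%PDF-1.4 altered")
        (root / "report.pdf").unlink()
        tampered = verify_manifest(root, manifest)
        return manifest, clean, tampered


if __name__ == "__main__":
    _, clean, tampered = demo()
    print("clean run:", clean)
    print("after tampering:", tampered)
```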


12. You will then be taken back to the Oxygen Forensic Extractor page with the remaining options to open and analyze the device or export or print a report. Click on Export and Print. A new window will open to select the export details for the report. Select a target folder in which to place the report. It is also possible to select whether to export individual data files; in this case, we have not chosen to do this. Click Next.


13. Once the report file has been saved (in PDF format), a new window will open to show the export result. This will confirm that the report was successfully exported to the appropriate location. Click Finish.

14. You will then be taken back to the Oxygen Forensic Extractor page with the remaining options to open and analyze the device. Click Open device in order to view and analyze the data on the mobile device.

Part 3 – View and Analyze Mobile Device Data

1. After clicking Open device, the mobile device will be displayed within Oxygen Forensic Suite. General information about the device such as the investigator and device owner information will be displayed. Additionally, the options available for analysis will be shown at the bottom of the window under the heading ‘Common Sections’.

Note that all of the analysis options that have a red ‘Unregistered’ next to them are unavailable with the free version of Oxygen Forensic Suite. However, it is possible to view SMS messages, the event log, phone book, organizer, and the file browser. It is also possible to conduct searches of the data and create reports. Click Messages to view texts.

2. All messages sent and received will appear. The message information shows from whom or to whom the message was sent/received, the folder on the phone on which the message is stored, the remote party ID, the message timestamp, the text of the message, and the MD5 hash value of the text message. On the far right of the screen, it is also possible to view the available message folders: SMS Inbox and Outbox and MMS Inbox and Outbox.

*Please note that in this example any sensitive data has been hidden.


3. Click back to the main device page near the top left of the screen (‘All Devices’). Click ‘Event Log’ to view all calls placed on the phone. On the resulting Event Log page, it is possible to see the type of event (Voice), the timestamp of the event, the incoming or outgoing number, the name or number of the remote party, the duration of the call, whether the call was answered and a conversation took place, and the MD5 hash of the event entry.


4. Click back to the main device page near the top left of the screen ‘All Devices’. Click ‘Phonebook’ in order to view the contacts that have been saved on the phone. For each contact, it is possible to see the contact photo if one is available, the contact name or contact entry, Internet/email address for the contact, the mobile number of the contact, the address of the contact, caller groups, the data source, the last time the person was contacted, and the MD5 hash for the contact entry.


5. Click back to the main device page near the top left of the screen ‘All Devices’. Click ‘File Browser’ to see available folders and files stored on the phone’s SD card. From this location, it is possible to view photos, videos, saved emails, and documents that have been saved to the phone’s SD card.

Navigate to one of these folders that contains data. In this case, we are viewing the contents of ‘Download’. There are various documents in this folder. The information available about the downloaded documents includes the path of the data, the name, the file size, the type of file, the modified date, the file extension, and the MD5 hash of the individual file.

Oxygen Forensic Suite also contains its own hex editor. This will appear near the bottom of the program window. If for some reason the data has been altered or bit-shifted, it is possible to view the hex data for the file to check for alterations.


6. Note that it is possible to flag pieces of evidence by clicking the flags in the far left column, and to add evidence notes to individual pieces of evidence. Since we are using a free version of Oxygen Forensic Suite, the flagging of evidence does not serve a function. However, in the full version of the software, these flags would appear in the category of Key Evidence, available on the main device page.


7. It is possible to create a report from a piece of evidence. In order to do this, select a desired piece of data; make sure that it is highlighted. Click the Downward-facing arrow to the right of the ‘Export’ button in the upper left of the window. Click ‘Export to File’. The report will be created.

8. In order to view reports that have been generated, navigate back to the main page and click ‘Reports’. The available reports will be shown, along with the path of where the PDF report has been saved. To view the report, open the PDF that has been saved.


9. The Oxygen Forensic Suite reports are formatted with basic information concerning the case, such as the investigator and device owner information. In the body of the report, the seen evidence will be shown, along with any evidence notes that were added in the course of the investigation analysis.


Conclusion

Mobile forensic investigation has become steadily more important since the early 2000s. Since then, many companies have begun to create specialized programs for mobile forensic investigation. In terms of free programs, Oxygen Forensic Suite is one of the best and most comprehensive programs offered. There are other free platforms created for mobile forensic investigation, such as the Santoku Linux distro, but these are not as robust as programs created specifically for mobile forensics.

Other paid mobile forensics software includes EnCase, which allows for comprehensive mobile forensics investigations, and MPE+ from AccessData, which similarly allows for comprehensive mobile forensics investigations.

Mobile forensics can provide pivotal evidence in the scope of investigations. Phones and tablets provide contact information, text messages, call logs and voicemail messages, application data, media such as photos and video, and downloaded data and Internet usage information. All of this evidence can be used in building a forensics case, and in identifying potentially criminal activities and those involved in them. Since the world continues to move toward mobile devices, they will most likely continue to be a pivotal source of information in criminal cases.


Try This

Connect a mobile device such as a smartphone or tablet and go through the data extraction process to gather data from the connected mobile device. Once data has been captured, add some evidence notes and create several reports. Look for data that could be considered evidence. How could this data be useful in the course of an investigation?
