
OXYGEN FORENSIC SUITE

GETTING STARTED

2000-2015 Oxygen Forensics | http://www.oxygen-forensic.com


Table of contents

General information
Installation
Extracting information from mobile device
  Activation
  Internet license
  USB dongle license
  Using Oxygen Forensic Extractor
  Data extraction from backups and device images
Analyzing extracted information in Oxygen Forensic Suite
Analytical features of Oxygen Forensic Suite
  Timeline
  Aggregated Contacts
  Links and Stats
  Social Graph
  Web Connections and Location Services
  Dictionaries
  Passwords
  Applications
  Social Networks
  Messengers
  Productivity
  Web Browsers
  Navigation
  Travel
  Fitness
  Multimedia
  Finance
  Spyware
  Geo event positioning (LifeBlog)
Reports
Advanced search functions
Key Evidence
Exporting and Printing forensic reports
Android Rooting
Viewers
  SQLite Database Viewer
  Plist Viewer
  Nokia PM Viewer
  Blackberry IPD Viewer
Appendix
  Oxygen Forensic Suite - How to connect Android devices
  Oxygen Forensic Suite - How to connect Apple devices
  Oxygen Forensic Suite - How to connect Windows Mobile devices
  Oxygen Forensic Suite - How to connect Symbian OS smartphones
Copyrights and contacts

General information

Oxygen Forensic Suite is mobile forensic software for data acquisition from phones,
smartphones and other mobile devices. This program has played a significant role in criminal and other
investigations all over the world and is used by Law Enforcement units, Police Departments, army, customs
and tax services and other government authorities.

With Oxygen Forensic Suite you can examine:

Common device information
Contacts with all the fields and contact photos
Missed/Outgoing/Incoming calls
Organizer data (meetings, appointments, memos, anniversaries, tasks, notes, etc.)
SMS, MMS, iMessages, E-mails with attachments
Device dictionary words
Photos, videos, audio files and voice records
Geo coordinates stored in camera snapshots and applications
Wi-Fi connections
Device logs
Passwords to the device owner accounts and Wi-Fi hot spots
User data of 625+ applications from Android OS, BB 10, iOS, Windows Phone devices
Deleted data (contacts, messages, calls, photos, etc.)
Timeline - all the events including geographical coordinates from one or several devices
Aggregated Contacts - contacts taken from various sources, including applications
Communication Statistics of one or several device owners
Social interactions of one or several device owners shown on the diagram or graph
Key Evidence - a convenient way of putting all the important data from all the sections of one or several devices in one list for further analysis or export

Mobile device information analysis can be done from the program directly or with the help of
the advanced export function. You can create reports in the most popular file formats (XLS, RTF, PDF, XML,
CSV, TSV, etc.) and either print or send them to remote departments and experts.

The program has a powerful built-in search engine. You can easily find the necessary
information in all the sections with a few mouse clicks in Oxygen Forensic Suite. Importantly, the
search results are saved between sessions and can be either exported or printed. In addition, a contextual
filter in every section helps you sort the data the way you need it.

Moreover, the software lets you save extracted data to a file and then load it into the program
on another computer. Thus you need to connect a phone and extract data only once, and can then send the
extracted information outside, e.g. for analysis by remote experts.

The current version supports 10,350+ mobile devices running different OS: Android, Bada,
Blackberry, iOS, MTK chipset (Chinese devices), Symbian, Windows Mobile 5/6, Windows Phone, etc.

Oxygen Forensic Suite can import various backup types (iTunes, Android, BB, BB10 and
IPD) as well as iOS and Android images made in other forensic tools. The program is also capable of
acquiring user data from My Windows Phone cloud and iCloud (login and password required).

Oxygen Forensic Suite supports USB cable connection and Bluetooth (Microsoft, Widcomm)
connection. The software works under 32-bit or 64-bit versions of Windows 8, Windows 7, Windows Vista.

Installation
Oxygen Forensic Suite is distributed under two licensing systems: an Internet
license with hardware binding and a license with a USB dongle.

Select the language to use during the installation:

Run the OxyForensic_Setup.exe installation package and follow the Setup wizard:

On the next screen, carefully read the License agreement and accept it if you agree:

Then you can read about the program:

Select the folder to install Oxygen Forensic Suite:

Choose the folder for program shortcuts:

You can have the wizard prompt for the registration key (if you are using an Internet license) and create
Desktop and Quick Launch icons:

Check all settings and press the Next button to start installation:

Enter the key you received from us (Internet license only):

When installation is completed, you can choose to look through the release notes, view the XML
specification, download the driver pack, and launch Oxygen Forensic Suite:

Extracting information from mobile device
Activation
To use Oxygen Forensic Suite you need to activate the license. The activation process differs
according to the license type.

Internet license
To start working with Oxygen Forensic Suite you must have an Internet connection and activate
the program. Press Yes to start the activation:

Send your activation request via e-mail or the Web, or save it to a file:

Enter the key as soon as you receive it and restart Oxygen Forensic Suite.

USB dongle license
The Oxygen Forensic Suite USB dongle license must be used with the USB dongle that is bundled
with your Oxygen Forensic Suite package. For this license, no Internet connection is required. After
installing Oxygen Forensic Suite, insert the USB dongle into a USB port, wait for the driver
to initialize and start the main program.
Please note that the USB dongle should stay inserted the whole time you work with Oxygen
Forensic Suite.

Using Oxygen Forensic Extractor


To be able to work with a phone you must make sure it is supported in the current version of the
software and all corresponding drivers are installed. Refer to the Oxygen Forensic Suite help file to learn
what must be done for a particular device model.

To extract information you must first connect the device to the program. If you use a cable
connection, attach the cable to the device. For a Bluetooth connection, activate Bluetooth on the device and make
sure it is visible and accessible.

Press the Connect new device button and Oxygen Forensic Extractor will start. Select Auto
device connection to automatically detect one device connected via cable, or Manual device selection to
connect several devices one by one or to connect via Bluetooth. The list of available connection types depends
on the mobile device capabilities and the hardware installed on your computer.

To perform physical data extraction from MediaTek Android OS devices, choose the third option,
MTK Android device connection, and follow the instructions carefully.

Oxygen Forensic Extractor will start searching for the device:

If you want to extract data from Symbian OS smartphones, Windows Mobile 5/6 devices and Android
devices (via the logical data extraction method), Oxygen Forensic Suite will load a small agent application into
the phone. Please select the option that suits you:

OxyAgent does not modify any personal data in the phone and makes it possible to read much
more information than is possible with standard protocols like SyncML, OBEX or AT.

Once the connection is established, the program will display the phone information:

The next screen prompts you to enter information about the device, its owner and the case it was
assigned to. If the device is locked with a known password, you can enter it here.

You can also choose to parse application databases and collect information for the analytical
sections such as Aggregated Contacts, Links and Stats, Social Graph, Timeline, etc., or you can do it later in
Oxygen Forensic Suite if you need to save time during data extraction.

Select the information to be read by Oxygen Forensic Extractor. Please be informed that the
list of available sections depends on the mobile device capabilities.

When all data is extracted, you can choose either to open the device for viewing and analyzing
data or to run the Export and Print wizard if you need a quick report about the device. Note that you can
run the Export or Print Wizard at any time when working with device information.

Data extraction from backups and device images

Oxygen Forensic Suite supports not only live data extraction but also the import of various backups
made in official sync software and of device images generated by other forensic programs.

The supported backup types are as follows: Android ADB, iTunes, Blackberry (including the
latest BB10). The integrated Passware tool can find passwords to encrypted backups. The list of
supported device images is very large, including UFED, XRY, Elcomsoft images as well as various JTAG
dumps (Android, Windows Phone), Chip-off (BlackBerry 10) images and many more. The software also
extracts cloud data from Windows Phone and iCloud accounts provided that the credentials are known.

Press the Import backup file button on the main toolbar to import and parse a backup:

Analyzing extracted information in Oxygen Forensic Suite
The Devices section lists all the devices connected and seized previously as well as actions
available for them.

You can view Device information in a separate window:

This section will also include summarized information about all the device owner accounts in various
social networks, messengers and other services.

The Phonebook section contains the contact list with personal pictures, custom field labels and
speed dials:

The Calendar section displays all meetings, birthdays, reminders and other events:

The Tasks section displays all the tasks with priority marks and their date/time:

The Notes section allows viewing notes with their date/time:

SMS, MMS, E-mail, iMessages and messages of other types are shown in the Messages section:

Previously deleted messages from Apple iOS and Android OS devices are also shown in the
Messages section; they are highlighted in blue and marked with a basket icon. They are
automatically recovered from SQLite databases.
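
Why deleted rows can be recovered from an SQLite file, shown as an added example that is not part of Oxygen Forensic Suite or its documentation: deleting a row only returns its cell to the page's free space, so the bytes stay in the file until they are reused. The messages table, phone numbers and texts below are constructed, and the carving is a minimal printable-string scan of freeblocks and unallocated page space, not the product's recovery method.

```python
import os
import re
import sqlite3
import struct
import tempfile

PRINTABLE = re.compile(rb"[\x20-\x7e]{6,}")  # runs of 6+ printable ASCII bytes
BTREE_HEADER_LEN = {0x02: 12, 0x05: 12, 0x0A: 8, 0x0D: 8}  # page type -> header size


def build_sample_db(path):
    """Constructed message store: three rows inserted, the middle one deleted."""
    con = sqlite3.connect(path)
    # Some SQLite builds zero freed cells by default; switch that off so the
    # sample behaves like a store that leaves freed bytes in place.
    con.execute("PRAGMA secure_delete = OFF").fetchall()
    con.execute("CREATE TABLE messages (id INTEGER PRIMARY KEY, sender TEXT, body TEXT)")
    con.executemany(
        "INSERT INTO messages (sender, body) VALUES (?, ?)",
        [
            ("+15550100", "See you at the station at nine"),
            ("+15550101", "bring the second phone tonight"),
            ("+15550102", "Running late, start without me"),
        ],
    )
    con.commit()
    con.execute("DELETE FROM messages WHERE id = 2")
    con.commit()
    con.close()


def live_rows(path):
    """What an ordinary SQL query still returns after the delete."""
    con = sqlite3.connect(path)
    try:
        return con.execute("SELECT id, sender, body FROM messages ORDER BY id").fetchall()
    finally:
        con.close()


def free_regions(page, hdr):
    """Yield (offset, bytes) for the unallocated gap and each freeblock of a b-tree page."""
    header_len = BTREE_HEADER_LEN.get(page[hdr])
    if header_len is None:
        return  # not a b-tree page (overflow, freelist trunk, ...)
    first_free, n_cells, content_start = struct.unpack(">HHH", page[hdr + 1:hdr + 7])
    content_start = content_start or 65536
    gap_start = hdr + header_len + 2 * n_cells  # end of the cell pointer array
    if gap_start < content_start:
        yield gap_start, page[gap_start:content_start]
    seen, off = set(), first_free
    while off and off not in seen and off + 4 <= len(page):
        seen.add(off)  # guard against a corrupted, looping chain
        nxt, size = struct.unpack(">HH", page[off:off + 4])
        # The first 4 bytes of a freed cell are overwritten by this chain
        # header, so the record header is damaged and fields run together.
        yield off + 4, page[off + 4:off + size]
        off = nxt


def carve_deleted_strings(path):
    """Return (page number, offset, text) for printable runs found in free space."""
    with open(path, "rb") as fh:
        raw = fh.read()
    if raw[:16] != b"SQLite format 3\x00":
        raise ValueError("not an SQLite 3 database file")
    page_size = struct.unpack(">H", raw[16:18])[0]
    if page_size == 1:
        page_size = 65536
    hits = []
    for index in range(len(raw) // page_size):
        page = raw[index * page_size:(index + 1) * page_size]
        hdr = 100 if index == 0 else 0  # page 1 starts with the 100-byte file header
        for offset, blob in free_regions(page, hdr):
            for match in PRINTABLE.finditer(blob):
                hits.append((index + 1, offset + match.start(), match.group().decode("ascii")))
    return hits


def demo():
    with tempfile.TemporaryDirectory() as tmp:
        path = os.path.join(tmp, "messages.db")
        build_sample_db(path)
        return live_rows(path), carve_deleted_strings(path)


if __name__ == "__main__":
    rows, hits = demo()
    print("rows visible to SQL:", rows)
    for page_no, offset, text in hits:
        print(f"page {page_no} offset {offset}: {text}")
```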

The File Browser section gives you access to the entire mobile device file system, including
photos, videos, voice records and other files. Recovery of deleted files is also available but depends heavily on
the device platform (supported for Android physical dumps, WP JTAG images, BlackBerry Chip-off, etc.):

Incoming, outgoing, missed and FaceTime call history, sent and received SMS and MMS, GPRS and
Wi-Fi sessions: all this information is available in the Event Log section:

Deleted calls from Apple iOS and Android OS devices are also shown in the Event Log
section; they are highlighted in blue and marked with the recycle bin icon.

Analytical features of Oxygen Forensic Suite

The Oxygen Forensic Suite version contains a set of unique sections: Aggregated Contacts,
Applications, Dictionaries, Links and Stats, Social Graph, Timeline, Web Connections and Location
Services, etc. They are supported by the Analyst version only.

Timeline

The Timeline section organizes all calls, messages, calendar events, application activities, web
connection history, etc. chronologically, so it is easy to analyze the device usage history without
switching between different sections. The Timeline section is supported for one or several mobile
devices, so you can easily analyze group activity in a single graphical view. The data can be sorted,
filtered and grouped by dates, usage activity, contacts or geo data.

The GEO Data tab allows experts to obtain geo location information from the device, locating
places where the suspect used the mobile device. With the help of the Maps and Routes button, investigators
can build routes to track the device owner's movements within a specified time frame.

Oxygen Forensic Suite obtains geo location information from multiple sources, including
the phone's cellular points, Wi-Fi points, application data and EXIF information stored in photos. The source
of geo coordinates is displayed in the new GEO Data tab. Raw coordinates are available in a separate
column, while an exact map pinpointing the location can be displayed in a separate window. The tool can
export geo location information to Google Earth via a KML file to view locations offline.
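
What such a KML export contains, as an added example that is not Oxygen Forensic Suite code or its actual output: each geo event becomes a Placemark carrying its source, a UTC timestamp and coordinates in KML's longitude,latitude order. The event records and their field names are constructed for illustration.

```python
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

KML_NS = "http://www.opengis.net/kml/2.2"

# Constructed sample events; the field names are this example's own.
EVENTS = [
    {"device": "Phone A", "when": "2015-03-02T09:30:00+01:00", "lat": 48.137154,
     "lon": 11.576124, "source": "Wi-Fi", "label": "Cafe & Bar"},
    {"device": "Phone A", "when": "2015-03-02T08:15:00+00:00", "lat": 48.135125,
     "lon": 11.581981, "source": "EXIF", "label": "IMG_0012.jpg"},
    {"device": "Phone B", "when": "2015-03-02T08:45:00+00:00", "lat": 48.140000,
     "lon": 11.560000, "source": "Cell", "label": "Cell point"},
    # Out-of-range latitude: a damaged record that must not reach the map.
    {"device": "Phone B", "when": "2015-03-02T08:50:00+00:00", "lat": 148.0,
     "lon": 11.5, "source": "Application", "label": "corrupt record"},
]


def _tag(name):
    """Qualified element name in the KML namespace."""
    return f"{{{KML_NS}}}{name}"


def to_utc(stamp):
    """Parse an ISO 8601 timestamp with offset and normalise it to UTC."""
    return datetime.fromisoformat(stamp).astimezone(timezone.utc)


def events_to_kml(events):
    """Return (KML document as text, list of events skipped as invalid)."""
    ET.register_namespace("", KML_NS)
    kml = ET.Element(_tag("kml"))
    doc = ET.SubElement(kml, _tag("Document"))
    ET.SubElement(doc, _tag("name")).text = "Geo events (constructed sample)"

    usable, skipped = [], []
    for ev in events:
        in_range = -90.0 <= ev["lat"] <= 90.0 and -180.0 <= ev["lon"] <= 180.0
        (usable if in_range else skipped).append(ev)

    # Chronological order across devices, compared in UTC rather than as text,
    # so events recorded with different local offsets sort correctly.
    for ev in sorted(usable, key=lambda e: to_utc(e["when"])):
        mark = ET.SubElement(doc, _tag("Placemark"))
        ET.SubElement(mark, _tag("name")).text = ev["label"]  # escaped on output
        ET.SubElement(mark, _tag("description")).text = (
            f"Device: {ev['device']}; source: {ev['source']}"
        )
        stamp = ET.SubElement(mark, _tag("TimeStamp"))
        ET.SubElement(stamp, _tag("when")).text = to_utc(ev["when"]).strftime(
            "%Y-%m-%dT%H:%M:%SZ"
        )
        point = ET.SubElement(mark, _tag("Point"))
        # KML order is longitude,latitude,altitude: swapping the first two is
        # the classic mistake that puts a point in the wrong place.
        ET.SubElement(point, _tag("coordinates")).text = (
            f"{ev['lon']:.6f},{ev['lat']:.6f},0"
        )
    return ET.tostring(kml, encoding="unicode"), skipped


if __name__ == "__main__":
    text, dropped = events_to_kml(EVENTS)
    print(text)
    print("skipped:", [ev["label"] for ev in dropped])
```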

The section also offers several analytical charts that show the user's activity
within a specified time period, with which contacts he was most active and in which applications.

Aggregated Contacts
Oxygen Forensic Suite with its Aggregated Contacts section allows forensic specialists to
analyze contacts from multiple sources such as the Phonebook, Messages, Event Log, Skype, WhatsApp,
Facebook and other apps. It also shows cross-device contacts from several devices and contacts in groups
created in various applications. By enabling aggregated contacts analysis, Oxygen Forensic Suite greatly
simplifies investigators' work and allows discovering relations and dependencies that could otherwise
escape the eye.

Links and Stats
The Links and Stats section provides a convenient tool to explore social connections between
device owners and their contacts by analyzing calls, text messages and messenger activity.
The Table view offers in-depth analysis of the device users' communication, including all contacts,
phone numbers and remote parties along with communication duration, and produces a concise
summary of the forensically important data.

The Diagram view with a graphical chart presents a quick overview of communication circles,
allowing forensic experts to determine and analyze suspects' communications at a glance.

Moreover, experts can determine common contacts and communication activity between
detected groups of suspects.

Social Graph
Social Graph allows investigators to review social connections between the owner of a
mobile device and his contacts, as well as to investigate connections between multiple device owners.
The section is highly flexible, and can be configured to either view communication statistics and build
communication circles of the most frequently contacted contacts for a single device owner, or analyze
links and connections between multiple device owners.
By using Social Graph, investigators can quickly determine common
contacts discovered in multiple devices, analyze their interactions and review how they link and connect
to each other at a glance. The graph is highly customizable: individual contacts or groups can be
included or excluded, and communications in a particular app can be viewed, so that you can concentrate on what is
essential.

Web Connections and Location Services
The Web Connections and Location Services section shows all web connections in one list and
allows examining hot spots on the map. In this list forensic experts can find out when and where the
suspect used Internet access and detect his location. The section consists of three bookmarks.
The first bookmark permits users to inspect all Wi-Fi connections. Oxygen Forensic Suite
extracts an approximate geo location of the place where a Wi-Fi connection was used. Mini Google Maps
are generated and shown according to the SSID, BSSID and RSSI information extracted from the mobile
device.

The other bookmark allows examining information about Locations. This section presents the
information about all the network activity of the device (Cell, Wi-Fi and GPS). The section is supported for
Apple iOS (jailbroken) and Android OS (rooted) devices.

Dictionaries
The Dictionaries section shows all the words ever entered in device messages, notes and
calendar. These are not words from the device system dictionary; they come from the unique user dictionary
that is built up as the device owner uses the device.

Passwords

Oxygen Forensic Suite extracts information from the "keychain" file which stores sensitive and
forensically useful information. The keychain grants access to securely stored data such as passwords to
email accounts, Web sites and certain third-party software, as well as other private, financial and sensitive
data. Moreover, non-encrypted passwords are also extracted and shown on the first Applications tab.

Passwords can be retrieved from Apple iOS and Android OS devices.

Applications

The Applications section shows detailed information about system and user applications
installed on Apple iOS, Android, BlackBerry 10 and Windows Phone devices. Hundreds of popular
applications like Twitter, Facebook, Instagram, WhatsApp, YouTube, Flickr, LinkedIn, Viber, Skype and
many others have a special User Data tab. This tab contains aggregated data of the application prepared
for convenient analysis (passwords, logins, all the messages and contacts, geo locations, visited places
with coordinates and maps, deleted data, etc.).

Besides the User Data tab, the Application viewer offers:

Application information tab - shows the whole application registry from which data is parsed
Application files tab - presents all the files (.plist, .db, .png, etc.) associated with the app

For your convenience, applications are divided into several groups on the program Desktop.

Social Networks

The Social Networks section includes sub-sections with data extracted from popular social
networking applications: Facebook, Instagram, Twitter, Google+, LinkedIn, MeetMe, Tumblr, etc.

Facebook
The Facebook section allows examining the device owner's friends list together with messages,
photos, search history, geo location and other important information.

Twitter
The Twitter section gives an opportunity to investigate the device owner's tweets, private
messages, saved lists as well as photos, search history and other important information.

Messengers
The Messengers section includes sub-sections with data extracted from the most popular
messengers: Ebuddy, Facebook Messenger, Hangouts, ICQ, Kik, Line, Skype, Textie, Touch, WeChat,
WhatsApp, Viber, etc.

Skype
The mobile device owner can store a lot of important information inside Skype. The user can chat,
call, send SMS messages and transfer files without using regular mobile device functions but with the help
of Skype. Oxygen Forensic Suite extracts all the Skype accounts that were ever entered on the device:

WhatsApp

The WhatsApp Messenger section allows viewing the contact list, messages, shared data and other
information. Deleted messages can be found with several mouse clicks in the messenger SQLite
database right in the WhatsApp section.

Productivity

Oxygen Forensic Suite supports mobile productivity applications for both Android and Apple iOS
platforms: Evernote, Dropbox, Google Translate, Google Mail, iBooks, Remember The Milk, Springpad,
Yahoo Mail, etc. The Productivity group offers at-a-glance access to emails, tasks, notes, account settings,
shared photos and documents, and so on.

Evernote

The Evernote section allows viewing all the notes created, shared and synced by the device owner.
Each note is created with the geo coordinates of the place where the device owner is located, and this
information is available in Oxygen Forensic Suite. Deleted notes can be analyzed as
well.

Remember The Milk

The Remember The Milk section allows viewing all the tasks created by the device owner on the
mobile device or synced from a PC.

Web Browsers

The Web Browsers section allows the user to extract and examine cache files such as a list of
Internet sites and downloaded files of the most popular mobile web browsers (preinstalled as well as 3rd
party ones) including, but not limited to, Safari, Default Android Web Browser, Dolphin, Google Chrome,
Firefox, Opera, SkyFire, etc.

Safari

The Safari section shows the whole browsing history as well as bookmarks and web cache.

Default Android web browser

The Default Android web browser section shows the web history as well as bookmarks and web
cache. Passwords entered in various web forms are also extracted by Oxygen Forensic Suite.

Navigation
The Navigation section includes sub-sections with data extracted from the most popular navigation
apps: Apple Maps, Google Maps, Yandex Maps, Here Maps, etc.

Apple Maps
The Apple Maps section stores all the bookmarks and route history created by the Apple iOS device
owner.

Google Maps
The Google Maps section stores all the search and route history created by the device owner.
Travel

Travel section includes sub-sections with data extracted from the most popular travel apps:
Aeroflot, Booking.com, TripIt, SkyScanner, etc.

Booking.com
Booking.com section shows all the device owner's hotel bookings worldwide as well as searches
and hotels added to favorites.

TripIt
TripIt section shows all the trip plans created and shared by the device owner. It allows analyzing
the trip details, like flight, accommodation, activities, etc.

Fitness
Fitness section includes sub-sections with data extracted from the most popular health & fitness
apps: Endomondo, Nike+ Running, RunKeeper, Runtastic. These applications store the users' sport
activities and a lot of geo coordinates left by them. Analysis of the users' locations can be of great
forensic value to mobile device examiners.

RunKeeper

RunKeeper section shows all the device owner's sport activities, their locations and the friends with
whom the owner shares sport achievements.

Runtastic
Runtastic section shows all the device owner's sport activities and their locations.

Multimedia
Multimedia section includes sub-sections with data extracted from the most popular multimedia
apps: Hide It Pro, YouTube, etc.

Hide It Pro

Hide It Pro section shows the media files (images and video) that were hidden by the device
owner. To see them on the device the password is required. Oxygen Forensic Suite grants access to
this hidden data bypassing the password.

Finance

Finance section includes sub-sections with data extracted from the most popular finance apps,
like PayPal and Qiwi Visa Wallet.

PayPal
PayPal section shows all the device owner's payment transactions made in the PayPal account.

Spyware

Oxygen Forensic Suite can detect spyware apps installed on Android devices and jailbroken iOS
devices, and discover and process their log and configuration files. The very presence of spyware on the phone
can mean the phone owner's activities were monitored, and the phone owner has been watched for a
certain period of time, with some third party being well aware of the person's traveling and communication
activities.

Spyware products collect, record and transfer essential information about routine activities of the
phone owner. Information retrieved from log files created by spyware applications may include application
configuration data, the list of running services, the application user name, sometimes accompanied by a
unique code that allows detecting the app, the Cell ID used at the time of data transmission, and GPS logs
accompanied by geo coordinates and a timestamp. By analyzing spyware logs, forensic specialists may
gain access to additional information that could be used at the time of investigation.

At this time, Oxygen Forensic Suite recognizes three common spyware modules including
MobiStealth, Mobile Spy, FlexiSPY, etc.

By analyzing spyware activities, Oxygen Forensic Suite reveals even more information
about user activities, often allowing recovery of chunks of data that would otherwise be inaccessible.

Geo event positioning (LifeBlog)

Many Nokia smartphones have the Nokia LifeBlog application preinstalled. This application
can also be downloaded from the Nokia site and installed manually on many other smartphones based on
the Nokia S60 3rd Edition platform. LifeBlog stores a lot of information that can be very interesting for
forensic investigations:

- List of photos made with phone camera with their date/time
- List of sent/received SMS messages with their date/time and cellular network
  coordinates (LAC, MCC, MNC and Cell ID) where SMS was sent or received (depends
  on LifeBlog version and data availability)
- List of text notes entered with their date/time
- Geographical position of the event on the map (using mini Google Maps)

Reports
Reports section shows all the reports created by Oxygen Forensic Suite. Each report can be
opened or saved directly to a new location in Reports section. The history of deleted reports is also
preserved there. If any report was changed on the inspector's PC, the hash for this report will become
red, indicating that the original data was probably modified.
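The same check can be repeated outside the tool when reports are handed over. The sketch below is an added example, not Oxygen Forensic Suite code: it seals a folder of exported reports into a hash manifest and later classifies each file as ok, modified, missing or unsealed. SHA-256, the manifest file and the report names are assumptions; the page does not say which hash the product uses.

```python
import hashlib
import json
import os
import tempfile


def sha256_file(path, chunk_size=65536):
    """Hash a file in chunks so large reports need not fit in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as handle:
        for chunk in iter(lambda: handle.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()


def seal_reports(report_dir, manifest_path):
    """Record the hash of every report file at the time it is produced."""
    manifest = {}
    for name in sorted(os.listdir(report_dir)):
        path = os.path.join(report_dir, name)
        if os.path.isfile(path):
            manifest[name] = sha256_file(path)
    with open(manifest_path, "w", encoding="utf-8") as handle:
        json.dump(manifest, handle, indent=2, sort_keys=True)
    return manifest


def verify_reports(report_dir, manifest_path):
    """Return {file name: 'ok' | 'modified' | 'missing' | 'unsealed'}."""
    with open(manifest_path, encoding="utf-8") as handle:
        manifest = json.load(handle)
    status = {}
    for name, expected in manifest.items():
        path = os.path.join(report_dir, name)
        if not os.path.isfile(path):
            status[name] = "missing"
        elif sha256_file(path) == expected:
            status[name] = "ok"
        else:
            status[name] = "modified"
    # Files that appeared after sealing have no reference hash at all.
    for name in os.listdir(report_dir):
        if name not in manifest and os.path.isfile(os.path.join(report_dir, name)):
            status[name] = "unsealed"
    return status


def demo():
    """Constructed scenario: one report edited, one deleted, one added later."""
    with tempfile.TemporaryDirectory() as work:
        report_dir = os.path.join(work, "reports")
        os.mkdir(report_dir)
        manifest_path = os.path.join(work, "manifest.json")
        samples = [("calls.pdf", b"call log"), ("sms.rtf", b"messages"),
                   ("contacts.xls", b"phonebook")]
        for name, body in samples:
            with open(os.path.join(report_dir, name), "wb") as handle:
                handle.write(body)
        seal_reports(report_dir, manifest_path)

        with open(os.path.join(report_dir, "sms.rtf"), "ab") as handle:
            handle.write(b" (edited)")
        os.remove(os.path.join(report_dir, "contacts.xls"))
        with open(os.path.join(report_dir, "notes.pdf"), "wb") as handle:
            handle.write(b"added after sealing")
        return verify_reports(report_dir, manifest_path)


if __name__ == "__main__":
    for name, state in sorted(demo().items()):
        print(f"{state:9} {name}")
```

Keep the manifest somewhere the examiner workstation cannot rewrite (write-once media or a signed copy); otherwise an edited report can simply be resealed.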

Advanced search functions

It's common to need to find some text, a person or a phone number in the extracted mobile
device information. Oxygen Forensic Suite has an advanced search engine.

Global Search allows discovering user data in every section of the device. The tool offers searching
for text, phone numbers, emails, geo coordinates, IP addresses, MAC addresses and credit card numbers.
A regular expressions library is available for more custom searches.
Experts can search data in a single device, all devices of the case or all acquired devices. They
can choose the sections in which to search, apply boolean terms or choose any of the predefined
patterns.
Keyword list manager allows creating a custom set of terms and searching for all these terms
at once. For example, these can be lists of names or a set of offensive words and phrases.
Global Search saves all results and offers printing and preparing reports for any number of
searches.
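Pattern searches of this kind produce many false hits unless each match is validated after the regular expression fires. The following added example (not the product's pattern library; the patterns, validators and sample records are constructed for illustration) covers five of the listed kinds and shows a Luhn check rejecting a card-shaped number, a range check rejecting a version string that looks like an IP address, and a bounds check on coordinates.

```python
import ipaddress
import re

# Candidate patterns: deliberately loose, validators below do the filtering.
PATTERNS = {
    "email": re.compile(r"\b[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}\b"),
    "ipv4": re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b"),
    "mac": re.compile(r"\b(?:[0-9A-Fa-f]{2}[:-]){5}[0-9A-Fa-f]{2}\b"),
    "geo": re.compile(r"(?<![\d.])-?\d{1,2}\.\d{3,},\s*-?\d{1,3}\.\d{3,}(?![\d.])"),
    "card": re.compile(r"\b(?:\d[ -]?){12,18}\d\b"),
}


def luhn_ok(candidate):
    """Card numbers carry a Luhn check digit; most random digit runs fail it."""
    digits = [int(c) for c in candidate if c.isdigit()]
    if not 13 <= len(digits) <= 19:
        return False
    total = 0
    for index, digit in enumerate(reversed(digits)):
        if index % 2 == 1:
            digit *= 2
            if digit > 9:
                digit -= 9
        total += digit
    return total % 10 == 0


def ipv4_ok(candidate):
    """Reject dotted quads with octets above 255 (version strings, etc.)."""
    try:
        ipaddress.IPv4Address(candidate)
    except ValueError:
        return False
    return True


def geo_ok(candidate):
    """Latitude must be within +/-90 and longitude within +/-180."""
    lat, lon = (float(part) for part in candidate.split(","))
    return -90 <= lat <= 90 and -180 <= lon <= 180


VALIDATORS = {"card": luhn_ok, "ipv4": ipv4_ok, "geo": geo_ok}

# Constructed sample records standing in for extracted messages and notes.
SAMPLE_RECORDS = [
    ("sms-1", "Pay with 4111 1111 1111 1111 before Friday"),
    ("sms-2", "Order ref 1234 5678 9012 3456, contact j.doe@example.org"),
    ("note-1", "router 192.168.1.10 mac 00:1A:2B:3C:4D:5E, fw 999.300.1.2"),
    ("note-2", "seen at 55.7558, 37.6173 then 95.1234, 200.5678"),
]


def search(records):
    """Return (record id, kind, matched text) for every validated hit."""
    hits = []
    for record_id, text in records:
        for kind, pattern in PATTERNS.items():
            validate = VALIDATORS.get(kind, lambda value: True)
            for match in pattern.finditer(text):
                if validate(match.group(0)):
                    hits.append((record_id, kind, match.group(0)))
    return hits


if __name__ == "__main__":
    for hit in search(SAMPLE_RECORDS):
        print(hit)
```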

Key Evidence

The Key Evidence section offers a clean, uncluttered view of evidence marked as essential by
investigators. Forensic specialists can mark certain items belonging to various sections as being essential
evidence, then review them all at once regardless of their original location. Key Evidence is an
aggregated view that can display selected items from all sections available in Oxygen Forensic Suite. The
section offers the ability to review relevant information at a single glance, concentrating one's efforts on
what really matters and filtering out distracting, unimportant data.

Exporting and Printing forensic reports

Oxygen Forensic Suite allows an examiner to print reports containing all the extracted mobile
device information. You can also select only specific section(s):

Forensic reports can also be exported to a number of file formats: PDF, Microsoft Excel, Rich
Text Format, etc.

Android Rooting
Rooting a device based on Android OS reveals the complete set of user data to the investigator.
Generally this procedure needs certain knowledge, but Oxygen Forensic Suite product can do this for
you automatically.

This rooting procedure is integrated in Oxygen Forensic Extractor and is a part of data
extraction via physical dump method.

The important benefit of the proprietary rooting method is that the root access will be revoked
immediately after rebooting the device. This method makes rooting and further extraction completely
forensic and safe.

Android Rooting add-on grants access to:

- Full file system, stored both on internal memory and memory card
- Application saved data including logins, passwords, history, cache and much more
- Geo-location information for tracking suspect position in the past
- Deleted data in database tables

The procedure is available for the majority of Android devices in Oxygen Forensic Suite (Analyst).

Viewers
Oxygen Forensic Suite contains four viewers that can open database as well as .plist and backup
files. Viewers are available in an Analyst license of Oxygen Forensic Suite only.

SQLite Database Viewer

The SQLite Database Viewer allows analyzing database files in SQLite format from Apple, Android and
BlackBerry 10 devices. These files contain information about messages, notes, calls, applications,
etc. The main Viewer window presents tables and the information they contain:

Displaying deleted data for SQLite databases:

The Viewer allows searching data across the whole database, performing SQL queries and converting values
into a readable format with the built-in converter. SQLite database data reports are also available.
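Deleted rows can be displayed at all because SQLite, when secure_delete is off, only unlinks a deleted cell and leaves its bytes in the page. The added example below (an illustration, not how the Viewer is implemented) builds a constructed notes database, deletes one row, then walks each table leaf page's freeblock chain and unallocated gap to carve readable strings that SQL queries no longer return. The table name and note texts are assumptions.

```python
import os
import re
import sqlite3
import struct
import tempfile

LEAF_TABLE_PAGE = 0x0D  # b-tree page type for a table leaf


def build_sample_db(path):
    """Constructed sample: three notes, the second is then deleted."""
    conn = sqlite3.connect(path)
    # Assumption: secure_delete is off, so freed cells are not zeroed.
    conn.execute("PRAGMA secure_delete = OFF")
    conn.execute("CREATE TABLE notes (id INTEGER PRIMARY KEY, body TEXT)")
    conn.executemany(
        "INSERT INTO notes (body) VALUES (?)",
        [("buy milk",), ("meet at pier 9 at 23:00",), ("call the bank",)],
    )
    conn.commit()
    conn.execute("DELETE FROM notes WHERE id = 2")
    conn.commit()
    conn.close()


def live_bodies(path):
    """What an ordinary SQL query still returns."""
    conn = sqlite3.connect(path)
    try:
        return [row[0] for row in conn.execute("SELECT body FROM notes ORDER BY id")]
    finally:
        conn.close()


def unallocated_regions(data):
    """Yield (page number, bytes) for space no live cell occupies."""
    page_size = struct.unpack(">H", data[16:18])[0]
    if page_size == 1:  # header value 1 encodes a 65536-byte page
        page_size = 65536
    for page_no in range(1, len(data) // page_size + 1):
        page = data[(page_no - 1) * page_size: page_no * page_size]
        hdr = 100 if page_no == 1 else 0  # page 1 begins with the file header
        if page[hdr] != LEAF_TABLE_PAGE:
            continue
        first_free, n_cells, content_start = struct.unpack(
            ">HHH", page[hdr + 1: hdr + 7])
        content_start = content_start or 65536
        # Gap between the cell pointer array and the cell content area.
        gap_start = hdr + 8 + 2 * n_cells
        if gap_start < content_start:
            yield page_no, page[gap_start:content_start]
        # Freeblock chain: 2-byte next offset, 2-byte size, then stale bytes.
        offset, seen = first_free, set()
        while offset and offset not in seen and offset + 4 <= page_size:
            seen.add(offset)
            next_offset, size = struct.unpack(">HH", page[offset: offset + 4])
            yield page_no, page[offset + 4: offset + size]
            offset = next_offset


def carve_strings(path, min_len=6):
    """Return (page number, text) for printable runs in unallocated space."""
    with open(path, "rb") as handle:
        data = handle.read()
    pattern = re.compile(rb"[\x20-\x7e]{%d,}" % min_len)
    found = []
    for page_no, region in unallocated_regions(data):
        for match in pattern.finditer(region):
            found.append((page_no, match.group(0).decode("ascii")))
    return found


def demo():
    with tempfile.TemporaryDirectory() as work:
        path = os.path.join(work, "notes.db")
        build_sample_db(path)
        return live_bodies(path), carve_strings(path)


if __name__ == "__main__":
    live, carved = demo()
    print("live rows:", live)
    print("carved   :", carved)
```

The first four bytes of a freed cell are overwritten by the freeblock header, so the row id and record header are usually lost and only the trailing column data survives; a later insert or VACUUM can overwrite it entirely.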

Plist Viewer

The Plist Viewer allows analyzing .plist files from Apple devices. These files contain information
about Wi-Fi access points, speed dials, the last cellular operator, Apple Store settings, Bluetooth settings,
global applications settings, etc.:

Nokia PM Viewer

The Nokia PM Viewer lets you view .pm files made by Nokia firmware updaters from Nokia
phones.

Blackberry IPD Viewer

The Blackberry IPD Viewer lets you explore IPD file tables made by BlackBerry Desktop
Manager.

Appendix
Oxygen Forensic Suite - How to connect Android devices

Hardware and software you need for connection

- Original USB cable
- Oxygen Forensic Suite installed on your PC
- Cable drivers from phone manufacturer
- Flash card compatible with the specific device (used as temporary storage when extracting
  data)

OxyAgent application usage notice

Oxygen Forensic Suite offers 3 methods of data acquisition: Android backup, Physical dump via
device rooting and logical extraction. In case of logical extraction OxyAgent application is installed in the
device.

Oxygen Forensic Suite installs and uninstalls OxyAgent automatically, so you don't need to
perform any special actions for it.

OxyAgent is a small forensically designed application that allows you to extract the maximum
amount of data from Android devices. It does not change any personal information inside the device.

Where to find cable drivers

First of all, before connecting the mobile phone to the PC you must install Android cable drivers. You
can use official drivers from the disc supplied by the manufacturer or download the drivers package from
the Oxygen Forensics site: http://www.oxygen-forensic.com/download/drivers/OFS2_Drivers_Pack.zip

If the drivers above do not allow you to connect a device you can look for cable drivers on the
developer's official site: http://developer.android.com/sdk/oem-usb.html

How to check if cable drivers are installed correctly

After the driver installation is finished you need to check if the drivers are installed correctly. Attach a cable
to the device and go to the Start/Control panel/System/Hardware/Device Manager menu on the PC. Under "ADB
Interface" there should be the name of the Android device you have connected. In our case it is
Motorola Milestone:

If you do not see it, the drivers were not installed correctly.

What options to select in the device

After you installed the drivers you need to perform the following steps before starting our
software:
- You need to select "USB Debugging" mode in the Settings/Applications/Development menu of the
  Android device. This mode enables the ADB server in the device that is used during connection:

- It is very important to select the correct USB mode in the device when you attach a cable to it.
  For most Android devices it should be "None". Do not select "Memory card management",
  "Motorola phone tools" or "Windows media sync" modes. With these modes Android devices will
  not be connected to Oxygen Forensic Suite:

- Make sure that a flash card is inserted in the device. It should have at least 1Mb free space.
  During data extraction our OxyAgent application uses it to store temporary files that are
  removed when extraction is finished.

Please note: no other files that were previously saved on a flash card are deleted or modified. To
be on the safe side, you can also use your own flash card for data extraction.

How to connect Android device in Oxygen Forensic Suite

If all the previous instructions are strictly followed launch Oxygen Forensic Suite and press
Connect new device button on the tools panel. Oxygen Forensic Extractor will be started. Please,
choose Auto device connection mode and wait till the device is automatically connected:

Press Next button to finish connection process and start data extraction.

Please note: OxyAgent is automatically uninstalled from the device after logical data extraction is over. If the
connection was broken or the program was suddenly closed due to some errors, please make sure that OxyAgent is
uninstalled in the Settings/Applications device menu.

Troubleshooting

In case you have connection problems with Android devices we recommend that you check how
ADB (Android Debug Bridge utility supplied by manufacturer) is functioning. Please do the following:
- Connect your Android device via cable
- Go to the Oxygen Software/Oxygen Forensic Suite/SystemFiles folder and create a .txt file with the
  contents, like on the screenshot:

Name it device.bat and launch it. ADB.exe will be started in the same folder. If the ADB utility
functions well you will see your Android device in the list of devices attached. It will have no real name but
some figures:

If the list of devices is empty, it means that ADB utility does not work and there will be no
connection in Oxygen Forensic Suite. Unless you make ADB utility work correctly there is no way to
extract data using our software.

If the connection problem persists do not hesitate to contact us at support@oxygen-forensic.com.
We are always glad to help you.

Oxygen Forensic Suite - How to connect Apple devices

Hardware and software you need for connection

- Original USB cable
- Oxygen Forensic Suite installed on your PC
- Apple iTunes installed on your PC.

Connection types support for Apple devices

Oxygen Forensic Suite supports only cable connection for Apple devices.

Where to find Apple iTunes

You can install Apple iTunes software from the manufacturer's official site www.apple.com or
download the driver package from the Oxygen Forensics site:
http://www.oxygen-forensic.com/download/drivers/OFS2_Drivers_Pack.zip

How to install Apple iTunes from Oxygen Drivers Pack

To install Apple iTunes start Oxygen_Connectivity_Driver_Setup.exe from the Drivers Pack and
follow the installation steps.

What options to check on PC

- Make sure that you have started Apple iTunes at least once after installation and accepted the
  license agreement there. Before connection to our software Apple iTunes must be closed.

- Check if the firmware version in the Settings/General/About menu of the Apple device is supported by
  our software. As a rule, we add support for a new Apple firmware version a bit later than it is
  released.

- Check if the Apple iTunes version is supported by Oxygen Forensic Suite. Please note that we
  support Apple iTunes v.9.x.x and higher.

- We highly recommend not using any USB hubs and connecting Apple devices directly to the PC.

- Before connection to our software please attach a cable to the device and wait till the cable
  drivers are found.

How to connect Apple devices in Oxygen Forensic Suite

If all the previous instructions are strictly followed launch Oxygen Forensic Suite and press
Connect new device button on the toolbar. Oxygen Forensic Extractor will be started. Please choose
Auto device connection mode for automatic detection of your Apple device via cable and wait till the
device is found:

After connection is established Oxygen Forensic Extractor will proceed to extract data.

Oxygen Forensic Suite - How to connect Windows Mobile devices

Hardware and software you need for connection

- Compatible USB cable or Bluetooth adapter
- Oxygen Forensic Suite installed on your PC
- Microsoft ActiveSync or Mobile Device Center (preinstalled on Windows Vista, Windows 7 and
  Windows 8 OS) for cable connection or Bluetooth drivers for Bluetooth connection

Connection types support for Windows Mobile devices

Both cable and Bluetooth connection are supported by Windows Mobile devices.
Please note that not all Windows Mobile devices have a Bluetooth module.
Devices that have a non-Microsoft Bluetooth stack cannot be connected to Oxygen Forensic Suite.

OxyAgent application usage notice

OxyAgent application must be installed into Windows Mobile devices to extract data. Oxygen
Forensic Suite installs OxyAgent automatically, so you just need to follow Oxygen Forensic Extractor
instructions.

OxyAgent is a small forensically designed application that allows you to extract the maximum
amount of data from Windows Mobile devices. It does not change any personal information inside the
device.

Where to find drivers

Cable drivers
You can install Microsoft ActiveSync software from the disc supplied by the manufacturer, look for it on
the manufacturer's official site or download the driver package from the Oxygen Forensics site:
http://www.oxygen-forensic.com/download/drivers/OFS2_Drivers_Pack.zip

If you have Windows Vista, Windows 7 or Windows 8 you should have Mobile Device Center
preinstalled.

Bluetooth drivers
You can use the drivers from the disc supplied by the manufacturer or look for them on the
manufacturer's official site.
We highly recommend that you use Microsoft or Widcomm Bluetooth drivers.
Please note that Microsoft Bluetooth drivers are preinstalled in Windows OS starting from XP
Service Pack 2.

How to install Microsoft ActiveSync from our driver package

To install Microsoft ActiveSync please run ActiveSync.msi file from the Driver package and follow
the instructions step by step.

What options to check on PC

Before you connect any device to Oxygen Forensic Suite using a USB cable please make sure that
it is connected to Microsoft ActiveSync or Mobile Device Center.

How to connect Windows Mobile device via Bluetooth

If all the previous instructions are strictly followed launch Oxygen Forensic Suite and press
Connect new device button on the toolbar. Oxygen Forensic Extractor will be started.
Choose Manual device selection mode and find your device in the list:

Then select Bluetooth drivers. You will be offered to search for available Bluetooth devices. Select
your device in the list and press Next button.
After that choose Upload and install OxyAgent into the phone option. You will need a flash
card to copy OxyAgent to the device. Insert it in a card-reader or PC card slot, select it in Removable
drives menu and press Upload button:
Please note: You can replace the phone owner's flash card with a flash card which is used for forensic
investigations. This operation will prevent changes in the device memory. If the original phone owner's
card is used only free clusters can be lost (which potentially can contain previously deleted data) but no
existing information will be modified.
After OxyAgent is copied you need to find it in Program Files/OxyAgent folder in the device, open
it and select Start option in File menu and press Next button in Oxygen Forensic Extractor:

The following Bluetooth icon will appear. As soon as the device gets connected it becomes green:

Please note: in case of Bluetooth connection Oxygen Forensic Suite does not uninstall OxyAgent
automatically. You can go to Program Files/OxyAgent folder in the device and remove the application
manually.

Oxygen Forensic Extractor will inform you that Windows Mobile device is found. Press Next button
to finish connection process:

How to connect Windows Mobile device via USB

If all the previous instructions are strictly followed launch Oxygen Forensic Suite and press
Connect new device button on the toolbar.
Oxygen Forensic Extractor will be started. Please choose Auto device connection option there.
The device will be automatically found and connected:

Please note: while using USB connection Oxygen Forensic Suite uninstalls the Agent
automatically.

If Windows Mobile device does not connect via USB

Sometimes Windows Mobile devices do not allow installing and starting uncertified applications,
like OxyAgent. Unlocking procedure solves this problem. Unlocking is changing some values in the device
registry.

There are two main steps of unlocking:

1st Step

Connect your device to ActiveSync or Mobile Device Center via USB cable.
Start UnlockWM.bat in Oxygen Forensic Suite/SystemFiles folder on PC.
Your device should be unlocked.

If this step does not help you may start WhatsNow.bat file in the same folder on PC. A special
file RapiConfigOut with the device registry information will be created. You can send this file to us for
analysis and we will try to fix the problem.

2nd Step

You can take a special application regedit and unlock the device with its help. This application is
free and can be started without any installation. It can be found in Oxygen Forensic Suite/SystemFiles
folder on PC.

Please note that the application from our program folder is certified only for HTC devices. To
install it on another device you should find the relevant version on the Internet.

The unlock process should be carried out this way:

- Connect your device to ActiveSync or Windows Mobile Center.
- Copy regedit.exe to any device folder and start it from the device File Manager. Edit the following key
  names in the registry:

HKEY_LOCAL_MACHINE->Security->Policies->Policies->00001001

value data 2 should be 1

HKEY_LOCAL_MACHINE->Security->Policies->Policies->00001005

value data 16 should be 40

HKEY_LOCAL_MACHINE->Security->Policies->Policies->00001017

value data 128 should be 144

We also recommend you to edit the following key name or create it if it does not exist:

HKEY_LOCAL_MACHINE->Security->Policies->Policies->0000101b

value data should be 1 (DWORD type).

Restart the device. It should be unlocked.

Oxygen Forensic Suite - How to connect Symbian OS smartphones

Hardware and software you need for connection

- Original USB cable or Bluetooth adapter
- Oxygen Forensic Suite installed on your PC
- Cable drivers from phone manufacturer or Bluetooth drivers (Microsoft or Widcomm
  recommended)

Connection types support for Symbian OS devices

- Cable connection is supported by smartphones based on the following platforms:
  o Nokia S60 starting from the 2nd Edition (except Nokia 6600 that has no official
    cable connection)
  o Samsung S60
  o Sony Ericsson UIQ3
- Bluetooth connection is supported by all Symbian OS smartphones

OxyAgent application usage notice

OxyAgent application must be installed into Symbian OS device to extract data. Oxygen
Forensic Suite installs OxyAgent automatically, so you just need to follow wizard instructions.

OxyAgent is a small forensically designed application that allows you to extract the maximum
amount of data from Symbian OS smartphones. It does not change any personal information inside the
smartphone. For more information about OxyAgent approach please refer to this document.

Where to find drivers

Cable drivers
You can use official cable drivers from the disc supplied by the manufacturer, look for drivers on the
manufacturer's official site or download the driver package from the Oxygen Forensic Suite site:
http://www.oxygen-forensic.com/download/drivers/OFS2_Drivers_Pack.zip

Bluetooth drivers
You can use the drivers from the disc supplied by the manufacturer or look for them on the
manufacturer's official site.
We highly recommend that you use Microsoft or Widcomm Bluetooth drivers.
Please note that Microsoft Bluetooth drivers are preinstalled in Windows OS starting from XP
Service Pack 2.

How to install cable drivers from our driver package

For Nokia S60 smartphones run Nokia_Connectivity_Cable_Driver.msi file from Nokia folder
and follow the instructions of the Installation Wizard.
For Samsung S60 smartphones execute Samsung_USB_Driver_Installer.exe file from Samsung
folder and follow the instructions of the Installation Wizard.
For Sony Ericsson UIQ3 smartphones run Sony_Ericsson_Smartphones_PC_Suite.exe file from
Sony Ericsson folder and follow the instructions of the Installation Wizard.

What options to select in the device

It is very important to select the correct USB mode in the smartphone when you attach a cable
to it. For Nokia and Samsung S60 smartphones it must be "PC Suite". Do not select "Data
transfer", "Image Print" or "Media Player" modes. With these modes smartphones will not be
connected to Oxygen Forensic Suite. Please note that Nokia PC Suite and Samsung Studio
programs are not needed for connection.

If you need to set the phone date back to preserve Event Log records you have to install self-
signed OxyAgent in the device from Oxygen Forensic Suite/Agent/SymbianOldCert folder.

During installation the S60 phone may say that the certificate is not correct so you need to go
to the Tools - Settings - App Manager menu in the smartphone and allow all applications
installation by turning off certificate check.

During installation the UIQ3 phone may say that the certificate is not correct so you need to
go to the Control panel - Install - Security menu in the smartphone and disable the "Enable
revocation check" option.

What options to check on PC

Before you connect any smartphone to Oxygen Forensic Suite please make sure that no
other software (like Nokia PC Suite, Samsung Studio, Sony Ericsson Suite, other forensic
programs etc.) is connected to the device at this time. Otherwise Oxygen Forensic Suite will
not be able to establish connection.

How to connect Nokia and Samsung S60 smartphones in Oxygen Forensic Suite

If all the previous instructions are strictly followed launch Oxygen Forensic Suite and press
Connect new device button on the toolbar. Oxygen Forensic Extractor will be started. Please choose
Auto device connection for automatic detection of the device via cable and wait till you are offered to
install OxyAgent:

In Oxygen Forensic Extractor choose Upload and install OxyAgent into the device option and
press Next button. It will copy OxyAgent to the phone. Symbian OS does not install applications
automatically so the smartphone will offer you to upload OxyAgent manually:

OxyAgent can be installed either to phone memory or flash card. Please note that installation
process leaves traces in App Manager log including its timestamp.
After OxyAgent is installed please find it in Applications folder in the smartphone. In some S60
phones OxyAgent can be found in another folder where all applications appear after installation.
Start OxyAgent choosing the needed connection method in the menu: USB or Bluetooth
exchange:

Then select OxyAgent is started and ready to connect the phone option in Oxygen Forensic
Extractor and press Next button:

After that the device should be found:

Please note: OxyAgent uninstalling leaves traces in App Manager log including its timestamp.
Symbian OS does not uninstall OxyAgent automatically so you need to uninstall the Agent manually
immediately after you detached the smartphone from the PC or finished working with Oxygen Forensic
Suite.

How to connect Motorola or Sony Ericsson UIQ3 smartphones in Oxygen Forensic Suite
If all the previous instructions are strictly followed launch Oxygen Forensic Suite and press
Connect new device button. Oxygen Forensic Extractor will be started. If OxyAgent has not been
loaded into the smartphone before, you need to choose Bluetooth connection.
Select the phone model in the list and press Next button:

After that choose a Bluetooth stack you are using, enable Bluetooth in the phone and press Next
button. Oxygen Forensic Extractor will search for available Bluetooth devices. As soon as your device is
found select it and press Next button.
After that you will be offered to upload OxyAgent.
In Oxygen Forensic Extractor choose Upload and install OxyAgent into the phone option and
press Upload button on the next screen. You will receive an incoming Beamed message in the
smartphone, open it and install OxyAgent manually:

OxyAgent can be installed either to phone memory or flash card. Please note that installation
process leaves traces in App Manager log including its timestamp.
After OxyAgent is installed please find it in Applications folder and start it choosing the
supported connection method in the menu.
Then select OxyAgent is started and ready to connect the phone option in Oxygen Forensic
Extractor and press Next button. The smartphone should be found.

Please note: OxyAgent uninstalling leaves traces in App Manager log including its timestamp.
Symbian OS does not uninstall OxyAgent automatically so you need to uninstall the Agent manually immediately
after you detached the smartphone from the PC or finished working with Oxygen Forensic Suite.

Copyrights and contacts

Oxygen Forensic Suite and OxyAgent are the trademarks and properties of Oxygen Forensics
company.

Windows Vista, Windows 7, Windows 8, Windows Mobile and Windows Phone are registered
trademarks of Microsoft Corporation.

All other trademarks are owned by their respective companies.

The official website is http://www.oxygen-forensic.com


Contacts:

Phone: +1 (877) 9-OXYGEN


E-mail: support@oxygen-forensic.com
