Oxygen Forensic Suite 2010 is mobile forensic software that goes beyond standard logical
analysis of cell phones, smartphones and PDAs. Use of advanced proprietary protocols and phone APIs
makes it possible to pull much more data than can be extracted by forensic tools utilizing standard
logical protocols, especially for smartphones.
Oxygen Forensic Suite 2010 helps you to extract most of the information from a great
majority of mobile devices for investigation purposes. This program has played a significant role in
criminal and other investigations all over the world and is used by Law Enforcement units, Police
Departments, army, customs and tax services and other government authorities.
Current software version provides access to the following sections: Phonebook, Calendar,
Tasks, Messages, Event Log, File Browser and Extras (Life Blog and Web Cache analyzer). Note that the
number of sections and list of extractable data fields depends on the device model.
You can examine:
Common phone information and SIM-card data (contacts and messages)
Contact list (including mobile, wire line, fax numbers, postal addresses, e-mails,
contact photos and other contact information)
Caller Groups information
Organizer data (calendar meetings, appointments, memos, call reminders,
anniversaries and birthdays, to-do tasks)
Text notes (in version 1)
SMS messages (messages, log, folders, deleted messages with some restrictions)
Multimedia Messages with attachments
E-mail messages with attachments and folders
GPRS, EDGE, CSD, HSCSD, Wi-Fi session log and traffic amount
Photos and gallery images
Video clips and films
Voice records and audio clips
All files from internal phone memory and flash card including installed applications
and their data
FM Radio Stations database - as a part of File Browser
LifeBlog activity: track of all main events in chronological order with geographical
GPS and XMP coordinates stored in camera snapshots
Web browsers bookmarks and cache files
iPhone password-protected backups
Oxygen Forensic Suite 2010 offers an easy and convenient management of all examined
devices in one window: phone properties, case details and status, the person in charge of it, etc.
Mobile device information analysis can be done from the program directly or with the help of
advanced export function. You can create reports in the most popular file formats (XLS, RTF, PDF) and
either print or send them to remote departments and experts.
The program has a powerful built-in search engine. You can easily find the necessary
information in all the sections with few mouse clicks in Oxygen Forensic Suite 2010. What is important,
the search results are saved between sessions. Besides, a contextual filter in every section helps you to
sort out the data the way you need it.
Moreover, the software allows you to save extracted data to a file and then load it into the
program on another computer. Thus you need to connect a phone and extract data only once and then
send the extracted information outside, e.g. for analysis by remote experts.
Current version works with more than 1500 mobile devices from Nokia, Apple
(iPhone 2G, 3G, 3GS), RIM (Blackberry), Google (based on Android OS), Samsung, Sony
Ericsson, Motorola, Panasonic, LG, HTC, Asus, HP and other manufacturers. Oxygen Forensic
Suite 2010 has a strong support for Symbian OS and Windows Mobile 5/6 smartphones and
communicators (ActiveSync is not required). Upcoming versions will have support for
Android devices too. The list of supported models is rapidly growing. To get the latest
Oxygen Forensic Suite 2010 version supporting your mobile device visit
Oxygen Forensic Suite 2010 supports USB cable connection, Bluetooth (Microsoft, Widcomm,
BlueSoleil) connection, infrared connection using IrDA stack. Support for different types of connection
depends on the phone series and model; check Oxygen Forensic Suite 2010 help file.
The software works under 32-bit or 64-bit versions of Windows 7, Windows Vista, Windows
XP, Windows Server 2003 and Windows 2000.
Oxygen Forensic Suite 2010 is distributed in two new licensing systems of the program – an
Internet license with hardware binding and a license with USB dongle.
Run OxyForensic_Setup.exe installation package and follow the Setup wizard:
On the next screen you must carefully read and accept the License agreement, if you agree:
Then you can read the release notes:
Select the folder to install Oxygen Forensic Suite 2010:
Choose the folder for program shortcuts:
You can specify the wizard to enter registration key (if you are using Internet license), create
Desktop and Quick Launch icons:
Check all settings and press “Next” button to start installation:
Enter the key you received from us (Internet license only):
When installation completes, you can choose to look through release notes, run presentation,
view Getting Started Guide and launch Oxygen Forensic Suite 2010:
To use Oxygen Forensic Suite 2010 you need to activate the license. The activation process
differs according to the license type.
To start working with Oxygen Forensic Suite 2010 you must have an Internet connection and
activate the program. Press “Yes” to start the activation:
Send your activation request via e-mail, WEB or save it to file:
Enter the key as soon as you receive it and restart Oxygen Forensic Suite 2010.
Oxygen Forensic Suite 2010 USB dongle license must be used with a USB dongle that is
bundled with your Oxygen Forensic Suite 2010 package. For this license no Internet connection is
required. After Oxygen Forensic Suite 2010 installation please insert a USB dongle into the USB port,
wait till the drivers’ initialization and start the main program.
Please note that USB dongle should be inserted all the time during your researches with
Oxygen Forensic Suite 2010.
To be able to work with a phone you must make sure it is supported in current version of the
software and all corresponding drivers and software modules are installed. Refer to the Oxygen Forensic
Suite 2010 help file to learn what must be done in case of concrete phone model.
To extract information from cell phone, smartphone, PDA or any other mobile device, you
must first connect it to the program. If you use cable connection, attach the phone to the cable. For
Bluetooth or infrared connection, activate it in the phone and make sure the phone is visible and
Press Connect new phone button and Oxygen Connection Wizard will start. Select the desired
connection type – USB cable, Serial cable, Bluetooth or Infrared. The list of available connection types
depends on the mobile device capabilities and hardware installed to your computer.
Important: Different mobile devices may require different connection procedures. For more
information please refer to Oxygen Forensic Suite 2010 help file. This document describes connection
process for Symbian Series 60 phone.
Oxygen Connection Wizard will start searching for the phone:
If you want to extract data from Symbian OS smartphones, Windows Mobile 5/6, Blackberry
and Android devices, Oxygen Forensic Suite 2010 needs to load small agent application to the phone.
This application does not modify any personal data in the phone and provides facility to read much more
information than it is possible with standard protocols like SyncML, OBEX or AT. Please select an option
suitable for you:
Press “Upload” button to load OxyAgent application into the device:
When the application is loaded, go to Tools/Application Manager, find OxyAgent application
and install it. Do not be afraid of that operation. Mobile devices have separate storage for applications
and data, so OxyAgent installation will not modify any personal information in phone.
Start OxyAgent application in the phone and select the desired connection type. After that
press “Connect” button in Oxygen Connection Wizard. Once connection is established, the program will
display phone information:
You can close Oxygen Connection Wizard by pressing “Finish” button:
Now you are ready to begin extracting data from the connected phone. When Oxygen
Forensic Suite 2010 finds the phone, it will start Data Extraction Wizard automatically:
You can enter a device information, notes and case data:
Enter the device owner numbers if your know any:
Select the information to be read by Data Extraction Wizard. Note that specific files and
directories can be read later if needed. Please also be informed that the list of available sections
depends on the mobile device capabilities.
Check all the needed settings and press “Extract” button to start data extraction:
When all data is extracted, you can choose either to open the device for viewing and
analyzing data or to run Export and Print wizard if you need to get fast report about the device seized.
Note that you can run Export or Print Wizard anytime when working with device information.
“Desktop” section lists all the devices having connected and seized previously as well as
actions available for them.
Backup Extraction Wizard will help you to import data and place the device into data base for
the convenient work with its information.
You can load Oxygen backups and iPhone password-protected backups (with a known
password) with a specially created Backup Extraction Wizard by pressing Load from archive button:
Select backup type you would like to restore:
Browse for a backup file on your PC:
You can enter a device information, notes and case data:
Check the setting before restore procedure:
When backup data is extracted, you can choose either to open the device for viewing and
analyzing data or to run Export and Print wizard if you need to get fast report about the device.
You can open device from the Desktop list for data viewing by double-click on its name.
Device sections with extracted data are listed in action panel group on the left. “Phonebook”
section contains contact list (including SIM-card contacts) with personal pictures, custom field labels and
speed dials. It also allows to filter contacts by caller group:
“Calendar” section displays all meetings, birthdays, reminders and other events:
“Tasks” section displays all the tasks with priority marks and their date/time:
SMS (even deleted from message folders in the phone), MMS, E-mail, Beamed and messages
of other types are shown in “Messages” section:
Important: At the moment of writing this document Oxygen Forensic Suite 2010 is the only
forensic tool able to access SMS, MMS and E-mail messages stored in custom folders for Symbian OS
Previously deleted messages are also shown in the “Messages” section and are highlighted
with a different color and marked by a “basket” icon.
Note that reading deleted messages information feature has several restrictions:
Available for Symbian OS smartphones only (except UIQ2 models)
The message must not be older than the number of days specified by “Log duration”
parameter in system Log application
Only part of message text will be read (up to 64 characters).
Important: Many forensic tools providing logical data access declare “Reading deleted SMS”
feature but few of them notify customers that it works only for SMS messages which had been stored on
SIM card. Oxygen Forensic Suite 2010 does not include this feature intentionally because the
overwhelming majority of modern phones do not store any personal information on SIM card.
“File Browser” section gives you an access to the entire mobile device file system, including
photos, videos, voice records and other files:
Incoming, outgoing, missed calls history, SMS and MMS sent and received, GPRS and Wi-Fi
sessions – all this information is available in “Event Log” section:
Current Oxygen Forensic Suite 2010 version contains new Extras section which consists of
five parts: LifeBlog, Web browsers cache analyzer, Phone activity, Wi-Fi Connections and Skype. These
add-on sections are available in the PRO license only.
Many of Nokia smartphones have preinstalled Nokia LifeBlog application. This application also
can be downloaded from Nokia site and installed manually into many other smartphones based on Nokia
S60 3rd Edition platform. The primary purpose of Nokia LifeBlog is to organize digital photo album and
notes to publish them on blogs. But we at Oxygen Software discovered that LifeBlog stores a lot of
information that can be very interesting for forensic investigations:
List of photos made with phone camera with their date/time
List of sent/received SMS messages with their date/time and cellular network
coordinates (LAC, MCC, MNC and CellID) where SMS was send or received (depends
on LifeBlog version and data availability)
List of text notes entered with their date/time
Geographical position of the event on map (using mini Google Maps):
Oxygen Forensic Suite 2010 extracts an approximate geographical positioning of the place
where the photo was made. Mini Google Maps are generated and shown according to these coordinates
right in the program. Feature is available for Apple iPhone, iPod Touch, Symbian Series 60, Windows
Mobile and Sony Ericsson mobile devices and photos with GPS coordinates.
Web browsers cache analyzer allows to extract and examine cache files such as a list of
Internet sites and downloaded files of mobile web browsers (preinstalled as well as 3rd party ones).
Phone Activity add-on for Oxygen Forensic Suite 2010 organizes all calls, messages, calendar
events and other activities in chronological way, so it is easy to follow the conversation history without
any need to switch between different sections.
All data can be sorted, filtered and grouped by dates, people or phone numbers.
Skype becomes very popular nowadays due to its cheap or even free calls. This application
also can be downloaded for free and installed manually into smartphones. The mobile device owner can
store a lot of important information inside Skype. He can chat, call, send SMS messages and transfer
files without using regular mobile device functions but with the help of Skype.
Information that can be very interesting for forensic investigations:
List of Skype accounts stored in the mobile device
Chat messages with chat history
List of sent/received SMS messages with their date/time
List of calls with their date/time
List of contacts
At the moment this feature is available for Apple iPhone and Windows Mobile devices.
Wi-Fi Connections section shows all Wi-Fi connections in one list and allows to examine Wi-Fi
hot spots on the map. According to this list forensic experts can find out when and where the suspect
used Wi-Fi internet access (public or even private) and detect his location:
Oxygen Forensic Suite 2010 extracts an approximate geographical positioning of the place
where Wi-Fi connection was used. Its accuracy is shown in meters. Mini Google Maps are generated and
shown according to SSID, BSSID and RSSI information extracted from the mobile device.
At the moment this feature is available for Apple devices.
Besides the exclusive information shown in Extras section the approach used in Oxygen
Forensic Suite 2010 offers several significant advantages over other logical forensic tools:
Support for Symbian OS smartphones, Window Mobile and BlackBerry devices. The
amount of useful data, extracted from these devices, considerably exceeds the
capabilities of other products.
User-friendly interface for data analysis. The data is grouped according to its classes.
A convenient search and sorting engine and content filtering are implemented.
Data extraction from custom SMS folders. Besides standard SMS folders, smartphones
permit to create custom SMS folders. For example, for messages of a particular type
or for a certain contact. In such folders the most interesting information is usually
stored. Only "Oxygen Forensic Suite 2010" has an access to the messages in custom
Extraction of information about deleted SMS messages. Even if a message was
deleted from a Symbian OS smartphone, the information about it can be extracted!
Many other programs can also show deleted messages but on a SIM card only. It is
very misleading because the majority of phones and smartphones do not store
messages on their SIM cards, using phone memory instead of it
Direct access to the data. Access to Windows Mobile devices is possible without
ActiveSync/Vista Mobile Center that may change the data in the examined phone.
Access to Event Log in Symbian OS smartphones includes the information about
GPRS, EDGE, CSD, HSCSD and Wi-Fi activity (besides the standard information about
Access to Event Log in Windows Mobile devices.
Extraction of contact field labels from Symbian OS smartphones, including the ones
changed by the user.
Extraction of the fields of the same type with the same attribute from Symbian OS
smartphones. The data is fully shown if its types and modifiers coincide with the fields
Extended information about contacts. The program extracts the information about
caller groups and speed dials that can point to the communication frequency between
the phone owner and specified contacts.
Extraction of the last modification date of contacts and calendar events.
Extraction of the message Service Center Time Stamp. This feature is available for all
Symbian OS smartphones.
Easy device connection. Data extraction is performed via standard cables and
adapters. No other expensive equipment is needed.
Unique Forensic protocol for access to smartphones, created especially for safe
extraction of maximum information. Standard protocols (AT, OBEX, SyncML), used by
other software, are developed for data synchronization and may change the data of
the examined device.
Data extraction from exclusive devices, like Vertu and Mobiado.
Most of the information above is not accessible via standard communication protocols used
by other logical forensic tools - SyncML, OBEX or AT command sets. Besides their limitations these
protocols have another big disadvantage – all of them had been developed for information
synchronization purposes, that runs counter to forensic requirements.
Oxygen Forensic Suite 2010 uses advanced proprietary protocol developed specially for
forensic information extraction and analysis. To implement this protocol at the device’s side we put a
small OxyAgent application there. This approach has several benefits:
Using our own communication protocol we can be sure that all the personal
information is untouched into device
Agent application runs inside a phone and in phone OS, therefore it can access much
more data than available with generic protocols
Oxygen Forensic Suite 2010 does not use ActiveSync application to get information
from Windows Mobile 5/6 devices, so there is no risk that device information can be
changed if ActiveSync decides to run synchronization process.
It’s a common situation when you need to find some text, person or phone number in the
extracted mobile device(s) information. Oxygen Forensic Suite 2010 has two kinds of advanced search
feature: search for text and search for contact activity.
To use these features you should go to “Desktop” section and switch from Devices to Search
Search for text function is rather simple, it finds all occurrences of the specified text in all or
Search for contact feature implements really smart functionality. You can enter only part of
any contact data – name, phone number or other fields. If the program finds a contact satisfying search
criteria, it analyzes all phone numbers, e-mails and other fields of this contact and starts searching for
any of this information through all sections of specified mobile devices. Phone number formatting and
prefix are not regarded in the search.
The screenshot above demonstrates the result of contact search function with only one
criteria – part of phone number. As you can see, the result contains contact entries in two different
phones, call log and messages sent and received by this contact. If there are any calendar events
associated with this contact – birthdays, meetings and so on, they will also be displayed.
By double-click on entry you can switch to the corresponding section of the relevant phone
for more detailed analysis. All search results are saved and can be reused later.
Oxygen Forensic Suite 2010 allows an examiner to print reports containing all the extracted
mobile device information. You can select only specific section(s) as well.
This is an example of how Event Log report section looks like:
Forensic reports can also be exported to a number of file formats – Adobe PDF, Microsoft
Excel, Rich Text Format etc.
Oxygen Forensic Suite, Oxygen Forensic Suite 2010 and OxyAgent are the trademarks and
properties of Oxygen Software LLC.
Symbian and Symbian OS are the registered trademarks of Symbian Ltd.
Windows 2000, Windows XP, Windows Server 2003, Windows Vista and Windows Mobile are
registered trademarks of Microsoft Corporation.
All other trademarks are owned by their respective companies.
Oxygen Forensic Suite 2010 official website is http://www.oxygen-forensic.com
Telephone (USA, toll-free): +1 877 9-OXYGEN
Telephone (UK): +44 (0) 20 8133 8450
Hardware and software you need for connection
Original USB cable
Oxygen Forensic Suite 2010 installed on your PC
Cable drivers from phone manufacturer (recommended, but not strictly required)
Flash card compatible with the specific device (used as temporary storage when extracting
OxyAgent application usage notice
OxyAgent application must be installed into Android device to extract data. Oxygen Forensic Suite
2010 installs and uninstalls OxyAgent automatically, so you don’t need to perform any special actions
OxyAgent is a small forensically designed application that allows you to extract the maximum
amount of data from Android devices. It does not change any personal information inside the device.
Please be informed that this moment there is no other way to extract data from Android devices
except the physical analysis.
Where to find cable drivers
First of all, before connecting the mobile phone to PC you must install Android cable drivers. You
can use official drivers from the disc supplied by manufacturer, look for drivers on the manufacturer
official site or download the drivers package from Oxygen Forensic Suite site:
Android driver folder taken from the link above consists of two parts:
Manufacturer folder contains official Motorola and HTC drivers for Motorola CLIQ, DEXT,
Droid, Heron, Milestone, Sholes and HTC Click, Dream, Hero, Magic, Tattoo devices.
General folder has drivers for all other Android devices (for example, Google Nexus, T-
Mobile G3, T-Mobile Pulse).
We advise you to use General folder drivers when you have connection problems with official
drivers or they are not available at all.
If your Android device has no official drivers and drivers from General folder do not work you can
contact us at email@example.com and we will send you patched drivers for your phone model.
How to install cable drivers
To install the drivers from General driver folder please follow these instructions:
Connect Android device via cable to PC. New Hardware Wizard will be started. Choose Install
from a list or specific location option and after that Don’t search. I will choose the
driver to install:
Select Show all devices, press Next button and then press Have disk to continue:
Then press Browse, select General driver folder on your PC and open android_winusb.inf file
there. As a result you will get the following window. Press Next to install the driver:
To install the drivers from Manufacturer driver folder you should either run
Motorola_Consumer_Driver_Installation_MotoConnect.msi file for Motorola Android devices or follow the
instructions above for HTC Android devices.
How to check if cable drivers are installed correctly
After drivers installation is finished you need to check if they are installed correctly. Attach a cable
to the device and go to Start/Control panel/System/Hardware/Device Manager menu on PC. In ADB
Interface there should be the name of the Android device you have connected. In our case it is
If you do not see it the drivers were not installed correctly.
What options to select in the device
After you installed the drivers you need to perform the following steps before starting our
You need to select ‘USB Debugging’ mode in Settings/Applications/Development menu of the
Android device. This mode enables ADB server in the device that is used during connection:
It is very important to select the correct USB mode in the device when you attach a cable to it.
For the most Android devices it should be ‘None’. Do not select ‘Memory card management’,
‘Motorola phone tools’ or ‘Windows media sync’ modes. With these modes Android devices will
not be connected to Oxygen Forensic Suite 2010:
Make sure that a flash card is inserted in the device. It should have at least 1Mb free space.
During data extraction our OxyAgent application uses it to store temporary files that are
removed when extraction is finished.
Please note: no other files that were previously saved on a flash card are deleted or modified. To
be on the safe side, you can also use your own flash card for data extraction.
How to connect Android device in Oxygen Forensic Suite 2010
If all the previous instructions are strictly followed launch Oxygen Forensic Suite 2010 and select
Connect new device option on Common tasks sidebar. Oxygen Connection Wizard will be started.
Please, choose ‘Connect via cable’ there and wait till the device is found and you are offered to install
Accept OxyAgent installation. After it installs and starts you will see the following window
informing you that the device is connected:
Press Next button to finish connection process. After that Device Extraction Wizard will start
automatically and you can proceed to extract data from the device.
Please note: OxyAgent is automatically uninstalled from the device after data extraction is over.
If connection was broken or due to some errors the program was suddenly closed please make sure
that OxyAgent is uninstalled in Settings/Applications device menu.
In case you have connection problems with Android devices we recommend you to check how
ADB (Android Debug Bridge utility supplied by manufacturer) is functioning. Please do the following:
Connect your Android device via cable
Go to Oxygen Software/Oxygen Forensic Suite 2010/SystemFiles folder, create a .txt file with
the contents, like on the screenshot:
Name it device.bat file and launch it. ADB.exe will be started in the same folder. If ADB utility
functions well you will see your Android in the list of devices attached. It will have no real name but
If the list of devices is empty, it means that ADB utility does not work and there will be no
connection in Oxygen Forensic Suite 2010. Unless you make ADB utility work correctly there is no way to
extract data using our software.
If the connection problem persists do not hesitate to contact us at support@oxygen-
forensic.com. We are always glad to help you.