Oxygen Forensic Suite 2 - Getting Started

  1. Oxygen Forensic Suite 2010 is mobile forensic software that goes beyond standard logical analysis of cell phones, smartphones and PDAs. Use of advanced proprietary protocols and phone APIs makes it possible to pull much more data than forensic tools using standard logical protocols can extract, especially from smartphones. Oxygen Forensic Suite 2010 helps you extract most of the information from the great majority of mobile devices for investigation purposes. The program has played a significant role in criminal and other investigations all over the world and is used by law enforcement units, police departments, the army, customs and tax services and other government authorities.

     The current software version provides access to the following sections: Phonebook, Calendar, Tasks, Messages, Event Log, File Browser and Extras (LifeBlog and Web Cache analyzer). Note that the number of sections and the list of extractable data fields depend on the device model. You can examine:
       • Common phone information and SIM card data (contacts and messages)
       • Contact list (including mobile, wire-line and fax numbers, postal addresses, e-mails, contact photos and other contact information)
       • Missed/outgoing/incoming calls
       • Caller group information
       • Organizer data (calendar meetings, appointments, memos, call reminders, anniversaries and birthdays, to-do tasks)
       • Text notes (in version 1)
       • SMS messages (messages, log, folders, deleted messages with some restrictions)
       • Multimedia messages with attachments
       • E-mail messages with attachments and folders
       • GPRS, EDGE, CSD, HSCSD and Wi-Fi session log and traffic amount
       • Photos and gallery images
       • Video clips and films
       • Voice records and audio clips
       • All files from internal phone memory and flash card, including installed applications and their data
       • FM radio stations database (as part of File Browser)
       • LifeBlog activity: a track of all main events in chronological order with geographical coordinates
       • GPS and XMP coordinates stored in camera snapshots
       • Web browser bookmarks and cache files
       • iPhone password-protected backups
       • Skype information
       • Wi-Fi connections

     Oxygen Forensic Suite 2010 offers easy and convenient management of all examined devices in one window: phone properties, case details and status, the person in charge of it, etc.
  2. Mobile device information analysis can be done in the program directly or with the help of the advanced export function. You can create reports in the most popular file formats (XLS, RTF, PDF) and either print them or send them to remote departments and experts.

     The program has a powerful built-in search engine. You can easily find the necessary information in all sections with a few mouse clicks in Oxygen Forensic Suite 2010. Importantly, the search results are saved between sessions. Besides, a contextual filter in every section helps you sort out the data the way you need it. Moreover, the software allows you to save extracted data to a file and then load it into the program on another computer. Thus you need to connect a phone and extract data only once, and can then send the extracted information outside, e.g. for analysis by remote experts.

     The current version works with more than 1500 mobile devices from Nokia, Apple (iPhone 2G, 3G, 3GS), RIM (BlackBerry), Google (based on Android OS), Samsung, Sony Ericsson, Motorola, Panasonic, LG, HTC, Asus, HP and other manufacturers. Oxygen Forensic Suite 2010 has strong support for Symbian OS and Windows Mobile 5/6 smartphones and communicators (ActiveSync is not required). Upcoming versions will support Android devices too. The list of supported models is growing rapidly. To get the latest Oxygen Forensic Suite 2010 version supporting your mobile device, visit the Oxygen Forensic Suite website.

     Oxygen Forensic Suite 2010 supports USB cable connection, Bluetooth (Microsoft, Widcomm, BlueSoleil) connection and infrared connection using the IrDA stack. Support for the different connection types depends on the phone series and model; check the Oxygen Forensic Suite 2010 help file. The software works under 32-bit or 64-bit versions of Windows 7, Windows Vista, Windows XP, Windows Server 2003 and Windows 2000.
  3. Oxygen Forensic Suite 2010 is distributed under two new licensing systems: an Internet license with hardware binding and a license with a USB dongle. Run the OxyForensic_Setup.exe installation package and follow the Setup wizard. On the next screen you must carefully read the License agreement and accept it if you agree. Then you can read the release notes.
  4. Select the folder to install Oxygen Forensic Suite 2010 into, then choose the folder for the program shortcuts. You can also tell the wizard to enter the registration key (if you are using an Internet license) and to create Desktop and Quick Launch icons.
  5. Check all settings and press the “Next” button to start the installation. Enter the key you received from us (Internet license only). When the installation completes, you can choose to look through the release notes, run the presentation, view the Getting Started Guide and launch Oxygen Forensic Suite 2010.
  6. To use Oxygen Forensic Suite 2010 you need to activate the license. The activation process differs according to the license type.

     Internet license: to start working with Oxygen Forensic Suite 2010 you must have an Internet connection and activate the program. Press “Yes” to start the activation, then send your activation request via e-mail or the web, or save it to a file. Enter the key as soon as you receive it and restart Oxygen Forensic Suite 2010.
  7. USB dongle license: the Oxygen Forensic Suite 2010 USB dongle license must be used with the USB dongle bundled with your Oxygen Forensic Suite 2010 package. No Internet connection is required for this license. After installing Oxygen Forensic Suite 2010, insert the USB dongle into a USB port, wait until the drivers initialize and start the main program. Please note that the USB dongle must stay inserted the whole time you work with Oxygen Forensic Suite 2010.

     To be able to work with a phone, make sure it is supported in the current version of the software and that all corresponding drivers and software modules are installed. Refer to the Oxygen Forensic Suite 2010 help file to learn what must be done for a specific phone model.

     To extract information from a cell phone, smartphone, PDA or any other mobile device, you must first connect it to the program. If you use a cable connection, attach the phone to the cable. For a Bluetooth or infrared connection, activate it in the phone and make sure the phone is visible and accessible. Press the Connect new phone button and the Oxygen Connection Wizard will start. Select the desired connection type: USB cable, Serial cable, Bluetooth or Infrared. The list of available connection types depends on the mobile device capabilities and the hardware installed in your computer.

     Important: different mobile devices may require different connection procedures. For more information please refer to the Oxygen Forensic Suite 2010 help file. This document describes the connection process for a Symbian Series 60 phone. The Oxygen Connection Wizard will start searching for the phone.
  8. To extract data from Symbian OS smartphones, Windows Mobile 5/6, BlackBerry and Android devices, Oxygen Forensic Suite 2010 needs to load a small agent application onto the phone. This application does not modify any personal data in the phone and makes it possible to read much more information than standard protocols like SyncML, OBEX or AT allow. Select the option suitable for you and press the “Upload” button to load the OxyAgent application onto the device.
  9. When the application is loaded, go to Tools/Application Manager, find the OxyAgent application and install it. Do not be afraid of that operation: mobile devices have separate storage for applications and data, so installing OxyAgent will not modify any personal information in the phone. Start the OxyAgent application on the phone and select the desired connection type. After that press the “Connect” button in the Oxygen Connection Wizard. Once the connection is established, the program will display the phone information.
  10. You can close the Oxygen Connection Wizard by pressing the “Finish” button.
  11. Now you are ready to begin extracting data from the connected phone. When Oxygen Forensic Suite 2010 finds the phone, it starts the Data Extraction Wizard automatically. You can enter device information, notes and case data, and enter the device owner's numbers if you know any.
  12. Select the information to be read by the Data Extraction Wizard. Note that specific files and directories can be read later if needed. Please also be aware that the list of available sections depends on the mobile device capabilities. Check all the needed settings and press the “Extract” button to start data extraction.
  13. When all data is extracted, you can choose either to open the device for viewing and analyzing data or to run the Export and Print wizard if you need a quick report about the seized device. Note that you can run the Export or Print Wizard at any time while working with device information.
  14. The “Desktop” section lists all devices connected and seized previously, as well as the actions available for them. The Backup Extraction Wizard helps you import data and place the device into the database for convenient work with its information. You can load Oxygen backups and iPhone password-protected backups (with a known password) with the specially created Backup Extraction Wizard by pressing the Load from archive button.
  15. Select the backup type you would like to restore and browse for the backup file on your PC.
  16. You can enter device information, notes and case data. Check the settings before the restore procedure.
  17. When the backup data is extracted, you can choose either to open the device for viewing and analyzing data or to run the Export and Print wizard if you need a quick report about the device.
  18. You can open a device from the Desktop list for data viewing by double-clicking its name. Device sections with extracted data are listed in the action panel group on the left. The “Phonebook” section contains the contact list (including SIM card contacts) with personal pictures, custom field labels and speed dials. It also allows you to filter contacts by caller group.
  19. The “Calendar” section displays all meetings, birthdays, reminders and other events. The “Tasks” section displays all tasks with their priority marks and date/time.
  20. SMS (even those deleted from message folders in the phone), MMS, E-mail, Beamed and messages of other types are shown in the “Messages” section.

     Important: at the moment of writing this document, Oxygen Forensic Suite 2010 is the only forensic tool able to access SMS, MMS and E-mail messages stored in custom folders on Symbian OS smartphones.

     Previously deleted messages are also shown in the “Messages” section; they are highlighted with a different color and marked by a “basket” icon. Note that the deleted message reading feature has several restrictions:
       • Available for Symbian OS smartphones only (except UIQ2 models)
       • The message must not be older than the number of days specified by the “Log duration” parameter in the system Log application
       • Only part of the message text will be read (up to 64 characters)

     Important: many forensic tools providing logical data access advertise a “Reading deleted SMS” feature, but few of them tell customers that it works only for SMS messages that had been stored on the SIM card. Oxygen Forensic Suite 2010 intentionally does not include this feature, because the overwhelming majority of modern phones do not store any personal information on the SIM card.

     The “File Browser” section gives you access to the entire mobile device file system, including photos, videos, voice records and other files.
  21. Incoming, outgoing and missed call history, SMS and MMS sent and received, GPRS and Wi-Fi sessions: all this information is available in the “Event Log” section.
  22. The current Oxygen Forensic Suite 2010 version contains a new Extras section which consists of five parts: LifeBlog, Web browsers cache analyzer, Phone activity, Wi-Fi Connections and Skype. These add-on sections are available in the PRO license only.

     Many Nokia smartphones have the Nokia LifeBlog application preinstalled. The application can also be downloaded from the Nokia site and installed manually on many other smartphones based on the Nokia S60 3rd Edition platform. The primary purpose of Nokia LifeBlog is to organize a digital photo album and notes in order to publish them on blogs. But we at Oxygen Software discovered that LifeBlog stores a lot of information that can be very interesting for forensic investigations:
       • List of photos taken with the phone camera, with their date/time
       • List of sent/received SMS messages with their date/time and the cellular network coordinates (LAC, MCC, MNC and CellID) where the SMS was sent or received (depends on the LifeBlog version and data availability)
       • List of text notes entered, with their date/time
       • Geographical position of the event on a map (using mini Google Maps)
  23. Oxygen Forensic Suite 2010 extracts the approximate geographical position of the place where a photo was taken. Mini Google Maps are generated and shown for these coordinates right in the program. The feature is available for Apple iPhone, iPod Touch, Symbian Series 60, Windows Mobile and Sony Ericsson mobile devices and for photos with GPS coordinates.

     The Web browsers cache analyzer allows you to extract and examine cache files, such as the list of Internet sites visited and files downloaded by mobile web browsers (preinstalled as well as third-party ones).
  24. The Phone Activity add-on for Oxygen Forensic Suite 2010 organizes all calls, messages, calendar events and other activities chronologically, so it is easy to follow a conversation history without any need to switch between different sections. All data can be sorted, filtered and grouped by date, person or phone number.
  25. Skype has become very popular due to its cheap or even free calls. The application can also be downloaded for free and installed manually on smartphones. The mobile device owner can store a lot of important information inside Skype: they can chat, call, send SMS messages and transfer files without using the regular mobile device functions, using Skype instead. Information that can be very interesting for forensic investigations:
       • List of Skype accounts stored in the mobile device
       • Chat messages with chat history
       • List of sent/received SMS messages with their date/time
       • List of calls with their date/time
       • List of contacts
     At the moment this feature is available for Apple iPhone and Windows Mobile devices.

     The Wi-Fi Connections section shows all Wi-Fi connections in one list and allows you to examine the Wi-Fi hot spots on a map. From this list forensic experts can find out when and where the suspect used Wi-Fi Internet access (public or even private) and determine his location.
  26. Oxygen Forensic Suite 2010 extracts the approximate geographical position of the place where a Wi-Fi connection was used. Its accuracy is shown in meters. Mini Google Maps are generated and shown according to the SSID, BSSID and RSSI information extracted from the mobile device. At the moment this feature is available for Apple devices.

     Besides the exclusive information shown in the Extras section, the approach used in Oxygen Forensic Suite 2010 offers several significant advantages over other logical forensic tools:
       • Support for Symbian OS smartphones, Windows Mobile and BlackBerry devices. The amount of useful data extracted from these devices considerably exceeds the capabilities of other products.
       • User-friendly interface for data analysis. The data is grouped according to its classes. A convenient search and sorting engine and content filtering are implemented.
       • Data extraction from custom SMS folders. Besides the standard SMS folders, smartphones allow users to create custom SMS folders, for example for messages of a particular type or for a certain contact. The most interesting information is usually stored in such folders. Only Oxygen Forensic Suite 2010 has access to the messages in custom SMS folders.
       • Extraction of information about deleted SMS messages. Even if a message was deleted from a Symbian OS smartphone, information about it can be extracted! Many other programs can also show deleted messages, but only from a SIM card. This is very misleading, because the majority of phones and smartphones do not store messages on their SIM cards, using phone memory instead.
       • Direct access to the data. Access to Windows Mobile devices is possible without ActiveSync/Vista Mobile Center, which may change the data in the examined phone.
       • Access to the Event Log in Symbian OS smartphones, including information about GPRS, EDGE, CSD, HSCSD and Wi-Fi activity (besides the standard information about calls).
  27. Further advantages:
       • Access to the Event Log in Windows Mobile devices.
       • Extraction of contact field labels from Symbian OS smartphones, including the ones changed by the user.
       • Extraction of fields of the same type with the same attribute from Symbian OS smartphones. The data is fully shown if its types and modifiers coincide with the fields extracted before.
       • Extended information about contacts. The program extracts information about caller groups and speed dials, which can point to the communication frequency between the phone owner and specific contacts.
       • Extraction of the last modification date of contacts and calendar events.
       • Extraction of the message Service Center Time Stamp. This feature is available for all Symbian OS smartphones.
       • Easy device connection. Data extraction is performed via standard cables and adapters. No other expensive equipment is needed.
       • Unique Forensic protocol for access to smartphones, created especially for safe extraction of the maximum amount of information. Standard protocols (AT, OBEX, SyncML), used by other software, were developed for data synchronization and may change the data on the examined device.
       • Data extraction from exclusive devices, like Vertu and Mobiado.

     Most of the information above is not accessible via the standard communication protocols used by other logical forensic tools: the SyncML, OBEX or AT command sets. Besides their limitations, these protocols have another big disadvantage: all of them were developed for information synchronization purposes, which runs counter to forensic requirements. Oxygen Forensic Suite 2010 uses an advanced proprietary protocol developed specially for forensic information extraction and analysis. To implement this protocol on the device's side we put a small OxyAgent application there. This approach has several benefits:
       • Using our own communication protocol, we can be sure that all the personal information on the device is untouched.
       • The agent application runs inside the phone, in the phone OS, so it can access much more data than is available with generic protocols.
       • Oxygen Forensic Suite 2010 does not use the ActiveSync application to get information from Windows Mobile 5/6 devices, so there is no risk that device information is changed if ActiveSync decides to run a synchronization process.
  28. It is a common situation that you need to find some text, person or phone number in the extracted mobile device(s) information. Oxygen Forensic Suite 2010 has two kinds of advanced search: search for text and search for contact activity. To use these features, go to the “Desktop” section and switch from the Devices tab to the Search data tab.

     The search for text function is rather simple: it finds all occurrences of the specified text in all or selected phones. The search for contact feature implements really smart functionality. You can enter only part of any contact data: name, phone number or other fields. If the program finds a contact satisfying the search criteria, it analyzes all phone numbers, e-mails and other fields of this contact and starts searching for any of this information through all sections of the specified mobile devices. Phone number formatting and prefixes are disregarded in the search.

     The screenshot above demonstrates the result of the contact search function with only one criterion: part of a phone number. As you can see, the result contains contact entries in two different phones, the call log and messages sent and received by this contact. If there are any calendar events associated with this contact (birthdays, meetings and so on), they will also be displayed. By double-clicking an entry you can switch to the corresponding section of the relevant phone for more detailed analysis. All search results are saved and can be reused later.
  29. Oxygen Forensic Suite 2010 allows an examiner to print reports containing all the extracted mobile device information. You can also select only specific section(s). This is an example of what the Event Log report section looks like. Forensic reports can also be exported to a number of file formats: Adobe PDF, Microsoft Excel, Rich Text Format, etc.
  30. Oxygen Forensic Suite, Oxygen Forensic Suite 2010 and OxyAgent are trademarks and property of Oxygen Software LLC. Symbian and Symbian OS are registered trademarks of Symbian Ltd. Windows 2000, Windows XP, Windows Server 2003, Windows Vista and Windows Mobile are registered trademarks of Microsoft Corporation. All other trademarks are owned by their respective companies.

     Oxygen Forensic Suite 2010 official website:
     Contacts:
       Telephone (USA, toll-free): +1 877 9-OXYGEN
       Telephone (UK): +44 (0) 20 8133 8450
       E-mail:
  31. Hardware and software you need for connection
       • Original USB cable
       • Oxygen Forensic Suite 2010 installed on your PC
       • Cable drivers from the phone manufacturer (recommended, but not strictly required)
       • Flash card compatible with the specific device (used as temporary storage when extracting data)

     OxyAgent application usage notice
     The OxyAgent application must be installed on the Android device to extract data. Oxygen Forensic Suite 2010 installs and uninstalls OxyAgent automatically, so you don't need to perform any special actions for it. OxyAgent is a small forensically designed application that allows you to extract the maximum amount of data from Android devices. It does not change any personal information inside the device. Please be aware that at this moment there is no other way to extract data from Android devices except physical analysis.

     Where to find cable drivers
     First of all, before connecting the mobile phone to the PC you must install the Android cable drivers. You can use the official drivers from the disc supplied by the manufacturer, look for drivers on the manufacturer's official site or download the drivers package from the Oxygen Forensic Suite site. The Android driver folder taken from the link above consists of two parts:
       • The Manufacturer folder contains official Motorola and HTC drivers for Motorola CLIQ, DEXT, Droid, Heron, Milestone, Sholes and HTC Click, Dream, Hero, Magic, Tattoo devices.
       • The General folder has drivers for all other Android devices (for example, Google Nexus, T-Mobile G3, T-Mobile Pulse).
     We advise you to use the General folder drivers when you have connection problems with the official drivers or they are not available at all. If your Android device has no official drivers and the drivers from the General folder do not work, you can contact us and we will send you patched drivers for your phone model.

     How to install cable drivers
     To install the drivers from the General driver folder, follow these instructions. Connect the Android device to the PC via cable. The New Hardware Wizard will start. Choose the “Install from a list or specific location” option and after that “Don't search. I will choose the driver to install”.
  32. Select “Show all devices”, press the Next button and then press “Have disk” to continue. Then press Browse, select the General driver folder on your PC and open the android_winusb.inf file there. The following window will appear; press Next to install the driver.
  33. To install the drivers from the Manufacturer driver folder, either run the Motorola_Consumer_Driver_Installation_MotoConnect.msi file for Motorola Android devices or follow the instructions above for HTC Android devices.

     How to check if cable drivers are installed correctly
     After the driver installation is finished, check that the drivers are installed correctly. Attach the cable to the device and go to Start/Control panel/System/Hardware/Device Manager on the PC. Under ADB Interface there should be the name of the Android device you have connected; in our case it is Motorola Milestone. If you do not see it, the drivers were not installed correctly.

     What options to select in the device
     After you have installed the drivers you need to perform the following steps before starting our software. Select ‘USB Debugging’ mode in the Settings/Applications/Development menu of the Android device. This mode enables the ADB server in the device, which is used during the connection.
  34. It is very important to select the correct USB mode in the device when you attach a cable to it. For most Android devices it should be ‘None’. Do not select the ‘Memory card management’, ‘Motorola phone tools’ or ‘Windows media sync’ modes; with these modes Android devices will not connect to Oxygen Forensic Suite 2010.

     Make sure that a flash card is inserted in the device. It should have at least 1 MB of free space. During data extraction our OxyAgent application uses it to store temporary files, which are removed when the extraction is finished. Please note: no other files previously saved on the flash card are deleted or modified. To be on the safe side, you can also use your own flash card for data extraction.

     How to connect an Android device in Oxygen Forensic Suite 2010
     If all the previous instructions have been followed strictly, launch Oxygen Forensic Suite 2010 and select the Connect new device option on the Common tasks sidebar. The Oxygen Connection Wizard will start. Choose ‘Connect via cable’ there and wait until the device is found and you are offered to install OxyAgent.
  35. Accept the OxyAgent installation. After it installs and starts you will see a window informing you that the device is connected. Press the Next button to finish the connection process. After that the Device Extraction Wizard will start automatically and you can proceed to extract data from the device.
  36. Please note: OxyAgent is automatically uninstalled from the device after the data extraction is over. If the connection was broken or the program was suddenly closed due to some error, please make sure that OxyAgent is uninstalled in the Settings/Applications menu of the device.

     Troubleshooting
     If you have connection problems with Android devices, we recommend checking how ADB (the Android Debug Bridge utility supplied by the manufacturer) is functioning. Please do the following: connect your Android device via cable, go to the Oxygen Software/Oxygen Forensic Suite 2010/SystemFiles folder and create a .txt file with the contents shown on the screenshot. Name it device.bat and launch it. ADB.exe will be started in the same folder. If the ADB utility functions well, you will see your Android device in the list of attached devices. It will have no real name, just some figures. If the list of devices is empty, the ADB utility does not work and there will be no connection in Oxygen Forensic Suite 2010. Unless you make the ADB utility work correctly there is no way to extract data using our software. If the connection problem persists, do not hesitate to contact us at support@oxygen- We are always glad to help you.
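The ADB check above, written as an added POSIX shell script rather than the guide's Windows device.bat (this is example code, not part of the Oxygen guide). It parses the listing that `adb devices` prints (a "List of devices attached" header, then one "serial<TAB>state" line per device, where the serial is the string of figures the guide mentions) and reports whether a device is ready; the "unauthorized" state it also recognises comes from newer ADB versions than the 2010 tooling, and the serial in the built-in sample is constructed.

```sh
#!/bin/sh
# Added example: sanity-check ADB connectivity before launching the suite.
# Works on the text of `adb devices`; the sample listing at the bottom is
# constructed so the script runs with no device and no ADB installed.

# adb_ready_serials: print the serial of every device in the "device" state,
# one per line. Reads an `adb devices` listing on stdin.
adb_ready_serials() {
    # Header ("List of devices attached") and "* daemon ..." lines never have
    # "device" as their second field, so they fall through the filter.
    awk 'NF >= 2 && $2 == "device" { print $1 }'
}

# adb_report: classify each line of an `adb devices` listing read on stdin.
# Exit status: 0 if at least one device is ready, 1 if the list is empty (the
# "ADB does not work" case the guide describes), 2 if devices are listed but
# none is ready (state "offline", or "unauthorized" until USB debugging is
# accepted on the handset).
adb_report() {
    ready=0
    not_ready=0
    # Default IFS splits on the tab between serial and state; the "|| [ -n ]"
    # clause still processes a final line that lacks a trailing newline.
    while read -r serial state _rest || [ -n "$serial" ]; do
        case "$serial" in
            ''|List|'*') continue ;;   # blank line, header, or daemon chatter
        esac
        [ -n "$state" ] || continue
        case "$state" in
            device)
                ready=$((ready + 1))
                echo "ready:        $serial" ;;
            offline|unauthorized)
                not_ready=$((not_ready + 1))
                echo "$state: $serial" ;;
            *)
                echo "unknown state '$state': $serial" ;;
        esac
    done
    if [ "$ready" -gt 0 ]; then
        return 0
    elif [ "$not_ready" -gt 0 ]; then
        return 2
    fi
    echo "no devices attached: check cable drivers, USB mode and USB debugging"
    return 1
}

# `sh adb_check.sh --live` runs the real adb found on PATH; without the flag
# a constructed listing with one ready device (serial made up) is used.
if [ "${1:-}" = "--live" ]; then
    adb devices | adb_report
else
    printf 'List of devices attached\n0123456789ABCDEF\tdevice\n\n' | adb_report
fi
```

An exit status of 1 corresponds to the guide's empty-list case, where no connection in the suite is possible until ADB itself works.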