Modern devices store gigabytes of data that, once extracted, cannot be analyzed manually, so investigators need tools that allow them to quickly process and analyze acquired evidence. We, at Oxygen Forensics, were the first in the mobile forensics market to realize this essential requirement and incorporate data analytics into our software. Ten years ago we introduced Timeline, our first analytical section, and today we offer a wide range of powerful analytical tools at no additional cost to the user. Let's go through all of them.
1. Timeline
Our Timeline section provides a view of all device events in a single list – chats within apps, calls, web activity, web connections, photos, videos, calendar events, and more. Events can be viewed for one device or a group of devices, allowing easy identification of common group activities. Sort and filter by date, time, activity frequency, contact, remote party, or other data points to focus only on the most relevant data. The Geolocations tab contains the full list of geo coordinates from all the sources that include photos, videos, apps, drone flight logs, and more. In addition, the Activity matrix located in the bottom panel helps to detect when the device was most used.
2. Social Graph
The built-in Social Graph provides a convenient platform to explore social connections between a device owner and their contacts or between several devices. Using the Social Graph, investigators can identify the device owner's closest contacts in one click. Click on any contact to open a card containing detailed information about the selected contact and all communications across device sources. The Social Graph interface is dynamic and agile. Investigators can drag and drop to move, hide, or merge contacts while producing a crystal clear view of device and case connections. It is also possible to define the shortest path between selected contacts (by default up to 5 intermediaries). That allows investigators to see visually that the device owner did not speak directly to someone, but spoke to a contact, who spoke to another, who then spoke to the identified target.
3. Image Categorization
Oxygen Forensic® Detective provides the ability to categorize images from twelve different classes that include pornography, extremism, drugs, alcohol, and weapons. Our image categorization is available when importing device data and also on already imported extractions. Investigators can select all or selected categories while also having the ability to fine-tune the positive "hit" settings. After running the image analysis, the number of matching images for each supported category is tagged and shown in the Key Evidence and Files sections. Investigators can review the tagged data and manually exclude any false positives.
4. Facial Recognition
Oxygen Forensic® Detective offers the ability for investigators to categorize human faces. The facial recognition is available in the Faces section. The unique features include: industry leading accuracy (as measured by NIST), detailed face analytics (gender, race, emotion, and more), immediate categorization and matching (5 faces/second), and support for massive volumes of data. Using the built-in facial recognition, investigators will save valuable time when looking through thousands of photos or videos in mobile, cloud, or drone extractions.
5. Maps
Oxygen Forensic® Detective acquires geo-coordinates from all possible sources including mobile devices, drones, cloud storages, media cards, and imported images. Once analyzed, the data can be viewed within our Oxygen Forensic® Maps, either online or offline. The Maps module includes the ability to:
- Identify a device’s frequently visited places
- Pinpoint common locations of several devices
- Visualize a device's movements within a specified period of time
- Play an animated route showing the direction of travel
6. Data Search
Oxygen Forensic® Detective allows investigators the option to search across a single device, all devices in a case, or all devices in a database. Investigators can access texts, phone numbers, email addresses, geo-coordinates, IP addresses, MAC addresses, credit card numbers, and file hashes including Project VIC. A Regular Expression library is available for custom search functions, and investigators can create a set of keywords for a data search. Moreover, a search can be run in 3 ways: in parsed data, in files, and in file content such as SQLite databases.
7. Key Evidence
The Key Evidence section displays all records that have been bookmarked in other sections by the investigator. This section is where all entries identified as relevant to a case are found, making data analysis easier and saving valuable time. Investigators can bookmark important evidence in a single device, or several devices, and export it later to one data report. More importantly, Oxygen Forensic® Detective also offers a number of predefined tags, including: Nudity, Weapon, Guns, Important, and several others. Investigators can also create and set their own tags and export entries to data reports by simply selecting the relevant tags.
8. App Analytics
We are aware of how important app data is for today's digital investigations. Not only do we update our industry leading app parsers with each release, but we also deliver to investigators a powerful view for parsed app data. For each app, investigators have built-in analytics that include Chats View, Timeline, and Social Graph. The Chats View gives investigators the ability to read extracted conversations in the convenient message bubble view, as well as export to one of our reporting formats. The Timeline and Social Graph views enable investigators to immediately apply our powerful analytics to an identified group conversation. With one click of the Maps button, investigators can visualize extracted geo-coordinates.
9. SQLite Viewer
The built-in Oxygen Forensic® SQLite Viewer is a powerful 64-bit tool for examining SQLite files. With this tool, investigators can open any SQLite database, recover deleted records, convert values to a readable format, build visual and non-visual SQL queries, save them for further use, run a search, and finally export the selected entries to customized data reports.
10. Device Statistics
Oxygen Forensic® Detective offers investigators a new Device Statistics section that shows detailed statistics about the extraction, such as Top 10 applications with the greatest number of communications, Top 10 groups, Top 10 contacts, Last contacted, Key Evidence with tags, and notes. This would be a great place to get a head start on a mobile forensic investigation.
Never tried our software? Contact us for a fully-featured demo license that includes not only extraction capabilities but all the above-mentioned analytics!