Picture This!

From the days in law enforcement, my work in the private sector, and now within the corporate machine, analytics are often a means to the end. In the infancy stage of my mobile forensic career it was all about taking the data, albeit only 2.9 MB of storage, and putting a report together of the 25 contacts, images, videos, and text messages. If multiple devices were at the scene, there was the laborious task of digging through the data to find common contacts, text messages, images, dates and times, and more. Often, in the first courses I taught, we used FTK to take in multiple devices and again do some magic in piecing together the event. Quite honestly, that was the only way to do some sort of collective analysis. I remember speaking at a Microsoft event in 2009 on the importance of painting a collective digital picture; it really did not make a splash at that time, unfortunately. Mobile devices were regarded by the forensic community as small digital devices with limited storage and even less significance to a case. I can tell you today this is certainly not the case; a mobile device's contents are often pivotal to each and every investigation. And one thing is for sure: these devices and their peripheral storage points hold more investigative material than ever.

Storage capacity and multiple points or end points of storage

This simple concept is something that investigators will continue to deal with for years to come. Knowing the sheer limits of investigative time, investigators facing today's data, which comes from multiple sources, must work smarter and use analytics from aggregated sources. Take for example a single case that has multiple devices. The devices belong to different owners and each owner states they do not know one another, but from the initial investigation you believe this is not the case. By using Oxygen Forensic Detective, with built-in analytics, the examiner is able to quickly determine common location data among multiple devices (Figure 1).

Figure 1. Common locations showing a drone as well as user, tying devices together at the location.

Not only is location information critical to any type of investigation where there are multiple devices, but what about contacts? Poring over massive numbers of contacts across multiple devices to determine common contacts or outliers can be extremely time consuming. If not for the powerful data aggregation tools built into Oxygen Forensics, Inc. products, an investigator's time will often be spent poring over numbers/names/addresses/usernames to determine who is who, and often who knows who. Using the social graph and aggregated contacts can take the identification of common contacts and outliers down to minutes, sometimes seconds (Figure 2).

Figure 2: Quickly show only common contacts between multiple devices.

 

With the increasingly frustrating backlogs of investigations, adding work to an already backbreaking workload is not the answer. With the addition of cloud artifacts and IoT devices, an investigator's job in digging through the proverbial haystack will compound. However, having built-in analytical tools in a single product will allow today's investigators to work smarter. Adding powerful search functions, the aggregation of all types of artifacts, multiple simultaneous extractions, and industry-leading app parsing/decoding support, Oxygen Forensic Detective should be a part of your toolbag.

Published by

Lee Reiber

Pioneer in mobile device forensics, author of Mobile Forensic Investigations, former LE, and COO at Oxygen Forensics, Inc.
