In digital investigations, an abundance of data usually means a shortage of time to work through it. Time is often critical, and finding the needle in the proverbial haystack can be daunting. Navigating large amounts of data quickly and efficiently has always been our goal and development objective. In the 12.3 release we added a statistics section to the main dashboard that gave users a quick overview of the data, a sort of top ten. The feature was well received, so in 12.4 we designed a more comprehensive Statistics section: an overview of the entire extraction and its data that lets the investigator quickly identify areas of interest.
The Statistics section consists of several widgets, neatly laid out on screen. They fall into two categories: data on the device and investigator interaction. The first group shows the data present in the extraction as charts or tables (Activity Chart, Activity Matrix, Last Contacted, Data Types, Top 10 Applications, Contacts, and Groups). The second group reflects the investigator's interactions with the evidence: assigning tags, marking data as Key Evidence, adding and editing notes, running hash set searches, and using Project VIC tags.
THE WIDGETS THAT ARE BUILT AUTOMATICALLY PRESENT DATA WITHIN THE EXTRACTION:
Activity Chart
This new analytical feature in Oxygen Forensic® Detective displays user activity over a chosen timeframe (years, months, etc.).
Each event type has its own column colour: calls are green, messages are yellow, and all other events are red. The chart scale is divided into equal time intervals of 1 year, 1 month, 1 hour, 1 minute, or 1 second; the interval is chosen from the control to the right of the Group by label. Each interval gets one column per event type that occurred in it, filled with that type's colour.
The column height grows non-linearly with the number of events of that type in the interval. Intervals with no events are left out of the chart.
Hovering over an interval label beneath the columns shows the total number of timeline events in that interval; hovering over a column shows the number of events of that type in the interval.
Hovering over a column also pops up a hint listing the last 3 events of that type in the interval.
Clicking a column switches the grid to that time range, positioned on the latest (newest) event of the selected type in the interval.
Activity Matrix
This feature shows when the device was used most, broken down by hour of day and weekday. To learn more, read our earlier blog post about it: https://blog.oxygen-forensic.com/activity-matrix-we-know-how-active-you-are/
10 Most Recent Communications
The Last Contacted widget is built automatically from the data in the extraction. It lists the 10 most recent communications, each with the app icon, contact name, and timestamp. The widget's settings are behind the Settings button; click it to open a context menu and filter by type of communication (Call or Message).
Top 10 Applications
This widget is also built automatically from the extraction. A pie chart shows the share of communications in the most used applications, with the legend to the right listing each application's icon and name, its number of communication events, and its percentage of all communications within those 10 apps. The widget's settings are behind the Settings button; click it to open a context menu with chart view settings and a filter by type of communication (Call or Message).
Top 10 Active Contacts
This chart is compiled automatically from the data in the extraction. The share of communications with the most contacted people is shown as a linear or pie chart, with the figures to the right: the number of communication events, contact name, application icon, and each contact's percentage relative to the 10 most actively contacted. The widget's settings are behind the Settings button; click it to open a context menu with chart view settings and a filter by type of communication (Call or Message).
Top 10 Groups
This widget is built from the data in the extraction. The 10 most used groups are shown in a pie chart, sorted by their share of communication events. The legend, as always, is on the right: the colour assigned to the group, the number of communication events in it, its percentage relative to the other top 10 groups, the icon of the application hosting the group chat, and the group chat name. The widget's settings are behind the Settings button; click it to open a context menu with chart view settings and a filter by type of communication (Call or Message).
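As an added example (not Oxygen Forensics code and not part of the original post), the Python below recomputes what the Activity Chart, Activity Matrix and Top 10 widgets display from a small constructed timeline: events are bucketed by the page's five intervals and by type; the hover totals, the last-3 hint and the click-to-newest navigation are lookups on that structure; the matrix is a weekday-by-hour count; and the Top 10 share is computed relative to the top-10 total, as the widget legends describe. The event tuple layout, the COMMUNICATION_TYPES set and the sample events are assumptions made for the example.

```python
"""Added example (not Oxygen Forensics code): recomputing the Activity Chart,
Activity Matrix and Top 10 widgets from a constructed timeline export."""
from collections import Counter, defaultdict
from datetime import datetime

# Constructed sample timeline; a real one would come from an extraction export.
# Fields: ISO timestamp, event type, application, counterpart, description.
SAMPLE_EVENTS = [
    ("2021-03-01T08:05:10", "Call",    "Phone",    "+1 555 0100", "outgoing call"),
    ("2021-03-01T08:07:42", "Message", "SMS",      "+1 555 0100", "on my way"),
    ("2021-03-01T08:59:03", "Message", "WhatsApp", "Alice",       "running late"),
    ("2021-03-01T09:15:00", "Call",    "Phone",    "+1 555 0199", "incoming call"),
    ("2021-03-02T08:30:00", "Web",     "Chrome",   "example.com", "page visit"),
    ("2021-03-08T08:10:00", "Message", "Telegram", "Bob",         "ok"),
    ("2021-04-15T22:45:00", "Call",    "Phone",    "+1 555 0100", "missed call"),
    ("2021-04-15T22:46:30", "Message", "SMS",      "+1 555 0100", "call back"),
]
COMMUNICATION_TYPES = {"Call", "Message"}  # assumption: what the Top 10 widgets count


def color_for(kind):
    """Column colour as the page describes it: calls green, messages yellow, others red."""
    return {"Call": "green", "Message": "yellow"}.get(kind, "red")


def parse_events(rows):
    """Turn the ISO timestamp of each row into a datetime; other fields are kept as-is."""
    return [(datetime.fromisoformat(r[0]),) + tuple(r[1:]) for r in rows]


def bucket_start(ts, interval):
    """Truncate ts to the start of its interval: 'year', 'month', 'hour', 'minute' or 'second'."""
    fields = ["month", "day", "hour", "minute", "second", "microsecond"]
    keep = {"year": 0, "month": 1, "hour": 3, "minute": 4, "second": 5}[interval]
    zeroed = {f: (1 if f in ("month", "day") else 0) for f in fields[keep:]}
    return ts.replace(**zeroed)


def activity_chart(events, interval):
    """Map bucket start (ISO string) -> event type -> events, oldest to newest.
    Intervals with no events are simply absent, as on the chart."""
    chart = defaultdict(lambda: defaultdict(list))
    for ev in sorted(events, key=lambda e: e[0]):
        chart[bucket_start(ev[0], interval).isoformat()][ev[1]].append(ev)
    return {bucket: dict(types) for bucket, types in chart.items()}


def bucket_total(chart, bucket):
    """Hover under a column: number of timeline events of any type in the interval."""
    return sum(len(evs) for evs in chart.get(bucket, {}).values())


def last_events(chart, bucket, kind, n=3):
    """Hover over a column: the last n events of that type in the interval."""
    return chart.get(bucket, {}).get(kind, [])[-n:]


def newest_event(chart, bucket, kind):
    """Click on a column: the grid jumps to the newest event of that type in the interval."""
    evs = chart.get(bucket, {}).get(kind, [])
    return evs[-1] if evs else None


def activity_matrix(events):
    """Activity Matrix: event counts keyed by (weekday, hour); weekday 0 is Monday."""
    return Counter((ev[0].weekday(), ev[0].hour) for ev in events)


def top_n(events, field, kind=None, n=10):
    """Top-n share of communication events per application (field 2) or counterpart (field 3).
    Percentages are relative to the top-n total, as in the widget legends; kind filters Call/Message."""
    counts = Counter(ev[field] for ev in events
                     if ev[1] in COMMUNICATION_TYPES and (kind is None or ev[1] == kind))
    top = counts.most_common(n)
    total = sum(c for _, c in top)
    return [(name, c, round(100 * c / total, 1)) for name, c in top]


if __name__ == "__main__":
    evs = parse_events(SAMPLE_EVENTS)
    for bucket, types in activity_chart(evs, "month").items():
        print(bucket, {k: (len(v), color_for(k)) for k, v in types.items()})
    print("busiest (weekday, hour):", max(activity_matrix(evs), key=activity_matrix(evs).get))
    print("top apps:", top_n(evs, 2))
```

One check worth making against any such chart: because empty intervals are omitted, a gap between two adjacent columns can hide a long quiet period, so read the bucket labels rather than counting columns when reasoning about when a device went silent.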
Data Types
This widget is also built from the extraction data and shows the number of files of each type. Click a data type to open the full list of files in that category.
THE WIDGETS THAT ARE FORMED BASED ON INVESTIGATOR’S INTERACTIONS WITH THE EVIDENCE:
Key Evidence
This section fills in as the investigator identifies and marks data as evidence. Any data that could matter to the investigation can be marked as Key Evidence so that it is easy to access, review, and export. The Key Evidence mark can also be removed from any event or data item.
Tags
Tags are another analytical feature that changes over the course of the investigation. Users can apply the pre-installed tags or create their own, and tag colours can be changed. Some tags are added automatically by the built-in Image Categorization feature: after the analysis, the matching images in each supported visual threat category are marked with the corresponding tag. Investigators can review the tagged images and manually exclude any false positives.
Notes
The Notes section fills in as the investigator works through the evidence, adding notes to extractions and to individual items. All notes can be edited or deleted later, and within the widget they are grouped by evidence type.
Hash Sets Search Results
This widget reflects the investigator's activity: it shows the results of completed hash set searches. If a particular hash set has not been searched yet, the search can be launched directly from the Statistics section.
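As an added example (not Oxygen Forensics code and not the product's own implementation), the Python below shows what a hash set search computes: every file under an extraction root is streamed once through each algorithm the loaded hash sets use, and the digest is looked up in each set; the per-set match lists are what a results widget would summarise. The sample files and hash sets are constructed here, and the hash set format (algorithm name plus a set of hex digests) is an assumption for the example.

```python
"""Added example (not Oxygen Forensics code): what a hash set search computes."""
import hashlib
import tempfile
from pathlib import Path

# Constructed extraction contents; a real case hashes the files in the extraction.
SAMPLE_FILES = {
    "DCIM/IMG_0001.jpg": b"\xff\xd8\xff\xe0 constructed bytes, not a real image",
    "Documents/notes.txt": b"meeting at nine",
    "Documents/readme.txt": b"hello",
}

# Constructed hash sets (assumed format: algorithm name, set of hex digests).
# Distributed sets such as NSRL or Project VIC lists are keyed by one algorithm
# and sometimes use upper-case hex, so each set records its algorithm and
# lookups are case-normalised.
HASH_SETS = {
    "flagged (constructed)": (
        "sha1",
        {hashlib.sha1(SAMPLE_FILES["DCIM/IMG_0001.jpg"]).hexdigest().upper()},
    ),
    "known benign (constructed)": (
        "md5",
        {hashlib.md5(b"hello").hexdigest()},
    ),
}


def hash_file(path, algorithms, chunk_size=1 << 20):
    """Stream the file once and return {algorithm: lower-case hex digest} for each algorithm."""
    hashers = {alg: hashlib.new(alg) for alg in algorithms}
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(chunk_size), b""):
            for h in hashers.values():
                h.update(block)
    return {alg: h.hexdigest().lower() for alg, h in hashers.items()}


def search_hash_sets(root, hash_sets):
    """Return {hash set name: [relative paths that matched]} for every file under root."""
    root = Path(root)
    algorithms = {alg for alg, _ in hash_sets.values()}
    normalised = {name: (alg, {h.lower() for h in hashes})
                  for name, (alg, hashes) in hash_sets.items()}
    results = {name: [] for name in hash_sets}
    for path in sorted(p for p in root.rglob("*") if p.is_file()):
        digests = hash_file(path, algorithms)  # one read per file, all algorithms at once
        for name, (alg, hashes) in normalised.items():
            if digests[alg] in hashes:
                results[name].append(path.relative_to(root).as_posix())
    return results


def write_sample_extraction():
    """Materialise SAMPLE_FILES in a temporary directory and return its path."""
    root = Path(tempfile.mkdtemp(prefix="extraction_"))
    for rel, content in SAMPLE_FILES.items():
        target = root / rel
        target.parent.mkdir(parents=True, exist_ok=True)
        target.write_bytes(content)
    return root


if __name__ == "__main__":
    for name, matches in search_hash_sets(write_sample_extraction(), HASH_SETS).items():
        print(f"{name}: {len(matches)} match(es) {matches}")
```

Two checks a practitioner wants before trusting such a result: the set's algorithm must match the digest being compared (an MD5 list will never match SHA-1 digests, and the silently empty result looks like a clean extraction), and digests must be case-normalised, since distributed lists mix upper- and lower-case hex.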
Project VIC
This widget shows data marked with Project VIC tags (if enabled) for quicker access and identification. Click a tag to view the data associated with it.
And That’s Not All!
Any widget can be hidden and shown again to suit the investigator's preferred layout. When a widget is hidden, its icon appears in the left panel, marking the hidden block.
Now that you know more about our new Statistics section, we hope you’ll find it useful! Share your thoughts and feedback with us!