Review: Oxygen Forensic Suite 2011 Training

Forensic Examination of Smartphones and Cell Phones with Oxygen Forensic Suite 2011

London, 24-25 May, 2011

Course run by Oleg Fedorov and Oleg Davydov

I don’t think it’s possible (or useful) to separate product-based training from the product itself, so this review will unashamedly cover both. Oxygen Forensic Suite 2011, unlike the other major mobile device forensic applications, primarily focuses on the extraction of data from smartphones, although it does in fact support data extraction from over 2,000 different handsets including Nokia, iPhone, Sony Ericsson, Samsung, Motorola, Blackberry, Panasonic, Siemens, HTC, HP, E-Ten, Gigabyte, i-Mate, Vertu and so on. Windows Phone 7 is the main omission at present, but this will be brought on board at some stage. For me a sign of good software, especially in the very fast-moving world of mobile devices, is the frequency of updates from the developers, and Oxygen certainly don’t lack in this department. Of late, whenever a new iteration of iPhone firmware is released, Oxygen release an update just days afterwards which is able to deal with it. Most impressive.

Figure 1: common sections available to extract data from on iPhone

If you have to carry out an exhaustive examination of a mobile device then you’ll need a method which has access to the complete physical area of storage, which Oxygen cannot do at present. Oxygen instead concentrates on logical exams. For the examiner, logical access is generally more straightforward, using data transfer methods supported by the phone and connections via USB cable or Bluetooth to access the device, while physical access tends to be more complex and costly, involving hex dumps and/or chip-off techniques. Most corporate forensic investigations are best served by logical exams, as are many law-enforcement cases, depending on their criteria.

Since 2002 Oxygen have been querying and extracting data from mobile phones by uploading and installing a small (around 100KB) agent on the device in question, a technique that has since been adopted by the developers of other major mobile forensic applications. This agent installation technique has now become widely accepted despite involving the risk of overwriting a small amount of existing data. What makes a technique ‘forensically acceptable’ varies by jurisdiction, but generally if an examiner understands and can explain the consequences of their actions, the process is repeatable, and a record of the actions is kept, then it is certainly on its way to being accepted as forensically sound.
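The three conditions above (explainable consequences, repeatability, a kept record) are easy to state and easy to lose track of during a two-day extraction job. The following is an added illustration, not code from the review, from Oxygen or from any forensic product: a hash-chained examination log in which each action, including the upload of the agent and each extraction, is recorded with a SHA-256 of the artifact involved, so that the record cannot be silently edited after the fact and a second extraction can be compared with the first. The class name, the case identifier, the timestamps and the byte strings standing in for the agent and the extracted data are all constructed for the example.

```python
import hashlib
import json
from datetime import datetime, timezone
from typing import Optional


def sha256_hex(data: bytes) -> str:
    """Hex SHA-256 of an artifact (agent binary, extraction output, report)."""
    return hashlib.sha256(data).hexdigest()


class ExaminationLog:
    """Append-only, hash-chained record of examiner actions (hypothetical helper).

    Each entry carries the hash of the previous entry, so altering, removing or
    reordering any entry breaks verification of everything after it.
    """

    GENESIS = "0" * 64  # prev_hash of the first entry

    def __init__(self, case_id: str, examiner: str):
        self.case_id = case_id
        self.examiner = examiner
        self.entries: list[dict] = []

    @staticmethod
    def _hash_entry(entry: dict) -> str:
        # Hash every field except the entry's own hash, in a canonical encoding.
        body = {k: v for k, v in entry.items() if k != "entry_hash"}
        return sha256_hex(json.dumps(body, sort_keys=True).encode("utf-8"))

    def record(self, action: str, artifact: Optional[bytes] = None,
               note: str = "", when: Optional[datetime] = None) -> dict:
        """Append one action; the artifact hash lets a later run be compared."""
        prev = self.entries[-1]["entry_hash"] if self.entries else self.GENESIS
        entry = {
            "seq": len(self.entries) + 1,
            "case_id": self.case_id,
            "timestamp": (when or datetime.now(timezone.utc)).isoformat(),
            "examiner": self.examiner,
            "action": action,
            "artifact_sha256": sha256_hex(artifact) if artifact is not None else None,
            "note": note,
            "prev_hash": prev,
        }
        entry["entry_hash"] = self._hash_entry(entry)
        self.entries.append(entry)
        return entry

    def verify(self) -> bool:
        """True only if every entry is intact and the chain is unbroken."""
        prev = self.GENESIS
        for i, e in enumerate(self.entries, start=1):
            if e["seq"] != i or e["prev_hash"] != prev:
                return False
            if self._hash_entry(e) != e["entry_hash"]:
                return False
            prev = e["entry_hash"]
        return True


def same_extraction(first: bytes, second: bytes) -> bool:
    """Repeatability check: two extraction runs should hash identically."""
    return sha256_hex(first) == sha256_hex(second)


def build_demo_log() -> ExaminationLog:
    """Constructed walk-through of an agent-based logical extraction."""
    # Constructed stand-ins; a real agent is a vendor binary of ~100KB.
    agent_bytes = b"EXAMPLE-AGENT-BINARY" * 16
    extraction_bytes = b"EXAMPLE-MESSAGE-DUMP: sms,call-log,contacts"

    t0 = datetime(2011, 5, 24, 9, 0, tzinfo=timezone.utc)  # constructed time
    log = ExaminationLog(case_id="CASE-EXAMPLE-001", examiner="examiner-placeholder")
    log.record("device isolated from network", when=t0,
               note="flight mode set before connection")
    log.record("agent uploaded to handset", artifact=agent_bytes, when=t0,
               note="consequence: small amount of free space on device overwritten")
    log.record("logical extraction completed", artifact=extraction_bytes, when=t0,
               note="messages, call log and contacts")
    log.record("extraction repeated for verification", artifact=extraction_bytes,
               when=t0, note="hash matches first run")
    return log


if __name__ == "__main__":
    demo = build_demo_log()
    print("chain intact:", demo.verify())
    for e in demo.entries:
        print(e["seq"], e["action"], e["artifact_sha256"])
```

Recording the agent's own hash alongside the extraction output is the part examiners most often skip; it is what lets you state exactly which code touched the handset when the "explain the consequences" question comes up later.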

Figure 2: looking at messages from a Nokia N95

The course was led by Oleg Fedorov, the CEO and founder of Oxygen Forensic Suite, and Oleg Davydov, co-founder and CTO. The two Olegs, who had travelled over from Moscow for the course, were affable and excellent communicators who took it in turns to present each section of the syllabus. The course started off by covering installation of the application (which doesn’t take long at all) and then went a little into the history of mobile devices, SIM cards and logical protocols (AT+, Nokia FBUS, OBEX and SyncML), and subsequently moved on to some general good-practice methodology for handling mobiles. Personally I’d have liked a little bit more in this area, but there was already a lot to pack into two days.

Figure 3: listing and display of geo-location data

Following on from the background information, which was covered within the first morning, the course moved on to look at the main smartphone operating systems in some depth: Symbian, iOS, Blackberry and Android. The Symbian section was longer than the rest, as this was where the class was taught the general techniques of using Oxygen Forensic Suite 2011 to import a device into the application, navigate through all the options and familiarise themselves with the layout of the software. One criticism that I’d raise at this point is that while the help menu is pretty good, there are a few things which are missing. As we were being told of various features and what the different coloured entries represented, I cross-checked for the same information in the help file, but for a few it wasn’t there. Consequently I was kept busy scribbling in my notepad while keeping one eye on the tutors, lest I miss anything. With a bit of time the help file could be made more comprehensive and useful, but I’d add that this issue certainly wouldn’t preclude my recommendation of the software.

Each mobile OS that was covered included pointers, tips and tricks in order to maximise the amount of data that could be extracted and interpreted. This included such things as how to deal with the 30-day time limit on Nokia log files, how to crack the password on protected iOS backups, extracting deleted data from iOS devices, the dangers of rooting particular versions of Android, and the super-tough security available on the Blackberry.

This was a thoroughly interesting and enjoyable two-day course. There was a lot to fit in over its short duration, and there was certainly enough to whet my appetite for more. An advanced course would be most welcome, though I don’t believe one is available as yet. A single two-day course is going to make no one an expert in mobile phone forensics, but this was a very good introduction to a really nice piece of software.

For more information about Oxygen Forensic Suite 2011 go to http://www.oxygen-forensic.com/en/

Copyright © 2011 Forensic Control Limited. Registered office: 6 Walkerscroft Mead, London, SE21 8LJ.