Presentation is loading. Please wait.

Presentation is loading. Please wait.

Oxygen Forensic Detective

Published byAlexina Bailey Modified over 6 years ago

Similar presentations

Presentation on theme: "Oxygen Forensic Detective"— Presentation transcript:

1 Oxygen Forensic Detective

2 Glenn K. Bard Public Agency Training Council tech Chief Technical Officer
PA State Trooper – Retired NCMEC – Project ALERT CISSP, EnCE, CFCE, CHFI, A+, Network+, Security+, ACE 2 Glenn K. Bard 2 2

3 PATCtech Glenn Bard, CTO Scott Lucas, Instructor and Examiner Steve Dempsey, Instructor Kathy Enriquez, Instructor Brian Sprinkle, Case Manager – examiner Stefani Lucas, Marketing Director James Alsup, Director

4 Note: While this PPT will contain a lot of useful information concerning Oxygen, this webinar was designed to be mostly a live presentation. Many of the functions, as well as special tips that I personally find useful, will be done during the live hands on portion. Also, please understand there may be more than one way to complete a task. We are going to show you the methods that we have found to be helpful and useful.

5 Oxygen Forensic Detective
License options Dongle Enterprise Versions Analyst Detective

6

7 Oxygen Forensics Kit

8 Oxygen Forensic Detective
Very powerful tool that has many benefits: Database and Plist viewer Rooting of Android devices Spyware detection Simultaneous acquisitions and exams Complete Timeline Analyze app data Backup analysis

9 Oxygen Forensic Detective
Benefits continued Currently supports devices ( ) Creates OFB files so that the original device can be locked in evidence after acquisition Cases can be created of more than one device. And archived the same way Customizable Reports Numerous report options (Excel, HTML, PDF)

10 Reports

11 Oxygen Forensic Detective
Benefits continued Passwords Social Media Web browsers Texting apps Geo information Full file browser Communication analysis Keyword searching

12 Oxygen Forensic Detective
Benefits continued Oxygen Detective has a few extra functions: Oxygen Cloud Extractor Call Data Viewer and Call Data Expert Oxygen Maps Locked Device acquisition (Not all devices) Data Scout We will see a few of them a little later.

13 Oxygen Forensic Detective
Now, let’s make a images. You can do it 2 ways, one from inside the Oxygen utility itself, and one from the Oxygen Extraction Wizard.

14 First up: iOS

15 To start the process

16

17

18

19

20

21

22

23

24

25 Oxygen How about a locked iOS device?
If you can find the Lockdown Plist you can use that file with Oxygen to bypass the passcode. Let’s take a look:

26 Lockdown Plist The Lockdown Plist is created on a “Trusted” computer system. It is NOT part of the backup process. So a back up is NOT required. Let’s take a look:

27 Lockdown Plist They will be located at the following locations:
Windows XP C:\Documents and Settings\All Users\Application Data\Apple\Lockdown Windows Vista / 7 / 8 /10 C:\ProgramData\Apple\Lockdown Mac C:\Library\Lockdown

28 Lockdown folder

29 Lockdown Plist The Plist will be named after the UDID of the device.
UDID – Universal Device Identifier This is the same number that iTunes will display and the backup folder is named after. UDID = SHA1(serial + IMEI + wifiMac + bluetoothMac) Let’s take a look:

30

31 Lockdown Plist How the procedure works is to copy the Lockdown Plist off of the bad guys computer system and then import it into the forensic machine. If you don’t know which one to copy, then copy them all.

32 Lockdown Plist NOTE: To get the Lockdown plist off of a bad guys computer we will NEVER turn it on. It must be done forensically. A qualified examiner must copy it off using tools such as Encase, FTK or P2 Commander. Never turn the bad guys machine one and navigate to that file.

33 Lockdown Plist Also, there is more than one way to do this, some tools have this functionality built into them. However, we can force it to work ourselves with just a little bit of knowledge. The method I am going to teach you is extremely reliable and does not rely upon the software to correctly identify the device. Additionally if you do it this way, it will help you do other extractions with other tools as well.

34 Oxygen detected the locked iOS device

35 Oxygen detected the locked iOS device

36 Oxygen detected the locked iOS device

37 Oxygen detected the locked iOS device

38 Oxygen detected the locked iOS device
All I had to do was then follow the rest of the process.

39 When it didn’t detect properly:

40 As you can see it detected a device, but did not prompt me for the lockdown plist. This could be due to issues with iTunes, settings, etc. So I am going to teach you the method to fix it despite that. What we do first is acquire the lockdown plist from the bad guys digital items:

41 If you don’t know which, take them all:

42 Lockdown plist And what you do next is copy them into the lockdown folder on your forensic machine. Keep in mind, that folder is a hidden folder, so you need to change your computer to show hidden files and folders:

43 Show hidden files, folders and drives:

44 Clear out your lockdown folder:

45 Paste the bad guys in:

46 Important Make sure and unplug the iOS device from the forensic machine, and then plug it back in after you paste the plists into the lockdown folder. And then search for a new device again:

47 And then:

48 Lockdown Plist Keep in mind, this method will defeat both simple and complex passcodes, on even the newest devices and versions of the OS. However; if the phone has been turned off, the Lockdown plist will not work until the passcode has been typed in at least once after being turned back on. So when seizing an iOS device, do not shut it off, and do the exam as fast as possible.

49 Now: Android OS

50 A few hints Make sure the device is in USB Debugging.
On newer Androids, find the build number, tap it 7 times. This will enable Developer Options. The USB Debugging button will be in there. If you did not get the file system it is probably because you only got an ADB, and not a full image.

51

52

53

54

55

56 Advanced – select all that you can

57

58 Default

59 Either way:

60 One hint: Don’t walk away, watch the phone. You may have to hit some buttons, or even see somethings happening:

61 One hint:

62 Passcode bypass For more advanced level passcode bypass come back to our Android and iOS passcode bypass webinars.

63 Oxygen Forensic Detective
One thing that is fantastic, is that while Oxygen is creating the image, you can still use it to examine a previously imaged phone. After I started the image, I was then able to just minimize that screen, and still use Oxygen.

64

65

66 Oxygen Forensic Detective
Let’s check out the recent additions.

67 Extractor for Clouds

68 Extractor for Clouds

69 Extractor for Clouds

70 Extractor for Clouds

71 Extractor for Clouds

72 Extractor for Clouds

73 Extractor for Clouds

74 Extractor for Clouds

75 Extractor for Clouds

76 Extractor for Clouds

77 Extractor for Clouds

78 Extractor for Clouds

79 Call Data Import

80 Call Data Import

81 Call Data Import

82 Call Data Import

83 Call Data Import

84 Call Data Import Save this so you can import into the Call Data Expert

85 Call Data Viewer

86 Call Data Viewer This is the file that you created
with the Call Data Import

87 Call Data Viewer

88 Call Data Viewer

89 Oxygen Forensic Maps

90 Oxygen Forensic Maps

91 Oxygen Forensic Maps

92 One more great ability

93 Oxygen Forensic Detective
Now let’s go into detail. Patctech.com

94 Follow PATCtech! Updates & PATCtech Research Public Safety News
Forensic Digital Evidence Investigators (LinkedIn Group) Updates & PATCtech Research Public Safety News Training Opportunities

Download ppt "Oxygen Forensic Detective"

Similar presentations

EBooks and Audiobooks. This class will give you an overview of eBooks and electronic Audiobooks available from the Library. We will also explain the basic.

EBooks and Audiobooks. This class will give you an overview of eBooks and electronic Audiobooks available from the Library. We will also explain the basic.
Computer & Network Forensics

Computer & Network Forensics
Downloading and Installing AutoCAD Architecture 2015 This is a 4 step process 1.Register with the Autodesk Student Community 2.Downloading the software.

Downloading and Installing AutoCAD Architecture 2015 This is a 4 step process 1.Register with the Autodesk Student Community 2.Downloading the software.
ENCRYPTION Coffee Hour for August 2014. HISTORY OF ENCRYPTION Scytale Ciphers – paper wrapped around rod, receiver needed same size rod to get the message.

ENCRYPTION Coffee Hour for August HISTORY OF ENCRYPTION Scytale Ciphers – paper wrapped around rod, receiver needed same size rod to get the message.
CYBER FORENSICS PRESENTER: JACO VENTER. CYBER FORENSICS - AGENDA Dealing with electronic evidence – Non or Cyber Experts Forensic Imaging / Forensic Application.

CYBER FORENSICS PRESENTER: JACO VENTER. CYBER FORENSICS - AGENDA Dealing with electronic evidence – Non or Cyber Experts Forensic Imaging / Forensic Application.
Chromium OS is an open-source project that aims to build an operating system that provides a fast, simple, and more secure computing experience for people.

Chromium OS is an open-source project that aims to build an operating system that provides a fast, simple, and more secure computing experience for people.
Get the best performance out of your PC By Matthew Pinch.

Get the best performance out of your PC By Matthew Pinch.
Survey of PC and Network Operating Systems

Survey of PC and Network Operating Systems
Tutorial 1 Getting Started with Adobe Dreamweaver CS3

Tutorial 1 Getting Started with Adobe Dreamweaver CS3
Geo CE-XM ch 4 Edited 10/14/05 1 The XM is the newest of the rovers, and unlike other units, it comes with software installed on the unit as well as using.

Geo CE-XM ch 4 Edited 10/14/05 1 The XM is the newest of the rovers, and unlike other units, it comes with software installed on the unit as well as using.
Microsoft ® Office SharePoint ® Server 2007 Training SharePoint document libraries II: All about checkout Bellwood-Antis School District presents:

Microsoft ® Office SharePoint ® Server 2007 Training SharePoint document libraries II: All about checkout Bellwood-Antis School District presents:
Booting Ubuntu Linux Live CSCI 130 – Fall 2008 Action Lab Dr. W. Jones.

Booting Ubuntu Linux Live CSCI 130 – Fall 2008 Action Lab Dr. W. Jones.
Diagnostic Pathfinder for Instructors. Diagnostic Pathfinder Local File vs. Database Normal operations Expert operations Admin operations.

Diagnostic Pathfinder for Instructors. Diagnostic Pathfinder Local File vs. Database Normal operations Expert operations Admin operations.
As you look at an iMac you will notice that there are no buttons on the front of the machine as shown in figure 1.

As you look at an iMac you will notice that there are no buttons on the front of the machine as shown in figure 1.
Introduction to Windows 10 Windsor Senior Computer Users Group October 12, 2015.

Introduction to Windows 10 Windsor Senior Computer Users Group October 12, 2015.
MySQL Getting Started BCIS 3680 Enterprise Programming.

MySQL Getting Started BCIS 3680 Enterprise Programming.
Internet Safety and Productivity Tips Presented by ITS Kerri Sorenson and Sean Hernandez December 11, 8:30-9:00 am.

Internet Safety and Productivity Tips Presented by ITS Kerri Sorenson and Sean Hernandez December 11, 8:30-9:00 am.
Matthew Glenn AP2 Techno for Tanzania This presentation will cover the different utilities on a computer.

Matthew Glenn AP2 Techno for Tanzania This presentation will cover the different utilities on a computer.
Introduction to Computer Technology A Beginners Project.

Introduction to Computer Technology A Beginners Project.
Transfer Music from iPhone to Computer From:

Transfer Music from iPhone to Computer From:

Similar presentations

Ads by Google