Chennai Safe City
Cyber Forensics Lab- Handouts
Oxygen Forensic
Oxygen Forensic® Extractor is standalone software for data extraction from mobile devices. The
Extractor allows you to connect a wide range of Apple iOS and Android devices and import various device
backups to recover valuable digital evidence quickly and efficiently. Once data is extracted, users can
elect to save it to an OFB backup to be later imported into our powerful Oxygen Forensic® Detective,
purchased separately, or exported immediately to one of our report formats, like PDF, HTML, XML,
etc.
The three main features of Oxygen Forensic are:
1. Extraction of Data from the devices
2. Analysis of the extracted data
3. Exporting/ Reporting of the collected data
Data extraction
1. Mobile devices
Android - Logical data extraction
OxyAgent is a small application designed by Oxygen Forensics for forensic use that allows
extracting data from a device. OxyAgent is typically used to acquire user data and media files when
physical data extraction is not supported.
Requirements:
• The device should be unlocked;
• The device should run Android 4.x or higher;
• It should be possible to insert an SD card or an OTG adapter into the device;
• It should be possible to run third-party apps on the device.
Installing OxyAgent
1. Run Oxygen Forensic® Extractor from the Oxygen Forensic® Detective home screen.
2. Select the Android OxyAgent extraction of interest from the list of available Android data extraction
types;
3. Follow the instructions on the screen.
Android OxyAgent extraction
In this case, you will have to connect the Android device to your PC via USB cable. Follow all the steps
appearing on the screen and grant all the necessary permissions to extract the data. As soon as data
is extracted from the device, OxyAgent will be deleted from it.
Physical data extraction
Android physical via ADB
Android Debug Bridge (ADB) is a versatile command-line tool that lets you communicate with
a device. The ADB command facilitates a variety of device actions, such as installing and debugging
apps, and it provides access to a Unix shell that you can use to run a variety of commands on a device.
Using ADB, you can perform a physical extraction from an Android device or extract its backup.
Oxygen Forensic® Extractor allows temporary rooting of unlocked Android devices running Android
OS 4.0-10.0.
2. Apple
With Oxygen Forensic® Extractor, you can get the iTunes backup of the iOS device that is under
investigation. This is the most common way to extract data from Apple iOS devices. All device data
excluding system files and cache will be included in the backup. To get it:
1. Switch on the device;
2. Unlock it;
3. Connect it to the PC;
4. Run Oxygen Forensic® Extractor and select iTunes backup from the list of available options;
5. Follow the instructions appearing on the screen and click Next;
6. As soon as data is extracted, the software will try to guess the password to decrypt the backup. If
you know the password, you can enter it right away by clicking on Stop! I know the password.
7. The decrypted iTunes backup data will be available in Oxygen Forensic® Detective
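A read-only check of a backup folder before import, given here as an added example that is not part of the original handout or of Oxygen Forensic's software: it reads the Manifest.plist carried by iTunes-format backups to report whether the backup is encrypted (the case in which step 6 asks for a password) and hashes the manifest for the case notes. The folder names and manifest values in the sample are constructed.

```python
import hashlib
import plistlib
import tempfile
from pathlib import Path


def triage_backup(backup_dir):
    """Read Manifest.plist from an iTunes-format backup folder (read-only)."""
    manifest_path = Path(backup_dir) / "Manifest.plist"
    if not manifest_path.is_file():
        raise FileNotFoundError(f"no Manifest.plist in {backup_dir}")
    raw = manifest_path.read_bytes()
    manifest = plistlib.loads(raw)  # accepts both XML and binary plists
    lockdown = manifest.get("Lockdown", {})
    return {
        "encrypted": bool(manifest.get("IsEncrypted", False)),
        "passcode_was_set": bool(manifest.get("WasPasscodeSet", False)),
        "product_type": lockdown.get("ProductType"),
        "ios_version": lockdown.get("ProductVersion"),
        # Hash of the manifest as found, for recording in the case notes.
        "manifest_sha256": hashlib.sha256(raw).hexdigest(),
    }


def write_sample_backup(folder, encrypted):
    """Constructed sample data: a minimal manifest, not a real device backup."""
    folder = Path(folder)
    folder.mkdir(parents=True, exist_ok=True)
    manifest = {
        "IsEncrypted": encrypted,
        "WasPasscodeSet": True,
        "Lockdown": {"ProductType": "iPhone10,3", "ProductVersion": "14.6"},
    }
    with open(folder / "Manifest.plist", "wb") as fh:
        plistlib.dump(manifest, fh, fmt=plistlib.FMT_BINARY)
    return folder


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        for name, enc in (("backup_a", True), ("backup_b", False)):
            info = triage_backup(write_sample_backup(Path(tmp) / name, enc))
            print(name, info)
```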
Full logical data extraction
Starting with Oxygen Forensic® Detective version 12.5, you can run full logical data extraction
of filesystem and keychain from an Apple iOS device, using our own exploit based on checkm8.
Checkm8 is an exploit (a program exploiting OS or hardware vulnerabilities) that gains the ability to
execute its own code at the earliest stage of the iOS device boot process.
Its main peculiarity is that the vulnerability on which checkm8 is based cannot be fixed by a
software update, because it lies in code in read-only memory that is written when the device chip is
manufactured and cannot be rewritten. This means that all iOS devices prone to this
vulnerability will always remain vulnerable, regardless of the iOS version.
Exploiting this vulnerability, we can do a semi-tethered jailbreak of an Apple iOS device,
extracting all the device data (when the screen lock password is entered) or the data that does not
depend on the password input (BFU / Before First Unlock).
Supported devices and OS versions:
• iPhone 6, iPhone 6 Plus, iPad Mini 4 running iOS 12.4.4-12.5.3
• iPad 5g, iPhone 6s, iPhone 6s Plus, iPhone SE running iOS 12.4-14.7 beta
• iPad 6g, iPhone 7, iPhone 7 Plus, iPhone 8, iPhone 8 Plus, iPhone X running iOS 13.0-14.7 beta
To start the extraction, run Oxygen Forensic® Extractor and select iOS Advanced extraction. Allow the
app to make changes to your device. From an opened iOS Advanced extraction window, select
whether you want to extract data from a device by exploiting the checkm8 vulnerability or whether you want
to extract data from an already jailbroken device via SSH. Then, follow the instructions appearing on
the screen. After data extraction is complete, the device will be added to Oxygen Forensic® Detective.
DATA ANALYSIS
Once data from all the sources and devices of interest is extracted and imported into Oxygen
Forensic® Detective, it is time to analyze it. This is where our software comes in,
offering multiple robust features.
The extraction home screen consists of general information about the data source at the top,
followed by a panel with Statistics widgets and information about the extraction, the owner and the
device, as well as a field for adding notes. Scroll down to see the general sections, in which data
from the device is sorted by type. The categories in this section depend on the data types present
within the extraction. The exceptions are Reports and Snapshots: those two get filled as you browse
through data, take snapshots of Social Graph or Maps, and create reports. The general sections are
followed by the Analytics panel.
The analytical sections available from the extraction home screen are:
1. Key Evidence
This section gets filled as you get through evidence, marking the important bits. In it, all data
marked as Key Evidence, data with tags and notes is displayed. Also, data categorized by our Image
Categorization tool is shown here.
2. OCR (Optical Character Recognition) - Run it to automatically transcribe text from images.
3. Search - Use it to search data. Use keywords and multiple filters to enhance your
experience.
4. Social Graph - Open it to view all social interactions on a graph, investigate the
connections, as well as read their messages.
5. Statistics - Use this section to overview the extraction data, as well as your own notes.
6. Faces (facial recognition) - Run it to determine faces present in the extraction media.
7. Timeline - Open Timeline to view all extraction data sorted in chronological order. Use
multiple filters to limit the timeframe or data sources.
Tagging and Key Evidence
When working with data, mark the important bits of it as Key Evidence by pressing on a star in the grid
next to the entry of interest or from the Details sidebar. For more detailed marking of the data, use
Tags. Oxygen Forensic® Detective offers a number of predefined tags, including: Nudity, Weapon,
Guns, Important, and several others. You can also create and set your own tags and export entries to
data reports by simply selecting the relevant tags. You can sort Timeline or any other section to view
only tagged data or entries marked as Key Evidence. To view all entries identified as relevant to a case,
go to the Key Evidence section. There, all data marked with Key Evidence or with the tags will be
displayed, making data analysis easier and saving valuable time. You can bookmark important
evidence in a single device, or several devices, and export it later to one data report.
Data Export to reports
You can export the evidence to an XLSX, PDF, XML, HTML, JSON or RTF file, or in Relativity format. Call the
Export window from the extraction home screen by clicking on the third button under the device
image. Click on the latter icon to export data in Relativity format. You can also open the Export window
from the toolbar of the section of interest. In this case, only data within this section will be included
in the report by default.