Difference between pages "Determining OS version from an evidence image" and "Oxygen Forensic Suite 2"

From ForensicsWiki
One of the first steps an examiner will need to carry out once they have an evidence image is to log system metadata, including the OS version and patch level. This is of particular importance if the image is from a machine suspected of having been compromised, since the patch level determines which known vulnerabilities an attacker could have used against it.
  
==Windows==
  
===Windows 95/98/ME===
  
===Windows NT===
===Windows 2000/2003/XP/Vista===
Information about a running system can be displayed using the command `ver` (and `systeminfo`, available from Windows XP Professional and Server 2003 onwards, which also lists the installed hotfixes). Both only work on a live system; for a dead evidence image the version has to be recovered from artefacts on disk, as described below.
  
During a forensic examination, information regarding the version of Windows can be found in a number of places. For example, by default the Windows directory on Windows XP is "C:\Windows", whereas on Windows NT and 2000 it was "C:\Winnt". This is not definitive, however, because the directory name is easily changed during installation; treat it as a hint to be confirmed by the registry and file version checks that follow.
  
Determining the version of Windows from the Software registry hive (the file %WinDir%\system32\config\software, which has no extension) - navigate to the Microsoft\Windows NT\CurrentVersion key and examine the values beneath it; specifically ProductName, CurrentVersion, CurrentBuildNumber, CSDVersion (the service pack), ProductId (if available), BuildLab and, on Vista and later, BuildLabEx. On a Windows XP SP3 system, for example, ProductName is "Microsoft Windows XP", CurrentVersion is "5.1", CurrentBuildNumber is "2600" and CSDVersion is "Service Pack 3". Two further values under the same key are worth logging: SystemRoot, which records the actual Windows directory regardless of what it was named at install time, and InstallDate, a Unix epoch timestamp of the installation.
  
Determining the version of Windows from file version information - locate the file %WinDir%\system32\ntoskrnl.exe and review the VS_VERSIONINFO resource in the resource section of the PE file. The binary VS_FIXEDFILEINFO block carries the numeric file version (major.minor.build.revision), and the FileVersion string in the StringFileInfo block of Microsoft system files normally appends the build lab tag, which identifies the service pack or hotfix the kernel was built for. You can view this information with a hex editor, or extract it using a variety of means. There is a Perl module (Win32::File::VersionInfo) that will allow you to extract this information, and the Perl script [http://sourceforge.net/project/showfiles.php?group_id=164158&package_id=203967 kern.pl] illustrates a platform-independent means of parsing the PE header and ultimately locating the file version information. Compare the result with CurrentBuildNumber and CSDVersion from the Software hive: on an untampered installation they agree, and a kernel that is newer or older than the registry claims needs an explanation.
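The following Python script is an added example, not code from this page, from kern.pl or from Win32::File::VersionInfo. It takes the hex-editor approach: rather than walking the resource directory it scans the raw file for the VS_FIXEDFILEINFO signature and for the UTF-16LE "FileVersion" key, which is sufficient for a kernel image. The byte layout, version numbers and build tag produced by build_sample() are constructed test data shaped like an XP SP3 kernel, not bytes taken from a real file, and the function names are the example's own.

```python
"""Carve file version data out of a PE file such as ntoskrnl.exe.

Added example (not ForensicsWiki or kern.pl code).  Usage:
    python pe_version.py /mnt/evidence/WINDOWS/system32/ntoskrnl.exe
With no argument it parses the constructed sample from build_sample().
"""
import struct
import sys

VS_FFI_SIGNATURE = 0xFEEF04BD
FIXED_FMT = "<13I"                       # VS_FIXEDFILEINFO: 13 little-endian DWORDs
FIXED_SIZE = struct.calcsize(FIXED_FMT)  # 52 bytes


def _dotted(ms, ls):
    """Split the two version DWORDs into major.minor.build.revision."""
    return "%d.%d.%d.%d" % (ms >> 16, ms & 0xFFFF, ls >> 16, ls & 0xFFFF)


def parse_fixed_file_info(data):
    """Decode the binary version block, located by its signature bytes."""
    off = data.find(struct.pack("<I", VS_FFI_SIGNATURE))
    if off < 0 or off + FIXED_SIZE > len(data):
        return None
    f = struct.unpack_from(FIXED_FMT, data, off)
    return {
        "file_version": _dotted(f[2], f[3]),
        "product_version": _dotted(f[4], f[5]),
        "file_flags": f[7],      # VS_FF_DEBUG, VS_FF_PRERELEASE, ... masked by f[6]
        "file_os": f[8],         # 0x40004 = VOS_NT_WINDOWS32
        "file_type": f[9],       # 1 = VFT_APP, 3 = VFT_DRV
    }


def parse_string_value(data, key):
    """Return the value of one StringFileInfo String entry, e.g. "FileVersion".

    String layout: WORD wLength, WORD wValueLength (in WCHARs), WORD wType,
    WCHAR szKey[] (NUL terminated), zero padding to a DWORD boundary, WCHAR Value[].
    """
    needle = key.encode("utf-16-le") + b"\x00\x00"
    kpos = data.find(needle)
    if kpos < 6:
        return None
    hdr = kpos - 6                              # start of the String structure
    _length, value_len, wtype = struct.unpack_from("<HHH", data, hdr)
    if wtype != 1:                              # 1 = text, 0 = binary
        return None
    vpos = kpos + len(needle)
    vpos += (-(vpos - hdr)) % 4                 # Value is DWORD aligned within the struct
    raw = data[vpos:vpos + value_len * 2]       # wValueLength counts WCHARs incl. NUL
    return raw.decode("utf-16-le", errors="replace").rstrip("\x00")


def carve_version_info(data):
    """Everything the two carvers recover from one blob of file data."""
    info = parse_fixed_file_info(data) or {}
    text = parse_string_value(data, "FileVersion")
    if text is not None:
        info["file_version_string"] = text
    return info


def build_sample(version=(5, 1, 2600, 5512),
                 text="5.1.2600.5512 (xpsp.080413-2111)"):
    """Constructed test data laid out like the version resource of an XP SP3
    kernel.  A real file keeps this in the .rsrc section; here it is surrounded
    by filler so the carvers have to find it rather than assume an offset."""
    ms = (version[0] << 16) | version[1]
    ls = (version[2] << 16) | version[3]
    fixed = struct.pack(FIXED_FMT, VS_FFI_SIGNATURE, 0x10000, ms, ls, ms, ls,
                        0x3F, 0, 0x40004, 3, 0, 0, 0)
    key = "FileVersion".encode("utf-16-le") + b"\x00\x00"
    value = text.encode("utf-16-le") + b"\x00\x00"
    body = key + b"\x00" * ((-(6 + len(key))) % 4) + value
    string_struct = struct.pack("<HHH", 6 + len(body), len(value) // 2, 1) + body
    return b"MZ" + b"\x90" * 510 + fixed + b"\x00" * 8 + string_struct + b"\xCC" * 16


if __name__ == "__main__":
    blob = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_sample()
    for name, value in sorted(carve_version_info(blob).items()):
        print("%-20s %s" % (name, value))
```

Signature carving can be fooled by a binary that happens to contain the four signature bytes before its resource section, so when the result looks implausible, or the file is not a Microsoft binary, walk the resource directory as kern.pl does instead.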
  
In order to tell Windows XP Professional from the Home edition, look for the %WinDir%\system32\prodspec.ini file; its [Product Specification] section contains a Product= line naming the edition (for example Windows XP Professional). The Software hive does not help here, because ProductName reads "Microsoft Windows XP" on both editions; a second check is the ProductSuite value under ControlSet00N\Control\ProductOptions in the System hive, which contains "Personal" on the Home edition.
 
==Unix/Linux==
Information about a running system, including the kernel version, can be displayed using the command `uname -a`. This is of no use, however, when performing dead analysis on a disk image, where the same information has to be recovered from files on the image.

===Linux===
A number of Linux distributions create a file in ''/etc'' to identify the release or version installed. Which file is present depends on the distribution and its age, so check for all of them rather than stopping at the first hit: derivatives can carry more than one, and Ubuntu, for example, ships an ''/etc/lsb-release'' describing Ubuntu alongside an ''/etc/debian_version'' that only names the upstream Debian branch (such as "lenny/sid").

{| class="wikitable" border="1"
|-
!Distro!!Tag
|-
|Red Hat, CentOS, Fedora || /etc/redhat-release
|-
|SUSE || /etc/SuSE-release
|-
|Debian || /etc/debian_version
|-
|LSB-compliant (e.g. Ubuntu) || /etc/lsb-release
|-
|systemd-based (2012 onwards) || /etc/os-release
|}

The kernel version installed on disk is independent of the distribution release: look at the directory names under ''/lib/modules/'' and the ''vmlinuz-*'' files in ''/boot''. More than one entry means several kernels are installed, and the boot loader configuration (''/boot/grub/menu.lst'' or ''grub.cfg'') shows which one boots by default. The package database (''/var/lib/dpkg/status'' on Debian-derived systems, the RPM database under ''/var/lib/rpm'' on Red Hat-derived systems) records the exact installed package versions, which is what the patch level of a suspected-compromised machine has to be judged from.
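As an added example that is not part of this page, the script below applies the table above to a mounted image: it reads every release file present, preferring the generic descriptions over ''/etc/debian_version'' so that derivatives are named correctly, and lists the kernels installed under ''/lib/modules'' and ''/boot''. The mount point, the build_sample_root() helper and the directory contents it writes are constructed for illustration; on a real case the image is mounted read-only and its mount point passed as the argument.

```python
"""Identify a Linux installation from a mounted (read-only) evidence image.

Added example, not code from ForensicsWiki.  Paths are taken relative to the
mount point, e.g. /mnt/evidence.
"""
import os
import re
import tempfile

# Release files, most authoritative first.  The generic LSB/systemd files go
# before /etc/debian_version because on Debian derivatives such as Ubuntu that
# file holds the upstream branch (e.g. "lenny/sid"), not the product name.
RELEASE_FILES = [
    "etc/os-release",
    "etc/lsb-release",
    "etc/redhat-release",
    "etc/SuSE-release",
    "etc/debian_version",
]


def _parse_kv(text):
    """KEY=value lines as used by /etc/lsb-release and /etc/os-release."""
    out = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#") and "=" in line:
            key, value = line.split("=", 1)
            out[key.strip()] = value.strip().strip("\"'")
    return out


def release_files(root):
    """Map each release file present under root to its one-line description."""
    found = {}
    for rel in RELEASE_FILES:
        try:
            with open(os.path.join(root, rel), "rb") as fh:
                text = fh.read(4096).decode("utf-8", errors="replace")
        except OSError:
            continue                       # file absent on this distribution
        if rel.endswith(("os-release", "lsb-release")):
            kv = _parse_kv(text)
            found[rel] = (kv.get("PRETTY_NAME") or kv.get("DISTRIB_DESCRIPTION")
                          or text.strip())
        else:
            lines = text.strip().splitlines()
            found[rel] = lines[0] if lines else ""
    return found


def identify_distro(root):
    """Best single description of the installed distribution, or None."""
    found = release_files(root)
    for rel in RELEASE_FILES:
        if found.get(rel):
            return found[rel]
    return None


def installed_kernels(root):
    """Kernel versions on disk, from /lib/modules/<ver>/ and /boot/vmlinuz-<ver>."""
    versions = set()
    mod_dir = os.path.join(root, "lib", "modules")
    if os.path.isdir(mod_dir):
        versions.update(d for d in os.listdir(mod_dir) if re.match(r"\d+\.\d+", d))
    boot_dir = os.path.join(root, "boot")
    if os.path.isdir(boot_dir):
        for name in os.listdir(boot_dir):
            m = re.match(r"vmlinuz-(\d+\.\d+\S*)$", name)
            if m:
                versions.add(m.group(1))
    return sorted(versions)


def build_sample_root(kind):
    """Constructed stand-in for a mounted image (a real one would be mounted
    with e.g. mount -o ro,loop,noexec).  Contents are illustrative only."""
    root = tempfile.mkdtemp(prefix="evidence-")
    os.makedirs(os.path.join(root, "etc"))
    samples = {
        "ubuntu": ("2.6.27-7-generic", {
            "etc/lsb-release": 'DISTRIB_ID=Ubuntu\nDISTRIB_RELEASE=8.10\n'
                               'DISTRIB_DESCRIPTION="Ubuntu 8.10"\n',
            "etc/debian_version": "lenny/sid\n",
        }),
        "centos": ("2.6.18-92.el5", {
            "etc/redhat-release": "CentOS release 5.2 (Final)\n",
        }),
        "empty": (None, {}),
    }
    kernel, files = samples[kind]
    for rel, content in files.items():
        with open(os.path.join(root, rel), "w") as fh:
            fh.write(content)
    if kernel:
        os.makedirs(os.path.join(root, "lib", "modules", kernel))
        os.makedirs(os.path.join(root, "boot"))
        open(os.path.join(root, "boot", "vmlinuz-" + kernel), "w").close()
    return root


if __name__ == "__main__":
    import sys
    mount = sys.argv[1] if len(sys.argv) > 1 else build_sample_root("ubuntu")
    print("distribution:  ", identify_distro(mount))
    print("release files: ", release_files(mount))
    print("kernels on disk:", installed_kernels(mount))
```

Returning all release files rather than only the winner matters on a suspected-compromised host: a description that disagrees with the kernels on disk, or a release file much newer than the package database, is itself a finding.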
 

===Solaris===
The installed release is recorded in ''/etc/release''.

===Free/Net/OpenBSD===

===AIX===

===HP/UX===

[[Category:Howtos]]

Revision as of 05:23, 30 October 2008

Template:Underconstruction

Brief

Oxygen Forensic Suite 2 by Oxygen Software is mobile forensic software for the logical analysis of cell phones, smartphones and PDAs. The authors claim that its use of advanced data access protocols extracts much more data than is usual.

Regular data extraction

Oxygen Forensic Suite 2 is able to extract general data like:

  • device information (IMEI, SW and HW versions, operator, etc.)
  • contacts (names, phones, notes)
  • calendar events
  • messages (SMS)
  • call log (incoming/outgoing/missed)
  • files (images, sounds, videos, documents, etc.)

Unique data extraction

Besides the general data usually extracted, Oxygen Forensic Suite 2 can extract a good deal of information that is not usually available:

  • contacts (last modification date, contact photos, field labels, contact groups and speed dials)
  • calendar events (last modification date, all event dates, alarm status, recurrences)
  • messages (e-mails and MMS, messages from custom folders, message SMSC time stamp)
  • call log (GPRS, EDGE, CSD, HSCSD and Wi-Fi session traffic and time, deleted SMS details)
  • files (file system from phone memory and flash card)
  • LifeBlog data (all main phone events such as SMS, photos and calendar events, with their geographical coordinates)

Important! The list of supported features depends on the phone model.

Device coverage

As of October 2008, Oxygen Forensic Suite 2 supports 1100 devices: Nokia, Vertu, Sony Ericsson, Samsung, Motorola, Blackberry, Panasonic, Siemens, HTC, HP, E-Ten, Gigabyte, i-Mate and other mobile phones. Oxygen Forensic Suite 2 has strong support for Symbian OS, Nokia S60, Sony Ericsson UIQ, Windows Mobile 5/6 (without using ActiveSync) and Blackberry smartphones and communicators.

Other

  • The software accesses devices without using the standard protocols such as AT, OBEX or SyncML. Installing the Oxygen Agent on the handset is required to access smartphones and communicators; since that writes to the device, the examiner should document the installation as part of the acquisition record.
  • The software is able to perform data searches and to create and print reports.
  • The software fully supports the Unicode standard, so multilingual information is read and displayed correctly.

History

Oxygen Forensic Suite 2 is the third generation of forensic tools by Oxygen Software.

  • 2004, March. Oxygen Phone Manager II for Nokia phones (Forensic Edition) is released.
  • 2005, November. Oxygen Phone Manager II for Symbian OS smartphones is released.
  • 2007, June. Oxygen Phone Manager II (Forensic Edition) becomes a stand-alone project under the new name "Oxygen Forensic Suite".
  • 2008, May. Oxygen Forensic Suite 2 is released and presented at Mobile Forensics World 2008.

Links