
As a continuation of our blog series around using multiple tools to be successful in your forensic investigations, this post is going to look at loading images from Oxygen into AXIOM. You can read the intro blog here which will also link to others in the series.

Oxygen allows you to archive extraction and case data into OFB files. These are not forensic images; they are case files, much like how Cellebrite uses UFD files or how AXIOM stores its case data in a SQLite database with an MFDB extension. These OFB files are simply compressed archives that can be renamed to ZIP and viewed like any other compressed container.

Depending on the extraction type, Oxygen does not create a forensic image of the evidence like most other tools; it extracts the files and data it needs to present in its own tool. During an acquisition, you will have an option to include the physical dump or backup with the extraction. Examiners who may want to analyze the data in other tools will want to check that box. This is necessary in order to conduct analysis with any other tool; otherwise you will only get files specifically created or known by Oxygen.

The default storage path for these images is under:

ROOT\Users\%USERNAME%\AppData\Roaming\OxyForensics\Phones

Inside this folder there are entries for each device acquired, and inside those device folders is a folder called “DeviceImage”, which is where the actual image is stored.

If you’ve chosen to archive the data to an OFB file, then the same structure exists with the image within the OFB archive, but it gets saved to where you choose to save the archive. By renaming the OFB extension to ZIP, you can open up the compressed container to view the contents.

ROOT\Users\%USERNAME%\Desktop\Samsung SCH-i535 Galaxy S3 SCH-i535 Galaxy S3 (%GUID%) %DATETIME%.ofb

Contents of OFB Archive

Image types

For physical images a raw/binary file gets created; these appear to be a single raw file (not segmented).

Raw BIN files can be loaded into AXIOM once they’ve been extracted from the OFB/ZIP container. Extract the files to your desktop or somewhere accessible, open AXIOM Process and choose Mobile, Android, Load Evidence, Image, and then choose the BIN file you wish to analyze.

For logical images or backups, AB files are created, which are standard Android backup images. These are compressed containers which can be opened to view the contents of the backup (opening the AB file is not necessary to load it into AXIOM; it is only shown here for those who are curious about how they are structured).

ROOT\Users\%USERNAME%\Desktop\Samsung SCH-i535 Galaxy S3 SCH-i535 Galaxy S3 (990003244750) 09-03.zip\%GUID%-%DATETIME%\deviceimage\adbbackup.ab

AB file inside an OFB

AB files can be loaded directly into AXIOM as images, without needing to open them up, by following the same steps as for the raw/BIN files.

iOS acquisitions do not allow you to create a backup image on newer iOS devices.
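
The OFB layout described in this post (a ZIP container holding a DeviceImage folder with either a raw BIN file or an AB backup) can be checked with a short script before anything is loaded into AXIOM. This is an added example, not code from the original post or from Oxygen or Magnet; the sample archive and its entry names are constructed, and the AB check relies on the standard Android backup header (magic line, version, compression flag, encryption).

```python
import io
import zipfile

AB_MAGIC = b"ANDROID BACKUP\n"  # first line of a standard Android backup (.ab)

def parse_ab_header(head: bytes):
    """Return the AB header fields, or None if the bytes are not an Android backup."""
    if not head.startswith(AB_MAGIC):
        return None
    lines = head.split(b"\n", 4)
    if len(lines) < 5:
        return None  # header truncated
    try:
        version = int(lines[1])
    except ValueError:
        return None  # magic present but header malformed
    return {"version": version,
            "compressed": lines[2] == b"1",
            "encryption": lines[3].decode("ascii", "replace")}

def list_device_images(ofb):
    """List files stored under a DeviceImage folder of an OFB (ZIP) archive."""
    found = []
    with zipfile.ZipFile(ofb) as zf:  # an OFB opens as a ZIP without renaming
        for info in zf.infolist():
            folders = info.filename.lower().split("/")[:-1]
            if info.is_dir() or "deviceimage" not in folders:
                continue  # case data, not an image
            with zf.open(info) as fh:
                header = parse_ab_header(fh.read(64))
            found.append({"path": info.filename, "size": info.file_size,
                          "kind": "android-backup" if header else "raw-or-other",
                          "ab_header": header})
    return found

def build_sample_ofb():
    """Constructed stand-in for an OFB archive; names and contents are made up."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("GUID-DATE/deviceimage/adbbackup.ab",
                    b"ANDROID BACKUP\n5\n1\nnone\n" + b"\x78\x9c")
        zf.writestr("GUID-DATE/deviceimage/physical.bin", b"\x00" * 512)
        zf.writestr("GUID-DATE/case.xml", b"<case/>")
    buf.seek(0)
    return buf

if __name__ == "__main__":
    for item in list_device_images(build_sample_ofb()):
        print(item)
```

Pass a real OFB path to `list_device_images` in place of the constructed sample; an `encryption` value other than `none` means the backup was created with a password.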
