6 Month Checkup at Oxygen Forensics

We’re halfway through the year, and it is time to recap what useful features we have introduced to the forensic community. Undoubtedly a challenging time; however, we released four significant updates with a tremendous amount of enhancements in all our main software modules. Let’s take a look at the innovative functions brought to our users in Oxygen Forensic® Detective in the last six months.

Mobile Data Extraction

This year we have significantly enhanced our support for Android and Apple iOS devices by introducing powerful and leading edge methods.  

First, we added the exclusive built-in ability to bypass screen locks, perform physical extractions, and decrypt physical dumps of the latest Huawei devices running Android OS 9-10 based on Kirin 980, 970, 710 and 710F chipsets. The functionality covers over 50 of the latest models, including Huawei Honor 20, Huawei Honor Magic 2 3D, Huawei Honor Note 10, and more. 

Image 1. Huawei dump method

Second, we’ve enhanced our software rooting capabilities. Now investigators can obtain root rights and perform physical extractions of unlocked Android devices utilizing Android OS 7 with the security patch level up to and including June 2018, as well as Android OS 8 and higher with the security patch level up to and including October 2019. Additionally, investigators can root and perform physical extractions of Mediatek arm64 Android devices with the security patch level up to and including March 1, 2020.

Next, we added screen lock bypass and physical extraction of Android devices based on the following chipsets: Spreadtrum SC9850, Spreadtrum SC9863, Spreadtrum SC7731E and Spreadtrum SC9832E. 

That is not all! Android logical extractions have been significantly enhanced. Now there is an option to acquire Android data via Wi-Fi! This comes in handy if the USB connection is broken, damaged, or just not working. Furthermore, the redesigned OxyAgent utility now allows investigators to make screenshots of Android data and view them together with the extracted data in the Oxygen Forensic® Detective interface. Finally, the updated OxyAgent utility allows users to perform selective extraction to collect only what the investigator may need, or require, for the investigation.. 

As for Apple iOS devices, we’ve added the ability to extract full file system and keychain from Apple iOS devices jailbroken with the checkra1n and Unc0ver jailbreaks. Also, with this feature, investigators can significantly save time by choosing only the most popular apps for extraction from jailbroken Apple iOS devices with our new selective extraction. 

In total, we have brought support for almost 4,000 new Android devices in the last six months. The total number of supported devices now exceeds 37,000! 

Cloud Data Extraction

This year we have added support for 6 new cloud services, including Slack, Skype, Amazon Photos, Airbnb, IMO and JioChat. 

Image 2. Amazon Photos from cloud 

We have updated authorization and extraction algorithms for already supported cloud services, including Wickr Me, FitBit, Huawei Cloud, Instagram, Google Mail, Line Google Backup, Outlook Calendar, Outlook People, OneDrive, WhatsApp QR method, WhatsApp cloud, and WhatsApp backup decryption method via phone number. 

With 83 supported cloud services, we continue to exceed any other forensic tool on the market. Both of our current competitors who sell a cloud solution as a paid add on are currently only supporting 50 cloud services. Look for an even larger gap as we grow our built in cloud solution in the coming months.

Computer artifacts

Over the last six months, our Oxygen Forensic KeyScout has gone through several considerable enhancements.

First, with Oxygen Forensic® KeyScout, investigators can now recover valuable insights into computer usage by collecting the following system files: Jump Lists, Shellbags, and USBSTOR files on Windows PCs, along with Quarantine Events and FSEvents files on macOS. 

Image 3. USBSTOR file contents

Second, we have added the ability import and parse E01 PC images that contain NTFS file systems. This evidence set will include user data and credentials from the most popular messengers, email clients, and web browsers.

Finally, our powerful and innovative Oxygen Forensic KeyScout can locate and decrypt a vast variety of computer artifacts and credentials for various pre-installed Apple apps on macOS, as well as Signal Messenger on both Windows and macOS. 

Backup import

Live data extraction aside, we support nearly 40 backups and images for import. 

Over the last 6 months, we have managed to implement support for Twitter, Snapchat, Instagram and Facebook Warrant Returns. 

In addition, we have added the ability to import .DAR archives of Apple iOS, Android, and KaiOS file systems, as well as E01 Android images. 

Finally, we have completely redesigned our Import Wizard making it possible to configure all the import settings BEFORE backup parsing, as well as search data by keywords, hash sets, regular expressions and other criteria during backup import.

Image 4. Import Wizard settings

Data parsing and analysis

This year we have already updated over 3,000 app versions, focusing our efforts on the secure apps decryption, such as Signal Messenger, Wickr Me, ChatSecure and Facebook secret chats. 

We have also added parsing for new apps to include Zoom Cloud Meetings, Microsoft Remote Desktop, Amazon Photos, Airbnb, SoundHound, Textra SMS, Google Tasks, Google Docs, Files by Google, Google Contacts, and many others. Our supported app versions now exceed 16,000!

We continue to test and develop new built-in analytical tools. One new view, our Statistics section, allows investigators to quickly gather actionable intelligence of a  user’s activity, as well as the investigator’s interactions with the evidence. 

Image 5. Statistics section

The second section introduced this year is the Reports section, which allows investigators to find all the generated reports in one location. 

Lastly, we’ve added the ability to open SQLite databases in the newly designed File Viewer by clicking on SQLite database. The database will be opened in a separate tab that will be saved between sessions, like all the other program tabs. Building a faster and more efficient viewer will now allow investigators to quickly view the larger databases in the shortest time possible by utilizing our powerful JetEngine back end.

Continue to check in and follow us on social media to keep up with the cutting edge and innovative features we have coming for mobile, cloud, and computer artifacts hunting! 

Want to try Oxygen Forensic Detective? Ask for a demo license here

Leave a Reply

Your email address will not be published. Required fields are marked *