Android Extraction Updates in Oxygen Forensic® Detective 14.2

Our device acquisition methods have progressed a lot over the past two years, especially within screen lock bypass techniques. Currently, our software supports advanced methods for the following groups of locked Android devices:

In addition to screen lock methods, we provide several mechanisms to allow investigators to access data from unlocked Android devices:

Not only did we introduce new mechanisms, we also improved the GUI for existing methods by speeding up extraction and optimizing the code.

Last year we released the new Oxygen Forensic® Device Extractor, which was designed to gradually replace our previous Oxygen Forensic® Extractor. While significant and impactful, many of the improvements presented were minor and may have gone unnoticed. Therefore, this blog article will be dedicated to highlighting the minor and major updates of Oxygen Forensic® Device Extractor included in Oxygen Forensic® Detective v.14.1 and 14.2.

Huawei Kirin Method

For certain Huawei devices based on Kirin chipsets (980, 990, and 990 5G), the encryption algorithm changed after the SPL (Security Patch Level) update in May. We therefore had to rework our Huawei Kirin method so that it supports these updated devices. Previously, the password brute force was performed on a dump. Now, the updated Huawei Kirin method brute forces the password on the device itself while simultaneously extracting the hardware keys. Please note that this may slow down the password recovery process. Once the password is found, investigators can import a dump into Oxygen Forensic® Detective and it will be decrypted automatically. This new method works for Huawei devices with the SPL of May and June 2021. Newer SPLs are not supported yet.

Image 1. Huawei password brute force

MTK devices with DAA enabled

We’ve also enhanced our support for screen-locked Android devices running on MediaTek chipsets. Devices with DAA authentication enabled are now supported. Oxygen Forensic® Detective temporarily disables DAA and allows investigators to extract hardware keys and decrypt data. Supported devices include Nokia 5.1 Plus, Motorola One Action, Xiaomi Redmi Note 8 Pro, and more. This functionality is available within the MTK Android method.

Image 2. Disabling DAA on MTK device

Full File System Extraction

We’ve added a new exploit to our “Android full file system” method. This exploit covers many unlocked Android devices based on various chipsets. Supported devices must have a Mali-G31, Mali-G51, Mali-G52, Mali-G71, Mali-G72, Mali-G76, Mali-G77, or Mali-G78 GPU (Bifrost or Valhall architecture), a Linux kernel from version 2.6.0 to 5.4, and run Android OS 7 – 11. The SPL (Security Patch Level) must be no older than May 2021. This exploit does not support Samsung and Huawei devices due to the additional security layers on those devices.

Redesigned Extraction Methods

We’ve also redesigned and implemented two methods in the new Device Extractor – Qualcomm EDL and iTunes backup.

The improvements of the Qualcomm EDL method include:

  • Support for Android devices running Android OS 8 and higher
  • A simplified extraction process. Unlike the old method, a device restart is no longer required.

The improvements of the iTunes backup method are:

  • Only iTunes (no other components) is required for the connection. Versions from both the official website and the Microsoft Store are compatible. Previously, the iTunes version from the Microsoft Store caused connection problems.
  • During data extraction, investigators are given more detailed instructions, making the extraction more transparent.

Changes in the new Device Extractor

Besides the improved GUI, the new Device Extractor offers some useful features:

  • Ability to check supported devices and compatible methods. Investigators can also filter by OS, chipset, method, and vendor in the Methods tab.
  • In the Settings, investigators can select to calculate hashes for created extractions.
  • Thanks to the rewritten instructions and notifications, the extraction process is now much easier. The entire connection and extraction process is displayed on one screen, so users can follow the complete process from beginning to end.

Image 3. The extraction screen of the Android full file system method

Our new Device Extractor will only improve as our product evolves. Follow us on Twitter to keep up with our latest product updates, and if you have a suggestion on how to make our product better, submit a ticket!
