Everything you need to know about Android extraction via OxyAgent

OxyAgent is a small forensically designed application developed by Oxygen Forensics that allows the extraction of data from any unlocked Android device. OxyAgent is typically used to acquire user data and media files when physical or full file system extraction is not available. However, it can also be used for fast and selective data extractions when only certain artifacts, like WhatsApp or calls, are trying to be acquired. Moreover, extraction via OxyAgent is not only fast but also requires minimal technical skills, unlike the advanced screen lock bypass methods we provide. We introduced OxyAgent in 2004 and it has changed a lot since then. Let’s have a look at all the functions of the latest OxyAgent – logical data extraction, manual data collection, screenshots, and screen recordings.

Logical data extraction via USB or Wi-Fi

Logical data extraction via OxyAgent can be performed on any unlocked device running Android OS 4-11. To perform it, open Oxygen Forensic® Extractor from the Oxygen Forensic® Detective Home screen and choose either “Android OxyAgent extraction” for extraction via USB cable or “Android OxyAgent extraction over Wi-Fi extraction” for extraction via Wi-Fi network.

To connect via USB cable, make sure that you’ve carefully followed the instructions:

Once a device is recognized via USB and OxyAgent is uploaded to the device, investigators can select which data to extract.

To connect over Wi-Fi, investigators will first need to install OxyAgent onto the device, run it, and copy the IP address from OxyAgent into Oxygen Forensic® Extractor.

Once a Wi-Fi connection is established, investigators will be offered the option to select artifacts and proceed with data extraction.

No matter which connection type is chosen, investigators can expect the following evidence: calendars, calls, messages, owner profile, contacts, Wi-Fi access points, Bluetooth paired devices, file structure, and app data from the external memory. Once data is extracted, investigators will be given the option to open it in Oxygen Forensic® Detective for analysis. Neither applications nor files from the internal memory will be extracted via OxyAgent because it has no rights to access the internal folders. To extract apps and files, use our physical and full file system extraction methods for Android devices. Find more information about extraction methods in this brochure.

Manual data extraction via OxyAgent

Manual data extraction can be used in several cases:

  • Damaged USB Port or WiFi security, access, or protocols.
  • Collect applications that are not supported by our logical extraction method
  • Make screenshots or screen recordings of device data

For all cases, OxyAgent will need to be installed on the device. Next, choose the “Android manual OxyAgent extraction” option in Oxygen Forensic® Extractor:

Use an OTG device or SD card to copy OxyAgent to a device, install it, and run it. Several options will appear on the OxyAgent welcome screen:

  1. Extract internal and external storage. OxyAgent will collect all the data from the folders to which it has access. Extraction will be identical to the extractions performed via USB or Wi-Fi. The only difference is that investigators select all the options within the running app on the target device, not in Oxygen Forensic® Extractor.
  2. Take screenshots and screen recordings. Using this option, investigators can take screenshots or screen record any data that is inaccessible by option 1. Screenshots can be done in manual or semi-automated mode. This feature was also discussed in a previous blog post.
  3. Extract third party application data. Use this option to manually collect data from WhatsApp, WhatsApp Business, Signal, Discord, Twitter, and Lineapps. Select an app, read the instructions, and choose the app artifacts for extraction. We will be adding new apps in the upcoming releases. More information on WhatsApp extractions via OxyAgent in this blog post.
  4. Extract data via Wi-Fi. Use this option to extract data using a Wi-Fi connection. OxyAgent will display the IP address that needs to be entered in Oxygen Forensic® Extractor.

No matter what data is manually collected, a destination folder is necessary. Once data is collected, investigators can import it in Oxygen Forensic® Detective, choosing the “OxyAgent extraction” option on the Home screen.

To learn more about our device extraction methods? Sign up for one of our Oxygen Forensic Device Extraction (XiB) courses. 

Leave a Reply

Your email address will not be published. Required fields are marked *