KeyScout Updates

KeyScout is a tool included in Oxygen Forensic® Detective that helps collect and provide data into computer artifacts. It offers insights into passwords, applications, and system artifacts. It is compatible with Windows, Linux, and macOS.

We update our software, Oxygen Forensic® Detective, 6+ times per year, KeyScout being one of our powerful tools that receive an update to ensure investigators are able to extract critical evidence.

 

 

Oxygen Forensic® Detective v.15.2

Enhanced Linux support in Oxygen Forensic® Detective

In Oxygen Forensic® Detective v.15.2 we have enhanced support for Linux devices by making data collection easier for our users and added support for the XFS file system that is frequently used in the newest Linux versions.

KeyScout can now extract from Linux-operated devices:

      • Cron tasks
      • SSH keys
      • Information about system accounts and groups

 

Learn More

 

Oxygen Forensic® Detective v.15.1

In Oxygen Forensic® Detective v.15.1 we updated the KeyScout interface and functionality:

 

Deсryption of passwords, cookies, and tokens of other user profiles

In the version 15.1 update of Oxygen Forensic® Detective, it is now possible to extract and decrypt credentials, tokens, and cookies belonging to another user during the analysis. To do this, open the “Passwords” tab in the “Search settings” and add another user’s password.

 

Screenshot of extracting and decrypting credentials with KeyScout

 

If another user’s password has not been entered, KeyScout will detect the presence of another user and some of the services they are logged in, but the passwords and tokens themselves will not be extracted.

The following can be detected, extracted, and decrypted:

      • Passwords, tokens, and cookies from popular web browsers: Google Chrome, Opera, Microsoft Edge;
      • WhatsApp Desktop tokens;
      • Windows Credentials and Windows Vault.

 

Screenshot of credentials for accounts that KeyScout found

Overview and select partitions to analyze

Previously, the search was performed through all system partitions at once. In this release of Oxygen Forensic® Detective, we made data extraction via KeyScout more convenient. An investigator,armed with our product can now optimize the search process according to their actual needs.

Upon starting a new search and selecting the target device, “Drives and partitions” section will appear on the left sidebar. Open it to overview all detected partitions. In this section, investigators can manually select the relevant partitions and exclude from search the partitions of no interest.

 

Screenshot of the “new search” section of KeyScoutScreenshot of viewing the drives and partitions of the “live system”

Extended information about current search and saving progress

To improve the investigators’ experience, we have added a “Search summary” tab on the left sidebar that appears after starting a search. From it, investigators can:

      1. Learn the current search status.
      2. State where the extracted data will be saved. If there is not enough space in the selected directory, a corresponding notification will appear.
      3. Overview detected data, grouped under the “Found” section. Click on any category icon to open the corresponding search results. Click “reset filters” to overview full scope of extracted data.

 

Screenshot of the “Search summary” in KeyScout
Click to overview the detected data. Reset the filters to overview the whole scope of data.

In the new version of Oxygen Forensic® Detective, we have updated the search settings as well, making them more convenient for our customers. Now, in the “Search roots” tab, the list of paths can be expanded, providing our users with ability not only to overview all of them but also to exclude search paths of no interest and add relevant ones.

We have also added a “Description” column to the “System artifacts” and “Memory” tabs, in which artifacts and data types extracted from RAM respectively are described in detail.

 

Screenshot of the specified roots in the Search settings
List of paths can be expanded and the user can remove them from search or add new ones.

 

Screenshot of a list of system artifacts in the Search settings in KeyScout
Description of system artifacts

 

Screenshot of “Memory” in the Search settings in KeyScout
Added description field to the Memory tab

 

Get more from Oxygen Forensic® Detective

At Oxygen Forensics our software is updated multiple times every year. We offer training courses and webinars that can help you learn the ins and outs of Oxygen Forensic® Detective and stay up to date on new features and tools needed for your investigation. Returning customer? Sign up for our newsletter to stay in the loop.

Don’t have Oxygen Forensic® Detective and want to try it out? Request a free-trial.

Leave a Reply

Your email address will not be published. Required fields are marked *