KeyScout is a tool included in Oxygen Forensic® Detective that helps collect and provide data into computer artifacts. It offers insights into passwords, applications, and system artifacts. It is compatible with Windows, Linux, and macOS.
We update our software, Oxygen Forensic® Detective, 6+ times per year, KeyScout being one of our powerful tools that receive an update to ensure investigators are able to extract critical evidence.
Oxygen Forensic® Detective v.15.2
Enhanced Linux support in Oxygen Forensic® Detective
In Oxygen Forensic® Detective v.15.2 we have enhanced support for Linux devices by making data collection easier for our users and added support for the XFS file system that is frequently used in the newest Linux versions.
KeyScout can now extract from Linux-operated devices:
- Cron tasks
- SSH keys
- Information about system accounts and groups
Oxygen Forensic® Detective v.15.1
In Oxygen Forensic® Detective v.15.1 we updated the KeyScout interface and functionality:
Deсryption of passwords, cookies, and tokens of other user profiles
In the version 15.1 update of Oxygen Forensic® Detective, it is now possible to extract and decrypt credentials, tokens, and cookies belonging to another user during the analysis. To do this, open the “Passwords” tab in the “Search settings” and add another user’s password.
If another user’s password has not been entered, KeyScout will detect the presence of another user and some of the services they are logged in, but the passwords and tokens themselves will not be extracted.
The following can be detected, extracted, and decrypted:
- Passwords, tokens, and cookies from popular web browsers: Google Chrome, Opera, Microsoft Edge;
- WhatsApp Desktop tokens;
- Windows Credentials and Windows Vault.
Overview and select partitions to analyze
Previously, the search was performed through all system partitions at once. In this release of Oxygen Forensic® Detective, we made data extraction via KeyScout more convenient. An investigator,armed with our product can now optimize the search process according to their actual needs.
Upon starting a new search and selecting the target device, “Drives and partitions” section will appear on the left sidebar. Open it to overview all detected partitions. In this section, investigators can manually select the relevant partitions and exclude from search the partitions of no interest.
Extended information about current search and saving progress
To improve the investigators’ experience, we have added a “Search summary” tab on the left sidebar that appears after starting a search. From it, investigators can:
- Learn the current search status.
- State where the extracted data will be saved. If there is not enough space in the selected directory, a corresponding notification will appear.
- Overview detected data, grouped under the “Found” section. Click on any category icon to open the corresponding search results. Click “reset filters” to overview full scope of extracted data.
Search settings update
In the new version of Oxygen Forensic® Detective, we have updated the search settings as well, making them more convenient for our customers. Now, in the “Search roots” tab, the list of paths can be expanded, providing our users with ability not only to overview all of them but also to exclude search paths of no interest and add relevant ones.
We have also added a “Description” column to the “System artifacts” and “Memory” tabs, in which artifacts and data types extracted from RAM respectively are described in detail.
Get more from Oxygen Forensic® Detective
At Oxygen Forensics our software is updated multiple times every year. We offer training courses and webinars that can help you learn the ins and outs of Oxygen Forensic® Detective and stay up to date on new features and tools needed for your investigation. Returning customer? Sign up for our newsletter to stay in the loop.
Don’t have Oxygen Forensic® Detective and want to try it out? Request a free-trial.