Oxygen Forensic® Detective 12.2 Release Notes

Android Rooting Enhancements

Mobile forensics

Oxygen Forensic Detective 12.2. is introducing the ability to gain root rights and conduct a full physical extraction of Android devices with installed Android OS 7 with a security patch up to and including June 2018 and Android OS 8, 9 and 10 with a security patch level up to and including October 2019.  Select the “Android physical (via ADB)” option in Oxygen Forensic Extractor and follow the instructions to connect the device via USB cable. Once the device is connected, click on the “Choose exploit method” link to select the appropriate exploit from the list. The software will apply the exploit and a full physical dump of the device will begin. After extraction, reboot the device to return it to its non-rooted state.

Choosing the rooting exploit

Spreadtrum Android Devices

Mobile forensics

In the updated Oxygen Forensic Detective, we have enhanced our support for Android devices based on the following Spreadtrum chipsets: SC9850, SC9863, SC7731E, SC9832E. The supported devices include teXet TM-5073, Fly Life Ace, Doogee N10, Alcatel 1C 2019 (5003D), DEXP BS650, Digma LINX Atom 3G, Meizu C9, Micromax Spark Go, and other popular models.  

If a device is encrypted and Secure startup is enabled, Oxygen Forensic Extractor can acquire hardware-bound keys that will all the investigator to obtain a physical dump and decrypt the image. To decrypt the obtained image, investigators will need to enter a password. If the password is unknown, brute force can be initialized right in our software.

Jailbroken Apple iOS Devices

Mobile forensics

We have significantly enhanced our support for Apple iOS devices. To begin the extraction of a full filesystem, even on password protected devices, choose the “iOS Advanced extraction” option in Oxygen Forensic Extractor. Our Extractor works with various jailbreaks, including the latest checkra1n. For devices that have checkra1n installed we have two options:

  • If a phone is unlocked, full file system and keychain will be extracted and parsed.
  • If a phone is locked, there will be limited file system extraction and no keychain.  

Moreover, the latest Oxygen Forensic Detective 12.2 extracts the complete keychain with Certificate and Key items from Apple GrayKey images and jailbroken Apple iOS devices.

The main window of iOS extraction method

Warrant Returns Parsing

Backup import

Oxygen Forensic Detective 12.2 enables import and parsing of Facebook and Instagram Warrant Returns. To import them, switch to the Home screen of Oxygen Forensic Detective and select the required option under Warrant Return group. The artifacts from Facebook Warrant Returns will include account information, the history of IP addresses, and chats with attachments. Parsing of Instagram Warrant Returns will give the following categories: account information, the history of IP addresses, contacts, chats with attachments, and stories.

Computer User Activity

Computer artifacts

The updated Oxygen Forensic® KeyScout brings significant enhancements that can be used for both criminal and corporate investigations. Now the utility allows investigators to recover insights into computer usage by collecting the following system files:

Windows PC

  • Jump Lists contain the history of the user’s recent interactions with the computer can be valuable when investigation requires tracking files and folders accessed by the user. Please note that Jump lists are preserved even if related files are deleted.
  • Shellbags allow the investigator to track the folder browsing history of the user and get the details of a folder that might no longer exist.
  • USBSTOR registry contains the history of all USB connected devices. This information may be of great importance for finding the origin of malware infection, establishing data leaks, and proving USB device ownership.


  • Quarantine Events registry stores the history of files coming from external sources, including files received from Internet and via AirDrop. This helps to trace the origin of files, including cases of malware infection.
  • FSEvents registry stores all the activity regarding computer filesystem and includes records related to deleted or unmounted files and disks.
USB Connections history on Windows OS PC

New Cloud Services

Cloud forensics

The built-in and updated Oxygen Forensic Cloud Extractor brings support for 5 new cloud services: Airbnb, IMO, Outlook People, Outlook Calendars and JioChat. The total number of supported cloud services is now at 81!

Airbnb is an online rental platform for short-term travelers that has gained tremendous popularity in the past years. However, despite having lots of advantages the reputation of Airbnb has always  been questioned due to many criminal incidents.  Knowing this, we have introduced comprehensive data extraction from the Airbnb mobile app and cloud. Cloud data includes the account and payment information, accommodations, travels, contacts, emergency contacts, and other available information.

Timeline Matrix

Data analysis

The Activity matrix within the Timeline section helps to detect when the device was most used. The Activity matrix is located in the bottom panel. It allows the filtering of events by time, application, contact, or direction of communication. Additionally, there are custom activity level settings available.

Activity matrix in Timeline section

Import of DAR Archives

Backup import

Now investigators have the ability to import and fully parse .DAR archives that are widely used and may contain Apple iOS, Android and KaiOS file systems as well as memory cards/MTP and third-party software extractions.

Wireless Connections

Mobile forensics

Oxygen Forensic® Detective 12.2 allows investigators currently signed up with Latent Wireless to receive geo-coordinates with the exact locations from MAC addresses of Wi-Fi points. Our software integrates the Latent Wireless registration key information for the user and allows location information matching to known Wi-Fi devices. Moreover, we have added SSID, BSSID and WiFi password parsing from networkHistory.txt and WifiConfigStore.xml files from Android devices.

Reports History


Now investigators have a separate section in the Oxygen Forensics Detective interface where they can find all the reports created during the course of the investigation. The Reports section is available for every extraction and contains the history of the reports with their details and links to where they are stored.

Leave a Reply

Your email address will not be published. Required fields are marked *