Support for Samsung Exynos devices
Oxygen Forensic® Detective v.13.5 brings enhanced support for Samsung Exynos devices. Now investigators can perform full-file system extractions of Samsung devices running pre-installed Android OS 9 and 10 which also have File-Based Encryption (FBE). If a user passcode is set on a device, it should be entered in the corresponding field in the software. Unlike our Samsung Exynos method for Android OS 7 through 9 devices with Full-Disk Encryption (FDE), this method does not currently include the ability to brute force the passcode.
This new approach also gives investigators access to the Samsung Secure Folder and its contents. The Secure Folder is a secure location within a Samsung device that enables users to store private data. Secure Folder extraction is supported only for Samsung Exynos devices with FBE.
Access to Huawei PrivateSpace
Huawei Private Space lets users store their private information in a hidden space within the device that can only be accessed with a fingerprint or password. Oxygen Forensic® Detective v.13.5 now gives investigators the ability to access data in the Huawei Private Space. To decrypt this securely hidden data, investigators will need to either enter the password or find it with the built-in brute force module. The functionality is available within the Huawei Android Dump method.
Enhanced support for Qualcomm devices
The Android full file system extraction method now offers additional capabilities for devices using Qualcomm chipsets and running Android OS 7 through 10. The new exploit allows investigators to gain root rights and extract a full file system. The Security Patch Level (SPL) must not be greater than December 2020.
Support for Android OS 11
OxyAgent is now compatible with Android devices running OS 11. Investigators can now use the powerful OxyAgent utility to extract evidence from any unlocked Android device. The evidence set includes contacts, messages, calls, calendars, available files and supported third-party apps.
Hash calculation for physical dumps
Investigators can now choose to calculate hashes for extracted physical dumps in the Oxygen Forensic® Android Extractor. To do this, switch to the Settings menu and select one or several preferred hash sets: SHA1, SHA256, SHA3-256 or MD5.
The updated Oxygen Forensic® KeyScout allows investigators to capture memory (RAM) and save it in RAW format for further analysis in third-party solutions, like Volatility. To create a RAM dump, copy the portable KeyScout from the main Oxygen Forensic® Detective Home menu to removable media. Then, run it on a subject’s PC and choose the “Capture RAM” option on the Home screen. The RAM capture will be displayed on the Memory tab in KeyScout.
Deleted Record Recovery
Deleted record recovery is available in the new File Viewer for SQLite databases. The recovery process now takes significantly less time and uses less RAM and CPU resources. Moreover, deleted record recovery is more accurate. To recover deleted records, simply switch to the “SQLite with Recovered Records” tab. The recovery process will start automatically. Deleted records will be displayed with a trash bin icon and highlighted in yellow. Search is available for both actual and recovered records.
Similar Image Analysis
Oxygen Forensic® Detective v.13.5 offers a convenient analysis of similar images using PhotoDNA technology. Similar Image Analysis is done automatically when entering the Files section of an extraction or a case. It takes seconds to analyze 200-300 thousand images. Similar images can be located on the Similar Images tab in the panel below.
New App Support
Oxygen Forensic® Detective v.13.5 brings support for 4 new apps and updates data parsing for XXX+ already supported apps. The new apps are Microsoft Teams, AliExpress, Wildberries and BiP Messenger.
Check the WhatsNew file in your customer area or in the software to see the full list of changes.
- Screenshots made with OxyAgent now have their names as follows: app identifier_ screenshot number.png
- Checkm8 support for iPhone 8, iPhone 8+ and iPhone X running iOS 14.4.1 and 14.4.2
- Not all data was extracted from the Google Drive cloud when the folder had specific Japanese characters
- The Backup type field in the Extraction Info panel was empty for a certain type of imported extractions like CDR files and GrayKey extractions
- Thumbnails were not removed from PDF and RTF reports, even if the corresponding option was selected
- Case info was not being included in data reports
- WhatsApp messages in the French language were not being fully parsed after being extracted via OxyAgent
- Viber attachments could not be opened in Oxygen Forensic® Detective after they were collected with Oxygen Forensic® KeyScout
- An MTK Android dump made from a Lenovo A319 device could not be parsed