Oxygen Forensic® Detective v.13.6

Ring data extraction


Ring LLC, an Amazon-owned company, is a home security and smart home company. One of their flagship products is the Ring Video Doorbell, a smart doorbell that contains a motion-activated camera equipped with a microphone and speaker. The footage captured by the video doorbell can be viewed in real-time or played back in the Ring mobile app. Oxygen Forensic® Detective v.13.6 now allows Ring data extraction from mobile devices, computers, and the cloud.

  • Cloud extraction is available using Ring login credentials or a token. Evidence obtained includes account information, connected devices, event history, video recordings, invited and registered contacts, location details, and payment information.
  • Ring data extracted from Apple iOS and Android devices will include account and device information, locations, event history, cache, cookies, logs, and camera snapshots. We recommend using a full file system extraction to acquire the most data.
  • Investigators can also collect Ring artifacts from Windows and macOS computers using Oxygen Forensic® KeyScout. Depending on the computer’s OS, this will include information about authorized devices, the device owner, camera snapshots, and logs.

Support for Qualcomm-based Huawei devices


Oxygen Forensic® Detective v.13.6 now offers the ability to bypass screen locks and decrypt evidence from Huawei/Honor devices that use File-Based Encryption (FBE) and are based on the following Qualcomm chipsets: MSM8917, MSM8937, MSM8940, and MSM8953. To acquire a device, choose the “Huawei Qualcomm EDL extraction” method in the Oxygen Forensic® Android Extractor and follow the instructions. Supported models include Honor 7A (AUM-L29), Huawei Y6 (2018), Mediapad M3 lite 8, etc.

Samsung Exynos Dump for Android 11 devices


We’ve once again extended our Samsung Exynos method and now it supports Samsung devices that were updated to Android OS 11 from Android OS 9 and 10. The method allows extraction of a full file system from a wide variety of Samsung Exynos devices with File-Based Encryption.

New Extraction Method for Twitter and Line


Oxygen Forensic® Detective v.13.6 introduces a new extraction method for the Twitter and Line apps. Investigators can now collect this app data from any unlocked Android device using OxyAgent. Install it on a device, select the Twitter or Line artifacts that need to be collected, and once collection is done, import the extraction into Oxygen Forensic® Detective for further analysis. This app extraction method via OxyAgent also supports WhatsApp, WhatsApp Business, Signal, and Discord.

Support for WhatsApp crypt14 version


WhatsApp has recently introduced a new version of crypt14 that is used to encrypt WhatsApp backups. With Oxygen Forensic® Detective v.13.6, investigators can decrypt backups encrypted with this version both from mobile devices and in the Oxygen Forensic® Cloud Extractor using a phone number or token. Additionally, we have improved our decryption support of older versions, such as crypt7, crypt8, and crypt9.

GroupMe Cloud Extraction


GroupMe is a messaging app that has over 12 million registered users and is currently owned by Microsoft. The updated Oxygen Forensic® Cloud Extractor allows investigators to extract evidence from a GroupMe account via GroupMe, Microsoft, Google or Facebook credentials or using a token extracted from a mobile device. Evidence sets will include account details, contacts, events, as well as private and group chats with attachments and polls.

KeyScout Enhancements


We’ve introduced several enhancements to Oxygen Forensic® KeyScout. Now investigators can:

  • import and parse L01 images made on Windows, macOS, and Linux computers
  • collect logs from var/log folder on macOS and Linux
  • extract system and user Preferences from macOS
  • collect more artifacts from the Windows registry
  • extract user data from the Unigram app on Windows

Viewer for SQLite databases


We’ve added a Recovery Info column on the SQLite recovered data tab. This column will display the source file of a recovered record, which can be in .db, .log, or .wal format. Click the link to be transferred to the original record in the source file shown in the Hex Viewer. Finally, we’ve added a Recovery Options button where users can utilize detailed options for deleted data recovery.

Passcode Bruteforce Enhancements


Now investigators can select several brute force attacks that will be carried out one after another. Moreover, we made the passcode brute force process more detailed, adding information about speed, estimated number of passcodes, and number of checked passcodes.

Import and Export Enhancements


Oxygen Forensic® Detective v.13.6 allows investigators to export extracted data to Project VIC 2.0. In the Applications section, investigators can now export geo coordinates to KML and GPX formats for further analysis. For Load File format, we’ve introduced the ability to save and import report templates. Finally, investigators can now import and analyze UFED reports (UFDR format) in Oxygen Forensic® Detective.

New App Support


Oxygen Forensic® Detective v.13.6 brings support for 7 new apps and updates data parsing for 600+ app versions. The new apps are Ring, Google Admin, Mega, Marco Polo, Huawei Browser, Mi Browser, and Samsung Notes.

Resolved Issues

  • Inconsistent passcode brute force for Samsung Galaxy A3 and Samsung Galaxy J6 devices 
  • Extraction with Alcatel OneTouch 5009D and Samsung Galaxy S6 edge
  • WhatsApp backup decryption via phone number in Oxygen Forensic® Cloud Extractor
  • Uber cloud authorization
  • Chats were not parsed from WeChat v.7.0.11 (Apple iOS)
  • Data export from the Applications section did not contain Key Evidence tags and notes for applications files
  • Messages export in chat format was empty
  • Setting a password to XLS export
  • Exporting data from OFBR produced empty reports
  • HEIC format images got unattached/missing after exporting to OFBR and importing
