Ring data extraction
MOBILE FORENSICS, CLOUD FORENSICS, COMPUTER ARTIFACTS
Ring LLC, an Amazon-owned company, is a home security and smart home company. One of their flagship products is the Ring Video Doorbell, a smart doorbell that contains a motion-activated camera equipped with a microphone and speaker. The footage captured by the video doorbell can be viewed in real-time or played back in the Ring mobile app. Oxygen Forensic® Detective v.13.6 now allows Ring data extraction from mobile devices, computers, and the cloud.
- Cloud extraction is available using Ring login credentials or a token. Evidence obtained includes account information, connected devices, event history, video recordings, invited and registered contacts, location details, and payment information.
- Ring data extracted from Apple iOS and Android devices will include account and device information, locations, event history, cache, cookies, logs, and camera snapshots. We recommend using a full file system extraction to acquire the most data.
- Investigators can also collect Ring artifacts from Windows and macOS computers using Oxygen Forensic® KeyScout. Depending on the computer’s OS this will include information about authorized devices, the device owner, camera snapshots, and logs.
Support for Qualcomm-based Huawei devices
Oxygen Forensic® Detective v.13.6 now offers the ability to bypass screen locks and decrypt evidence from Huawei/Honor devices that use File-Based Encryption (FBE) and are based on the following Qualcomm chipsets: MSM8917, MSM8937, MSM8940, and MSM8953. To acquire a device, choose the “Huawei Qualcomm EDL extraction” method in the Oxygen Forensic® Android Extractor and follow the instructions. Supported models include Honor 7A (AUM-L29), Huawei Y6 (2018), Mediapad M3 lite 8, etc.
Samsung Exynos Dump for Android 11 devices
We’ve once again extended our Samsung Exynos method and now it supports Samsung devices that were updated to Android OS 11 from Android OS 9 and 10. The method allows extraction of a full file system from a wide variety of Samsung Exynos devices with File-Based Encryption.
New Extraction Method for Twitter and Line
Oxygen Forensic® Detective v.13.6 introduces a new extraction method for the Twitter and Line apps. Investigators can now collect this app data from any unlocked Android device using OxyAgent. Install it on a device, select the Twitter or Line artifacts that need to be collected, and once collection is done, import the extraction into Oxygen Forensic® Detective for further analysis. This app extraction method via OxyAgent also supports WhatsApp, WhatsApp Business, Signal, and Discord.
Support for WhatsApp crypt14 version
MOBILE FORENSICS, CLOUD FORENSICS
WhatsApp has recently introduced a new version of crypt14 that is used to encrypt WhatsApp backups. With Oxygen Forensic® Detective v.13.6, investigators can decrypt backups encrypted with this version both from mobile devices and in the Oxygen Forensic® Cloud Extractor using a phone number or token. Additionally, we have improved our decryption support of older versions, such as crypt7, crypt8, and crypt9.
GroupMe Cloud Extraction
GroupMe is a messaging app that has over 12 million registered users and is currently owned by Microsoft. The updated Oxygen Forensic® Cloud Extractor allows investigators to extract evidence from a GroupMe account via GroupMe, Microsoft, Google or Facebook credentials or using a token extracted from a mobile device. Evidence sets will include account details, contacts, events, as well as private and group chats with attachments and polls.
We’ve introduced several enhancements to Oxygen Forensic® KeyScout. Now investigators can:
- import and parse L01 images made on Windows, macOS, and Linux computers
- collect logs from the var/log folder on macOS and Linux
- extract system and user Preferences from macOS
- collect more artifacts from the Windows registry
- extract user data from the Unigram app on Windows
Viewer for SQLite databases
We’ve added a Recovery Info column on the SQLite recovered data tab. This column will display the source file of a recovered record, which can be in .db, .log, or .wal format. Click the link to be transferred to the original record in the source file shown in the Hex Viewer. Finally, we’ve added a Recovery Options button where users can utilize detailed options for deleted data recovery.
Passcode Bruteforce Enhancements
Now investigators can select several brute force attacks that will be carried out one after another. Moreover, we made the passcode brute force process more detailed, adding information about speed, estimated number of passcodes, and number of checked passcodes.
Import and Export Enhancements
Oxygen Forensic® Detective v.13.6 allows investigators to export extracted data to Project VIC 2.0. In the Applications section, investigators can now export geo coordinates to KML and GPX formats for further analysis. For Load File format, we’ve introduced the ability to save and import report templates. Finally, investigators can now import and analyze UFED reports (UFDR format) in Oxygen Forensic® Detective.
New App Support
Oxygen Forensic® Detective v.13.6 brings support for 7 new apps and updates data parsing for 600+ app versions. The new apps are Ring, Google Admin, Mega, Marco Polo, Huawei Browser, Mi Browser, and Samsung Notes.
- Inconsistent passcode brute force for Samsung Galaxy A3 and Samsung Galaxy J6 devices
- Extraction with Alcatel OneTouch 5009D and Samsung Galaxy S6 edge
- WhatsApp backup decryption via phone number in Oxygen Forensic® Cloud Extractor
- Uber cloud authorization
- Chats were not parsed from WeChat v.7.0.11 (Apple iOS)
- Data export from the Applications section did not contain Key Evidence tags and notes for applications files
- Messages export in chat format was empty
- Setting a password to XLS export
- Exporting data from OFBR produced empty reports
- HEIC format images got unattached/missing after exporting to OFBR and importing