Oxygen Forensic® KeyScout is the newest module in our all-in-one Oxygen Forensic® Detective platform. We launched the first version of KeyScout three years ago, and with every release we add new features to make it a more powerful computer forensics tool. Its primary functions now include:
- Live collection of artifacts on Windows, macOS, and Linux computers
- RAM Memory Capture
- Analysis of external drives
- Importing and parsing of computer images
Let’s have a look at the changes that we’ve recently introduced to Oxygen Forensic® KeyScout.
In the latest Oxygen Forensic® KeyScout, investigators can select a search template before data extraction. To use this functionality, switch to “Custom search mode” and select the template that suits the current investigation.
For example, using the pre-installed templates, investigators can quickly collect only apps, their passwords and tokens, or all the files.
If investigators do not find the right search template among the default options, they can create their own.
To do this, click the “Customize your search mode” link on the KeyScout Home screen. In the new template, investigators can add rules that filter by criteria such as file path, extension, timestamps, or a regular expression, among many other options. Investigators can also select the specific apps and system artifacts to be collected. The new template is saved and appears in the list of templates in Custom search mode.
External Drive analysis
Another feature that has been recently added is the ability to collect artifacts from external drives. To use it, connect an external drive to the PC in use and select the “Acquire the external drive” option in the Home screen of Oxygen Forensic® Detective.
In the opened KeyScout window, users can select exactly what to acquire: the whole disk, a partition, multiple partitions, etc. Click the “Advanced options” button for more detailed information about the external disks available for analysis. Note that external drive analysis is possible only with elevated privileges.
New artifact and OS support
The updated Oxygen Forensic® KeyScout included in Oxygen Forensic® Detective v.14.1 is fully compatible with Windows 11, so investigators can run a live collection of computer artifacts on computers with the latest Windows release installed.
Additionally, in every release we add new computer artifacts and update support for existing ones. A few recent examples:
- Added extraction of the Apple Unified Log (AUL) from macOS. These logs give investigators deep insight into activity that occurred on the subject’s computer.
- Improved parsing of JumpLists that contain the history of the user’s recent interactions with the computer.
- Improved collection of LNK files, the shortcut files that Windows creates automatically when a user opens files.
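The LNK and JumpList artifacts above are only as trustworthy as their header validation, so the following added example (written for this article, not KeyScout's own parser) shows the minimal check an examiner applies to a shell link: verify the fixed header size and CLSID from the public [MS-SHLLINK] layout, then decode the link flags and the three FILETIME timestamps. The `build_sample_lnk_header` helper and its values are constructed for the demonstration and are not a real artifact.

```python
import struct
from datetime import datetime, timedelta, timezone

# Fixed values from the [MS-SHLLINK] ShellLinkHeader layout.
LNK_HEADER_SIZE = 0x4C
LNK_CLSID = bytes.fromhex("0114020000000000c000000000000046")
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)

# Subset of LinkFlags bits ([MS-SHLLINK] 2.1.1).
LINK_FLAGS = {
    0x00000001: "HasLinkTargetIDList",
    0x00000002: "HasLinkInfo",
    0x00000004: "HasName",
    0x00000008: "HasRelativePath",
    0x00000010: "HasWorkingDir",
    0x00000020: "HasArguments",
    0x00000040: "HasIconLocation",
    0x00000080: "IsUnicode",
}


def filetime_to_datetime(ft):
    """Convert a Windows FILETIME (100 ns ticks since 1601-01-01 UTC) to a datetime.

    A zero value means the field was never set, so it is reported as None rather
    than as the year 1601.
    """
    if ft == 0:
        return None
    return FILETIME_EPOCH + timedelta(microseconds=ft // 10)


def parse_lnk_header(data):
    """Parse the 76-byte ShellLinkHeader and return its fields as a dict.

    Raises ValueError if the header size or CLSID does not match, which is the
    first check to apply before treating a .lnk file as a genuine shell link.
    """
    if len(data) < LNK_HEADER_SIZE:
        raise ValueError("too short to be a shell link")
    # HeaderSize, LinkCLSID, LinkFlags, FileAttributes, CreationTime, AccessTime,
    # WriteTime, FileSize, IconIndex, ShowCommand, HotKey (reserved bytes follow).
    (header_size, clsid, link_flags, file_attrs, ctime, atime, wtime,
     file_size, icon_index, show_command, hotkey) = struct.unpack_from(
        "<I16sIIQQQIIIH", data, 0)
    if header_size != LNK_HEADER_SIZE or clsid != LNK_CLSID:
        raise ValueError("not a Windows shell link (bad header size or CLSID)")
    return {
        "flags": [name for bit, name in LINK_FLAGS.items() if link_flags & bit],
        "file_attributes": file_attrs,
        "creation_time": filetime_to_datetime(ctime),
        "access_time": filetime_to_datetime(atime),
        "write_time": filetime_to_datetime(wtime),
        "target_size": file_size,
        "icon_index": icon_index,
        "show_command": show_command,
        "hotkey": hotkey,
    }


def build_sample_lnk_header():
    """Constructed sample header (not a real artifact): a 1234-byte target created
    at the Unix epoch and last written one day later."""
    epoch_ft = 116444736000000000          # FILETIME for 1970-01-01T00:00:00Z
    one_day = 86400 * 10_000_000           # one day in 100 ns ticks
    flags = 0x00000001 | 0x00000002 | 0x00000080   # IDList, LinkInfo, Unicode
    body = struct.pack("<I16sIIQQQIIIH", LNK_HEADER_SIZE, LNK_CLSID, flags,
                       0x20, epoch_ft, epoch_ft, epoch_ft + one_day,
                       1234, 0, 1, 0)
    return body + b"\x00" * (LNK_HEADER_SIZE - len(body))


if __name__ == "__main__":
    for key, value in parse_lnk_header(build_sample_lnk_header()).items():
        print(f"{key}: {value}")
```

In practice the timestamps decoded here describe the link target at the time the shortcut was created or updated, which is why they are compared against the target file's own timestamps when reconstructing user activity.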
Investigators can see which system artifacts are supported on the relevant tab of the KeyScout Search Settings.
As for app artifacts, we have added the ability to extract evidence from the web version of Instagram used in the Google Chrome browser on Windows, macOS, and Linux. Investigators can now also extract passwords saved in Microsoft Edge. The full list of supported apps can be found on the relevant tab.
Import and parsing of computer images
Our software can ingest and parse dozens of computer image types, such as the popular A01, L01, and E01. We have recently added support for new image types:
- Virtual machine images of VDI, VHD, and VMDK formats
- Images of RAW formats: DD, BIN, and IMG
- DMG and ISO images
- Logical images of 7z, rar, and tar formats
- Support for FAT, EXT2/3/4, HFS/HFS+ file systems of E01, RAW/DD, VDI, VHD, and VMDK images
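Before handing an image to any ingestion tool, it is worth confirming that the file really is the format its extension claims, since a mislabelled container fails to parse or, worse, parses as the wrong thing. The following added example (written for this article, not KeyScout's own format detection) identifies most of the container types listed above from their publicly documented signatures: the EWF header for E01/L01, the VMDK, VHD and VDI headers, the 7z, RAR and tar archive magics, the ISO 9660 descriptor, and the DMG `koly` trailer. RAW/DD images have no signature at all, so the absence of a match is reported rather than guessed; the byte strings in the test are constructed samples, not real images.

```python
import os

# Leading signatures checked at offset 0. The VDI text header varies by vendor
# name over the years, so it is matched separately below.
HEAD_SIGNATURES = [
    (b"EVF\x09\x0d\x0a\xff\x00", "E01 (EnCase/EWF physical image)"),
    (b"LVF\x09\x0d\x0a\xff\x00", "L01 (EnCase/EWF logical image)"),
    (b"KDMV", "VMDK (sparse extent)"),
    (b"# Disk DescriptorFile", "VMDK (descriptor file)"),
    (b"conectix", "VHD (dynamic or differencing)"),
    (b"7z\xbc\xaf\x27\x1c", "7z archive"),
    (b"Rar!\x1a\x07", "RAR archive"),
]

RAW_RESULT = "RAW/DD or unknown (no signature)"


def identify_image(head, tail):
    """Classify an image from its leading bytes (head) and its last 512 bytes (tail).

    head should cover at least the first 0x8006 bytes so the ISO 9660 primary
    volume descriptor at 0x8001 is reachable; shorter input simply skips that
    check. Returns a format name, or RAW_RESULT when nothing matches, because raw
    dd/bin/img dumps carry no header of their own.
    """
    for magic, name in HEAD_SIGNATURES:
        if head.startswith(magic):
            return name
    if head.startswith(b"<<< ") and b"VirtualBox Disk Image" in head[:64]:
        return "VDI (VirtualBox)"
    if head[257:262] == b"ustar":            # POSIX/GNU tar header magic
        return "tar archive"
    if head[0x8001:0x8006] == b"CD001":      # ISO 9660 primary volume descriptor
        return "ISO 9660"
    trailer = tail[-512:]
    if trailer[:4] == b"koly":               # DMG trailer lives in the last 512 bytes
        return "DMG (Apple disk image)"
    if trailer[:8] == b"conectix":           # fixed VHDs only carry the footer
        return "VHD (fixed)"
    return RAW_RESULT


def identify_file(path):
    """Read just the head and tail of a file on disk and classify it."""
    size = os.path.getsize(path)
    with open(path, "rb") as f:
        head = f.read(0x8006)
        f.seek(max(0, size - 512))
        tail = f.read(512)
    return identify_image(head, tail)


if __name__ == "__main__":
    import sys
    for image_path in sys.argv[1:]:
        print(f"{image_path}: {identify_file(image_path)}")
```

A practical use is to run `identify_file` over an evidence directory and flag any file whose detected format disagrees with its extension before ingestion; a result of RAW_RESULT on a file named `.E01` or `.vmdk` is the case worth investigating.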
To ingest an image, click the relevant option under “Desktop extractions” on the software Home screen and follow the instructions.
Oxygen Forensic® KeyScout searches the imported image for computer artifacts and creates an extraction; the results are then imported into and shown in Oxygen Forensic® Detective. This allows investigators to merge an imported computer image with other extractions (for example, mobile or cloud) for deeper analysis where necessary.
If you want to know more about RAM Capture with Oxygen Forensic® KeyScout, check this article published earlier this year.