Revolutionary changes in Android logical extraction

Oxygen Forensics offers investigators a wide range of extraction methods for Android devices, including screen lock bypass methods, rooting, ADB backup creation, and a robust OxyAgent method for logical acquisition. Our OxyAgent allows investigators to collect important information, including contacts, calls, messages, calendars, files from both internal and external media cards, and more. With many Android devices and system applications now using security that disables the backup of basic built-in apps (e.g., SMS/MMS, Call Logs), having a secondary method to collect this important data from every supported Android device via USB cable is a must.

Oxygen Forensic® Detective 12.5 comes equipped with the redesigned and enhanced OxyAgent utility, which now allows investigators to acquire data via a Wi-Fi network, select artifacts for extraction, and take screenshots of Android data that cannot be extracted via any other method. This is extremely important with today’s applications that can only be extracted with either a rooted phone or a full physical extraction. Now, investigators can obtain full conversations of any application on any Android device!

Data extraction via Wi-Fi

There can always be problems when dealing with mobile devices, such as faulty cables or broken USB ports. Fortunately, data extraction via Wi-Fi network is now available. To connect an Android device via Wi-Fi, choose the corresponding option in Oxygen Forensic® Extractor and follow these steps:

1. Install OxyAgent on the device by either scanning the QR-code or manually entering the link from the Oxygen Forensic® Extractor screen to the device browser. Select a folder in which the extraction will be stored.

Figure 1: Wi-Fi Connection Instructions

2. Once the OxyAgent app is installed, accept all permission requests, and then select Extract Over WiFi on the OxyAgent home screen.

3. Enter the device IP address displayed on the OxyAgent screen into the corresponding field within the Oxygen Forensic® Extractor window, confirm app installation and data entry, and then press Next.

4. Once the device is connected, the investigator can select the data to extract.

Figure 2: Selecting data for Extraction

5. Start the extraction. Extraction progress bars will be displayed on both the device and PC screens. Once data is extracted, investigators will be given the option to import it into Oxygen Forensic® Detective, at which point the app can be uninstalled from the device.

Taking screenshots of Android data 

Logical data extraction does not allow investigators to gain access to the internal memory where applications are stored. Thus, investigators can miss valuable data in a basic logical Android extraction. Our enhanced OxyAgent now makes it possible to take screenshots of any Android screen to document clear and concise evidence related to the case. This can include any screen available to the investigator, whether it shows a photo, a video, or a third-party app; anything! Follow these steps to take screenshots in manual or semi-automated mode:

1. Install OxyAgent on the target device. The OxyAgent is available in Oxygen Forensic Extractor.

2. Choose “Take and save screenshots” on the OxyAgent main screen. 

Figure 3: Screenshot export options

3. Investigators must give the app permission to capture everything that is displayed on the screen.

4. Click Start Now to open Settings and follow the directions to allow OxyAgent to be displayed over other apps.

5. Return to OxyAgent and select the type of screenshot mode (semi-automated or manual):

  1. Semi-Automated Mode: the device screen displays a joystick with the ability to set the direction for taking a series of screenshots
    1. Fine-tune the accessibility settings
    2. As soon as all rights are granted, select the semi-automated mode on the home screen
  2. Manual Mode: the device screen displays a button for taking a single screenshot

6. When all screenshots are taken, tap on the “X” to return to OxyAgent.

Figure 4: Exiting Screenshot Mode

After screenshots are made, an investigator will have two options: 

  1. Copy the folder with screenshots to a PC, and import it into Oxygen Forensic® Detective via the OxyAgent extraction option on the Home Screen.
  2. Extract data using OxyAgent. Then, copy both folders that contain data and screenshots to the PC running Oxygen Forensic Detective, and import them. Screenshots and data collected via OxyAgent will be shown as one extraction. The screenshots will be found in the files section.

Figure 5: Screenshots in File Section

Selective data extraction 

Our redesigned and reconfigured OxyAgent now allows investigators to select data categories for extraction. 

When an investigator installs and runs our innovative OxyAgent on the target device, data categories can now be selected on the device screen (see left of Figure 6). When using a USB or Wi-Fi connection in Oxygen Forensic® Extractor, investigators can now select data to extract directly in the Oxygen Forensic® Extractor window (see Figure 7). 

We continuously update our products to provide digital forensic investigators with the best user experience possible with the maximum data collected.
