Digital Assistants the New Eye-Witness

The popularity of virtual digital assistants is growing at a pace never seen before; the estimated number of people using digital assistants worldwide is projected to reach 1.8 billion by 2021. These “assistants” make our lives easier and more relevant, but they can also pose a serious privacy concern. From assistants recording conversations in error and sending them to uninvolved contacts, to documenting and storing all voice commands, investigators as well as users should be aware of the consequences, or evidence. Today, digital assistants are becoming one of the more valuable sources of evidence to investigators and have already been used to solve several noteworthy crimes.

Amazon Alexa

As of January 2019, Amazon’s development devices team announced they had sold over one hundred million Alexa-enabled devices, which are now available in over forty countries. When an Alexa user utters the wake word to perform a skill, a recording of the query is sent to the user’s Amazon cloud account. The user-specific request is processed and a response is returned to the device. Investigators, armed with Oxygen Forensic Cloud Extractor, can extract Amazon Alexa data, including these valuable recordings of the user’s actual utterances.

How to Gain Access

Oxygen Forensic Cloud Extractor can obtain access to the Amazon Alexa account using either a login/password or a user token. A user’s token can be extracted from either the mobile device(s) or PC(s) Alexa is currently paired to. The Amazon Alexa token can be found in the Cloud Account section in Oxygen Forensic Detective after the mobile device has been acquired. If using a PC to locate the Amazon Alexa token, simply run our Oxygen Forensic KeyScout utility. Using our powerful KeyScout utility, a user’s token can be recovered if the user has logged into their Amazon Alexa account in their PC’s web browser. It should be noted that using a token will allow an investigator to bypass any 2-factor authentication that has been set within the Amazon Alexa account.

Data from Cloud

Once the cloud extraction has completed, the investigator can elect to import the collected evidence either to Oxygen Forensic Detective or to our new Oxygen Forensic JetEngine module. The lion’s share of data from mobile applications is stored within the cloud. With this being said, it should be understandable that there is a massive amount of user data available for collection. Without question, Oxygen Forensic Cloud Extractor acquires more data from these services than any other competing tool, hands down. The valuable data extracted can contain a wealth of information, including: account and device details, contacts, user activity, incoming and outgoing messages, calendars, notifications, user-created lists, created/installed skills, preferences, and more. One amazing feature in the software is the ability to extract the stored voice commands given to Alexa by the user. The user’s actual voice! The information extracted from Amazon will undoubtedly give tremendous insights into the user’s everyday activity, their contacts, shared messages, and valuable voice commands.

Google Home

Like Amazon, Google has brought to market its own digital assistant. Today’s documentation says that there were 52 million Google Home devices sold in 2018. Oxygen Forensic Detective arms investigators with tools to extract data from Google Home from both mobile devices and the associated cloud service.

How to Gain Access

Oxygen Forensic Cloud Extractor allows access to a user’s Google Home account by entering either the login/password or a Google master token. Our robust software is also capable of finding Google credentials both in a mobile device’s image and on an associated PC. Finding Google credentials extracted from a mobile device is easy; simply navigate to the Cloud Accounts section. Also, using our built-in KeyScout utility, the investigator can collect the token information from the associated PC if the user had used the PC to log into their account.

Data from Cloud

Once armed with credentials, the investigator can use the Oxygen Forensic Cloud Extractor to access the Google Home account. As with our many other supported cloud services, the token will allow you to bypass 2-factor authentication if enabled. If your investigated user utilizes a username and password for login authentication, simply be prepared to verify the identity by one of the available methods: SMS, Google Authenticator, backup codes, prompt or USB token. Google cloud provides investigators with a tremendous amount of data that is generated by a Google Home user. Data includes, but is not limited to: account and device details, voice commands, and verbose information about users. Again, like Alexa, investigators can listen to all the voice recordings created by the Google Home users directly in Oxygen Forensic Detective.

Data from Mobile Devices

Many users of a Google Home device use the Google Home app to set up, manage and control the device. Oxygen Forensic Detective supports the parsing and decoding of the Google Home app data from both Apple iOS and Android devices. Data is available from iOS devices that have been jailbroken or those collected physically by Grayshift’s GrayKey. Android devices must have root access or physical access to recover the database file for Google Home. Oxygen Forensics, Inc. offers a wide range of physical collection methods that are successful on a large set of Android devices.

Extracted information from the mobile app, once obtained, will include: account and device details, cache, cookies, nearby devices, and other valuable user data. It should be understood that the mobile app for Google is an active application and the app contains far less data than what is stored in the user’s associated cloud account. A user’s cloud account is recommended if the investigation calls for the recovery of the user’s complete stored history.

What an INCREDIBLE 2018!

What an incredible year at Oxygen Forensics, Inc. in 2018! Not only have we continued to gain more customers from around the world, we have brought to the #DFIR community some amazing solutions to today’s digital forensic problems. Oh, we have been busy; however, one thing remains: our customers will always be first! Our slogan of helping to make this world safer was supported by these incredible innovations of 2018 and our valued customers. Let’s look at a few we are extremely proud of in all areas of forensics, including mobile, cloud, drone, IoT, and even computer.


LOCKED DEVICE SUPPORT. We added additional supported devices to our innovative screen lock bypass methods by adding the EDL method for Android devices based on selected Qualcomm chipsets. Our cutting-edge method supports a wide range of Qualcomm chipsets and works on 500+ Android devices of 26 manufacturers that include Acer, Alcatel, Asus, Coolpad, Gionee, Huawei, Lenovo, LG, Micromax, Motorola, Nokia, OnePlus, Oppo, Xiaomi, ZTE, etc. We also significantly extended and updated our Spreadtrum physical extraction method by adding support for over 100 new Android devices with 4, 8 and 16 Gb of RAM. Our updated algorithm allows for easy turn-key addition of new Spreadtrum models when requested. And finally, we added the ability to extract available photos, databases and files from a wide range of locked Samsung devices via MTP.

PHYSICAL IMAGE DECRYPTION. Encrypted user partitions are all too common on today’s modern Android devices. This problem, which often makes a physical extraction useless, is and will continue to be a hurdle for investigators. This year we added the ability to brute force and decrypt physical extractions of LG devices running Android OS 6.x and 7.x. You can either find the password using the built-in Passware module or enter the known password manually.


We owned 2018 with each new release by introducing industry-first methods of WhatsApp data extraction. Our new WhatsApp QR code method allows investigators to acquire all WhatsApp data using a WhatsApp QR token extracted by our KeyScout utility from a Windows computer. That means you can acquire WhatsApp data without the phone! It gets even better! Oxygen Forensic Detective also offers two more industry-exclusive WhatsApp forensic features – WhatsApp backup decryption via phone number and access to the WhatsApp Cloud Server (implemented in 2017). It must be mentioned – we support 60 unique cloud services; many of them are ONLY supported in our software!


DRONE SUPPORT. In 2018 we added physical extraction of DJI Spark and Mavic Pro drones via rooting, which remains an industry-unique feature. Now you can gain access to drone flight logs, telemetry, and exclusive metadata using a standard USB cable. An additional unique feature, found only in Oxygen Forensic® Detective, is the ability to extract valuable user data from DJI cloud and SkyPixel via tokens extracted from a mobile device.


DIGITAL ASSISTANTS. Digital assistants are already a part of everyday life and have been successfully used to solve several crimes. Oxygen Forensic® Detective brought investigators the power to extract data from Amazon Alexa and Google Home from both a mobile device and their cloud services. Access to these device cloud stores was made simple with a username and password or token. These valuable pieces of information can be found and extracted from either a computer or a mobile device. Detective acquires valuable information including account and device details, contacts, messages, calendars, notifications, lists, activities, skills, and more.

HEALTH-TRACKING WEARABLES. Health-tracking wearables and apps can record heart rate, sleep periods, location, and more. Data from these common everyday devices has already assisted law enforcement in several high-profile crimes. Oxygen Forensic® Detective in 2018 gave investigators the ability to extract locations, workouts, health and other valuable data from Fitbit, Google Fit, and Samsung Health from both mobile devices and cloud services.

We introduced data extraction from smartwatches based on MediaTek chipsets. Oxygen Forensic® Detective now performs logical acquisition of MTK smartwatches and allows forensic experts to extract device model, contacts, calls, messages, multimedia files, and other valuable data. We supported over 30 smartwatch models in 2018!


PASSWORDS AND TOKENS. This year we introduced our portable KeyScout utility that armed investigators with a tool to seek and locate tokens and passwords saved in desktop web browsers and other applications, like Internet Explorer, Google Chrome, Mozilla Firefox, Opera, and Mozilla Thunderbird. An added bonus, KeyScout finds credentials in iCloud for Windows, WhatsApp Desktop, Telegram Desktop and Unigram apps and also collects the passwords to Wi-Fi hot spots. The collected credentials can then be imported into Oxygen Forensic® Cloud Extractor for immediate use.


JETENGINE. We closed 2018 with our innovative 64-bit module – Oxygen Forensic® JetEngine. This powerful forensic utility allows investigators to quickly parse volumes of data and leverage advanced analytical tools to quickly pinpoint and quantify evidence. The days of slowly processing large data sets from mobile devices, IoT sources, cloud services, and drones are over! Now you can extract data in Oxygen Forensic® Detective and then import it to Oxygen Forensic® JetEngine for fast data parsing and analysis.


The numbers will always tell a better story! As of 2018 Oxygen Forensic® Detective supports data extraction from 24977 unique device profiles, 453 unique apps, 8806 app versions and 60 cloud services!  We are looking forward to a great 2019 with our continued great customer support, innovative research and development team, fabulous staff, and the best customers in the world.

Location, Location, Location

As a former law enforcement officer, I am cognizant of the importance of location information. Using this type of data we were often able to tie a party involved in an investigation to a particular place and time. Back then, location data might have come from a witness statement, surveillance video, audio capture, or another archaic source. Today, there are almost 8 billion beacons around the world carried in the pockets of humans, offering investigators a wealth of information about individuals’ whereabouts. However, many times this captured location information from an individual’s mobile device is overlooked by the agent.

Digital forensic investigators often rely on the data at hand on the physical device (e.g., parsed applications on the device, chat messages, media) to make a determination of location at a particular date and time. This is often fruitful using digital examination tools and training, but what if the necessary data is not stored on the device?  What if the device is locked with a passcode, wiped, unavailable, or destroyed?  This has been, and will more often be, a problem with investigations into digital data on mobile devices. With these limitations investigators will need additional sources of data.

The data stored within the cloud for each individual using a mobile device can be many times larger than that of the mobile device. From backups to the storage of app data, a user’s cloud can be massive. Just think of your own device. When you uninstall an app or switch out a phone, you simply have to download the app and re-authenticate, and magically the app populates the data. This data in the cloud can be a treasure trove of evidence. What about services on the device that are not really an app, but are just a digital breadcrumb of a service?

Google Location is a service that is not new, but collects a scary amount of user data – fantastic for a digital forensic examiner. Google flat out explains, much like Amazon or other data companies, that data will be used to make their services better. With that being said, Google will capture the location of the device to improve an application’s location services, their own Wi-Fi Positioning Service, or other “additional” services. The use of the Wi-Fi positioning service is brilliant for examiners, especially when users do not have GPS on their devices or even turn it off. Since the capture of GPS data is done by crowdsourcing, a user’s Wi-Fi can actually determine their location because a previous user had their GPS enabled and reported the location of the access point BSSID. Now, a user walks by and the location service simply registers the coordinates onto the user’s device, without the device even authenticating to the access point. BOOM, a GPS point is created in Google Location services for the user’s account.

A great example can be seen in the image below, which shows the area surrounding our headquarters in Alexandria, Virginia, USA. This is a simple dump of data using Oxygen Forensic Detective’s built-in Oxygen Forensic Cloud Extractor and the selection of my Google Location. Those are not crayon marks or added lines, but routes created by the raw data extraction containing location information. On closer inspection, along the Potomac there is a great running path I frequent in the mornings and there is a clear line up and back. It should be noted I do not have a tracking application running at any time, simply my device in my pocket. Furthermore, Google Location is not an app that is installed but a service that other apps can access when needed and also used by Google to “improve” services. This means the app is not parsed or generally supported by commercial tools.

Figure 1. Oxygen Forensics office in Alexandria, VA, USA

So, what does this mean to you, the investigator? Maybe you do not have an application which shows the device was in the area. However, with a cloud extraction an investigator can filter the data to the date/time in question and determine the location of the account and possibly the individual. Google Location data, along with other app data, can be the smoking gun an investigator needs. Best yet, Google Locations are captured for any device (laptop, Apple, Android) where the user is signed into their account. Again, this information can be extraordinary in today’s investigations.
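The date/time filtering described above, sketched as an added example that is not part of the original post and is not Oxygen Forensic Detective code. The record layout (`ts`, `lat`, `lon`, `accuracy_m`), the sample fixes and the 200 m radius are assumptions constructed for illustration; coarse fixes, such as those derived from Wi-Fi, are flagged as "possible" rather than treated as proof of presence.

```python
from datetime import datetime, timezone
from math import asin, cos, radians, sin, sqrt

# Constructed sample fixes. Field names and values are assumptions for this
# example, not the export format of any particular tool or service.
RECORDS = [
    {"ts": "2019-01-14T11:02:10Z", "lat": 38.8048, "lon": -77.0469, "accuracy_m": 15},
    {"ts": "2019-01-14T11:20:45Z", "lat": 38.8100, "lon": -77.0400, "accuracy_m": 900},
    {"ts": "2019-01-14T11:41:00Z", "lat": 38.8895, "lon": -77.0353, "accuracy_m": 20},
    {"ts": "2019-01-15T09:00:00Z", "lat": 38.8049, "lon": -77.0470, "accuracy_m": 10},
]

def parse_utc(ts):
    """Parse an ISO 8601 'Z' timestamp into an aware UTC datetime."""
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)

def haversine_m(lat1, lon1, lat2, lon2):
    """Great-circle distance in metres between two WGS84 coordinates."""
    p1, p2 = radians(lat1), radians(lat2)
    a = sin((p2 - p1) / 2) ** 2 + cos(p1) * cos(p2) * sin(radians(lon2 - lon1) / 2) ** 2
    return 2 * 6371000 * asin(sqrt(a))

def fixes_near(records, start, end, lat, lon, radius_m):
    """Classify fixes inside [start, end] against a circle around (lat, lon).

    'inside'   : the whole accuracy circle lies within the radius
    'possible' : the accuracy circle only overlaps the radius (typical of
                 coarse Wi-Fi derived fixes); needs corroboration
    Fixes whose accuracy circle cannot overlap the radius are dropped.
    """
    hits = []
    for rec in sorted(records, key=lambda r: parse_utc(r["ts"])):
        if not start <= parse_utc(rec["ts"]) <= end:
            continue
        dist = haversine_m(rec["lat"], rec["lon"], lat, lon)
        if dist + rec["accuracy_m"] <= radius_m:
            hits.append((rec["ts"], round(dist), "inside"))
        elif dist - rec["accuracy_m"] <= radius_m:
            hits.append((rec["ts"], round(dist), "possible"))
    return hits

if __name__ == "__main__":
    window = (parse_utc("2019-01-14T11:00:00Z"), parse_utc("2019-01-14T12:00:00Z"))
    for hit in fixes_near(RECORDS, *window, lat=38.8048, lon=-77.0469, radius_m=200):
        print(hit)
```
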

By using data from multiple sources (e.g., mobile device, cloud backups) an investigator can turn a circumstantial case into one that is bulletproof. Today’s investigators need to be ready to look in other sources for that digital gold. Good luck!