Oxygen Forensic® DETECTIVE Release notes, Version 14.0, September 2021

Oxygen Forensics www.oxygen-forensic.com

We are delighted to introduce the latest major update of our flagship product, Oxygen Forensic® Detective! Version 14.0 offers numerous innovations and enhancements that will make your job easier, cut backlogs, and allow access to evidence that was previously unavailable. Note: key features will be described in detail in our corporate blog. Make sure to check it every week for in-depth, useful articles.

Passwords Manager

Now investigators can easily create custom dictionaries for brute force attacks in the new “Passwords Manager.” It can be found in the “Options” section of the software or on the toolbar of the “Accounts and Passwords” section. This new, convenient tool accumulates all the extracted passwords from the “Accounts and Passwords” sections. Investigators also have the option to import passwords from a .txt file or enter them manually. Once created, password lists will be available in the “Attack Manager” in the brute force module and can be used for password attacks. Now users can also create custom attacks using the options available in the Passware Kit Mobile. Once created, custom attacks will be shown in the “Attack Manager.”

Mobile Forensics

Android App Downgrade

When using the Android backup method, investigators cannot extract applications of the latest version because their data is normally not included in the backup. In this case, the APK downgrade procedure is required to access app evidence. Oxygen Forensic® Detective v.14.0 introduces an Android app downgrade method that will allow investigators to extract valuable app evidence from a wide variety of unlocked Android devices. This method is compatible with Android OS versions 5-11.

Following the comprehensive instructions, investigators need to select apps for downgrade, make a copy of the original apps, downgrade their versions, extract data, and restore the apps to their original state. Currently, the APK Downgrade method covers over 45 popular apps that can be downgraded, including WhatsApp, Facebook, Instagram, Twitter, Tinder, and many others.

Support for MT6753 Chipset

The “MTK Android Dump” method now supports the MT6753 chipset. This method allows screen lock bypass, hardware key extraction, and evidence decryption from over 150 devices based on this chipset. Please note, devices with DAA (Data Authentication Algorithm) are not supported yet.

New App Support

Oxygen Forensic® Detective v.14.0 introduces support for 6 new apps and updates data parsing for 900+ app versions. Our new apps include Digital Wellbeing, Beekeeper, Solocator, Chatwork, Grindr, and GPS Camera. The total number of supported app versions now exceeds 24,200.

Telegram Extraction via OxyAgent

Starting from Oxygen Forensic® Detective v.14.0, investigators can collect Telegram data from any unlocked Android device using OxyAgent. Install it on the device, select the Telegram artifacts that need to be collected, and after the extraction, import them into Oxygen Forensic® Detective. This method is compatible with Android OS versions 7 and higher. The evidence set will include account info, authorized sessions, contacts, chats, channels, saved messages, and calls. Secret chats are not supported by this method. If several accounts are used, they can all be extracted. In the event that Telegram is locked with a passcode, the software will prompt for it. Otherwise, the extraction won’t start. Note: Telegram data can also be extracted from mobile devices using other methods, from the cloud and computers.

General

Merging Extractions

Oxygen Forensic® Detective v.14.0 introduces a significant enhancement for data analysis. Now investigators can merge several extractions into one. This is often required in cases when evidence is extracted using various methods and needs to be merged together. Let’s name a few:

• Separate extractions of an Android device and its SIM card can now be merged and viewed together.
• Evidence extracted from an Android device using various methods, such as OxyAgent and ADB backup.
• Device and cloud extractions from the same owner.

To merge extractions, select them in the extraction tree on the right sidebar and select “Merge extractions” in the context menu. Then, follow the instructions. Extractions can either be merged at the analyzed data or file system levels. The first method is good when extractions of different platforms, like a device and a cloud service, need to be merged. The second method is recommended for extractions of the same device when several extraction methods are used to acquire evidence.

App Data Recovery Enhancements

We’ve significantly improved deleted data recovery from applications. If app deleted data recovery is enabled at import, users will see the following results:

• The quality of deleted data recovery has improved: we can now recover much more deleted data with fewer duplicates and trash records.
• Files containing over 2GB of data can now be completely recovered from databases.
• The speed at which deleted data is recovered from apps has significantly increased.

As a result, less time is required to import a backup or image into the software.

[Chart: import speed with data recovery enabled, compared with the previous version of Oxygen Forensic® Detective]

[Chart: deleted valid records recovered per app, compared with the previous version of Oxygen Forensic® Detective]


We’ve also extended the functionality of our SQLite Viewer. The enhancements include hash calculations for databases, Journal and WAL files, and the ability to view and search records in free and unused pages, located in the “All deleted data” section in the Viewer.
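The SQLite Viewer feature above relies on the database's own bookkeeping to locate free pages. As an added example (not Oxygen's code), the Python below hashes a database together with any rollback journal or WAL sidecar, walks the freelist from the 100-byte file header, and builds a constructed sample database whose deleted rows leave pages on that freelist; the file and table names are assumptions.

```python
import hashlib
import os
import sqlite3
import struct
import tempfile

def sidecar_hashes(db_path):
    """SHA-256 of the database plus any rollback journal or WAL file beside it."""
    hashes = {}
    for path in (db_path, db_path + "-journal", db_path + "-wal"):
        if os.path.exists(path):
            with open(path, "rb") as fh:
                hashes[os.path.basename(path)] = hashlib.sha256(fh.read()).hexdigest()
    return hashes

def freelist_pages(db_path):
    """Walk the freelist: header offset 32 holds the first trunk page, offset 36 the
    declared page count; each trunk page starts with next-trunk and leaf-count."""
    with open(db_path, "rb") as fh:
        header = fh.read(100)
        if header[:16] != b"SQLite format 3\x00":
            raise ValueError("not a SQLite 3 database")
        page_size = struct.unpack(">H", header[16:18])[0]
        page_size = 65536 if page_size == 1 else page_size  # 1 encodes 64 KiB pages
        first_trunk, declared_total = struct.unpack(">II", header[32:40])
        trunks, leaves, trunk = [], [], first_trunk
        while trunk:
            trunks.append(trunk)
            fh.seek((trunk - 1) * page_size)  # pages are numbered from 1
            next_trunk, count = struct.unpack(">II", fh.read(8))
            leaves.extend(struct.unpack(">%dI" % count, fh.read(4 * count)))
            trunk = next_trunk
    return {"page_size": page_size, "declared_total": declared_total,
            "trunks": trunks, "leaves": leaves}

def make_sample_db(db_path):
    """Constructed sample: spread rows over many pages, then delete them all so the
    emptied pages land on the freelist (auto_vacuum is off by default)."""
    con = sqlite3.connect(db_path)
    con.execute("CREATE TABLE msgs(id INTEGER PRIMARY KEY, body BLOB)")
    con.executemany("INSERT INTO msgs(body) VALUES (?)", [(os.urandom(200),) for _ in range(400)])
    con.commit()
    con.execute("DELETE FROM msgs")
    con.commit()
    con.close()

def demo():
    db_path = os.path.join(tempfile.mkdtemp(), "sample.db")  # assumed file name
    make_sample_db(db_path)
    return freelist_pages(db_path), sidecar_hashes(db_path)
```

Records carved from the listed leaf pages are exactly what a viewer presents as "deleted data"; the hashes let an examiner show that the database and its sidecars were unchanged by the review.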

Cloud

Cloud Extractor Enhancements

Investigators can now extract evidence from Grindr iCloud backups using the corresponding iCloud login and password. The evidence set includes account information, contacts, files, as well as private and group chats. 2FA is also supported.

The updated Oxygen Forensic® Cloud Extractor also offers the extraction of new types of Instagram messages: voice messages, video chat notifications, liked messages, and stickers. We’ve also updated authorization and extraction algorithms for Slack, Evernote, iCloud Contacts, and WhatsApp Cloud.

Computer artifacts

KeyScout Enhancements

We’ve introduced a great number of enhancements and support for new artifacts in KeyScout. First, we’ve added import and parsing of new RAW formats: DD, BIN, and IMG. The import option is located under “Desktop Extractions” on the Home screen of Oxygen Forensic® Detective.

Second, the updated KeyScout offers the ability to extract data from external drives. Select the “Drive” option in the Home screen of Oxygen Forensic® KeyScout and follow the instructions. Extraction is possible with elevated privileges only.

Third, we’ve redesigned the KeyScout Home Screen. It now offers investigators the option to conveniently select search templates before beginning an extraction. Finally, new artifacts have been added:

• Extraction of Apple Unified Log from macOS.
• Extraction of the web-based version of Instagram from Google Chrome Browser as well as extraction of Google Chrome Browser cache.
• Support for Your Phone and Chatwork apps.

Minor Improvements

Oxygen Forensic® Detective can now ingest two new types of third-party images: UFDR reports made from non-smartphones and Huawei backups created in UFED.

Resolved Issues

• Extraction issues with Xiaomi Redmi 3S and Micromax Q402 Plus.
• Export issue with a 174GB iTunes backup.
• Oxygen Forensic® Extractor not allowing users to enter PIN/PUK for SIM card extraction.
• Not all messages were being parsed from a Samsung Smart Switch backup made from a Samsung S8+ device.
• Calls and messages not being parsed from UFDR reports.
• Messages of Facebook Search Warrants being shown as incoming.
• Parsing issues of Element Messenger and Discord cache.
• Date modified timestamps of exported files were being saved incorrectly from the Files section.
• Issues with Slack cloud data extraction.
• Filter for geo coordinates did not work on Maps that were opened from the Timeline section.
• Addresses received via WiGLE were not correctly displayed on the sidebar.
• Ctrl+space hotkey did not mark files as Key Evidence in a thumbnail view.