We present the latest update of our flagship software, Oxygen Forensic® Detective v.14.3! This version introduces support for a new Kirin 985 chipset, full file system extraction of iOS 15 devices, import of Google Takeout data, support for the WhatsApp QR Multi-Device cloud service, search by hex lists, and many other features. The key features will be described in detail in our corporate blog. For a full list of updates, refer to the “What’s New” file in the software Options menu.
Support for Kirin 985 chipset
Oxygen Forensic® Detective v.14.3 introduces support for a new Kirin 985 chipset. Using the Huawei Data method, investigators can now access even more screen-locked Huawei devices and decrypt their data. Supported devices include Honor 30, Huawei nova 7 5G, Huawei nova 7 Pro 5G, Huawei nova 8 5G, Huawei nova 8 Pro 4G/5G, and Honor Pad V6 10.4.
Please note that the SPL (Security Patch Level) should be no later than June 2021.
Checkm8 support for iOS 15 devices
A full file system can now be extracted from Apple devices running iOS 15.0 – 15.3.1. These devices include iPhone 6, iPhone 6s Plus, iPhone SE, iPhone 7, iPhone 7 Plus, iPhone 8, iPhone 8 Plus, and iPhone X. Moreover, we’ve completely redesigned the algorithm of keychain extraction for iOS 15 devices.
Zoom Data Extraction via OxyAgent
Zoom data can now be quickly collected from any unlocked Android device via OxyAgent. OxyAgent can be installed on a device via USB, Wi-Fi, or an OTG device. The evidence set includes information about the account, contacts, private and group chats, conferences, and calls. Please note that an internet connection is required for this extraction method. In addition to the OxyAgent method, investigators can use other approaches to collect Zoom evidence from mobile devices, computers, and the cloud in Oxygen Forensic® Detective.
Android Full File System Enhancements
We’ve added a new exploit to our Android full file system method. This exploit covers unlocked Android devices based on many Qualcomm chipsets: MSM8917, MSM8953, SD205, SD210, SD429, SD439, SD450, SD460, SD480, SD632, SD660, SD662, etc. Supported devices must run Linux kernel version 4.9, 4.14, 4.19, or 5.4 and have an SPL (Security Patch Level) no older than May 2021. Our support includes Xiaomi Mi 5, Moto G5, Samsung A11, and Samsung A70.
App Decryption with the Android KeyStore keys
Oxygen Forensic® Detective v.14.3 allows decrypting app data with the keys from the Android KeyStore. This approach is available within the Android Full File System method, which works on unlocked Android devices running version 5 and later. An Android device needs to be either compatible with the above-mentioned method or connected in a rooted state. Currently two apps, Signal and Silent Phone, are supported for decryption, but the list will be growing.
Investigators can now extract evidence from the following new apps: Spark, Mi Fit, Burner, Craigslist, SberDisk, and Litchi for DJI Drones. The total number of supported app versions now exceeds 28,500.
Support for WhatsApp QR Multi-Device
The WhatsApp multi-device feature is widely available in a beta version. It allows users to link up to four devices, without having to keep their primary mobile device connected to the internet. Following this trend, we have added support for the WhatsApp QR Multi-Device service. As before, investigators can authorize it by scanning a QR code with a mobile device in Oxygen Forensic® Cloud Extractor. The evidence set will include the information about the account, chats, contacts, and missed calls. Investigators can now select particular WhatsApp chats for extraction. Please note that the previous version of the WhatsApp QR service is also available in our Cloud Extractor.
Mi Fit Cloud Extraction
Welcome our 100th supported cloud service – Mi Fit, the app that tracks activity, analyzes sleep, and evaluates workouts. Authorization in this service is available via many combinations, including username and password, unique identifier and password, and token from mobile devices, username and password from Xiaomi, Google, or Facebook accounts. Extracted evidence will include contacts, body measurements, band data, alarms, and more.
New Computer Artifacts
The updated Oxygen Forensic® KeyScout now supports macOS images with the APFS file system, as well as the following drives and images that contain the exFAT file system: E01, RAW / DD, VHD, VDI, VMDK, DMG, and ISO. Other important KeyScout updates include:
- The ability to view the information about installed and auto run apps on macOS.
- Support for Spark app on macOS.
- Updated JumpLists parsing from Windows.
- Updated support for Apple pre-installed apps: Calendar, Contacts, Mail, Maps, Messages, Notes, Photos, and Reminders.
- Updated Skype parsing.
Import of Google Takeout and MTK Feature Phones
Two new import formats are added in this update. First, investigators can now import and analyze Google Takeout data. Overall, Google Takeout data may contain many categories, including Google Photos, Google Home, Google Contacts, Google Wallet, etc. Second, MTK feature phone extractions can be ingested and parsed in Oxygen Forensic® Detective.
Search by Hex Lists
Oxygen Forensic® Detective v.14.3 introduces the ability to search in file content by hex sequences. It can be done both at data import and in the Search section. We’ve also added the Hex Lists Manager that stores pre-installed and custom hex lists. To search by hex sequences, go to the Search section, switch to the Hex tab and manually enter a hex sequence or choose one from the Hex list.
Enhanced Support for Video Frames
Oxygen Forensic® Detective allows splitting videos into video frames. It is done automatically on the Videos tab in the Files section. Investigators can select the interval from 1 second to 30 seconds. In version 14.3, we’ve introduced the ability to add video frames to Key Evidence and assign tags to them. Now, working with video evidence is much easier.
- Error of not having enough space in cache partition while using the Samsung Exynos method.
- Not all data was being collected from Chromium browser by Oxygen Forensic® KeyScout.
- Exporting from case filter applied only to the first extraction in a list.
- Invalid floating point operation error on attempt to export Apple messages as chats in separate files.
- Issue when MPG/MPEG video files were classified as audio.
- Issue when media files were encrypted in imported Huawei backups.
- Issue when no app data was found by custom search in DD image in Oxygen Forensic® KeyScout.
- Issue when 3gp audio files were not detected during the custom search in Oxygen Forensic® KeyScout.