We’re officially halfway through the year, which means it’s time to recap the most innovative functions we were able to bring to the digital forensics community. We’ve divided our recent advancements into 4 categories: Cloud Data Extraction, Mobile Data Extraction, Computer Artifacts, and Data Analytics.
Mobile Data Extraction
Next on our list are mobile data extractions. Our development team has dedicated much of this year to introducing new extraction and decryption techniques for mobile data acquisition. Below are the extraction methods that we found to be most beneficial when acquiring critical evidence.
- Sony MTK Dump – Bypass screen locks and create a full physical dump of Sony devices based on MTK chipsets with Full Disk Encryption (FDE). If Secure Startup is enabled, investigators can use the built-in brute force module to find the user passcode.
- Samsung Exynos Devices – Samsung Exynos devices running Android OS 9-11 with File-Based Encryption (FBE) are now supported. This method also allows the extraction of Samsung Secure Folder data.
- Huawei/Honor Devices – Bypass screen locks and decrypt evidence from devices using FBE and based on the following Qualcomm chipsets: MSM8917, MSM8937, MSM8940, and MSM8953.
- HuaweiPrivate Space – Decrypted data from locked Huawei Android devices running Android 9-10 and based on Kirin chipsets.
- MTK Chipsets – Acquire data from screen-locked Android devices based on the following MTK chipsets: MT6739, MT6737 and MT6580.
- Qualcomm-based Devices – Gain temporary root rights and perform file system acquisitions to unlocked devices running Android OS 7-10 and with a Security Patch Level no later than December 2020..
- OxyAgent Utility – Android OS 11 is now fully supported. Quickly collect data from Discord, Twitter, Viber and Line apps. We’ve also added the option to create video recordings of any data inside a device.
- Checkm8 Method – This method has been continuously updated for iOS full file system extraction. Currently, it supports Apple devices running iOS versions up to 15 beta.
Cloud Data Extraction
Device acquisition and decryption are one of the most challenging aspects of a digital investigator’s job. We place great importance on this form of data acquisition given that access to cloud data uncovers a whole new world of evidence for investigators.
This year we have added support for 6 new cloud services:
- Ring Video Doorbell
Additionally, we updated authorization and extraction algorithms for our 90+ supported cloud services. Among the most important are the added ability to:
- Decrypt WhatsApp backups of the latest crypt14 format
- Extract the latest iCloud backups (including iOS 15 beta version)
- Extract data using the WhatsApp QR code method
Enhancing Oxygen Forensic® KeyScout has also been a priority. First, we added the ability to capture RAM and save it to RAW format. Now, investigators can import and parse new backup formats to include file system ZIP archives as well as AD1, and L01 logical images. We also added parsing of many new computer artifacts and apps and redesigned the Options menu.
In their everyday work, investigators have to deal with incredible amounts of extracted evidence.. Considering this, we introduced several new analytical tools that are guaranteed to save investigators time and reduce backlogs. Our most recent enhancements include:
- An improved Facial Categorization system that allows users to create face sets and conduct searches for specific faces within one or more extractions in the Search section.
- Automatic Similar Image Analysis using PhotoDNA technology is now offered in the Files section
- The “Application Activity” tab in the Timeline section allows investigators to gain quick insights into the activity of applications extracted from Apple iOS and Android devices as well as computers.
- 7 new Smart Filters are available in the Timeline section, offering investigators a great opportunity to filter Timeline events by various criteria and quickly find relevant evidence.