Oxygen Forensic® Detective 13.5 is now available! Decrypt Huawei PrivateSpace data, perform extraction of Android OS 11 devices, capture RAM and more.
Support for Samsung Exynos devices
Oxygen Forensic® Detective v.13.5 brings enhanced support for Samsung Exynos devices. Investigators can now perform full-file system extractions of Samsung devices that run pre-installed Android OS 9 and 10 and use File-Based Encryption (FBE). If a user passcode is set on a device, it should be entered in the corresponding field in the software. Unlike our Samsung Exynos method for Android OS 7 through 9 devices with Full-Disk Encryption (FDE), this method does not currently include the ability to brute force the passcode.
This new approach also gives investigators access to the Samsung Secure Folder and its contents. The Secure Folder is a secure location within a Samsung device that enables users to store private data. Secure Folder extraction is supported only for Samsung Exynos devices with FBE.
Access to Huawei PrivateSpace
Huawei PrivateSpace lets users store their private information in a hidden space within the device that can only be accessed with a fingerprint or password. Oxygen Forensic® Detective v.13.5 now gives investigators the ability to access data in the Huawei PrivateSpace. To decrypt this securely hidden data, investigators will need to either enter the password or find it with the built-in brute force module. The functionality is available within the Huawei Android Dump method.
Enhanced support for Qualcomm devices
The Android full-file system extraction method now offers additional capabilities for devices using Qualcomm chipsets and running Android OS 7 through 10. The new exploit allows investigators to gain root rights and extract a full file system. The Security Patch Level (SPL) must not be greater than December 2020.
Support for Android OS 11
OxyAgent is now compatible with Android devices running OS 11. Investigators can now use the powerful OxyAgent utility to extract evidence from any unlocked Android device. The evidence set includes contacts, messages, calls, calendars, available files and supported third-party apps.
Hash calculation for physical dumps
Investigators can now choose to calculate hashes for extracted physical dumps in the Oxygen Forensic® Android Extractor. To do this, switch to the Settings menu and select one or several preferred hash sets: SHA1, SHA256, SHA3-256 or MD5.
The updated Oxygen Forensic® KeyScout allows investigators to capture memory (RAM) and save it in RAW format for further analysis in third-party solutions, like Volatility. To create a RAM dump, copy the portable KeyScout from the main Oxygen Forensic® Detective Home menu to the removable media. Then, run it on a subject’s PC and choose the “Capture RAM” option on the Home screen. The RAM capture will be displayed on the Memory tab in KeyScout.
Deleted Record Recovery
Deleted record recovery is available in the new File Viewer for SQLite databases. The recovery process now takes significantly less time and uses less RAM and CPU resources. Moreover, deleted record recovery is more accurate.
To recover deleted records, simply switch to the “SQLite with Recovered Records” tab. The recovery process will start automatically. Deleted records will be displayed with a trash bin icon and highlighted in yellow. Search is available for both actual and recovered records.
Similar Image Analysis
Oxygen Forensic® Detective v.13.5 offers a convenient analysis of similar images using PhotoDNA technology. Similar Image Analysis is done automatically when entering the Files section of an extraction or a case. It takes seconds to analyze 200-300 thousand images. Similar images can be located on the Similar Images tab in the panel below.