Huawei Device Support In Oxygen Forensic Detective

Oxygen Forensic Detective offers various methods of data extraction from Huawei devices. First, Huawei devices can be connected via USB cable for logical or physical acquisition, depending on the model and Android OS version. However, with constantly growing device security, direct data extraction from a device is getting more and more difficult. With this in mind, we keep on introducing alternative methods of device data extraction. For Huawei devices we have two options.

Huawei backups

Huawei backups are a good alternative to direct data extraction. They can be created in two ways – either in Huawei’s HiSuite software on a PC or from the device itself, with the data residing on its SD card. Our software allows investigators to import both Huawei and HiSuite backups up to and including 9.1, the latest version. The evidence set is massive and includes contacts, calls, messages, calendar events, and file system artifacts, including the data/data folder and applications. In our testing, all the most popular applications are fully parsed: WhatsApp, Facebook Messenger, Gmail, Web browsers, Instagram, etc. Please note that a standard Android ADB backup often will not include these apps.

Huawei backups can be encrypted if the user has set a password. However, this is not a problem for Oxygen Forensic Detective. Investigators can either enter a known password or brute force it using the built-in brute force engine, and can even use custom dictionaries. It should be noted that various versions of Huawei backups can be encrypted with different encryption algorithms. Of note, the latest version (9.1) of Huawei and HiSuite backups found on the SD card will be encrypted by default even if a user has not set any password. Best of all, Oxygen Forensic Detective supports any encrypted backup regardless of encryption algorithm and version.

When should an investigator use this method?

a) When full access to the device is available but the important data (e.g., apps) cannot be extracted using typical extraction techniques. In this instance, create a Huawei backup and import it into Oxygen Forensic Detective or Jet Engine.

b) When you have a locked device that cannot be acquired. Check the SD card for a Huawei backup that might have been made by the device owner. If one is located, simply import it as indicated above.

Huawei cloud

The cloud is a goldmine of digital evidence. In certain cases, when a Huawei device cannot be acquired directly, the associated cloud account might be the only alternative. Oxygen Forensic Cloud Extractor offers investigators a feature exclusive in mobile device forensics: access to a user’s data within the Huawei cloud via login/password or token. Tokens can be located and parsed in Oxygen Forensic Detective if a physical acquisition has been conducted. If a Huawei cloud account is secured with 2FA, Oxygen Forensic Cloud Extractor offers two options: receive a verification code by SMS or by email.

When successful, the following data can be extracted from the Huawei cloud account:

1. Account details
2. Connected device(s)
3. List of email accounts
4. Contacts including deleted ones
5. Calls
6. Calendar events
7. Messages
