Oxygen Forensic Detective 12.6 Enhances Support For Huawei And Apple iOS Devices

Oxygen Forensics announced today the release of Oxygen Forensic Detective v.12.6, Powered by JetEngine, the company’s flagship software. This release introduces Telegram and Huawei cloud data extraction via QR code, support for the latest iCloud backups, a new WhatsApp extraction method, full file system acquisition from Apple iOS devices, an enhanced Huawei Android dump, and many other features.

WhatsApp extraction from Android devices

When physical extraction is not supported for Android devices, investigators can use OxyAgent to run a logical extraction to collect data. Our OxyAgent is typically used to acquire basic artifacts that include: contacts, calls, calendars, and messages. With the updated OxyAgent, logical extractions using Oxygen Forensic Detective 12.6 will now include valuable WhatsApp data. Investigators can now collect WhatsApp and WhatsApp Business chats, contacts, and account information using OxyAgent, when installed on an Android device.

To start a WhatsApp extraction, choose “Extract third-party applications data” in the OxyAgent home screen, and follow the instructions. Once the WhatsApp data is collected, investigators can then extract other available data using the OxyAgent and collectively import it into Oxygen Forensic® Detective for review and analysis.

Enhanced Huawei Dump Method

Earlier this year, Oxygen Forensics introduced screen lock bypass, physical extraction, and physical dump decryption for Huawei devices running Android OS 9-10 and based on Kirin 980, 970, 710 and 710F chipsets. The latest Oxygen Forensic® Detective 12.6 adds support for 5 more Kirin chipsets: 659, 810, 960, 990 and 990 5G. Overall, our support now covers 134 Huawei devices released within the last two years. Additionally, we have significantly improved the process of dump decryption, making it smoother and easier for investigators to obtain a decrypted image.

Apple iOS Full File System Extraction

Oxygen Forensic® Detective 12.6 offers full file system extraction using the checkm8 vulnerability from Apple iOS devices running iOS up to and including 13.6. The supported devices extend from Apple’s A7 to A11 SoC, which includes iPhone 5s through iPhone X and the corresponding iPad devices. The process of device acquisition via the checkm8 vulnerability is now completely automatic.

Easily operate this built-in feature by first connecting the device to a PC and launching Oxygen Forensic® Detective. Select Oxygen Forensic® Extractor and choose “iOS Advanced Extraction” in the clearly labeled menu. Finally, select “Checkm8 acquisition”.

Our software continually adds additional applications for selective extraction. Using this feature with a jailbroken Apple iOS device, investigators can select only the artifacts they will need in their evidence set, saving time, and benefitting the limited scope of some investigations. These artifacts may include general section data, like contacts, calls, messages, mail, Apple Photos, as well as various popular apps.

QR code method for Telegram and Huawei clouds

The updated Oxygen Forensic® Cloud Extractor provides the ability to extract complete Telegram and Huawei cloud data by scanning a QR code from a mobile device. If legally permissible (e.g., warrant, court order, consent), the QR code method will allow investigators to quickly transfer all the data from a mobile device into Oxygen Forensic® Detective. Please note, the QR code authorization is also supported for WhatsApp, Viber, Line Messengers, and Line Keep.

Support for the latest iCloud backups

With the Apple security protocols, obtaining a successful extraction of the latest iCloud backups with 2FA enabled has become a real challenge for digital investigators. The updated Oxygen Forensic® Cloud Extractor provides access to the latest iCloud backups made from Apple iOS devices with OS versions 13 and 14. Extraction is available via login and password, with complete instructions on the process outlined within the Oxygen Forensic® Cloud Extractor.

New computer artifacts

The updated Oxygen Forensic® KeyScout now allows investigators to collect a great number of new artifacts, both on Windows and macOS computers. To begin, investigators can extract complete data from Zoom, Facebook Messenger, and Amazon Photos apps installed on Windows and macOS. Next, the KeyScout gives investigators more insight into computer usage by collecting information about application activity from the ActivitiesCache file. The KeyScout also retrieves information about executed apps from the Amcache file and extracts the list of installed Windows applications.

Enhanced analytics

We’ve brought several enhancements to our built-in analytics tools:

  • Our Image Categorization detects images of two new types – vehicles and chats. If an investigator enables Image Categorization in the Options program menu, images will be automatically categorized during the data extraction and import. Users will be able to view the results in the Key Evidence and Files sections.
  • We’ve also added the ability to view locations on the Oxygen Forensic® Maps based on the selected time zone. Investigators can set a required time zone in the Options menu in Maps.
  • Now, investigators can select contacts of interest in the Contacts section. Clicking on the Social Graph button on the toolbar will immediately visualize connections between selected contacts on the Social Graph. Furthermore, various modes of Social Graph can be opened on separate tabs, making analyzing social links even easier.

Wish to try the new Oxygen Forensic Detective? Ask for a demo license here.
