Oxygen Forensic® Detective 13.0 introduces the ability to bypass screen lock, perform physical acquisition, and decrypt data from Samsung devices based on Exynos chipset. The functionality is available for Samsung devices running Android OS 7,8 and 9 and covers 76 devices models. There is also a built-in opportunity for our users to request support for an unsupported Samsung model.
Oxygen Forensic® Detective performs physical acquisition without changing the KNOX counter. If Secure startup is enabled on a device the software offers the opportunity to brute force the passcode to decrypt a physical dump.
Overall Exynos is the 5th chipset supported by Oxygen Forensics screen lock bypass methods. The others are Kirin, MTK, Qualcomm, and Spreadtrum.
Optical Character Recognition
Oxygen Forensic® Detective offers the new OCR section that is available at no additional charge to all the users. Now investigators can easily convert texts on screenshots and photos into machine-encoded ones. To enable and configure the Optical Character Recognition feature please go to Options/Advanced analytics in the software. In the OCR section, you can run image OCR pressing the relevant button on the toolbar.
Support for new cloud services
The updated Oxygen Forensic® Cloud Extractor adds support for 3 new cloud services and brings improvements for many existing ones. The total amount of supported cloud services equals 86.
- Zoom. Access to the Zoom cloud is available via login/password or token found in Apple iOS and Android devices. Extracted evidence will include the account information, contacts, chats and conferences.
- Huawei Cloud Backups. Besides the already supported Huawei Cloud Data services, now there is an opportunity to extract complete Huawei Cloud Backups via login/password, token, QR code or SMS code.
- Firefox Lockwise. Access to this service is available via login/password or token found in Apple iOS devices. Investigators can extract the account information and saved logins and passwords.
Support for new computer artifacts
The updated Oxygen Forensic® KeyScout is now able to collect more new artifacts on computers. First of all, it allows investigators to extract all available user data from Telegram Desktop, Skype, Drobox, WhatsApp Desktop, and Google Sync apps on Windows and macOS.
Secondly, the KeyScout can now extract several new system files: Prefetch files that contain detailed information on what apps have been run on PC, Events from the Windows registry and $MFT files that contain the information about the NTFS file system.
Moreover, there is an opportunity now to run the Scout with the Admin rights to gain low-level access to Windows drives and thus to more complete information.
Enhanced support for WhatsApp
In the new version, we have added two enhancements for our WhatsApp extraction methods.
- Now you can collect additional data from Android devices using installed OxyAgent: audio and video calls, full information about contacts participating in group chats, contact pictures, etc.
- We’ve added the new decryption method for WhatsApp iCloud and WhatsApp Google backups. Now backups can be decrypted via WhatsApp Cloud token that is automatically saved in the software after WhatsApp Cloud service is used. This WhatsApp Cloud token decrypts any WhatsApp backups associated with the same phone number.
Finally, all the extracted system files are not shown in the single System Artifacts section in Oxygen Forensic® Detective.
Import of Meiya Pico extractions
Oxygen Forensic® Detective 13.0 can now import and analyze extractions made from Apple iOS and Android devices with the Meiya Pico tool. Oxygen Forensic® Detective will fully parse all the data available in Meiya Pico backups.
Now investigators can search data more quickly using search templates. They can be created and saved in the Search section. Search templates can contain any supported search criteria that include RegEx, Keywords, Hash Sets, Text, etc. Search can be done in parsed data, in file names, or file content.
Wish to try Oxygen Forensic® Detective 13.0? Request a fully-featured demo license here.