Oxygen Forensic Detective 13.6 Introduces Support For Qualcomm-Based Huawei Devices

Oxygen Forensic Detective 13.6 is now available! Extract Ring Video Doorbell data, acquire locked Qualcomm-based Huawei devices, Samsung Exynos devices with Android OS 11 and more.

 Ring Doorbell data extraction

Ring LLC, an Amazon-owned company, is a home security and smart home company. One of their flagship products is the Ring Video Doorbell, a smart doorbell that contains a motion-activated camera equipped with a microphone and speaker. The footage captured by the video doorbell can be viewed in real-time or played back in the Ring mobile app. Oxygen Forensic® Detective v.13.6 now allows Ring data extraction from mobile devices, computers, and the cloud.

  • Cloud extraction is available using Ring login credentials or a token. Evidence obtained includes account information, connected devices, event history, video recordings, invited and registered contacts, location details, payment information.
  • Ring data extracted from Apple iOS and Android devices will include account and device information, locations, event history, cache, cookies, logs, and camera snapshots. We recommend using a full file system extraction to acquire the most data.
  • Investigators can also collect Ring artifacts from Windows and macOS computers using Oxygen Forensic® Depending on the computer’s OS this will include information about authorized devices, the device owner, camera snapshots, and logs.

Ring doorbell extractions can not only be conveniently analyzed in Oxygen Forensic® Detective v.13.6 but also merged with other data extractions to build a more comprehensive case.

Support for Qualcomm-based Huawei devices 

Oxygen Forensic® Detective v.13.6 now offers the ability to bypass screen locks and decrypt evidence from Huawei/Honor devices using File-Based Encryption (FBE) and based on the following Qualcomm chipsets: MSM8917, MSM8937, MSM8940, and MSM8953.

To acquire a device, choose the “Huawei Qualcomm EDL extraction” method in the Oxygen Forensic® Android Extractor and follow the instructions. Supported models include Honor 7A (AUM-L29), Huawei Y6 (2018), Mediapad M3 lite 8, etc.


Get The Latest DFIR News

Join the Forensic Focus newsletter for the best DFIR articles in your inbox every month.

Unsubscribe any time. We respect your privacy - read our privacy policy.


Samsung Exynos Dump for Android 11 devices

We’ve once again extended our Samsung Exynos method and now it supports Samsung devices that were updated to Android OS 11 from Android OS 9 and 10. The method allows extraction of a full file system from a wide variety of Samsung Exynos devices with File-Based Encryption.

 New Extraction Method for Twitter and Line

Oxygen Forensic® Detective v.13.6 introduces a new extraction method for Twitter and Line apps. Now investigators can collect this app data from any unlocked Android devices using OxyAgent. Install it on a device, select the Twitter or Line artifacts that need to be collected, and once it is done, import the extraction into Oxygen Forensic® Detective for further analysis. This app extraction method via OxyAgent also supports WhatsApp, WhatsApp Business, Signal, and Discord.

Support for WhatsApp crypt14 version

WhatsApp has recently introduced a new version of crypt14 that is used to encrypt WhatsApp backups. With Oxygen Forensic® Detective v.13.6, investigators can decrypt backups encrypted with this version both from mobile devices and in the Oxygen Forensic® Cloud Extractor using a phone number or token. Additionally, we have improved our decryption support of older versions, such as crypt7, crypt8, and crypt9.

GroupMe Cloud Extraction

GroupMe is a messaging app that has over 12 million registered users and is currently owned by Microsoft. The updated Oxygen Forensic® Cloud Extractor allows investigators to extract evidence from a GroupMe account via GroupMe, Microsoft, Google or Facebook credentials or using a token extracted from a mobile device. Evidence sets will include account details, contacts, events, as well as private and group chats with attachments and polls.

KeyScout Enhancements

We’ve introduced several enhancements to Oxygen Forensic® KeyScout. Now investigators can:

  • import and parse L01 images made on Windows, macOS, and Linux computers
  • collect logs from var/log folder on macOS and Linux
  • extract system and user Preferences from macOS
  • collect more artifacts from the Windows registry
  • extract user data from the Unigram app on Windows

Viewer for SQLite databases

We’ve added a Recovery Info column on the SQLite recovered data tab. This column will display the source file of a recovered record, which can be in .db, .log, or .wal format. Click the link to be transferred to the original record in the source file shown in the Hex Viewer. Finally, we’ve added a Recovery Options button where users can utilize detailed options for deleted data recovery.

Passcode Bruteforce Enhancements

Now investigators can select several brute force attacks that will be carried out one after another. Moreover, we made the passcode brute force process more detailed, adding information about speed, estimated number of passcodes, and number of checked passcodes.

Import and Export Enhancements

Oxygen Forensic® Detective v.13.6 allows investigators to export extracted data to Project VIC 2.0. In the Applications section, investigators can now export geo coordinates to KML and GPX formats for further analysis. For Load File format, we’ve introduced the ability to save and import report templates. Finally, investigators can now import and analyze UFED reports (UFDR format) in Oxygen Forensic® Detective.

New App Support

Oxygen Forensic® Detective v.13.6 brings support for 7 new apps and updates data parsing for 600+ app versions. The new apps are Ring, Google Admin, Mega, Marco Polo, Huawei Browser, Mi Browser, and Samsung Notes.

Wish to try version 13.6? Ask for a fully-featured demo license.

Leave a Comment