This has been a challenging year for all of us, and as it comes to a close, we wanted to take this opportunity to thank our customers and the forensic community for their continued support and trust in us during this time.
We are proud and grateful to acknowledge that Oxygen Forensics has not only adjusted to the changing environment but led the industry with innovative online training, continued output of groundbreaking tools, and consistent, world-class customer service.
MOBILE DEVICE EXTRACTION
The screen lock bypass methods we introduced for Android devices this year put us at the forefront of the mobile forensics industry. Our complete catalog of supported physical extraction methods does not only allow investigators to extract evidence from a locked Android device but also decrypt dumps using the built-in brute force module. Let’s recap our most notable achievements.
- Added Huawei Kirin Support. Our exclusive Huawei Android Dump enables extraction and decryption of devices based on 710, 710F, 810, 659, 960, 970, 980, 990, 990 5G Kirin chipsets with File-Based Encryption and running Android OS 9 and 10.
- Introduced extraction for Exynos chipsets. Samsung Exynos Dump provides extraction and decryption of devices based on Exynos chipsets with Full Disk Encryption and running Android OS 7, 8 and 9.
- Introduced support for 2 new MTK chipsets. MTK Android Dump method now supports two new chipsets for extraction and decryption – MT 6739 and МТ 6580.
- Improved support for Qualcomm chipsets. Investigators can perform a screen lock bypass, physical extraction, and decrypt physical dumps of Android devices based on Qualcomm MSM8917, MSM8937, MSM8940 and MSM8953 chipsets.
- Improved support for Spreadtrum chipsets. Our Spreadtrum Dump method now supports extraction and decryption for devices based on Spreadtrum SC9850, Spreadtrum SC9863, Spreadtrum SC7731E, and Spreadtrum SC9832E chipsets.
- Introduced data acquisition via checkm8. We added Apple iOS full file system and keychain extractions using the checkm8 vulnerability for iPhone 5s through iPhone X, as well as the corresponding iPad devices running iOS up to and including 14.3. Selective data extractions are available for this method.
- Enhanced OxyAgent utility. Investigators can now use USB or Wi-Fi to extract evidence from Android devices. OxyAgent also allows investigators to screenshot data and extract WhatsApp and Signal Messenger data, Android file structure, and the list of apk files as long as the device is unlocked.
- Added a new extraction method for Android devices. We introduced file system extraction for Android devices with File-Based Encryption and running Android 10. This method is based on rooting and allows access to device applications.
DATA IMPORT
We added several new file formats to Oxygen Forensic Detective. Now investigators can import and parse data from Facebook, Twitter, Snapchat, and Instagram Warrant Returns. Similarly, we added parsing of Samsung Smart Switch backups, a great alternative source of evidence. Not stopping there, we introduced support for Android and PC E01 images and Meiya Pico extractions to our list.
CLOUD DATA EXTRACTION
Our number of supported cloud services has increased once again to double and triple those of our nearest competitors. This year we added 14 new cloud services to our catalog: Slack, Skype, SecMail, Zoom, Amazon Photos, Airbnb, IMO, Firefox Lockwise, Firefox Browser, Huawei Cloud backups, VIPole, Evernote, and JioChat.
Moreover, we introduced the ability to extract iCloud backups made from the latest Apple iOS 14.3 devices.
Our industry-first innovative method of cloud data extraction via QR code was significantly extended. Investigators can now use QR codes to extract cloud evidence from Telegram, Huawei Cloud Data, Huawei Cloud backups, as well as previously supported apps like WhatsApp, Viber, Line Messengers, and Line Keep.
We also updated authorization and extraction algorithms for already supported cloud services like Wickr Me, FitBit, Huawei Cloud, Instagram, Google Mail, Line Google Backup, Linkedin, Mi Cloud, Outlook Calendar, Outlook People, and OneDrive. We also improved extraction via our WhatsApp QR method, WhatsApp cloud, and WhatsApp backup decryption via phone number.
Overall, our built-in Cloud Extractor supports 90 cloud services.
COMPUTER ARTIFACTS
Throughout the year, each release has made our Oxygen Forensic® KeyScout a more powerful tool for computer live artifact collection.
To start, we gave investigators the ability to recover valuable insights into computer usage by collecting a wide variety of system files, such as Jump Lists, Shellbags, USBSTOR, Amcache, ActivitiesCache, Prefetch, and many others on Windows PCs. For macOS users, we added Quarantine Events and FSEvents files.
Our powerful Oxygen Forensic® KeyScout can locate and decrypt a vast number of computer artifacts and credentials for various pre-installed Apple apps on macOS. Signal Messenger, Zoom, Facebook Messenger, Amazon Photos, Dropbox, Google Sync, Skype, Telegram, Slack, OneDrive, and Evernote data on macOS and Windows computers can also be located and decrypted.
DATA PARSING AND ANALYSIS
First, we focused on improving decryption capabilities for secure apps such as Signal Messenger, Wickr Me, Wire, ChatSecure, and Facebook secret chats. Decrypting app data from Apple iOS devices is now possible after the introduction of full keychain extraction via checkm8. The total amount of supported app versions now exceeds 19,500.
When it comes to analytics, we are known for providing our users with the industry’s most comprehensive and innovative tools. This year we introduced several new features built into Oxygen Forensic Detective at no additional cost:
- Optical Character Recognition – allows investigators to easily search for words located within screenshots and images by automatically converting them to machine-encoded text.
- New Statistics Section – helps investigators quickly gather actionable intelligence of a user’s activity. This tool also tracks the investigator’s interactions with the evidence.
- New Reports section – places all generated reports in one location for simpler, more efficient access.
- Enhanced Image Categorization – we added several new categories, such as Vehicles, Chats, QR codes, Maps. In total, this section offers 16 categories.
- Enhanced Facial Categorization – allows investigators to identify people wearing glasses, hats, and, most importantly, masks.
Wish to try Oxygen Forensic Detective? Ask for a demo license here.
