Oxygen Forensics: 2021 in Review

As this year comes to a close, we want to recap the advancements we’ve undergone as a company, as well as some of our favorite software features of 2021. This year we were finally able to return to onsite conferences and training. We all missed real meetings so much! Not only that, but we also experienced tremendous growth, bringing on new team members, expanding our headquarters, and adding a new location in the UK.

None of this would be possible without your continued support and trust in us. We thank you for joining us in our mission to help good people make this world safer, and we look forward to continuing this journey.

Mobile Data Extraction

For the second year in a row, we are leading in screen lock bypass and decryption methods for Android OS devices. We’ve implemented numerous methods that allow investigators to access critical evidence, even when it seemed impossible. Let’s review our most advanced extraction methods of 2021.

  • Samsung Exynos Devices. Samsung Exynos devices running Android OS 9-11 with File-Based Encryption (FBE) are now supported. This method allows the extraction of Samsung Secure Folder data.
  • Huawei Qualcomm Devices. Bypass screen locks and decrypt evidence from devices using FBE and based on the following Qualcomm chipsets: MSM8917, MSM8937, MSM8940, and MSM8953.
  • Huawei Kirin Devices. Bypass screen locks and decrypt evidence from devices running Android OS 9 and 10, and the latest SPL (Security Patch Level) of May and June 2021.
  • Huawei Private Space. Decrypt Huawei Private Space data from locked Huawei Android devices running Android 9-10 and based on Kirin chipsets.
  • Sony MTK Devices. Bypass screen locks and create full physical dumps of Sony devices based on MTK chipsets with Full Disk Encryption (FDE). With Secure Startup enabled, investigators can use the built-in brute force module to find the user passcode.
  • Android MTK Devices. Acquire data from screen-locked Android devices based on the following MTK chipsets: MT6739, MT6753, MT6737, and MT6580. If Data Authentication Algorithm (DAA) is enabled, there is a possibility to disable it in the software.
  • LG Qualcomm Devices. Bypass screen lock and decrypt physical dumps of LG Android devices based on the following Qualcomm chipsets: MSM8917, MSM8937, MSM8940, MSM8953.
  • Full File System Extraction. Gain temporary root rights and perform file system acquisitions of unlocked devices with the SPL (Security Patch Level) up to May 2021.
  • APK Downgrade. Downgrade app versions and extract app data from unlocked devices running Android OS versions 5-11.
  • OxyAgent Utility. Android OS 11 is fully supported. Quickly collect data from popular apps like Discord, Twitter, Viber, and Wickr Me. We’ve also added the option to create video recordings of any data inside a device.

As for mobile data parsing, like in previous years, we focused on app parsing to include the most popular encrypted and VPN apps: Silent Phone, iMe Messenger & Crypto Wallet, Brave Private Browser, Private Photo Vault Pro, ProtonMail, CyberGhost VPN, ZenMate VPN, and more. Currently, the total number of supported app versions exceeds 26,000.


Cloud Data Extraction

This year we have added support for 9 new cloud services:

  • Tinder
  • OkCupid
  • TikTok
  • Grindr iCloud backups
  • Grindr Google backups
  • Discord
  • Ring Video Doorbell
  • GroupMe
  • MEGA

Additionally, we updated authorization and extraction algorithms for our 98 supported cloud services. Among the most important are the added ability to:

  • Decrypt WhatsApp backups of the latest crypt14 format
  • Extract the latest iCloud backups (including iOS 15 beta version)
  • Acquire WhatsApp data via QR code method

Computer Artifacts

With every release, we add a great number of new features to Oxygen Forensic® KeyScout, making it a more powerful computer forensics tool.

First, we added the ability to capture RAM and save it in RAW format. Second, we gave investigators the option to import and parse many new file formats, including file system ZIP archives, AD1, L01 logical images, DD, BIN, IMG images, and virtual machine images. Third, we introduced the ability to create and use search templates before the extraction process. Lastly, we added parsing of many new computer artifacts and apps, while also redesigning the entire utility interface.

Data Import

We continue to add support for new data sources. Let’s name a few:

  • Google Warrant Returns
  • Android GrayKey images
  • UFDX and UFDR files, and UFED reports
  • The latest versions of Samsung Smart Switch backups
  • Apple iOS and Android file system folders

Additionally, we added a great time-saving feature – Selective Data Analysis, giving investigators the opportunity to select the apps they need to parse before importing their data.

Data Analytics

Investigators deal with an incredible amount of extracted data on a daily basis. Considering this, we introduced several new analytical tools to save time and reduce backlogs.

  • Facial Categorization allows investigators to create face sets and conduct searches for specific faces within one or more extractions in the Search section.
  • Similar Image Analysis uses PhotoDNA technology to automatically compare and sort images in the Files section.
  • Image Categorization has implemented two new categories – Tattoos and Aircrafts.
  • Merging several extractions permits investigators to merge data from various extractions into one for further analysis.
  • Application Activity in the Timeline section allows investigators to gain quick insights into the activity of applications extracted from devices and computers.
  • Smart Filters adds 7 new filters to the Timeline section, letting investigators filter Timeline events by various criteria and quickly find relevant evidence.
