Oxygen Forensics: 2021 in Review

As this year comes to a close, we want to recap the advancements we’ve made as a company, as well as some of our favorite software features of 2021. This year we were finally able to return to onsite conferences and training. We all missed real meetings so much! Not only that, but we also experienced tremendous growth, bringing on new team members, expanding our headquarters, and adding a new location in the UK.

None of this would be possible without your continued support and trust in us. We thank you for joining us in our mission to help good people make this world safer, and we look forward to continuing this journey.

Mobile Data Extraction

For the second year in a row, we are leading in screen lock bypass and decryption methods for Android OS devices. We’ve implemented numerous methods that allow investigators to access critical evidence, even when it seemed impossible. Let’s review our most advanced extraction methods of 2021.

  • Samsung Exynos Devices. Samsung Exynos devices running Android OS 9-11 with File-Based Encryption (FBE) are now supported. This method allows the extraction of Samsung Secure Folder data.
  • Huawei Qualcomm Devices. Bypass screen locks and decrypt evidence from devices using FBE and based on the following Qualcomm chipsets: MSM8917, MSM8937, MSM8940, and MSM8953.
  • Huawei Kirin Devices. Bypass screen locks and decrypt evidence from devices running Android OS 9 and 10, and the latest SPL (Security Patch Level) of May and June 2021.
  • Huawei Private Space. Decrypt Huawei Private Space data from locked Huawei Android devices running Android 9-10 and based on Kirin chipsets.
  • Sony MTK Devices. Bypass screen locks and create full physical dumps of Sony devices based on MTK chipsets with Full Disk Encryption (FDE). With Secure Startup enabled, investigators can use the built-in brute force module to find the user passcode.
  • Android MTK Devices. Acquire data from screen-locked Android devices based on the following MTK chipsets: MT6739, MT6753, MT6737, and MT6580. If Data Authentication Algorithm (DAA) is enabled, it may be possible to disable it in the software.
  • LG Qualcomm Devices. Bypass screen lock and decrypt physical dumps of LG Android devices based on the following Qualcomm chipsets: MSM8917, MSM8937, MSM8940, MSM8953.
  • Full File System Extraction. Gain temporary root rights and perform file system acquisitions of unlocked devices with the SPL (Security Patch Level) up to May 2021.
  • APK Downgrade. Downgrade app versions and extract app data from unlocked devices running Android OS versions 5-11.
  • OxyAgent Utility. Android OS 11 is fully supported. Quickly collect data from popular apps like Discord, Twitter, Viber, and Wickr Me. We’ve also added the option to create video recordings of any data inside a device.

As for mobile data parsing, as in previous years, we focused on app parsing to include the most popular encrypted and VPN apps: Silent Phone, iMe Messenger & Crypto Wallet, Brave Private Browser, Private Photo Vault Pro, ProtonMail, CyberGhost VPN, ZenMate VPN, and more. Currently, the total number of supported app versions exceeds 26,000.



Cloud Data Extraction

This year we have added support for 9 new cloud services:

  • Tinder
  • OkCupid
  • TikTok
  • Grindr iCloud backups
  • Grindr Google backups
  • Discord
  • Ring Video Doorbell
  • GroupMe
  • MEGA

Additionally, we updated authorization and extraction algorithms for our 98 supported cloud services. Among the most important are the added ability to:

  • Decrypt WhatsApp backups of the latest crypt14 format
  • Extract the latest iCloud backups (including iOS 15 beta version)
  • Acquire WhatsApp data via QR code method

Computer Artifacts

With every release, we add a great number of new features to Oxygen Forensic® KeyScout, making it a more powerful computer forensics tool.

First, we added the ability to capture RAM and save it in RAW format. Second, we gave investigators the option to import and parse many new file formats, including file system ZIP archives, AD1, L01 logical images, DD, BIN, IMG images, and virtual machine images. Third, we introduced the ability to create and use search templates before the extraction process. Lastly, we added parsing of many new computer artifacts and apps, while also redesigning the entire utility interface.

Data Import

We continue to add support for new data sources. Let’s name a few:

  • Google Warrant Returns
  • Android GrayKey images
  • UFDX and UFDR files, and UFED reports
  • The latest versions of Samsung Smart Switch backups
  • Apple iOS and Android file system folders

Additionally, we added a great time-saving feature – Selective Data Analysis, giving investigators the opportunity to select the apps they need to parse before importing their data.

Data Analytics

Investigators deal with an incredible amount of extracted data on a daily basis. Considering this, we introduced several new analytical tools to save time and reduce backlogs.

  • Facial Categorization allows investigators to create face sets and conduct searches for specific faces within one or more extractions in the Search section.
  • Similar Image Analysis uses PhotoDNA technology to automatically compare and sort images in the Files section.
  • Image Categorization adds two new categories – Tattoos and Aircrafts.
  • Merging several extractions permits investigators to merge data from various extractions into one for further analysis.
  • Application Activity in the Timeline section allows investigators to gain quick insights into the activity of applications extracted from devices and computers.
  • Smart Filters adds 7 new filters to the Timeline section, letting investigators filter Timeline events by various criteria and quickly find relevant evidence.
