Top Software Updates from Oxygen Forensics in 2022

by

As this year comes to a close, we want to review the top advancements we’ve made to our software in 2022.

Mobile Data Extraction

This year we’ve introduced numerous methods and features to allow investigators increased access to evidence from mobile devices and cloud services, even if encrypted. Let’s review our extraction updates of 2022.

  • Android MTK Devices. MTK-based devices have been our priority this year. We’ve added passcode brute force for MTK-based Android devices with File-Based Encryption (FBE). These devices include the popular Xiaomi, Oppo, and Realme models. We’ve also added support for 3 new MTK chipsets: MT6765, MT6768, and MT6785. Our support for MTK-based Android devices with Full-Disk Encryption has also been significantly enhanced. Learn more in this article.
  • Access to the Xiaomi Second Space. Within the MTK Android Dump method, we’ve added the ability to brute force and decrypt Xiaomi Second Space where sensitive data might be located.
  • Brute force for Samsung Exynos (FBE) devices. Now you can brute force passcodes to decrypt data from Samsung Exynos devices with FBE and running Android OS 10-11.
  • Huawei Kirin Devices. We’ve added support for Kirin 985 and 820 chipsets. Now you can decrypt evidence from many more Huawei devices running Android OS 9 and 10. More information on this method is available here.
  • Huawei MainSpace. If several MainSpaces are activated, passcodes to all of them can now be brute forced and applied. Use the Huawei Android Dump method for this.
  • Android Agent Utility. For manual extraction, we’ve added support for the following new apps: Zoom, Wickr Pro, Silent Phone, Kik Messenger, Firefox. Use this method for fast data collection from unlocked Android devices.
  • Android KeyStore Extraction. We’ve enhanced the ability to extract encryption keys from the Android KeyStore to decrypt secure apps, like Signal, Silent Phone, and ProtonMail. Use the Full File System, Huawei Kirin, and Qualcomm methods for this purpose.
  • iOS checkm8 method. We have updated this method with the release of every new iOS version. Currently, it is compatible with all the versions up to, and including, 15.7.
  • iOS Agent. We’ve introduced a new method of iOS data extraction. Currently, this method covers a vast variety of devices including iPhone 11 and iPhone 12. The supported versions are 14.0 – 14.3, 14.4 – 14.5.1, and 15.0 – 15.1.1. Learn more in this article.
  • Mobile App Parsing. We’ve focused on app parsing updates and decryption of secure and vault apps like ProtonMail, Calculator+, Calculator#, FileSafe, and Briar. Currently, the total number of supported app versions exceeds 34,600.

Cloud Data Extraction

This year we focused on enhancing support for our 102 supported cloud services. However, we have also introduced support for multiple new services:

We’ve also added the ability to import and decrypt WhatsApp backups of .crypt 15 type.

Computer Artifacts

With every release, we add a great number of functionality and interface enhancements to Oxygen Forensic® KeyScout, making it a more powerful computer forensics tool.


Get The Latest DFIR News

Join the Forensic Focus newsletter for the best DFIR articles in your inbox every month.


Unsubscribe any time. We respect your privacy - read our privacy policy.

This year we’ve significantly improved the KeyScout interface, making it more user friendly. In addition, we’ve extended a number of supported system and user artifacts that can be collected on macOS, Windows, and Linux computers.

We’ve also added support for new types of computer images:

  • Lx01 images
  • Ex01 images
  • images of virtual machines of VMX and VBOX formats
  • macOS Time Machine backups
  • Windows Volume Shadow Copy snapshots
  • macOS images that contain the APFS file system
  • images and drives that contain the exFAT file system

Data Import

This year we’ve added many new evidence sources to our toolkit:

Data Analytics

Many great analytic enhancements have been incorporated this year:

  • User Searches section. You can now analyze all the extracted user searches in a single view.
  • New analysis tool in Timeline. We’ve added the ability to compare device call and message logs with CDR data.
  • Facial Categorization
    • multi-thread facial categorization using GPU and CPU
    • adding faces from video frames from the File section to face sets that are used in facial search across extracted evidence
    • ability to categorize faces from video frames in the Files section and add them to the Faces section
    • Selective categorization of faces in the Files section
  • Hex Search. We’ve added Hex Lists Manager in the Search section.
  • Locations analysis. Now you can get addresses from geo coordinates using OpenStreetMap and Mapbox services.

Leave a Comment

Latest Videos

Forensic Focus

Forensic Focus
In this webinar, David Spreadborough, Forensic Analyst at Amped Software, provides a closer look at those important early stages in investigations involving video evidence. Starting with establishing the integrity of the digital data and evaluating the authenticity of the produced visual image. From demonstrative timelines to speed estimation, the evidential foundations are paramount in every case. Failure to consider these steps and misinterpreting the data can cause unnecessary delays, mistakes, and potentially even miscarriages of justice. Amped FIVE is used to conduct data analysis, file conversion, and assessment of image reliability. Useful links: Amped FIVE - https://ampedsoftware.com/five Video Evidence Principles - https://blog.ampedsoftware.com/2023/0... CCTV Acquisition introduction - https://blog.ampedsoftware.com/2023/0...

In this webinar, David Spreadborough, Forensic Analyst at Amped Software, provides a closer look at those important early stages in investigations involving video evidence. Starting with establishing the integrity of the digital data and evaluating the authenticity of the produced visual image.

From demonstrative timelines to speed estimation, the evidential foundations are paramount in every case.

Failure to consider these steps and misinterpreting the data can cause unnecessary delays, mistakes, and potentially even miscarriages of justice.

Amped FIVE is used to conduct data analysis, file conversion, and assessment of image reliability.

Useful links:

Amped FIVE - https://ampedsoftware.com/five
Video Evidence Principles - https://blog.ampedsoftware.com/2023/0...
CCTV Acquisition introduction - https://blog.ampedsoftware.com/2023/0...

YouTube Video UCQajlJPesqmyWJDN52AZI4Q_dnSPwNdMn5M

Investigating Video: The Vital First Steps

Forensic Focus 15 hours ago

Read more at https://www.forensicfocus.com/news/forensic-focus-digest-may-10-2024/ #dfir #digitalforensics

Read more at https://www.forensicfocus.com/news/forensic-focus-digest-may-10-2024/ #dfir #digitalforensics

YouTube Video UCQajlJPesqmyWJDN52AZI4Q_QVjq2Xu_MQ8

Forensic Focus Digest, May 10 2024 #dfir #digitalforensics

Forensic Focus 10th May 2024 12:43 pm

In this webinar, Jordan Portfleet from the Oxygen Forensic Training Team introduces KeyDiver, a new module integrated into Oxygen Forensic Detective. KeyDiver is designed to find passwords to decrypt various encrypted data sources like BitLocker and FileVault2 encrypted volumes, encrypted ZIP files, Apple Notes, Telegram Desktop app, and more. Jordan provides an in-depth walkthrough of KeyDiver's features and demonstrates how to create different types of brute force attacks like mask attacks, dictionary attacks, and custom password guessing. He explains the various settings available for customizing attacks, managing GPU utilization, monitoring progress, and more. Jordan also shares tips on leveraging additional data sources and social engineering techniques to improve password guessing success rates.

In this webinar, Jordan Portfleet from the Oxygen Forensic Training Team introduces KeyDiver, a new module integrated into Oxygen Forensic Detective.

KeyDiver is designed to find passwords to decrypt various encrypted data sources like BitLocker and FileVault2 encrypted volumes, encrypted ZIP files, Apple Notes, Telegram Desktop app, and more.

Jordan provides an in-depth walkthrough of KeyDiver's features and demonstrates how to create different types of brute force attacks like mask attacks, dictionary attacks, and custom password guessing. He explains the various settings available for customizing attacks, managing GPU utilization, monitoring progress, and more.

Jordan also shares tips on leveraging additional data sources and social engineering techniques to improve password guessing success rates.

YouTube Video UCQajlJPesqmyWJDN52AZI4Q_3hDBpcA9rdw

Oxygen Forensic® KeyDiver

Forensic Focus 9th May 2024 11:08 am

Load More... Subscribe
This error message is only visible to WordPress admins

Important: No API Key Entered.

Many features are not available without adding an API Key. Please go to the YouTube Feeds settings page to add an API key after following these instructions.

Latest Articles

Investigating Video: The Vital First Steps
Webinars

Investigating Video: The Vital First Steps

ByAmpedSoftwareMay 13, 2024
Forensic Focus Digest, May 10 2024
News

Forensic Focus Digest, May 10 2024

ByForensic FocusMay 10, 2024
Oxygen Forensic® KeyDiver
Webinars

Oxygen Forensic® KeyDiver

ByOxygenForensicsMay 9, 2024
Detego Global Announces Webinar To Demonstrate The Powerful New Features Of Detego v4.16
News

Detego Global Announces Webinar To Demonstrate The Powerful New Features Of Detego v4.16

ByDetego Digital ForensicsMay 8, 2024
Digital Forensics Round-Up, May 08 2024
News

Digital Forensics Round-Up, May 08 2024

ByForensic FocusMay 8, 2024
UK Parliamentary Legislation Introduced Against Deepfakes
News

UK Parliamentary Legislation Introduced Against Deepfakes

ByForensic FocusMay 2, 2024