KeyScout Updated.

February 14, 2023

Check out the updates made to KeyScout for each Oxygen Forensic® Detective release.

 

KeyScout is a tool included in Oxygen Forensic® Detective that helps collect computer artifacts and provide data on them. It offers insights into passwords, applications, and system artifacts. It is compatible with Windows, Linux, and macOS.

We update our software, Oxygen Forensic® Detective, 6+ times per year, and KeyScout is one of the powerful tools that receives updates to ensure investigators are able to extract critical evidence.

Oxygen Forensic® Detective v.15.5

In v.15.5 we added analysis of hibernation files and drive partitions protected with BitLocker.


Oxygen Forensic® Detective v.15.4

Logical Volume Manager

We have enabled the analysis of physical images and external disks that use Logical Volume Manager technology.


Oxygen Forensic® Detective v.15.3

Functionality updates

A number of functional and interface updates to KeyScout were introduced:

  • Added extended analysis of live RAM that now includes memory pages from pagefiles
  • More detailed information about data search progress
  • Redesigned and simplified the work with search profiles


Oxygen Forensic® Detective v.15.2

Enhanced Linux support in Oxygen Forensic® Detective

In Oxygen Forensic® Detective v.15.2 we have enhanced support for Linux devices by making data collection easier for our users and adding support for the XFS file system, which is frequently used in the newest Linux versions.

KeyScout can now extract from Linux-operated devices:

  • Cron tasks
  • SSH keys
  • Information about system accounts and groups


Oxygen Forensic® Detective v.15.1

In Oxygen Forensic® Detective v.15.1 we updated the KeyScout interface and functionality:

 

Decryption of passwords, cookies, and tokens of other user profiles

In the version 15.1 update of Oxygen Forensic® Detective, it is now possible to extract and decrypt credentials, tokens, and cookies belonging to another user during the analysis. To do this, open the “Passwords” tab in the “Search settings” and add another user’s password.

 

Screenshot of extracting and decrypting credentials with KeyScout

 

If another user’s password has not been entered, KeyScout will detect the presence of another user and some of the services they are logged in to, but the passwords and tokens themselves will not be extracted.

The following can be detected, extracted, and decrypted:

  • Passwords, tokens, and cookies from popular web browsers: Google Chrome, Opera, Microsoft Edge;
  • WhatsApp Desktop tokens;
  • Windows Credentials and Windows Vault.

 

Screenshot of credentials for accounts that KeyScout found

Overview and select partitions to analyze

Previously, the search was performed through all system partitions at once. In this release of Oxygen Forensic® Detective, we made data extraction via KeyScout more convenient. An investigator armed with our product can now optimize the search process according to their actual needs.

Upon starting a new search and selecting the target device, the “Drives and partitions” section will appear on the left sidebar. Open it to overview all detected partitions. In this section, investigators can manually select the relevant partitions and exclude partitions of no interest from the search.

 

Screenshot of the “new search” section of KeyScout

Screenshot of viewing the drives and partitions of the “live system”

Extended information about current search and saving progress

To improve the investigators’ experience, we have added a “Search summary” tab on the left sidebar that appears after starting a search. From it, investigators can:

  1. Learn the current search status.
  2. State where the extracted data will be saved. If there is not enough space in the selected directory, a corresponding notification will appear.
  3. Overview detected data, grouped under the “Found” section. Click on any category icon to open the corresponding search results. Click “reset filters” to overview the full scope of extracted data.

 

Screenshot of the “Search summary” in KeyScout
Click to overview the detected data. Reset the filters to overview the whole scope of data.

In the new version of Oxygen Forensic® Detective, we have updated the search settings as well, making them more convenient for our customers. Now, in the “Search roots” tab, the list of paths can be expanded, giving our users the ability not only to overview all of them but also to exclude search paths of no interest and add relevant ones.

We have also added a “Description” column to the “System artifacts” and “Memory” tabs, in which artifacts and data types extracted from RAM, respectively, are described in detail.

 

Screenshot of the specified roots in the Search settings
The list of paths can be expanded, and the user can remove paths from the search or add new ones.

 

Screenshot of a list of system artifacts in the Search settings in KeyScout
Description of system artifacts

 

Screenshot of “Memory” in the Search settings in KeyScout
Added description field to the Memory tab

Get more from Oxygen Forensic® Detective

At Oxygen Forensics, our software is updated multiple times every year. We offer training courses and webinars that can help you learn the ins and outs of Oxygen Forensic® Detective and stay up to date on new features and tools needed for your investigation.