Investigators can now easily create custom dictionaries for brute-force attacks in the new “Passwords Manager.” It can be found in the “Options” section of the software or on the toolbar of the “Accounts and Passwords” section. This convenient tool collects all the passwords extracted in the “Accounts and Passwords” section. Investigators can also import passwords from a .txt file or enter them manually. Once created, password lists are available in the brute-force module of the “Attack Manager” and can be used for password attacks.
Users can now also create custom attacks using the options available in Passware Kit Mobile. Once created, custom attacks are shown in the “Attack Manager.”
Android App Downgrade
Using the Android backup method, investigators cannot extract data from the latest versions of many applications because that data is normally excluded from the backup. In such cases, an APK downgrade is required to access app evidence. Oxygen Forensic® Detective v.14.0 introduces an Android app downgrade method that allows investigators to extract valuable app evidence from a wide variety of unlocked Android devices. The method is compatible with Android OS versions 5 to 11.
Following the step-by-step instructions, investigators select the apps to downgrade, make a copy of the original apps, downgrade their versions, extract the data, and restore the apps to their original state. Currently, the APK Downgrade method covers over 45 popular apps, including WhatsApp, Facebook, Instagram, Twitter, Tinder, and many others.
Support for MT6753 Chipset
The “MTK Android Dump” method now supports the MT6753 chipset. This method allows screen lock bypass, hardware key extraction, and evidence decryption for over 150 devices based on this chipset. Please note that devices with DAA (Data Authentication Algorithm) are not supported yet.
Telegram Extraction via OxyAgent
Starting from Oxygen Forensic® Detective v.14.0, investigators can collect Telegram data from any unlocked Android device using OxyAgent. Install it on the device, select the Telegram artifacts to collect, and, after the extraction, import them into Oxygen Forensic® Detective. This method is compatible with Android OS versions 7 and higher.
The evidence set includes account info, authorized sessions, contacts, chats, channels, saved messages, and calls. Secret chats are not supported by this method. If several accounts are in use, all of them can be extracted. If Telegram is locked with a passcode, the software will prompt for it; without it, the extraction will not start. Note: Telegram data can also be extracted from mobile devices using other methods, as well as from the cloud and from computers.
New App Support
Oxygen Forensic® Detective v.14.0 introduces support for 6 new apps and updates data parsing for 900+ app versions. Our new apps include Digital Wellbeing, Beekeeper, Solocator, Chatwork, Grindr, and GPS Camera. The total number of supported app versions now exceeds 24,200.
Oxygen Forensic® Detective v.14.0 introduces a significant enhancement for data analysis: investigators can now merge several extractions into one. This is often required when evidence is extracted using various methods and needs to be viewed together, for example:
- Separate extractions of an Android device and its SIM card.
- Evidence extracted from the same Android device using various methods, such as OxyAgent and ADB backup.
- Device and cloud extractions from the same owner.
To merge extractions, select them in the extraction tree on the right sidebar and choose “Merge extractions” in the context menu, then follow the instructions. Extractions can be merged either at the analyzed-data level or at the file-system level. The first option suits extractions from different platforms, such as a device and a cloud service. The second is recommended for extractions of the same device acquired with several extraction methods.
App Data Recovery Enhancements
We’ve significantly improved the recovery of deleted data from applications. If deleted app data recovery is enabled at import, users will see the following results:
- The quality of deleted data recovery has improved: we can now recover much more deleted data with fewer duplicates and junk records.
- Files containing over 2 GB of data can now be completely recovered from databases.
- The speed at which deleted data is recovered from apps has significantly increased.
As a result, importing a backup or image into the software takes less time.
We’ve also extended the functionality of our SQLite Viewer. The enhancements include hash calculation for databases, journal and WAL files, and the ability to view and search records in free and unused pages, which are listed in the “All deleted data” section of the Viewer.
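The free and unused pages mentioned above are the ones SQLite's freelist points at. The following added example (not Oxygen's code; the database, table and marker text are constructed for illustration) walks that freelist chain from the 100-byte file header, carves a marker string from the freed pages of a dropped table, and hashes the database together with any rollback journal or WAL file beside it.

```python
import hashlib
import os
import sqlite3
import struct
import tempfile

def file_hashes(db_path):
    """SHA-256 of the database file plus its rollback journal and WAL, when present."""
    digests = {}
    for path in (db_path, db_path + "-journal", db_path + "-wal"):
        if os.path.exists(path):
            with open(path, "rb") as fh:
                digests[os.path.basename(path)] = hashlib.sha256(fh.read()).hexdigest()
    return digests

def freelist_pages(data):
    """Walk the freelist trunk chain; return (page_size, header free count, page numbers)."""
    page_size = struct.unpack(">H", data[16:18])[0]
    page_size = 65536 if page_size == 1 else page_size  # header value 1 encodes 64 KiB
    trunk, free_count = struct.unpack(">II", data[32:40])  # first trunk page, total free pages
    pages = []
    while trunk:  # trunk page layout: next trunk, leaf count, then 4-byte leaf page numbers
        pages.append(trunk)
        off = (trunk - 1) * page_size
        trunk, n_leaves = struct.unpack(">II", data[off:off + 8])
        pages.extend(struct.unpack(">%dI" % n_leaves, data[off + 8:off + 8 + 4 * n_leaves]))
    return page_size, free_count, pages

def carve_free_pages(db_path, marker):
    """Return (free page count, free pages whose raw bytes still contain marker)."""
    with open(db_path, "rb") as fh:
        data = fh.read()
    page_size, free_count, pages = freelist_pages(data)
    if free_count != len(pages):
        raise ValueError("freelist chain disagrees with the header count")
    return free_count, [p for p in pages if marker in data[(p - 1) * page_size:p * page_size]]

def demo():
    """Constructed sample: a dropped chat table whose rows survive on freelist pages."""
    db = os.path.join(tempfile.mkdtemp(), "sample.db")
    con = sqlite3.connect(db, isolation_level=None)  # autocommit, so no explicit commits needed
    for pragma in ("PRAGMA auto_vacuum=NONE", "PRAGMA secure_delete=OFF"):
        con.execute(pragma)  # keep freed pages in the file and leave their old bytes unwiped
    con.execute("CREATE TABLE msgs(id INTEGER PRIMARY KEY, body TEXT)")
    con.executemany("INSERT INTO msgs(body) VALUES (?)",
                    [("DELETED-RECORD-%02d " % i + "x" * 1000,) for i in range(20)])
    con.execute("DROP TABLE msgs")  # the table's pages move to the freelist; content is not wiped
    con.close()
    free_count, hits = carve_free_pages(db, b"DELETED-RECORD")
    return {"free_pages": free_count, "pages_with_remnants": hits, "hashes": file_hashes(db)}
```

With secure_delete enabled (a compile-time default on some builds) the same pages come back zeroed, which is why the hash of the file as acquired matters before any tool opens it.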
Cloud Extractor Enhancements
Investigators can now extract evidence from Grindr iCloud backups using the corresponding iCloud login and password. The evidence set includes account information, contacts, files, as well as private and group chats. 2FA is also supported.
The updated Oxygen Forensic® Cloud Extractor also supports new types of Instagram messages: voice messages, video chat notifications, liked messages, and stickers. We’ve also updated the authorization and extraction algorithms for Slack, Evernote, iCloud Contacts, and WhatsApp Cloud.
We’ve introduced many enhancements and support for new artifacts in KeyScout.
First, we’ve added import and parsing of new RAW formats: DD, BIN, and IMG. The import option is located under “Desktop Extractions” on the Home screen of Oxygen Forensic® Detective.
Second, the updated KeyScout can extract data from external drives. Select the “Drive” option on the Home screen of Oxygen Forensic® KeyScout and follow the instructions. Extraction requires elevated privileges.
Third, we’ve redesigned the KeyScout Home Screen. It now offers investigators the option to conveniently select search templates before beginning an extraction.
Finally, new artifacts have been added:
- Extraction of Apple Unified Log from macOS.
- Extraction of the web version of Instagram from the Google Chrome browser, as well as extraction of the Google Chrome browser cache.
- Support for Your Phone and Chatwork apps.
Oxygen Forensic® Detective can now ingest two new types of third-party images – UFDR reports made from non-smartphones and Huawei backups created in UFED.
- Extraction issues with Xiaomi Redmi 3S and Micromax Q402 Plus.
- Export issue of 174GB iTunes backup.
- Oxygen Forensic® Extractor not allowing users to enter a PIN/PUK for SIM card extraction.
- Not all messages were being parsed from a Samsung Smart Switch backup made from a Samsung S8+ device.
- Calls and messages not being parsed from UFDR reports.
- Messages of Facebook Search Warrants being shown as incoming.
- Parsing issues with Element Messenger and the Discord cache.
- Date modified timestamps of exported files were being saved incorrectly from the Files section.
- Issues with Slack cloud data extraction.
- Filter for geo coordinates did not work on Maps that were opened from the Timeline section.
- Addresses received via WiGLE were not correctly displayed on the sidebar.
- The Ctrl+Space hotkey did not mark files as Key Evidence in the thumbnail view.