Oxygen Forensic® Detective v.14.1

We are delighted to introduce an update of our flagship product, Oxygen Forensic® Detective! Version 14.1 enhances extraction capabilities in all the main modules (mobile, cloud, and computer artifacts) and improves data analysis with a new feature.
The key features of this release will be explored in detail in our corporate blog. For the full list of changes, please refer to the “WhatsNew” file in the software Options menu.

Screen Lock Bypass for LG Devices

In Oxygen Forensic® Detective v.14.1, investigators can now create a physical dump, extract hardware keys, and decrypt evidence from locked LG devices based on Qualcomm chipsets. This method requires the device to be put into LAF (LG Advanced Flash) mode. Supported devices must run Android OS 6 or 7 and be based on one of the following chipsets: MSM8917, MSM8937, MSM8940, or MSM8953. This method covers the LG Q6 (LG-M700), LG Stylus 2 Plus (LG-SM550), LG Stylo 3 Plus (LG-MP450), and any other model listed in the Supported devices list.

Enhanced Screen Lock Bypass for MTK Devices

We’ve also enhanced our support for screen-locked Android devices running on MediaTek chipsets. Devices with DAA authentication enabled are now supported: Oxygen Forensic® Detective disables the DAA and allows investigators to extract hardware keys and decrypt data. Supported devices include the Nokia 5.1 Plus, Motorola One Action, Xiaomi Redmi Note 8 Pro, and more. This functionality is available within the MTK Android Dump method.

Wickr Me Extraction via OxyAgent

Oxygen Forensic® Detective v.14.1 allows fast collection of Wickr Me data from any unlocked Android device using OxyAgent. OxyAgent can be installed on a device via USB, Wi-Fi, or an OTG device. The evidence set includes account information, contacts, private and group chats with attachments, and calls. Wickr Me chats are stored on the device for up to 6 days. After expiration, chats cannot be acquired via OxyAgent; to extract expired chats, use the physical methods available in Oxygen Forensic® Detective.

Full File System Extraction

We’ve added a new exploit to our “Android full file system” method. This exploit covers many unlocked Android devices based on various chipsets. Supported devices must have a Mali-G31, Mali-G51, Mali-G52, Mali-G71, Mali-G72, Mali-G76, Mali-G77, or Mali-G78 GPU (Bifrost or Valhall), a Linux kernel of version 2.6.0 to 5.4, and run Android OS 7 – 11. The SPL (Security Patch Level) must be no older than May 2021. This exploit does not support Samsung and Huawei devices due to their additional security layers.

Extended Checkm8 Support

There is a known issue that on the iPhone 7, iPhone 7 Plus, iPhone 8, iPhone 8 Plus, and iPhone X running iOS 14.x you must first turn off the passcode before performing data extraction via the checkm8 vulnerability. In Oxygen Forensic® Detective v.14.1, if the passcode is unknown, you can extract a limited amount of data from the iPhone 7 and iPhone 7 Plus running iOS 14.0-14.8.1 in BFU mode. For a full file system extraction, you still need to turn off the passcode.

App Support

In version 14.1, we focused on parsing secure apps. Investigators can now extract and decrypt evidence from iMe Messenger & Crypto Wallet, Brave Private Browser, Private Photo Vault Pro, ProtonMail, and WhatsApp backups (crypt12). Moreover, Oxygen Forensic® Detective v.14.1 introduces support for the MX TakaTak and Reddit social networks. The total number of supported app versions exceeds 25,200!

MEGA data extraction

MEGA is a widely used cloud storage and file hosting service that uses end-to-end encryption. Investigators can now extract evidence from this service using Oxygen Forensic® Cloud Extractor. Authorization in the service can be done using login credentials or a token from Apple iOS and Android devices. If 2FA is enabled, a code will be required. Evidence sets may include information about the account, contacts, files, private chats, and links.

Extraction of Grindr Google Backups

In the previous version we added support for Grindr iCloud backups. Now Grindr backups can also be extracted from Google. Investigators can access Grindr chats stored in Google Drive using the corresponding login and password.

Telegram Extraction Enhancements

In the new release, we’ve implemented two of our most frequently requested improvements to Telegram cloud extraction. First, investigators can now extract comments left on channel messages. This data often contains valuable pieces of evidence.
Second, we’ve added the option to select which specific Telegram chats to extract before data extraction starts. This allows investigators to save time by extracting only the data and evidence they need for the investigation.

Parsing of New Computer Images

A great number of new computer image formats can now be ingested and parsed in Oxygen Forensic® Detective:

  • Virtual machine images in VDI, VHD, and VMDK formats.
  • Logical images in 7z, rar, and tar formats.
  • DMG and ISO images.

We’ve also introduced support for FAT, EXT2/3/4, and HFS/HFS+ file systems inside E01, RAW/DD, VDI, VHD, and VMDK images. To import any of these images, select the relevant options under the “Desktop extractions” option on the software Home screen.
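The first thing an ingestion pipeline has to do with a file from the list above is decide which container it is looking at, and then which file system lives inside it. As an added example (not Oxygen Forensic's code, and not a description of how the product does it), the block below identifies the container by its well-known magic bytes, with the caveat the page's format list implies: a RAW/DD image has no container signature at all, so it can only be recognized at the file-system layer. All sample inputs are constructed in-memory byte strings, not real images; the file names in the sample dictionary are hypothetical.

```python
"""Identify container and file-system formats by magic bytes (constructed example)."""
from typing import List, Optional, Tuple

# (label, offset, signature). A negative offset is relative to the end of the file,
# which is where the VHD fixed-disk footer and the DMG "koly" trailer live.
CONTAINER_SIGNATURES: List[Tuple[str, int, bytes]] = [
    ("E01",  0,      b"EVF\x09\x0d\x0a\xff\x00"),   # Expert Witness (EnCase) segment header
    ("VDI",  0x40,   b"\x7f\x10\xda\xbe"),          # VirtualBox magic 0xBEDA107F, little-endian
    ("VHD",  0,      b"conectix"),                  # dynamic/differencing VHD: header copy at start
    ("VHD",  -512,   b"conectix"),                  # fixed VHD: only the footer at end of file
    ("VMDK", 0,      b"KDMV"),                      # sparse extent header
    ("VMDK", 0,      b"# Disk DescriptorFile"),     # plain-text descriptor file
    ("7z",   0,      b"7z\xbc\xaf\x27\x1c"),
    ("RAR",  0,      b"Rar!\x1a\x07"),              # common prefix of RAR4 and RAR5 markers
    ("tar",  257,    b"ustar"),                     # POSIX/GNU tar header magic
    ("ISO",  0x8001, b"CD001"),                     # ISO 9660 primary volume descriptor, sector 16
    ("DMG",  -512,   b"koly"),                      # Apple UDIF trailer
]

# Same table shape for the file systems the release adds support for.
FS_SIGNATURES: List[Tuple[str, int, bytes]] = [
    ("FAT32",    0x52,  b"FAT32"),                  # file-system type string in the FAT32 BPB
    ("FAT12/16", 0x36,  b"FAT1"),                   # "FAT12   " / "FAT16   " in the FAT12/16 BPB
    ("ext2/3/4", 0x438, b"\x53\xef"),               # superblock magic 0xEF53 at 1024 + 56
    ("HFS+",     0x400, b"H+"),                     # volume header signature at offset 1024
    ("HFSX",     0x400, b"HX"),
    ("HFS",      0x400, b"BD"),                     # classic HFS master directory block
]


def _match(data: bytes, table: List[Tuple[str, int, bytes]]) -> Optional[str]:
    """Return the first label whose signature is present at its offset, else None."""
    for label, offset, sig in table:
        start = offset if offset >= 0 else len(data) + offset
        if start < 0 or start + len(sig) > len(data):
            continue  # file too short for this signature; not a match
        if data[start:start + len(sig)] == sig:
            return label
    return None


def identify_container(data: bytes) -> Optional[str]:
    """Container format, or None (a RAW/DD image carries no container signature)."""
    return _match(data, CONTAINER_SIGNATURES)


def identify_filesystem(data: bytes) -> Optional[str]:
    """File system at the start of a raw volume, or None if nothing known is found."""
    return _match(data, FS_SIGNATURES)


def _pad(prefix: bytes, size: int) -> bytes:
    return prefix + bytes(size - len(prefix))


# Constructed samples: just enough bytes to carry each signature at the right offset.
SAMPLES = {
    "vm.vdi":       _pad(b"<<< Oracle VM VirtualBox Disk Image >>>\n", 0x40) + b"\x7f\x10\xda\xbe" + bytes(60),
    "fixed.vhd":    bytes(1024) + _pad(b"conectix", 512),
    "sparse.vmdk":  _pad(b"KDMV", 1024),
    "archive.7z":   _pad(b"7z\xbc\xaf\x27\x1c", 64),
    "archive.rar":  _pad(b"Rar!\x1a\x07\x01\x00", 64),
    "archive.tar":  bytes(257) + _pad(b"ustar", 255),
    "disc.iso":     bytes(0x8001) + _pad(b"CD001", 2047),
    "image.dmg":    bytes(100) + _pad(b"koly", 512),
    "evidence.E01": _pad(b"EVF\x09\x0d\x0a\xff\x00", 64),
    "raw.dd":       bytes(0x438) + b"\x53\xef" + bytes(100),   # no container, ext superblock inside
}

if __name__ == "__main__":
    for name, blob in SAMPLES.items():
        container = identify_container(blob) or "none (raw)"
        print(f"{name:14s} container={container:10s} filesystem={identify_filesystem(blob)}")
```

The two-layer lookup mirrors the import flow the page describes: the container is recognized first, and a miss at that layer is not an error but the signal to try the file-system signatures directly, which is exactly the RAW/DD case.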

Artifact and OS Support

The updated Oxygen Forensic® KeyScout fully supports Windows 11 and its artifacts. Additionally, we’ve added parsing of standalone .eml files and updated support for the Telegram and Thunderbird apps.

Image Categorization of Tattoos and Aircraft

We’ve updated our Image Categorization tool to include the categorization of tattoos and aircraft. Once extracted data is analyzed, images containing tattoos or aircraft will carry a corresponding label in both the Files and Key Evidence sections. Overall, 18 categories are now supported for image categorization.

Furthermore, we’ve improved the image categorization algorithm, so investigators can categorize images several times faster. The Weapons and Drugs categories have also been significantly improved.

OCR Enhancements

Images can now be preprocessed for better optical character recognition. We’ve added adaptive threshold processing, and small pictures, particularly thumbnails, can now be upscaled. Note that enabling preprocessing will increase recognition time by 20-30%.
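To show why adaptive thresholding matters for OCR, here is an added example (written for this page, not Oxygen Forensic's preprocessing code) that binarizes a constructed grayscale image with uneven illumination two ways: a single global threshold and a local-mean adaptive threshold computed with an integral image. It also includes the nearest-neighbour upscaling step the paragraph mentions for thumbnails. The sample image, its block size and its offset constant are assumptions chosen for the demonstration.

```python
"""Global vs adaptive threshold binarization for OCR preprocessing (constructed example)."""
from typing import List

Image = List[List[int]]  # grayscale rows, values 0..255; binary output uses 0 = black, 1 = white


def make_sample(width: int = 60, height: int = 21) -> Image:
    """Constructed test image: background ramps from 40 (left) to 220 (right) to mimic a
    photographed page under a lamp, with three dark vertical strokes 60 levels below background."""
    img = [[40 + (180 * x) // (width - 1) for x in range(width)] for _ in range(height)]
    for x in (10, 30, 50):
        for y in range(4, height - 4):
            img[y][x] -= 60
    return img


def global_threshold(img: Image, t: int = 128) -> Image:
    """One threshold for the whole image: fails wherever background crosses t."""
    return [[1 if p > t else 0 for p in row] for row in img]


def integral_image(img: Image) -> List[List[int]]:
    """Summed-area table with a zero border, so any box sum costs four lookups."""
    h, w = len(img), len(img[0])
    ii = [[0] * (w + 1) for _ in range(h + 1)]
    for y in range(h):
        row_sum = 0
        for x in range(w):
            row_sum += img[y][x]
            ii[y + 1][x + 1] = ii[y][x + 1] + row_sum
    return ii


def box_sum(ii: List[List[int]], x0: int, y0: int, x1: int, y1: int) -> int:
    """Sum of pixels in the half-open box [x0, x1) x [y0, y1)."""
    return ii[y1][x1] - ii[y0][x1] - ii[y1][x0] + ii[y0][x0]


def adaptive_threshold(img: Image, block: int = 11, c: int = 10) -> Image:
    """Pixel is black if it is more than c below the mean of its block x block neighbourhood.
    Windows are clipped at the image border rather than padded."""
    h, w = len(img), len(img[0])
    r = block // 2
    ii = integral_image(img)
    out = []
    for y in range(h):
        y0, y1 = max(0, y - r), min(h, y + r + 1)
        row = []
        for x in range(w):
            x0, x1 = max(0, x - r), min(w, x + r + 1)
            mean = box_sum(ii, x0, y0, x1, y1) / ((x1 - x0) * (y1 - y0))
            row.append(0 if img[y][x] < mean - c else 1)
        out.append(row)
    return out


def upscale(img: Image, factor: int = 2) -> Image:
    """Nearest-neighbour upscale; OCR engines generally want glyphs above a minimum height."""
    out = []
    for row in img:
        big_row = [p for p in row for _ in range(factor)]
        for _ in range(factor):
            out.append(list(big_row))
    return out


def stroke_columns(binary: Image) -> List[int]:
    """Columns containing at least one black pixel: the 'ink' the OCR stage would receive."""
    return [x for x in range(len(binary[0])) if any(row[x] == 0 for row in binary)]


if __name__ == "__main__":
    sample = make_sample()
    print("global  :", stroke_columns(global_threshold(sample)))   # left side floods black, right stroke lost
    print("adaptive:", stroke_columns(adaptive_threshold(sample)))  # exactly the three strokes
    print("upscaled:", len(upscale(sample)), "x", len(upscale(sample)[0]))
```

With the global threshold the dark left half of the page becomes solid black and the stroke on the bright right side disappears into white, while the adaptive pass recovers exactly the three strokes. The cost is the extra pass over every pixel and its neighbourhood, which is where the 20-30% recognition-time increase noted above comes from.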

Resolved Issues

  • Not all WhatsApp messages were parsed from a Huawei Kirin Dump.
  • Occurred while extracting Telegram data via OxyAgent.
  • Error “Too many requests” appearing during Telegram cloud data extraction.
  • The number of files displayed in a merged extraction was lower than in the separate extractions.
  • PDF report did not contain a custom image header.