We are delighted to introduce the latest update of our flagship software, Oxygen Forensic® Detective v.14.2! This new version introduces updated device and cloud acquisition methods, enhanced data import capabilities, and support for many new artifacts. The key features will be described in detail in our corporate blog. For a full list of updates, refer to the “What’s New” file in the software Options menu.
Enhanced Support for Huawei Kirin Devices
In Oxygen Forensic® Detective v.14.2, we’ve updated the Huawei Dump method that works with Kirin-based devices running Android OS 9 and 10. It now supports Huawei devices with the SPL (Security Patch Level) of May and June 2021. For devices with the updated SPL, we have changed the password brute force algorithm. Now password recovery is done on devices while extracting hardware keys, instead of on a dump. This method works for both device data and PrivateSpace extraction.
Redesigned iTunes Backup Method
We’ve completely redesigned and improved the iTunes backup method that is used for logical data extraction from unlocked Apple iOS devices. This method is now available in the new Device Extractor. Besides the improved GUI, investigators will be able to view more detailed information about the extraction while it occurs. Furthermore, extractions will be immediately saved in the destination folder that investigators choose. Previously, they were temporarily saved in the default folder on Disk C. For connection, investigators will now need only iTunes, which can be downloaded from the official website or the Microsoft Store.
In this new release, we focus on VPN app parsing. Investigators can now extract evidence from CyberGhost VPN, ZenMate VPN, ExpressVPN, NordVPN, and RusVPN apps. Moreover, Oxygen Forensic® Detective v.14.2 introduces support for Flock, AntonChat, VK Mail and Clubhouse (Android). The total number of supported app versions now exceeds 25,800.
Selective Data Analysis
Oxygen Forensic® Detective v.14.2 introduces a great time-saving feature – Selective Data Analysis. Now, before data import, investigators can select what data to parse for further analysis. To use this feature, select the “Selective Data Analysis” option in the Import Wizard and check the particular apps that need to be parsed. This functionality not only saves an incredible amount of time but also allows investigators to parse only the data required for the current investigation. This feature is supported for iOS, Android and KaiOS extractions.
Google Warrant Returns
Oxygen Forensic® Detective v.14.2 can ingest and parse Google Warrant Returns. Investigators can expect the following evidence set: device details, calendars, Gmail contacts, Gmail messages, Google Drive, Locations History, and My Activity. This is the 5th type of Warrant Returns that our software can parse. Our other supported returns are for Instagram, Facebook, Twitter, and Snapchat.
Other Import Updates
There are several other import enhancements in Oxygen Forensic® Detective v.14.2. First, we’ve added support for Android GrayKey extractions. Second, investigators can now ingest and parse UFDX files. Finally, we’ve updated our support for the latest versions of Samsung Smart Switch backups.
Cloud Extractor Updates
In response to customer requests, we’ve mainly focused on the update of already supported cloud services. We’ve updated the authorization algorithms for the WhatsApp QR, WhatsApp Cloud, VIPole, Telegram, Foursquare, and Microsoft services. We’ve also updated our support for LinkedIn. Lastly, we’ve redesigned the way extracted emails (IMAP) are shown in Oxygen Forensic® Detective. Now, the analysis of cloud emails will be much easier.
New Computer Artifacts
The updated Oxygen Forensic® KeyScout allows investigators to collect more artifacts on Windows computers:
- USN (NTFS) journals
- LogFile (NTFS) journals
- LNK files from Windows Desktop and other sources
- TOAST notifications
Additionally, we’ve added the ability to collect Google Drive data for Desktop from Windows and macOS computers. Investigators can extract files, images, folders, caches, and the list of synchronized devices.
Resolved Issues
- Error that occurred when the software was closed on Windows OS 8 and 11.
- Encryption keys could not be extracted from Asus Zenfone 3 Max.
- Error that occurred while importing a corrupted TAR or ADB backup.
- Errors that occurred when importing backups from long destination paths.