Oxygen Forensic® Detective v.14.4

We present the latest update of our flagship software, Oxygen Forensic® Detective, v.14.4! This version introduces support for:

  1. Huawei 820 chipset
  2. Decryption of ProtonMail
  3. RunKeeper cloud extraction
  4. Wickr Pro acquisition from Android devices
  5. Import of macOS Time Machine backups

For a full list of updates, refer to the “What’s New” file in the software Options menu.

Support for Kirin 820 chipset

Mobile forensics

Oxygen Forensic® Detective v.14.4 introduces support for a new Kirin 820 chipset. Using the Huawei Dump method, investigators can now access more screen-locked Huawei devices, including the following models: Huawei 30S, Huawei 30S 5G, Huawei Mate Pad 5G, Huawei P40 Lite 5G, Huawei X10 5G, Huawei nova 7 SE, and Huawei nova 7 SE 5G. Please note that the SPL (Security Patch Level) should be no later than June 2021. Overall, Oxygen Forensic® Detective now supports the following Kirin chipsets: 710, 710F, 810, 820, 659, 960, 970, 980, 985, 990, and 990 5G.

Wickr Pro Extraction via OxyAgent

Mobile forensics

Wickr Pro data can now be quickly collected from any unlocked Android device via OxyAgent. OxyAgent can be installed on a device via USB, Wi-Fi, or OTG device. The evidence set includes information about the account, contacts, private chats, rooms, and calls. Once the acquisition process is finished, the OxyAgent extraction can be imported into Oxygen Forensic® Detective for review and analysis.

Checkm8 Support Updates

Mobile forensics

Now investigators can extract the full file system via checkm8 vulnerability from Apple devices running the iOS versions 15.4-15.4.1. Moreover, in the previous software version, we completely redesigned the algorithm of keychain extraction for iOS 15 devices. In Oxygen Forensic® Detective v.14.4, this new extraction method works for devices with iOS versions lower than 15.0. Finally, we’ve made the whole extraction process more forensically sound. Now, at the end of extraction, instead of rebooting an iOS device, Oxygen Forensic® Detective turns it off.

App Support

Mobile forensics

Oxygen Forensic® Detective v.14.4 introduces the ability to decrypt ProtonMail contacts and emails from Android devices. Please note that the decryption support is available only within the Android Full File System method, which works on unlocked Android devices running version 5 and later. This method allows getting encryption keys that are used for ProtonMail decryption.

Moreover, investigators can now extract evidence from the following new apps: Craigslist (Android), and Rocket.Chat (Apple iOS, Android). The total number of supported app versions now exceeds 29000.

RunKeeper Extraction

Cloud forensics

We’ve added support for the 101st cloud service – RunKeeper, a popular GPS fitness-tracking app. To extract cloud evidence, investigators can authorize via login credentials, password from Google or Facebook, or token. There is no 2FA for this service. Extracted evidence will include the information about the account, challenges, contacts, routes, workouts, etc.

Moreover, we keep on maintaining already supported cloud services. In this release, we’ve updated our support for Mi Fit, Google Android Cloud Data, MEGA, and VKontakte.

KeyScout Updates

Computer artifacts

The updated Oxygen Forensic® KeyScout now supports the import and analysis of macOS Time Machine backups. Moreover, we’ve added the ability to analyze Windows Volume Shadow Copy snapshots. Additionally, file search by hash is now available. The following hash types are supported: MD5, SHA1, SHA256, SHA512, and SHA3-256.

The new computer artifacts include:
• Extraction of the WhatsApp QR Multi-device and Telegram for macOS tokens.
• Extraction of Apple Calendar, Contacts, Messages, Maps, Notes, Reminders, Photos on macOS 12.1.
• Parsing of encrypted WhatsApp messages from Windows and macOS.
• Parsing of cache files of Thumbcache_xxx.db from WIndows.
• Updated support for Viber and Microsoft Outlook.

Import Updates


In Oxygen Forensic® Detective v.14.4, investigators can ingest and fully parse XRY backups of version 12. Now at data import, users can choose the display time zone for extraction. This time zone will be shown across the entire extraction once it is parsed in the software. The option is available in the General Import Settings in the Import Wizard.

Export Updates


We’ve added two improvements to the Export engine. First, investigators can now rename the fields in data reports. This functionality is available under the Sections tab in the Export Settings. Second, reports with long paths are now fully supported; previously, they were not fully processed.

This Release Resolves the Following Issues

• The participant names could not show up correctly in RSMF reports.
• Attachments were not linked properly in RSMF reports.
• No links were in messages after exporting in HTML
• KeyScout did not open on macOS Monterey 12.2.
• Exporting EML to a long file path resulted in an empty folder.
• Unable to install Agent on a device with 12 Android onboard.
• WhatsApp Google Backup Authentication Https Post Error.