About Oxygen Corporate Explorer v.1 Updates.

September 19, 2023

Welcome our new product - Oxygen Corporate Explorer. Find critical evidence quickly and accelerate case resolution using targeted, remote data collection, task scheduling, and advanced search and analysis.

For a full list of updates, refer to the “What’s New” file in Oxygen Corporate Explorer.

1.0 1.1 1.2

Oxygen Corporate Explorer v.1.2

This update includes:

  • Decryption of VeraCrypt containers
  • Deleted file recovery from FAT16, FAT32, and exFAT file systems
  • Cloud extraction of Google Messages
  • Samsung Browser extraction via Android Agent
  • A new smart filter in the Timeline section

Endpoint Data Collection

Remote Device Collector Updates

Now, once the Remote Device Collector is installed on the endpoint and its shortcut is created, it can be manually started anytime by the user. The user can connect a mobile device and extract data. In the previous version of the Remote Device Collector, device registration and data extraction were managed by the Admin only.

Remote Device Registration

There are now two types of endpoint device registration. Previously, a mobile device could only be assigned to a particular endpoint. With this new version, the mobile device may have a Roaming status, allowing it to be extracted on any registered endpooint. The device registration status will be shown in the Hostname column in the Agent Management Center.

Computer Artifacts

Deleted Files Recovery

We added the ability to recover deleted files from FAT16, FAT32, and exFAT file systems. To do so, select the “Recover deleted files” option in the KeyScout Search settings, then select drives and partitions where you want to recover deleted files.

Decryption of VeraCrypt containers

Oxygen Corporate KeyScout can now extract VeraCrypt encryption keys from Windows RAM. With a found VeraCrypt encryption key drive, partitions and separate file containers can be decrypted.

Key features of this functionality include:

  • Support for standard and hidden containers
  • Detection of drives, partitions, or file containers protected with VeraCrypt
  • Extraction of VeraCrypt encryption keys of any versions
  • Support for all 15 VeraCrypt encryption algorithms

In addition to VeraCrypt encryption keys, drives, and partitions can be decrypted with a known password in Oxygen Corporate KeyScout.

New Artifacts

The updated Oxygen Corporate KeyScout enables users to collect the following new artifacts:

  • Installed Homebrew packages from macOS
  • Shim Cache from Windows
  • The information about permissions that were given to applications on Windows
  • NordVPN from Windows, macOS, and GNU/Linux
  • PureVPN from Windows, macOS, and GNU/Linux
  • VLC Media Player from Windows, macOS, and GNU/Linux
  • A paid version of ViPole from Windows, macOS, and GNU/Linux
  • Telegram stories from macOS

Moreover, we added decryption of Viber databases from macOS and WhatsApp databases from Windows images.

Mobile Extraction Updates

Support for Xiaomi Redmi devices

In Oxygen Corporate Explorer v.1.2, we added the ability to extract hardware keys and decrypt physical dumps of Xiaomi devices based on the Qualcomm SDM439 chipset. Xiaomi Redmi 7A, Xiaomi Redmi 8, and Xiaomi Redmi 8A devices running Android OS 7 or higher are now supported.

Extended support for UNISOC-based devices

We also added support for the devices based on the UNISOC T606, T616, T612, and T310 chipsets and running Android OS 10 – 13. Now you can extract hardware keys to decrypt physical dumps of many HTC, Motorola, Nokia, Realme, ZTE, and other devices based on these chipsets.

Enhanced APK Downgrade method

Our APK Downgrade method allows extraction of popular apps by temporarily downgrading app versions so that they are included in the ADB backup. In Oxygen Corporate Explorer v.1.2, we added support for Android OS versions 12 and 13. You can extract data from many more Android devices using this method. With our support for WhatsApp, Instagram, Facebook, Twitter, and 40 other supported apps, you will have access to much more critical evidence.

Samsung Browser extraction via Android Agent

You can now quickly collect Samsung Browser data from any unlocked Android device using our Android Agent. It can be installed on a device via USB, WiFi, or OTG device. Once the acquisition process is finished, the extraction can be imported into Oxygen Corporate Explorer for review and analysis. The evidence set will include saved logins, passwords, history, bookmarks, downloads, and other available data.

Enhanced iOS Agent method

We significantly enhanced the ability to extract full file system and keychain via the iOS Agent. Now you can extract them from devices with iOS versions 14.6 – 14.8.1, 15.6 – 15.7.1, and 16.0 – 16.5.

New App support

We added support for the following new apps:

  • Threads (Android, iOS)
  • TikTok Lite (Android)
  • TanTan (Android, iOS)
  • 1Password (Android, iOS)

We also added passcode brute force for encrypted Apple Notes and the Briar app.

The total number of supported app versions now exceeds 40,000.

Import Updates

Import Images

In Oxygen Corporate Explorer, we added the ability to import the following images:

  • Physical dumps of Xiaomi Redmi 7A/8/8A based on the Qualcomm SDM439 chipset
  • Physical dumps of the UNISOC T606/T616/T612, and T310 chipsets
  • XRY backups of versions 10.3.1 and newer

Additionally, you can now select artifacts to import and analyze from Oxygen Corporate KeyScout extractions. This is a great time-saving feature as you do not need to import the whole extraction anymore.

Cloud Extractor Updates

Clubhouse data extraction

The latest Oxygen Forensic® Cloud Extractor enables data extraction from Clubhouse via phone number or token. The extracted data set includes account info, contacts, audio messages, replays, chats, notifications, and information about the houses.

Bumble data extraction

Bumble is another new service added in Oxygen Corporate Explorer. Data extraction from this dating app is supported via phone number or token. Extracted evidence will include profile info, contacts, messages, and album photos.

Google Messages extraction

Now you can also extract Google Messages from the cloud. Use a token or scan a QR code with a mobile device to gain access to this cloud service. The evidence set will include information about the account owner, SIM cards, contacts, as well as private and group chats.

Data Analysis Updates

Analytic Tools Update

We enhanced our analytical sections with two features:

  • New categories have been added to the Image Categorization section: medical, meme, offensive gesture, and schematic.
  • A new smart filter now allows showing events before and after those events marked with a particular tag in the Timeline section.

Oxygen Corporate Explorer v.1.1

Download PDF


This update includes:

  • Remote Device Collector (RDC)
  • Support for AWS Wickr and Samsung Email
  • New computer artifacts
  • Timeline enhancements

For a full list of updates, refer to the “What’s New” file in the Oxygen Corporate Explorer “Options” menu.

Endpoint Data Collection

Remote Device Collector

Ground breaking Remote Device Collector (RDC) is now available in the Agent ManagementCenter of Oxygen Corporate Explorer. You can now remotely connect any unlocked devicerunning Android OS 4 – 13 to our software and extract contacts, calls, messages, calendars, andmedia file information via Android Agent. Once the data is extracted, it can be seamlesslyimported in Oxygen Corporate Explorer for analysis and reporting. Now you can collect Androiddata quickly and efficiently, regardless of where the device is located.

Computer Artifacts

New and updated artifacts

Oxygen Corporate KeyScout enables users to collect the following new artifacts:

  • Permissions given by macOS applications
  • Background app activity from Windows
  • History of recently opened files from Linux
  • Secret DPAPI password from Windows
  • ICQ data from Windows, macOS, and Linux
  • FileZilla data from Windows, macOS, and Linux
  • Spark data from Windows
  • Discord data from Linux
  • Discord cookies and messages from Windows and macOS

Updated artifact support includes:

  • Data about network interfaces from Windows
  • Event logs from Windows. Now data about VPN, BITS, and DPAPI can be collected
  • Spark data from macOS

Mobile Extraction Updates

Support for the MT6833 chipset

Oxygen Corporate Explorer offers extraction of hardware keys and decryption of Android devices based on the MT6833 chipset, having File-Based Encryption (FBE), and running Android OS 10-13. Our support covers Samsung, Xiaomi, Oppo, Realme, Vivo, and Motorola devices.

Additional Extractor updates

Our updated Oxygen Forensic® Device Extractor introduces several additional enhancements:

  • The ability to extract the full file system and keychain via checkm8 from Apple iOS devices with iOS version 15.7.7.
  • Updated extraction via iOS Agent from iPhones running iOS versions 15.0 – 15.4.1.
  • Updated Kik data extraction via Android Agent from unlocked Android devices.
  • Updated data extraction via Android Agent from Huawei devices running HarmonyOS.

App support

We added support for the following new apps:

  • AWS Wickr (iOS, Android)
  • Samsung Email (Android)
  • Vivaldi Browser (Android)

Data Analysis


In Oxygen Corporate Explorer, we included several enhancements for our analytical tools:

  • Timeline: added a new smart filter. Now you can quickly filter and view the events that happened before and after the events marked with tags.
  • Timeline: added the ability to filter by seconds, minutes, and hours in the time filter.
  • Maps: added the Activity Matrix for geo coordinates. Now you can deeply analyze the geo location data and determine the peaks of user activity.

Oxygen Corporate Explorer v.1.0

Download PDF

All-in-one platform

Conduct various  investigations in one single platform by collecting data from computers, cloud services, and mobile devices, whether they are onsite or remote. Leverage built-in powerful analytics to gain quick insights into your case.

Remote and onsite endpoint acquisition

Collect data from Windows, macOS, and Linux-based endpoints no matter where they are located. Local collections are also supported.

Cloud and mobile data extraction

 Collect communications, documents, and other data from a variety of enterprise cloud services and mobile devices. Merge these collections with  computer ones to see a full picture of the event.

Scheduled and automatic collections

 Save time by scheduling regular data collections and automatic collections.

Targeted and fast collections

 Speed up your investigation with simultaneous and targeted data collection from various digital sources. Collect documents, downloaded data and files with a specific extension within a specified time frame.

Built-in powerful analytics

 Build a timeline of events, leverage AI-powered analytics to run OCR on documents and screenshots, and automatically categorize collected images. Use keywords, RegEx, and other types of search to quickly find required artifacts.

Integration with other solutions

 Export collected data into various file formats including Relativity for further analysis.


Computer artifacts

  • Computer artifacts can be extracted from a live running system (Windows, macOS, Linux) and forensic disk image files (AD1, E01, L01, ZIP archives).
  • Live system acquisition can be made remotely or locally by running Oxygen Corporate KeyScout on the targeted computer (Windows, macOS, Linux).
  • You can collect the following:
    • System artifacts: USBSTOR, Shellbags, Prefetch, Jumplist, Task Scheduler, registry and event logs, macOS  file system events and preferences, and more.
    • User data from messengers, social media, storages, web browsers, and other apps such as: WhatsApp, Slack, Skype, Viber, Dropbox, Microsoft Teams, Outlook, iCloud Drive.
    • Capture volatile memory (RAM) and save it in RAW format compatible with Volatility and other memory analysis utilities.

Cloud data

  • Utilize the credentials to quickly access and download cloud-based data within a specified time period.
  • Extract evidence from a great variety of cloud services:
    • Messengers and social media: Slack, WhatsApp, Telegram, Viber, Zoom, LinkedIn, Chatwork, Flock, Teams, and others.
    • Emails: Mail (IMAP), Google Mail, Outlook Mail, Secmail.
    • Storages: Dropbox, Amazon EC2,  Amazon S3, iCloud, OneDrive, Google Drive, Box, MEGA, and more.
    • Business such as: Evernote, Apple Calendar, Safari, Google Tasks, Google Calendars.

Mobile data

  • Run fast and targeted data collections from unlocked iPhones, iPads, and various Android devices to extract contacts, communications, event history, locations, deleted records, and more.
  • Utilize advanced screen lock bypass methods for Samsung, Huawei, Xiaomi, Motorola, Oppo,  and other Android-powered devices.
  • Import and parse device backups (iTunes, Samsung, Huawei) and other third-party mobile images.
  • Decrypt data from secure apps and device storages including Apple Notes, Wickr, Signal, Vault apps, Huawei PrivateSpace, Samsung Secure Folder, and others.

Analysis and Reporting

  • Analyze computer, mobile, and cloud extractions in one case.
  • Track down the timeline of events and gain quick insights into the user statistics.
  • Determine social connections between contacts.
  • Run facial and image categorization, and Optical Character Recognition.
  • Visualize visited and common locations on the map.
  • Search artifacts in extracted data by various criteria.
  • Export data to various file formats compatible with other tools.

Schedule a demo with one of our forensic experts.

You are opting in to receiving marketing emails. By submitting this form, I acknowledge that I have read Oxygen Forensics Privacy Policy. You will be able to Unsubscribe.