About Oxygen Forensic® Detective v.16 Updates.

March 19, 2024

Oxygen Forensic® Detective v.16 updates include improvements to analysis and analytic tools, KeyScout, Device Extractor, and supported apps, expanded cloud support, and more.

For a full list of updates, refer to the “What’s New” file in the Oxygen Forensic® Detective “Options” menu.

Oxygen Forensic® Detective v.16.2

This Oxygen Forensic® Detective update introduces the following key features:

  • Enhanced support for UNISOC-based devices
  • Import of Apple Warrant Returns
  • Steam data extraction
  • Passcode brute force for 7-ZIP archives and iTunes backups
  • Preliminary data export

Mobile Forensic Updates

Enhanced support for UNISOC-based devices

Added support for screen-locked Samsung devices based on the Unisoc SC9863A chipset and running Android OS 10-13. We’ve also significantly accelerated data extraction from UNISOC-based Android devices. Our tests show extraction speeds 7-8 times faster than before.

Support for the MT6781 and MT6877 chipsets

Added support for two more Mediatek chipsets – MT6781 and MT6877. You can extract hardware keys and decrypt physical dumps of screen-locked devices running Android OS 10 or higher. Supported models include Xiaomi Redmi Note 12S, Xiaomi Redmi Note 11S 4G, Xiaomi Redmi Note 12 Pro+, Realme 8i, Samsung Galaxy M53 5G, Samsung Galaxy Quantum 3, Samsung Galaxy A34 5G, and more.

Extended support for Qualcomm-based Samsung devices

Extract evidence from screen-locked Samsung devices based on the Qualcomm Snapdragon SDM845 chipset. Supported models include Samsung Galaxy Note 9, Samsung Galaxy S9 and Samsung Galaxy S9+.

Extraction of the second WhatsApp account via Android Agent

Extract the second authorized account of WhatsApp or WhatsApp Business on an Android device using Android Agent. The evidence set will include contacts, calls, and chats.

Extract full file system via checkm8 from iPads running iOS 16. The following models and iOS versions are supported:

  • iPad 7th gen: iOS 13.1 – 16.7.5
  • iPad 6th gen: iOS 13.0 – 16.7.5
  • iPad 5th gen: iOS 12.4 – 16.7.5

Cloud Forensic Updates

Steam cloud data extraction

Extract evidence from Steam, a video game digital distribution service, from the cloud via login/password or token. Supported artifacts include the account information, contacts, products, reviews, groups, group discussions, group events, group announcements, and group comments.

Computer Artifacts

Passcode brute force module

Enhanced Oxygen Forensic® KeyDiver capabilities to find passcodes to:

  • encrypted iTunes backups
  • encrypted 7-ZIP archives

Attack methods can be created using a dictionary, mask, or a user’s personal data from an extraction.

Search by file signatures

Search Microsoft Office files by file signatures by selecting this option in the Files tab of Oxygen Forensic® KeyScout. This feature might be useful when the extensions of Microsoft Office files have been altered or deleted by a user.
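How content-based detection of Office files can work when extensions are altered or missing, as an added example (not Oxygen Forensic code and not a description of how KeyScout implements the feature). The file names, sample contents, and helper names are constructed for the demonstration; the signatures are the publicly documented OLE2 and ZIP/OOXML markers.

```python
import io
import zipfile
from typing import Dict, List, Optional, Tuple

# Publicly documented container signatures (assumption: not taken from KeyScout).
OLE2_MAGIC = bytes.fromhex("D0CF11E0A1B11AE1")  # legacy .doc/.xls/.ppt compound file
ZIP_MAGIC = b"PK\x03\x04"                        # OOXML documents are ZIP archives

# Top-level directory inside an OOXML package -> document family.
OOXML_DIRS = {"word/": "docx", "xl/": "xlsx", "ppt/": "pptx"}

# Extensions considered consistent with each detected family.
EXPECTED_EXT = {
    "ole2": {"doc", "xls", "ppt", "dot", "xlt", "pps"},
    "docx": {"docx", "docm", "dotx", "dotm"},
    "xlsx": {"xlsx", "xlsm", "xltx", "xltm"},
    "pptx": {"pptx", "pptm", "ppsx", "potx"},
}


def classify_office(data: bytes) -> Optional[str]:
    """Return 'ole2', 'docx', 'xlsx', 'pptx' or None, using content only."""
    if data.startswith(OLE2_MAGIC):
        # OLE2 is also used by some non-Office files, so this is a candidate hit.
        return "ole2"
    if not data.startswith(ZIP_MAGIC):
        return None
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            names = zf.namelist()
    except zipfile.BadZipFile:
        return None
    if "[Content_Types].xml" not in names:
        return None  # ordinary ZIP archive, not an OOXML package
    for prefix, family in OOXML_DIRS.items():
        if any(name.startswith(prefix) for name in names):
            return family
    return None


def find_mismatches(files: Dict[str, bytes]) -> List[Tuple[str, str]]:
    """List (file name, detected family) where the extension hides an Office file."""
    hits = []
    for name, data in files.items():
        family = classify_office(data)
        ext = name.rsplit(".", 1)[1].lower() if "." in name else ""
        if family and ext not in EXPECTED_EXT[family]:
            hits.append((name, family))
    return sorted(hits)


def make_zip(parts: List[str]) -> bytes:
    """Build a small constructed ZIP in memory containing the given member names."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for part in parts:
            zf.writestr(part, "<x/>")
    return buf.getvalue()


# Constructed sample evidence set: names and contents are invented for the demo.
SAMPLE = {
    "holiday.jpg": make_zip(["[Content_Types].xml", "word/document.xml"]),  # renamed
    "notes": OLE2_MAGIC + b"\x00" * 504,          # legacy file, extension deleted
    "budget.xlsx": make_zip(["[Content_Types].xml", "xl/workbook.xml"]),    # honest
    "archive.zip": make_zip(["readme.txt"]),      # ordinary ZIP, not Office
}

if __name__ == "__main__":
    for name, family in find_mismatches(SAMPLE):
        print(f"{name}: content is {family}")
```
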

New artifacts

The following new computer artifacts are supported:

  • Steam (Windows, macOS, GNU/Linux)
  • BitTorrent (Windows)
  • 1Password (Windows, macOS, GNU/Linux)
  • Box Drive (Windows, macOS)
  • Box Tools (Windows, macOS)
  • Web version of Box (Windows, macOS, GNU/Linux)

Updated artifacts include:

  • Event log (Windows)
  • WhatsApp (macOS)

General

Enhanced Chats View

Enhancements to the Chats View, focusing on improved visualization of forwarded and replied chats, as well as chat statuses and chat filtering. These enhancements are also included in the export of chats.

Import

Import of Apple Warrant Returns

Import and parse Apple Warrant Returns. Parsed data will include contacts, calendars, notes, messages, reminders, photos, iCloud Drive, Find My Friends, and other available data.

Other import updates

Import improvements include:

  • A separate import of Apple Keychain is now available. Parsed keychain data can be found in the Accounts and Passwords section as well as in the Applications section of Oxygen Forensic®
  • Import and parse VDI images of Android extractions.
  • Parsing of logical MD-Next extractions.

Export

Preliminary data export

Preliminary reports can be generated including the following data:

  • Device/case info
  • Categories and number of artifacts
  • Applications and number of artifacts for each application
  • First and last contacted contacts
  • Last communication by the owner
  • Last elements on the Timeline
  • Key Evidence data

To run this type of data export, right-click on the extraction in the device tree and choose the “Pre-export data” option. This feature might be useful if an investigator needs a basic report to kickstart an investigation or to compare the number of artifacts provided by different extraction methods.

Oxygen Forensic® Detective v.16.1.1

This Oxygen Forensic® Detective update introduces the following key features:

  • Support for Qualcomm Snapdragon 845/710 chipset
  • App extraction via Android Agent from Android OS 14 devices
  • Reddit cloud data extraction
  • Extraction of μTorrent data from Windows
  • Parsing of Weather, Files, and Alarms iOS apps

Mobile Forensic Updates

Support for the Qualcomm Snapdragon 845/710 chipset

Oxygen Forensic® Detective v.16.1.1 introduces support for the Qualcomm Snapdragon 845/710 chipset. You can extract data from screen-locked Android devices based on this chipset and running Android OS 7 or higher. Supported models include Google Pixel 3, HTC Exodus 1, LG Velvet 4G, LG G7 ThinQ, Motorola One Fusion, Nokia 9 PureView, OPPO Find X, Realme 3 Pro, Sony Xperia XZ2, Xiaomi Black Shark, Xiaomi Mi 8, ZTE Axon 9 Pro, and others.

Support for the MT6771 and MT6873 chipsets

We added support for two more Mediatek chipsets – MT6771 and MT6873. You can extract hardware keys and decrypt physical dumps of screen-locked Android devices that include the following models: BQ 6430L Aurora, Gionee X50, Honor Play 4, Huawei Enjoy Z 5G, Nokia 5.1 Plus, OPPO Reno4 Z 5G, Philips S688, ZTE Blade 10 Prime, and more.

Enhanced Android Agent method

You can now extract app data via Android Agent from devices running Android OS 14.0. Android Agent can be installed on a device via USB, WiFi, or OTG device. Once the acquisition process is finished, the Android Agent extraction can be imported into Oxygen Forensic® Detective for review and analysis.

New App support

We added support for the 3 pre-installed iOS apps with the following categories:

  • Weather app:
    • Last location
    • Favorite places
    • Search results
    • Cache
  • Files app:
    • Folders
    • Files
    • Cache
  • Alarms app:
    • Alarms
    • Timers
    • Bedtime

Moreover, we have added data parsing of the CapCut app for Android and Apple iOS devices. The total number of supported app versions now exceeds 45,200.

Cloud Forensic Updates

Reddit cloud data extraction

Now you can extract evidence from Reddit cloud via login/password or token. Supported artifacts include the account information, chats, posts, subreddits, notifications, reactions, comments, subscriptions, and blocked users.

Computer Artifacts

New artifacts

The following new computer artifacts are supported:

  • μTorrent data from Windows
  • Information about .torrent files from Windows, macOS, and GNU/Linux
  • Apple FaceTime data from macOS
  • OpenOffice data from Windows and GNU/Linux
  • FastStone Image Viewer data from Windows
  • Microsoft Outlook data from macOS

Updated artifacts include:

  • Facebook Messenger (Windows and macOS)
  • Microsoft Outlook (Windows)

We also added support for the new encryption algorithm of Viber (Windows).

General

Updated Translation module

We updated our Translation module and added support for 5 new languages: Turkish, Farsi, Polish, Ukrainian, and Belarusian. The Translation module is available at no additional charge to all the users.

Oxygen Forensic® Detective v.16.1

This Oxygen Forensic® Detective update introduces the following key features:

  • Passcode brute force for computer partitions and applications
  • Integrated translation tool
  • Import of Instagram account copy
  • Support for the UNISOC SC9863A chipset
  • Access to the WhatsApp QR Multi-Device service via phone number

General

Integrated translation tool

A new translation tool is now integrated into Oxygen Forensic® Detective, at no additional cost. It supports 20 language pairs and allows translation of messages in the Applications, Messages, and Timeline sections. Translated messages can also be exported to data reports.

Mobile Forensic Updates

Support for the UNISOC SC9863A chipset

Support for the UNISOC SC9863A chipset was added. You can extract data from screen-locked Android devices based on this chipset and running Android OS 10-13. Supported models include Lenovo K13, Motorola Moto E6i, Motorola Moto E7i Power, Nokia C01 Plus, Nokia C12, Realme C30s, Samsung Galaxy A04, and ZTE Blade A31.

Support for the MT6893 and MT6853 chipsets

We’ve added support for two more Mediatek chipsets – MT6893 and MT6853. You can extract hardware keys and decrypt physical dumps of screen-locked Android devices that include the following models: Huawei Enjoy 20 5G, Huawei Nova 8 SE Standard, Motorola Edge 20 lite, OPPO K9 Pro 5G, Realme GT Neo 2T, Samsung Galaxy A32 5G, Samsung Galaxy Jump, Xiaomi 11T, and ZTE S30.

Enhanced Full File System extraction for Android devices

We updated our Full File System extraction method for Android devices and it is now compatible with devices that have the Security Patch Level (SPL) no later than October 2022.

Enhanced APK Downgrade method

The list of applications supported by the APK downgrade method has been extended. The following new apps have been added: Baidu Browser, BBM, Like, Maxthon Browser, Opera, Puffin, Shareit, Snapchat, Tiktok, Truecaller, Tumblr, Zangi, Zello, and Zoom.

Moreover, you can now see the full list of supported apps in the initial window of the APK Downgrade method.

Extraction via iOS Agent for iPads

The new version enables you to extract the full file system and keychain via iOS Agent from iPads based on the A8 – A15, M1, and M2 chipsets and running iPadOS 15.0 – 15.7.3 and 16.1 – 16.5.

New App support

We added support for the following new apps:

  • Bitwarden (Android, Apple)
  • Trello (Android, Apple)
  • Message+ (Apple)

The total number of supported app versions now exceeds 44,300.

Import Updates

Import of Instagram account copy

Oxygen Forensic® Detective v.16.1 allows the import and parsing of Instagram data that can be downloaded following these instructions. Our software supports both HTML and JSON formats of Instagram account data files. Parsed data will include the account info, chats, followers, comments, likes, Threads account data, and many other available categories.

Import of FFS extractions of MDF (MD-Next)

You can now import and parse logical FFS extractions of MDF (MD-Next) software.

Cloud Forensic Updates

Access to WhatsApp QR Multi-Device service via phone number

Previously, our software enabled access to the WhatsApp QR Multi-Device service by scanning a QR code or via token. Now you can also access it via phone number. Enter the phone number in the Cloud Extractor and insert the code in the WhatsApp app on a mobile device.

Facebook data extraction via iOS token

Now you can access Facebook cloud data via Facebook token extracted from an Apple iOS device.

Computer Artifacts

Passcode brute force module

A passcode brute force module, Oxygen Forensic® KeyDiver, is now available at no additional charge. With this module you can find passcodes to decrypt encrypted partitions, files, and applications:

  • partitions protected with BitLocker
  • partitions protected with FileVault 2
  • encrypted ZIP files
  • passcode-locked Telegram app
  • encrypted Apple Notes

The list of supported partitions and applications is ever-growing.

You can create an attack method using a dictionary, mask, or a user’s personal data from an extraction.

Deleted data recovery from NTFS

We added the ability to recover deleted files from NTFS if KeyScout runs with escalated privileges. To recover deleted data from partitions, select them in the Drives and partitions section of KeyScout.

Support for AFF4 and VHDX formats

You can now import and parse computer images of AFF4 and VHDX formats. For a VHDX format, snapshots are also supported.

New artifacts

The updated Oxygen Forensic® KeyScout enables users to collect the following new artifacts:

  • information about recently used applications, documents, servers, partitions, and other objects of macOS.
  • LibreOffice data from Windows, macOS, and GNU/Linux.
  • Exodus data from Windows, macOS, and GNU/Linux.
  • Todoist data from Windows, macOS, and GNU/Linux.
  • Stories of public channels and quoted messages from Telegram for macOS.
  • OneDrive data from Windows and macOS.
  • Slack data from Windows, macOS, and GNU/Linux.

Oxygen Forensic® Detective v.16.0.1

This Oxygen Forensic® Detective update introduces the following key features:

  • Public data extraction via iOS Agent
  • Extraction of iOS 17 devices
  • Decryption of VeraCrypt containers with key files
  • Updated support for WhatsApp QR Multi-Device cloud service
  • Export of contacts to VCF format

Mobile Forensic Updates

Extraction of public data via iOS Agent

You can now extract public data via iOS Agent from Apple iOS devices with versions 12 and higher. Public data includes device information, contacts, calendar events, photos, media files, and shared files. This method is recommended when full file and keychain extraction is not supported or cannot be done.

Other Extractor Updates

We added several enhancements to our extraction methods:

  • Added extraction of iOS 17 devices via iTunes backup procedure.
  • Extractions are now much easier with animated instructions incorporated in the checkm8 method.
  • Android KeyStore extraction is now supported for devices with pre-installed Android OS 13.
  • Updated ability to extract WhatsApp, WhatsApp Business, Discord, Viber, and Google Chrome data via Android Agent.
  • Using Android Agent, you can now re-extract data protected with a passcode if the first attempt fails.

New App support

We added support for the following new apps:

  • Bumble (Android, iOS)
  • Todoist (Android, iOS)
  • Samsung My Files (Android)
  • Gmail Go (Android)

The total number of supported app versions now exceeds 41,200.

Import Updates

Import and decryption of physical images

In Oxygen Forensic® Detective v.16.0.1, we added the following functionality:

  • Import and decryption of physical images of Honor 7S and Huawei Y5 devices.
  • Extraction of metadata from UFED extractions of CLBX format.

We also updated support for MTK-based devices having TEE T6.

Cloud Forensic Updates

In this release, we updated support for the WhatsApp QR Multi-Device service and Huawei Cloud Data. Moreover, we added support for CAPTCHA for WhatsApp cloud.

Computer Artifacts

Decryption of VeraCrypt containers with key files

New artifacts

The updated Oxygen Forensic® KeyScout enables users to collect the following new artifacts:

  • IrfanView app from Windows
  • KMPlayer from Windows
  • Dropbox from GNU/Linux
  • The creation and modification dates of APFS partitions
  • The serial number of a macOS computer
  • The history of the user logins on macOS
  • Information about trusted documents and locations stored in MS Office apps
  • Information about documents printed with CUPS (Common UNIX Printing System) from macOS and GNU/Linux
  • Information about bookmarks and sessions of web browsers based on the Blink engine

Additionally, you can now decrypt user passwords extracted from FileZilla Client as well as logins and passwords saved in the system VPN client.

Export Updates

We added several enhancements to the Export engine. Now contacts can be exported to VCF format. Moreover, .SMIL files are now excluded from reports.

Oxygen Forensic® Detective v.16

This Oxygen Forensic® Detective update introduces the following key features:

  • APK Downgrade support for Android OS 12 – 13
  • Decryption and extraction of VeraCrypt containers
  • Passcode brute force for Apple Notes and Briar app
  • Cloud extraction of Clubhouse, Bumble, and Google Messages
  • New categories in the Image Categorization engine

Mobile Forensic Updates

Support for Xiaomi Redmi devices

In Oxygen Forensic® Detective v.16.0, we added the ability to extract hardware keys and decrypt physical dumps of Xiaomi devices based on the Qualcomm SDM439 chipset. Xiaomi Redmi 7A, Xiaomi Redmi 8, and Xiaomi Redmi 8A devices running Android OS 7 or higher are now supported.

Extended support for UNISOC-based devices

We also added support for the devices based on the UNISOC T606, T616, T612, and T310 chipsets and running Android OS 10 – 13. Now you can extract hardware keys based on these chipsets to decrypt physical dumps of many HTC, Motorola, Nokia, Realme, ZTE, and other devices.

Enhanced APK Downgrade method

Our APK Downgrade method allows the extraction of popular apps by temporarily downgrading app versions so that they are included in the ADB backup. In Oxygen Forensic® Detective v.16.0, we added support for Android OS versions 12 and 13. Now you can extract data from many more Android devices using this method. With our support for WhatsApp, Instagram, Facebook, Twitter, and 40 other supported apps, you will have access to much more critical evidence.

Samsung Browser extraction via Android Agent

Our APK Downgrade method allows the extraction of popular apps by temporarily downgrading app versions to include them in the ADB backup. In Oxygen Forensic® Detective v.16.0, we added support for Android OS versions 12 and 13. Now you can extract data from many more Android devices using this method. With our support for WhatsApp, Instagram, Facebook, Twitter, and 40 other supported apps, you will have access to much more critical evidence.

Enhanced iOS Agent method

We significantly enhanced the ability to extract full file system and keychain via the iOS Agent. Now you can extract them from devices with iOS versions 14.6 – 14.8.1, 15.6 – 15.7.1, and 16.0 – 16.5.

Decryption of Apple Notes and Briar app

We added passcode brute force for encrypted Apple Notes and the Briar app.

If an Apple Note is encrypted, you can click the Enter passcode button on the toolbar of the Apple Notes section and brute force the passcode using our various available attacks.

You can now brute force the passcode for the Briar app installed on Android devices. This functionality is available in the Full File System extraction method.

New App support

We added support for the following new apps:

  • Threads (Android, iOS)
  • TikTok Lite (Android)
  • TanTan (Android, iOS)
  • 1Password (Android, iOS)

The total number of supported app versions now exceeds 40,000.

Import Updates

Image Import

In Oxygen Forensic® Detective v.16.0, we added the ability to import the following images:

  • Physical dumps of Xiaomi Redmi 7A/8/8A based on the Qualcomm SDM439 chipset
  • Physical dumps of the UNISOC T606/T616/T612, and T310 chipsets
  • XRY backups of versions 10.3.1 and newer

Additionally, you can now select artifacts to import and analyze from Oxygen Forensic® KeyScout extractions. This is a great time-saving feature as you do not need to import the whole extraction anymore.

Cloud Forensic Updates

Bumble data extraction

Bumble is another new service added in Oxygen Forensic® Detective v.16.0. Data extraction from this dating app is supported via phone number or token. Extracted evidence will include profile info, contacts, messages, and album photos.

Clubhouse data extraction

Launched in 2020, Clubhouse currently has over 10 million weekly active users. The latest Oxygen Forensic® Cloud Extractor enables data extraction from Clubhouse via phone number or token. The extracted data set includes account info, contacts, audio messages and replays, chats, notifications, and information about the houses.

Google Messages extraction

Now you can also extract Google Messages from the cloud. Use a token or scan a QR code with a mobile device to gain access to this cloud service. The evidence set will include information about the account owner, SIM cards, contacts, as well as private and group chats.

With this version, the total number of supported cloud services is now 105.

Computer Artifacts

Deleted files recovery

We added the ability to recover deleted files from FAT16, FAT32, and exFAT file systems. To do so, select the “Recover deleted files” option in the KeyScout Search settings, then select the drives and partitions where you want to recover deleted files.

Decryption of VeraCrypt containers

The updated Oxygen Forensic® KeyScout can now extract VeraCrypt encryption keys from Windows RAM. With a found VeraCrypt encryption key, drives, partitions, and separate file containers can be decrypted.

The key features of this functionality include:

  • Support for standard and hidden containers
  • Detection of drives, partitions, or file containers protected with VeraCrypt
  • Extraction of VeraCrypt encryption keys of any version
  • Support for all 15 VeraCrypt encryption algorithms

In addition to VeraCrypt encryption keys, drives and partitions can be decrypted with a known password in Oxygen Forensic® KeyScout.

New Artifacts

The updated Oxygen Forensic® KeyScout enables users to collect the following new artifacts:

  • Installed Homebrew packages from macOS
  • Shim Cache from Windows
  • The information about permissions that were given to applications on Windows
  • NordVPN from Windows, macOS, and GNU/Linux
  • PureVPN from Windows, macOS, and GNU/Linux
  • VLC Media Player from Windows, macOS, and GNU/Linux
  • A paid version of ViPole from Windows, macOS, and GNU/Linux
  • Telegram stories from macOS

Moreover, we added decryption of Viber databases from macOS and WhatsApp databases from Windows images.

Data Analytic Tools Updates

We enhanced our analytical sections with two features:

  • New categories are added to the Image Categorization section: medical, meme, offensive gesture, and schematic.
  • A new smart filter now allows showing events before and after those events marked with a particular tag in the Timeline section.
