About Oxygen Remote Explorer v.1 Updates.

February 20, 2024

Find critical evidence quickly and accelerate case resolution using targeted, remote data collection, task scheduling, and advanced search and analysis.

For a full list of updates, refer to the “What’s New” file in Oxygen Remote Explorer, formerly known as Oxygen Corporate Explorer.

Oxygen Remote Explorer v.1.3.1

The latest update to our remote and onsite collection solution is here, Oxygen Remote Explorer v.1.3.1! Note that this product was previously known as Oxygen Corporate Explorer.

Read below about some of the key features included in this release. For a full list of updates, refer to the “What’s New” file in the Oxygen Remote Explorer “Options” menu.

Endpoint Data Collection

Deleted file recovery for Windows-based endpoints

We added the ability to choose deleted file recovery in the Profile Configuration window for Windows-based endpoints. Before extraction, users can choose if they want to recover deleted files from remote endpoints. Deleted file recovery is available from NTFS, FAT, and exFAT file systems.

Computer Artifacts

Extraction of μTorrent data from Windows and search for torrent files

Oxygen Remote KeyScout now collects μTorrent data from Windows computers. Evidence sets will include torrents, filters, history, and other artifacts. We also added the ability to search for files with .torrent extension on Windows, macOS, and Linux, and extract information about them.

Other new artifacts:

  • Apple FaceTime data from macOS
  • OpenOffice data from Windows and GNU/Linux
  • Microsoft Outlook data from macOS
  • FastStone Image Viewer data from Windows

Mobile Forensic Updates

Enhanced Android Agent method

You can now extract app data via Android Agent from devices running Android OS 14.0. Android Agent can be installed on a device via USB, WiFi, or OTG device. Once the acquisition process is finished, the Android Agent extraction can be imported into Oxygen Forensic® Detective for review and analysis.

Cloud Forensic Updates

Reddit cloud data extraction

Now you can extract evidence from Reddit cloud via login/password or token. Supported artifacts include the account information, chats, posts, subreddits, notifications, reactions, comments, subscriptions, and blocked users.

General

Updated Translation module

We updated our Translation module and added support for 5 new languages: Turkish, Farsi, Polish, Ukrainian, and Belarusian. The Translation module is available at no additional cost.

Interested in trying out Oxygen Corporate Explorer v.1.3.1? Get a demo.

Oxygen Remote Explorer v.1.3

This update includes:

  • Remote iOS device extraction
  • Brute force module for computer partitions, apps, and files
  • Enhanced FFS and APK Downgrade methods
  • Access to WhatsApp QR Multi-Device service via phone number

Endpoint Data Collection

Remote iOS device extraction

Remote iOS device extraction is now available in the Agent Management Center of Oxygen Remote Explorer. You can remotely collect any data or selected data from an unlocked device, even with the latest iOS 17.2 version. The data set will include contacts, messages, calls, media files, and applications. Once the data is extracted, it can be imported in Oxygen Remote Explorer for analysis and reporting.

Agent Management Center

Several enhancements have been added to the Agent Management Center.

Now you can:

  • view all the event logs created by a user
  • manage Agents via MSRPC\SSH protocol
  • use separate user profiles for Agent authorization and deployment on Linux-based endpoints

Computer Artifacts

Passcode brute force module

A passcode brute force module, Oxygen Forensic® KeyDiver, is now available at no additional charge.

Using this module, you can find passcodes to:

  • partitions protected with BitLocker
  • partitions protected with FileVault 2
  • encrypted ZIP files
  • passcode-locked Telegram app
  • encrypted Apple Notes

You can create an attack method using a dictionary, mask, or a user’s personal data from an extraction.

Deleted data recovery from NTFS

We added the ability to recover deleted files from NTFS if Oxygen Remote KeyScout runs with escalated privileges. To recover deleted data from partitions, select them in the Drives and partitions section of Oxygen Remote KeyScout.

Support for AFF4 and VHDX formats

You can now import and parse computer images of AFF4 and VHDX formats. For a VHDX format, snapshots are also supported.

New artifacts

The updated Oxygen Remote KeyScout enables users to collect the following new artifacts:

  • information about recently used applications, documents, servers, partitions, and other objects of macOS.
  • LibreOffice data from Windows, macOS, and GNU/Linux.
  • Exodus data from Windows, macOS, and GNU/Linux.
  • Todoist data from Windows, macOS, and GNU/Linux.
  • Stories of public channels and quoted messages from Telegram for macOS.
  • OneDrive data from Windows and macOS.
  • Slack data from Windows, macOS, and GNU/Linux.

Mobile Forensic Updates

Enhanced Full File System extraction for Android devices

We updated our Full File System extraction method for Android devices and it is now compatible with devices that have the Security Patch Level (SPL) no later than October 2022.

Enhanced APK Downgrade method

The list of applications supported by the APK downgrade method has been extended. The following new apps have been added: Baidu Browser, BBM, Like, Maxthon Browser, Opera, Puffin, Shareit, Snapchat, TikTok, Truecaller, Tumblr, Zangi, Zello, and Zoom. Moreover, you can now see the full list of supported apps in the initial window of the APK Downgrade method.

Extraction via iOS Agent for iPads

The new version enables you to extract the full file system and keychain via iOS Agent from iPads based on the A8 – A15, M1 and M2 chipsets, and running iPadOS 15.0 – 15.7.3 and 16.1 – 16.5.

Support for the UNISOC SC9863A chipset

Support for the UNISOC SC9863A chipset is added. You can extract data from screen-locked Android devices based on this chipset and running Android OS 10-13.

Support for the MT6893 and MT6853 chipsets

We added support for two more Mediatek chipsets – MT6893 and MT6853. You can extract hardware keys and decrypt physical dumps of screen-locked Android devices based on these chipsets.

New app support

We added support for the following new apps:

  • Bitwarden (Android, Apple)
  • Trello (Android, Apple)
  • Message+ (Apple)

The total number of supported app versions now exceeds 44,300.

Import Updates

Import of Instagram account copy

Oxygen Remote Explorer now allows the import and parsing of Instagram data that can be downloaded following this instruction. Our software supports both HTML and JSON formats of Instagram account data files. Parsed data will include the account info, chats, followers, comments, likes, Threads account data, and many other available categories.

Cloud Forensic Updates

Access to WhatsApp QR Multi-Device service via phone number

Previously, our software enabled access to the WhatsApp QR Multi-Device service by scanning a QR code or via token. Now you can also access it via phone number. Enter the phone number in the Cloud Extractor and insert the code in the WhatsApp app on a mobile device.

Facebook data extraction via iOS token

Now you can access Facebook cloud data via Facebook token extracted from an Apple iOS device.

Oxygen Remote Explorer v.1.2

This update includes:

  • Decryption of VeraCrypt containers
  • Deleted file recovery from FAT16, FAT32, and exFAT file systems
  • Cloud extraction of Google Messages
  • Samsung Browser extraction via Android Agent
  • A new smart filter in the Timeline section

Endpoint Data Collection

Remote Device Collector Updates

Now, once the Remote Device Collector is installed on the endpoint and its shortcut is created, it can be manually started anytime by the user. The user can connect a mobile device and extract data. In the previous version of the Remote Device Collector, device registration and data extraction were managed by the Admin only.

Remote Device Registration

There are now two types of endpoint device registration. Previously, a mobile device could only be assigned to a particular endpoint. With this new version, the mobile device may have a Roaming status, allowing it to be extracted on any registered endpoint. The device registration status will be shown in the Hostname column in the Agent Management Center.

Computer Artifacts

Deleted Files Recovery

We added the ability to recover deleted files from FAT16, FAT32, and exFAT file systems. To do so, select the “Recover deleted files” option in the KeyScout Search settings, then select drives and partitions where you want to recover deleted files.

Decryption of VeraCrypt containers

Oxygen Remote KeyScout can now extract VeraCrypt encryption keys from Windows RAM. With a found VeraCrypt encryption key, drives, partitions, and separate file containers can be decrypted.

Key features of this functionality include:

  • Support for standard and hidden containers
  • Detection of drives, partitions, or file containers protected with VeraCrypt
  • Extraction of VeraCrypt encryption keys of any version
  • Support for all 15 VeraCrypt encryption algorithms

In addition to using VeraCrypt encryption keys, drives and partitions can be decrypted with a known password in Oxygen Remote KeyScout.

New Artifacts

The updated Oxygen Remote KeyScout enables users to collect the following new artifacts:

  • Installed Homebrew packages from macOS
  • Shim Cache from Windows
  • The information about permissions that were given to applications on Windows
  • NordVPN from Windows, macOS, and GNU/Linux
  • PureVPN from Windows, macOS, and GNU/Linux
  • VLC Media Player from Windows, macOS, and GNU/Linux
  • A paid version of ViPole from Windows, macOS, and GNU/Linux
  • Telegram stories from macOS

Moreover, we added decryption of Viber databases from macOS and WhatsApp databases from Windows images.

Mobile Extraction Updates

Support for Xiaomi Redmi devices

In Oxygen Remote Explorer v.1.2, we added the ability to extract hardware keys and decrypt physical dumps of Xiaomi devices based on the Qualcomm SDM439 chipset. Xiaomi Redmi 7A, Xiaomi Redmi 8, and Xiaomi Redmi 8A devices running Android OS 7 or higher are now supported.

Extended support for UNISOC-based devices

We also added support for the devices based on the UNISOC T606, T616, T612, and T310 chipsets and running Android OS 10 – 13. Now you can extract hardware keys to decrypt physical dumps of many HTC, Motorola, Nokia, Realme, ZTE, and other devices based on these chipsets.

Enhanced APK Downgrade method

Our APK Downgrade method allows extraction of popular apps by temporarily downgrading app versions so that they are included in the ADB backup. In Oxygen Remote Explorer v.1.2, we added support for Android OS versions 12 and 13. You can extract data from many more Android devices using this method. With our support for WhatsApp, Instagram, Facebook, Twitter, and 40 other supported apps, you will have access to much more critical evidence.

Samsung Browser extraction via Android Agent

You can now quickly collect Samsung Browser data from any unlocked Android device using our Android Agent. It can be installed on a device via USB, WiFi, or OTG device. Once the acquisition process is finished, the extraction can be imported into Oxygen Remote Explorer for review and analysis. The evidence set will include saved logins, passwords, history, bookmarks, downloads, and other available data.

Enhanced iOS Agent method

We significantly enhanced the ability to extract full file system and keychain via the iOS Agent. Now you can extract them from devices with iOS versions 14.6 – 14.8.1, 15.6 – 15.7.1, and 16.0 – 16.5.

New App support

We added support for the following new apps:

  • Threads (Android, iOS)
  • TikTok Lite (Android)
  • TanTan (Android, iOS)
  • 1Password (Android, iOS)

We also added passcode brute force for encrypted Apple Notes and the Briar app.

The total number of supported app versions now exceeds 40,000.

Import Updates

Import Images

In Oxygen Remote Explorer, we added the ability to import the following images:

  • Physical dumps of Xiaomi Redmi 7A/8/8A based on the Qualcomm SDM439 chipset
  • Physical dumps of the UNISOC T606/T616/T612, and T310 chipsets
  • XRY backups of versions 10.3.1 and newer

Additionally, you can now select artifacts to import and analyze from Oxygen Remote KeyScout extractions. This is a great time-saving feature as you do not need to import the whole extraction anymore.

Cloud Extractor Updates

Clubhouse data extraction

The latest Oxygen Forensic® Cloud Extractor enables data extraction from Clubhouse via phone number or token. The extracted data set includes account info, contacts, audio messages, replays, chats, notifications, and information about the houses.

Bumble data extraction

Bumble is another new service added in Oxygen Remote Explorer. Data extraction from this dating app is supported via phone number or token. Extracted evidence will include profile info, contacts, messages, and album photos.

Google Messages extraction

Now you can also extract Google Messages from the cloud. Use a token or scan a QR code with a mobile device to gain access to this cloud service. The evidence set will include information about the account owner, SIM cards, contacts, as well as private and group chats.

Data Analysis Updates

Analytic Tools Update

We enhanced our analytical sections with two features:

  • New categories have been added to the Image Categorization section: medical, meme, offensive gesture, and schematic.
  • A new smart filter now allows showing events before and after those events marked with a particular tag in the Timeline section.

Oxygen Remote Explorer v.1.1

This update includes:

  • Remote Device Collector (RDC)
  • Support for AWS Wickr and Samsung Email
  • New computer artifacts
  • Timeline enhancements

For a full list of updates, refer to the “What’s New” file in the Oxygen Remote Explorer “Options” menu.

Endpoint Data Collection

Remote Device Collector

The groundbreaking Remote Device Collector (RDC) is now available in the Agent Management Center of Oxygen Remote Explorer. You can now remotely connect any unlocked device running Android OS 4 – 13 to our software and extract contacts, calls, messages, calendars, and media file information via Android Agent. Once the data is extracted, it can be seamlessly imported in Oxygen Remote Explorer for analysis and reporting. Now you can collect Android data quickly and efficiently, regardless of where the device is located.

Computer Artifacts

New and updated artifacts

Oxygen Remote KeyScout enables users to collect the following new artifacts:

  • Permissions given by macOS applications
  • Background app activity from Windows
  • History of recently opened files from Linux
  • Secret DPAPI password from Windows
  • ICQ data from Windows, macOS, and Linux
  • FileZilla data from Windows, macOS, and Linux
  • Spark data from Windows
  • Discord data from Linux
  • Discord cookies and messages from Windows and macOS

Updated artifact support includes:

  • Data about network interfaces from Windows
  • Event logs from Windows. Now data about VPN, BITS, and DPAPI can be collected
  • Spark data from macOS

Mobile Extraction Updates

Support for the MT6833 chipset

Oxygen Remote Explorer offers extraction of hardware keys and decryption of Android devices based on the MT6833 chipset, having File-Based Encryption (FBE), and running Android OS 10-13. Our support covers Samsung, Xiaomi, Oppo, Realme, Vivo, and Motorola devices.

Additional Extractor updates

Our updated Oxygen Forensic® Device Extractor introduces several additional enhancements:

  • The ability to extract the full file system and keychain via checkm8 from Apple iOS devices with iOS version 15.7.7.
  • Updated extraction via iOS Agent from iPhones running iOS versions 15.0 – 15.4.1.
  • Updated Kik data extraction via Android Agent from unlocked Android devices.
  • Updated data extraction via Android Agent from Huawei devices running HarmonyOS.

App support

We added support for the following new apps:

  • AWS Wickr (iOS, Android)
  • Samsung Email (Android)
  • Vivaldi Browser (Android)

Data Analysis

Updates

In Oxygen Remote Explorer, we included several enhancements for our analytical tools:

  • Timeline: added a new smart filter. Now you can quickly filter and view the events that happened before and after the events marked with tags.
  • Timeline: added the ability to filter by seconds, minutes, and hours in the time filter.
  • Maps: added the Activity Matrix for geo coordinates. Now you can deeply analyze the geo location data and determine the peaks of user activity.

Oxygen Remote Explorer v.1.0

All-in-one platform

Conduct various investigations in one single platform by collecting data from computers, cloud services, and mobile devices, whether they are onsite or remote. Leverage built-in powerful analytics to gain quick insights into your case.

Remote and onsite endpoint acquisition

Collect data from Windows, macOS, and Linux-based endpoints no matter where they are located. Local collections are also supported.

Cloud and mobile data extraction

Collect communications, documents, and other data from a variety of enterprise cloud services and mobile devices. Merge these collections with computer ones to see a full picture of the event.

Scheduled and automatic collections

Save time by scheduling regular data collections and automatic collections.

Targeted and fast collections

Speed up your investigation with simultaneous and targeted data collection from various digital sources. Collect documents, downloaded data, and files with a specific extension within a specified time frame.

Built-in powerful analytics

Build a timeline of events, leverage AI-powered analytics to run OCR on documents and screenshots, and automatically categorize collected images. Use keywords, RegEx, and other types of search to quickly find required artifacts.

Integration with other solutions

Export collected data into various file formats including Relativity for further analysis.

Features

Computer artifacts

  • Computer artifacts can be extracted from a live running system (Windows, macOS, Linux) and forensic disk image files (AD1, E01, L01, ZIP archives).
  • Live system acquisition can be made remotely or locally by running Oxygen Remote KeyScout on the targeted computer (Windows, macOS, Linux).
  • You can collect the following:
    • System artifacts: USBSTOR, Shellbags, Prefetch, Jumplist, Task Scheduler, registry and event logs, macOS file system events and preferences, and more.
    • User data from messengers, social media, storages, web browsers, and other apps such as: WhatsApp, Slack, Skype, Viber, Dropbox, Microsoft Teams, Outlook, iCloud Drive.
    • Capture volatile memory (RAM) and save it in RAW format compatible with Volatility and other memory analysis utilities.

Cloud data

  • Utilize the credentials to quickly access and download cloud-based data within a specified time period.
  • Extract evidence from a great variety of cloud services:
    • Messengers and social media: Slack, WhatsApp, Telegram, Viber, Zoom, LinkedIn, Chatwork, Flock, Teams, and others.
    • Emails: Mail (IMAP), Google Mail, Outlook Mail, Secmail.
    • Storages: Dropbox, Amazon EC2, Amazon S3, iCloud, OneDrive, Google Drive, Box, MEGA, and more.
    • Business such as: Evernote, Apple Calendar, Safari, Google Tasks, Google Calendars.

Mobile data

  • Run fast and targeted data collections from unlocked iPhones, iPads, and various Android devices to extract contacts, communications, event history, locations, deleted records, and more.
  • Utilize advanced screen lock bypass methods for Samsung, Huawei, Xiaomi, Motorola, Oppo, and other Android-powered devices.
  • Import and parse device backups (iTunes, Samsung, Huawei) and other third-party mobile images.
  • Decrypt data from secure apps and device storages including Apple Notes, Wickr, Signal, Vault apps, Huawei PrivateSpace, Samsung Secure Folder, and others.

Analysis and Reporting

  • Analyze computer, mobile, and cloud extractions in one case.
  • Track down the timeline of events and gain quick insights into the user statistics.
  • Determine social connections between contacts.
  • Run facial and image categorization, and Optical Character Recognition.
  • Visualize visited and common locations on the map.
  • Search artifacts in extracted data by various criteria.
  • Export data to various file formats compatible with other tools.

Schedule a demo with one of our forensic experts.